Close Open Privacy Scan

Snapshot: commit 918cf5d
engine v1
2026-06-25T11:22:54.996393+00:00

Possible application data leak

Potential data exfiltration identified in application code.

Incomplete scan — only 95/200 dependencies were analyzed. Treat the score as provisional.

App Privacy Score

22/100
High privacy risk — possible application leak

High risk · 1921 finding(s)

Dependency score: 37 (High risk)

Score Breakdown

pii_flow −60
egress −15
env_fs −3

Scan Summary

2 high · 30 medium · 1889 low
First-party packages: 19
Dependency packages: 38
Ecosystem: npm

Potential data exfiltration in application code

External domains: prisma-generate-server.prisma.workers.dev, proxyhog.prisma-data.net, pub-833f4cf4b3dc4d17a6db4981affc9fbb.r2.dev

medium first-party (npm) PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/.github/scripts/create-git-tag.mjs:10 repo/.github/scripts/create-git-tag.mjs:46
medium first-party (npm) PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/.github/scripts/create-git-tag.mjs:10 repo/.github/scripts/create-git-tag.mjs:72
medium first-party (npm) PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/.github/scripts/create-git-tag.mjs:10 repo/.github/scripts/create-git-tag.mjs:78
medium first-party (npm) PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/.github/workflows/scripts/auto-close-github-discussions.js:16 repo/.github/workflows/scripts/auto-close-github-discussions.js:53
medium first-party (npm) PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/.github/workflows/scripts/auto-close-github-discussions.js:16 repo/.github/workflows/scripts/auto-close-github-discussions.js:76
medium first-party (npm) PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/.github/workflows/scripts/auto-close-github-discussions.js:16 repo/.github/workflows/scripts/auto-close-github-discussions.js:125
medium first-party (npm) PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/.github/workflows/scripts/auto-close-github-discussions.js:16 repo/.github/workflows/scripts/auto-close-github-discussions.js:135
medium first-party (npm) PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/.github/workflows/scripts/auto-close-github-discussions.js:16 repo/.github/workflows/scripts/auto-close-github-discussions.js:140
medium first-party (npm) PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/.github/workflows/scripts/auto-close-github-discussions.js:16 repo/.github/workflows/scripts/auto-close-github-discussions.js:173
medium first-party (npm) PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/.github/workflows/scripts/auto-close-github-discussions.js:16 repo/.github/workflows/scripts/auto-close-github-discussions.js:181
medium first-party (npm) PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/.github/workflows/scripts/auto-close-github-discussions.js:16 repo/.github/workflows/scripts/auto-close-github-discussions.js:200
medium first-party (npm) PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/.github/workflows/scripts/auto-close-github-discussions.js:16 repo/.github/workflows/scripts/auto-close-github-discussions.js:228
medium first-party (npm) PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/.github/workflows/scripts/auto-close-github-discussions.js:16 repo/.github/workflows/scripts/auto-close-github-discussions.js:230
medium first-party (npm) PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/.github/workflows/scripts/auto-close-github-discussions.js:16 repo/.github/workflows/scripts/auto-close-github-discussions.js:251
medium first-party (npm) PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/.github/workflows/scripts/auto-close-github-discussions.js:16 repo/.github/workflows/scripts/auto-close-github-discussions.js:257
medium first-party (npm) PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/packages/fetch-engine/src/download.ts:121 repo/packages/fetch-engine/src/download.ts:125
medium first-party (npm) PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/packages/internals/src/utils/parseAWSNodejsRuntimeEnvVarVersion.ts:2 repo/packages/internals/src/utils/parseAWSNodejsRuntimeEnvVarVersion.ts:12
medium first-party (npm) PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/packages/migrate/src/utils/test-SchemaEngineCommands.ts:12 repo/packages/migrate/src/utils/test-SchemaEngineCommands.ts:13
medium first-party (npm) PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/sandbox/basic-postgres/index.ts:6 repo/sandbox/basic-postgres/index.ts:17
medium first-party (npm) PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/sandbox/driver-adapters/src/neon.ws.ts:12 repo/sandbox/driver-adapters/src/neon.ws.ts:13
medium first-party (npm) PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/scripts/ci/publish.ts:484 repo/scripts/ci/publish.ts:484
medium first-party (npm) PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/scripts/ci/publish.ts:491 repo/scripts/ci/publish.ts:562
medium first-party (npm) PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/scripts/ci/publish.ts:485 repo/scripts/ci/publish.ts:566
medium first-party (npm) PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/scripts/ci/publish.ts:888 repo/scripts/ci/publish.ts:889
medium first-party (npm): packages/migrate PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/packages/migrate/src/utils/test-SchemaEngineCommands.ts:12 repo/packages/migrate/src/utils/test-SchemaEngineCommands.ts:13
medium first-party (npm): packages/internals PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/packages/internals/src/utils/parseAWSNodejsRuntimeEnvVarVersion.ts:2 repo/packages/internals/src/utils/parseAWSNodejsRuntimeEnvVarVersion.ts:12
medium first-party (npm): packages/fetch-engine PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/packages/fetch-engine/src/download.ts:121 repo/packages/fetch-engine/src/download.ts:125
Dependency data flows (5)
high wrangler dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/templates/startDevWorker/InspectorProxyWorker.ts:293 pkgs/npm/[email protected]/templates/startDevWorker/InspectorProxyWorker.ts:306
high wrangler dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/wrangler-dist/InspectorProxyWorker.js:215 pkgs/npm/[email protected]/wrangler-dist/InspectorProxyWorker.js:223
medium esbuild dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/[email protected]/install.js:29 pkgs/npm/[email protected]/install.js:248
medium esbuild dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/[email protected]/lib/main.js:1595 pkgs/npm/[email protected]/lib/main.js:1678
medium dotenv-cli dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/[email protected]/cli.js:96 pkgs/npm/[email protected]/cli.js:100

First-Party Code

first-party (npm)

npm first-party
medium pii_flow production #9187c5b4437729ae PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/.github/scripts/create-git-tag.mjs:46 · flow /tmp/closeopen-17zukif3/repo/.github/scripts/create-git-tag.mjs:10 → /tmp/closeopen-17zukif3/repo/.github/scripts/create-git-tag.mjs:46
    core.info(`Tag ${tagName} already exists on ${owner}/${repo}, skipping.`)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow production #b50faf8e3f1468c0 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/.github/scripts/create-git-tag.mjs:72 · flow /tmp/closeopen-17zukif3/repo/.github/scripts/create-git-tag.mjs:10 → /tmp/closeopen-17zukif3/repo/.github/scripts/create-git-tag.mjs:72
      core.info(`Tag reference refs/tags/${tagName} already exists on ${owner}/${repo}, skipping.`)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow production #de0818ae1174b6e4 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/.github/scripts/create-git-tag.mjs:78 · flow /tmp/closeopen-17zukif3/repo/.github/scripts/create-git-tag.mjs:10 → /tmp/closeopen-17zukif3/repo/.github/scripts/create-git-tag.mjs:78
  core.info(`Created tag ${tagName} on ${owner}/${repo} at ${commitSha}.`)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow production #a369f4b49ee699c9 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/.github/workflows/scripts/auto-close-github-discussions.js:53 · flow /tmp/closeopen-17zukif3/repo/.github/workflows/scripts/auto-close-github-discussions.js:16 → /tmp/closeopen-17zukif3/repo/.github/workflows/scripts/auto-close-github-discussions.js:53
    console.log(`Found ${collaborators.length} collaborators with write access.`)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow production #b63a61364649eccd PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/.github/workflows/scripts/auto-close-github-discussions.js:76 · flow /tmp/closeopen-17zukif3/repo/.github/workflows/scripts/auto-close-github-discussions.js:16 → /tmp/closeopen-17zukif3/repo/.github/workflows/scripts/auto-close-github-discussions.js:76
    console.log(`Found Q&A category with ID: ${qaCategory.id}`)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow production #42366a378e2337a3 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/.github/workflows/scripts/auto-close-github-discussions.js:125 · flow /tmp/closeopen-17zukif3/repo/.github/workflows/scripts/auto-close-github-discussions.js:16 → /tmp/closeopen-17zukif3/repo/.github/workflows/scripts/auto-close-github-discussions.js:125
    console.log(`Fetched ${discussions.length} discussions`)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow production #cd8be4760acc1d4b PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/.github/workflows/scripts/auto-close-github-discussions.js:135 · flow /tmp/closeopen-17zukif3/repo/.github/workflows/scripts/auto-close-github-discussions.js:16 → /tmp/closeopen-17zukif3/repo/.github/workflows/scripts/auto-close-github-discussions.js:135
    console.log(`Found ${filteredDiscussions.length} open Q&A discussions with at least one target label.`)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow production #8f69ebba1f65d032 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/.github/workflows/scripts/auto-close-github-discussions.js:140 · flow /tmp/closeopen-17zukif3/repo/.github/workflows/scripts/auto-close-github-discussions.js:16 → /tmp/closeopen-17zukif3/repo/.github/workflows/scripts/auto-close-github-discussions.js:140
      console.log(`Processing discussion #${discussionNumber}: ${discussion.title}`)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow production #dd4dd1368a18e51d PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/.github/workflows/scripts/auto-close-github-discussions.js:173 · flow /tmp/closeopen-17zukif3/repo/.github/workflows/scripts/auto-close-github-discussions.js:16 → /tmp/closeopen-17zukif3/repo/.github/workflows/scripts/auto-close-github-discussions.js:173
      console.log(
        `Last activity on discussion #${discussionNumber} was a ${lastActivity} from ${lastActivityAuthor} on ${lastActivityDate}`,
      )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow production #3be98053c743c76b PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/.github/workflows/scripts/auto-close-github-discussions.js:181 · flow /tmp/closeopen-17zukif3/repo/.github/workflows/scripts/auto-close-github-discussions.js:16 → /tmp/closeopen-17zukif3/repo/.github/workflows/scripts/auto-close-github-discussions.js:181
        console.log(
          `Discussion #${discussionNumber} qualifies for closure. Last activity was from collaborator ${lastActivityAuthor} more than a week ago.`,
        )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow production #37e6399df26e1b6b PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/.github/workflows/scripts/auto-close-github-discussions.js:200 · flow /tmp/closeopen-17zukif3/repo/.github/workflows/scripts/auto-close-github-discussions.js:16 → /tmp/closeopen-17zukif3/repo/.github/workflows/scripts/auto-close-github-discussions.js:200
          console.log(`Posted closing comment on discussion #${discussionNumber}.`)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow production #64bb9a8d8d0f4cdd PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/.github/workflows/scripts/auto-close-github-discussions.js:228 · flow /tmp/closeopen-17zukif3/repo/.github/workflows/scripts/auto-close-github-discussions.js:16 → /tmp/closeopen-17zukif3/repo/.github/workflows/scripts/auto-close-github-discussions.js:228
            console.log(`Removed target labels from discussion #${discussionNumber}.`)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow production #8a081de1d7371634 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/.github/workflows/scripts/auto-close-github-discussions.js:230 · flow /tmp/closeopen-17zukif3/repo/.github/workflows/scripts/auto-close-github-discussions.js:16 → /tmp/closeopen-17zukif3/repo/.github/workflows/scripts/auto-close-github-discussions.js:230
            console.log(`No target labels to remove from discussion #${discussionNumber}.`)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow production #40448e66ecb553b8 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/.github/workflows/scripts/auto-close-github-discussions.js:251 · flow /tmp/closeopen-17zukif3/repo/.github/workflows/scripts/auto-close-github-discussions.js:16 → /tmp/closeopen-17zukif3/repo/.github/workflows/scripts/auto-close-github-discussions.js:251
          console.log(`Closed discussion #${discussionNumber} as OUTDATED.`)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow production #917233d2f46c8a2b PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/.github/workflows/scripts/auto-close-github-discussions.js:257 · flow /tmp/closeopen-17zukif3/repo/.github/workflows/scripts/auto-close-github-discussions.js:16 → /tmp/closeopen-17zukif3/repo/.github/workflows/scripts/auto-close-github-discussions.js:257
        console.log(`Discussion #${discussionNumber} does not qualify for closure.`)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow production #ddbd7f940141ece1 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/packages/fetch-engine/src/download.ts:125 · flow /tmp/closeopen-17zukif3/repo/packages/fetch-engine/src/download.ts:121 → /tmp/closeopen-17zukif3/repo/packages/fetch-engine/src/download.ts:125
    console.log(`version: ${opts.version}`)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow production #eeabe5d665af5ed7 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/packages/internals/src/utils/parseAWSNodejsRuntimeEnvVarVersion.ts:12 · flow /tmp/closeopen-17zukif3/repo/packages/internals/src/utils/parseAWSNodejsRuntimeEnvVarVersion.ts:2 → /tmp/closeopen-17zukif3/repo/packages/internals/src/utils/parseAWSNodejsRuntimeEnvVarVersion.ts:12
    console.error(
      `We could not parse the AWS_LAMBDA_JS_RUNTIME env var with the following value: ${runtimeEnvVar}. This was silently ignored.`,
    )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow production #16f7285477810708 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/packages/migrate/src/utils/test-SchemaEngineCommands.ts:13 · flow /tmp/closeopen-17zukif3/repo/packages/migrate/src/utils/test-SchemaEngineCommands.ts:12 → /tmp/closeopen-17zukif3/repo/packages/migrate/src/utils/test-SchemaEngineCommands.ts:13
  console.log(result)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow production #83f84acd01e44568 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/sandbox/basic-postgres/index.ts:17 · flow /tmp/closeopen-17zukif3/repo/sandbox/basic-postgres/index.ts:6 → /tmp/closeopen-17zukif3/repo/sandbox/basic-postgres/index.ts:17
  console.log(users)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow production #eb010f894a9cc76d PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/sandbox/driver-adapters/src/neon.ws.ts:13 · flow /tmp/closeopen-17zukif3/repo/sandbox/driver-adapters/src/neon.ws.ts:12 → /tmp/closeopen-17zukif3/repo/sandbox/driver-adapters/src/neon.ws.ts:13
  console.log('connectionString', connectionString)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow production #e00cedd59924d4bb PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/scripts/ci/publish.ts:484 · flow /tmp/closeopen-17zukif3/repo/scripts/ci/publish.ts:484 → /tmp/closeopen-17zukif3/repo/scripts/ci/publish.ts:484
    console.log(`Setting --release to RELEASE_VERSION = ${process.env.RELEASE_VERSION}`)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow production #39a72007990fb67a PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/scripts/ci/publish.ts:562 · flow /tmp/closeopen-17zukif3/repo/scripts/ci/publish.ts:491 → /tmp/closeopen-17zukif3/repo/scripts/ci/publish.ts:562
    console.log(`Using custom dist tag: ${args['--custom-dist-tag']}`)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow production #becad015cc127276 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/scripts/ci/publish.ts:566 · flow /tmp/closeopen-17zukif3/repo/scripts/ci/publish.ts:485 → /tmp/closeopen-17zukif3/repo/scripts/ci/publish.ts:566
  console.log({
    patchBranch,
    tag,
    tagForEcosystemTestsCheck,
    prismaVersion,
  })

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow production #cda82dc097eec36d PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/scripts/ci/publish.ts:889 · flow /tmp/closeopen-17zukif3/repo/scripts/ci/publish.ts:888 → /tmp/closeopen-17zukif3/repo/scripts/ci/publish.ts:889
    console.debug('versions from patch branch:', versions)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

818 low-confidence finding(s)
low env_fs production #d3b093bc117cce7f Environment-variable access.
repo/.github/scripts/create-git-tag.mjs:10
  const repoInput = process.env.INPUT_REPOSITORY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f5900aae7c6db854 Environment-variable access.
repo/.github/scripts/create-git-tag.mjs:25
  const tagName = process.env.TAG_NAME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0484e5c618117ca8 Environment-variable access.
repo/.github/scripts/create-git-tag.mjs:31
  const commitSha = process.env.COMMIT_SHA

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #014d3e9feb6a33fa Environment-variable access.
repo/.github/scripts/create-git-tag.mjs:37
  const messageEnv = process.env.TAG_MESSAGE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7b84574d50d77494 Environment-variable access.
repo/.github/workflows/scripts/auto-close-github-discussions.js:5
const repoInfo = process.env.GITHUB_REPOSITORY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0c6e5260eeed2876 Environment-variable access.
repo/.github/workflows/scripts/auto-close-github-discussions.js:16
  const token = process.env.GITHUB_TOKEN

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9685f2b1b76cd1d2 Environment-variable access.
repo/.github/workflows/scripts/auto-close-github-discussions.js:22
  const closingMessage = process.env.CLOSING_MESSAGE || 'Closing discussion due to inactivity.'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0c13e786ee5075ca Filesystem access.
repo/.github/workflows/scripts/detect-jobs-to-run.js:4
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c713ea90f2ed9423 Environment-variable access.
repo/.github/workflows/scripts/detect-jobs-to-run.js:53
  if (typeof process.env.GITHUB_OUTPUT == 'string' && process.env.GITHUB_OUTPUT.length > 0) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #38570356ddfd9577 Environment-variable access.
repo/.github/workflows/scripts/detect-jobs-to-run.js:54
    fs.appendFileSync(process.env.GITHUB_OUTPUT, `jobs=${jobsToRun.join()}\n`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #079053a2e6f41ee0 Filesystem access.
repo/eslint-local-rules/valid-exported-types-index.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cd8a67fa6e428b70 Filesystem access.
repo/helpers/compile/build.ts:4
import { writeFileSync } from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #06e503e8f85b8c21 Environment-variable access.
repo/helpers/compile/build.ts:117
  if (process.env.WATCH === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ca6303bc7b4adfa4 Filesystem access.
repo/helpers/compile/build.ts:128
    writeFileSync(metafilePath, JSON.stringify(build.metafile))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #af5c37035efd7cbe Environment-variable access.
repo/helpers/compile/build.ts:158
  if (process.env.WATCH !== 'true') return context

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b424eb4d5e122d3d Environment-variable access.
repo/helpers/compile/build.ts:226
  if (!process.env.IGNORE_EXTERNALS && options.bundle === true) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #354d7dc0af18168c Filesystem access.
repo/helpers/compile/plugins/copyFilePlugin.ts:2
import fs from 'fs/promises'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #92aa79c9ba19ba7f Environment-variable access.
repo/helpers/compile/plugins/onErrorPlugin.ts:12
        if (process.env.WATCH !== 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #96be6d2c51510f35 Filesystem access.
repo/helpers/compile/plugins/replaceWithPlugin.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f85762ebe405a010 Filesystem access.
repo/helpers/compile/plugins/replaceWithPlugin.ts:33
        const contents = await fs.promises.readFile(args.path, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0702a193dbf07272 Environment-variable access.
repo/helpers/compile/plugins/tscPlugin.ts:76
      if (process.env.WATCH !== 'true' && process.env.DEV !== 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #787e7103767e9af5 Environment-variable access.
repo/helpers/compile/plugins/tscPlugin.ts:96
        if (process.env.WATCH !== 'true' && process.env.DEV !== 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1391f34a85c86bd7 Filesystem access.
repo/helpers/compile/plugins/tscPlugin.ts:100
          const dtsContents = await fs.readFile(`${bundlePath}.d.ts`, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #94afb6fab7d251bd Filesystem access.
repo/packages/cli/helpers/build.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1e8230dc2daba853 Environment-variable access.
repo/packages/cli/helpers/build.ts:153
const optionalPlugins = process.env.DEV === 'true' ? [] : [cliTypesBuildConfig, cliConfigBuildConfig]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a2f4fb199edd622d Environment-variable access.
repo/packages/cli/jest.setup.js:11
  process.env['JITI_ALIAS'] = JSON.stringify({

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd89757a0715d676 Environment-variable access.
repo/packages/cli/jest.setup.js:18
  delete process.env['JITI_ALIAS']

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5853537728a737c5 Environment-variable access.
repo/packages/cli/src/DebugInfo.ts:66
      const value = process.env[name]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4496ba711e0e06d3 Filesystem access.
repo/packages/cli/src/Format.ts:106
      await fs.writeFile(filename, data)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1989cf0f287bb4ab Filesystem access.
repo/packages/cli/src/Generate.ts:23
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #80b6a7d9011110aa Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/Init.ts:467
              await fetch(`https://prisma-generate-server.prisma.workers.dev/`, {
                method: 'POST',
                headers: {
                  'Content-Type': 'application/json',
                },
                body: JSON.stringify({
                  description: prompt,
                }),
              })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #0ac457220b4ec4b0 Filesystem access.
repo/packages/cli/src/Init.ts:656
      const envFile = fs.readFileSync(envPath, { encoding: 'utf8' })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2666df20738cb4b0 Environment-variable access.
repo/packages/cli/src/Studio.ts:320
        const browser = args['--browser'] || process.env.BROWSER

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a5ad620432816b5b Filesystem access.
repo/packages/cli/src/Studio.ts:644
      return await readFile(filePath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a2fa50b6369c8e3d Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:3
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #218e9957742399f4 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:15
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #957714230c753e72 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:19
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4e84a24a60a5bcfa Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:22
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #73635f27a4f95d45 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:48
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c75133707a5bd298 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:56
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7f67cc1742bcb785 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:68
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a0e702a2fb957695 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:96
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #227af07bde03b7fb Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:104
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a819307b2db5258e Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:116
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #738065b6713f9313 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:144
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4345ee190929a3b0 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:152
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4197a0b494206631 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:164
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3ebbcf4a46a885dc Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:179
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d95237e379d75ac3 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:187
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e08de06debee2d2f Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:199
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #22a9e38285bdf851 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:209
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #82387afceeda4742 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:217
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2a56063d5ba74ac7 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:229
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4c47b6b6c16be6d0 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:239
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ac5a8c0a32608d01 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:247
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1d7c2cfe3e0b189a Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:259
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #22f03523e775d6ea Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:271
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7134cfc131caa6c2 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:279
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2bf582156ecd0413 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:291
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6a1732b29e58e118 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:301
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7c61eb5c7030f18b Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:309
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1947fa36556aec65 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:321
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #aa788e88fd1332c0 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:336
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cad04ca3f29c8cab Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:340
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9bcaca41a6da8eee Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:352
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8d32b938a9bba387 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:356
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #727755fbd5f29edf Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:368
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #196de0afc0e08ba0 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:372
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #08588bba6ca56f34 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:387
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9f601fa54e12d788 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:395
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #df96373dee25fd7f Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:405
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e5825a25f956d3d8 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:413
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9b866c7a6f3315f7 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:425
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #35c8f955617f2c11 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:433
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7caeee068643ebac Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:443
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cf4fd02c198e49f9 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:451
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #25ff13e7cb8ef0dd Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:457
  fs.writeFileSync(join(ctx.tmpDir, '.env'), `DATABASE_URL="postgres://dont:overwrite@me:5432/tests"`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #47f2b38cdd4b1704 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:461
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6ae24c1f879f9b3c Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:465
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d197c5c772ae5638 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:468
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a8600f3211cdd27d Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:474
  fs.writeFileSync(join(ctx.tmpDir, '.env'), `SOMETHING="is here"`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #64fc81bc2f444f19 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:478
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #885dfeeec033229e Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:482
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a8dbbe398ca9025f Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:486
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b2c6e3e7ce60f1b6 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:494
  const gitignore = fs.readFileSync(join(ctx.tmpDir, '.gitignore'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #756dd5759a8aabab Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:497
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1212732c0c40f690 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:505
  fs.writeFileSync(gitignorePath, `# This should not be overridden`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9935c4eb61538fb5 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:506
  fs.readFileSync(gitignorePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #73625438d28e374f Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:508
  const gitignoreAfter = fs.readFileSync(gitignorePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6f8a358e395490e4 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:511
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #01e1c735b44f9489 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:519
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6aa2c9b4eb0c8955 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:522
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #eeaa59c583219c41 Environment-variable access.
repo/packages/cli/src/__tests__/artificial-panic.test.ts:15
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ce0edd06307d3f29 Environment-variable access.
repo/packages/cli/src/__tests__/artificial-panic.test.ts:21
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #22241c9aa3400018 Environment-variable access.
repo/packages/cli/src/__tests__/artificial-panic.test.ts:23
      process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #99b1bf4945770a9a Environment-variable access.
repo/packages/cli/src/__tests__/artificial-panic.test.ts:44
    process.env.FORCE_PANIC_SCHEMA_ENGINE = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4d8c8cca71178aa7 Environment-variable access.
repo/packages/cli/src/__tests__/artificial-panic.test.ts:74
    process.env.FORCE_PANIC_PRISMA_SCHEMA = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #faba879282d270de Environment-variable access.
repo/packages/cli/src/__tests__/artificial-panic.test.ts:100
    process.env.FORCE_PANIC_GET_CONFIG = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #33a71507adff508e Environment-variable access.
repo/packages/cli/src/__tests__/artificial-panic.test.ts:126
    process.env.FORCE_PANIC_GET_DMMF = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a0b390b4bbca7ecc Environment-variable access.
repo/packages/cli/src/__tests__/artificial-panic.test.ts:144
    process.env.FORCE_PANIC_GET_DMMF = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f15dab6f0b2cee89 Environment-variable access.
repo/packages/cli/src/__tests__/artificial-panic.test.ts:170
    process.env.FORCE_PANIC_GET_DMMF = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #533c4951d3e4b8c4 Filesystem access.
repo/packages/cli/src/__tests__/commandState.test.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #56f464bcdc49d870 Environment-variable access.
repo/packages/cli/src/__tests__/commands/DebugInfo.test.ts:18
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6b1f7ca0583eeb4d Environment-variable access.
repo/packages/cli/src/__tests__/commands/DebugInfo.test.ts:24
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3be3df31735f7a0a Environment-variable access.
repo/packages/cli/src/__tests__/commands/DebugInfo.test.ts:26
      process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c5153f343c488e93 Environment-variable access.
repo/packages/cli/src/__tests__/commands/DebugInfo.test.ts:70
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9fdc4847ce447af2 Environment-variable access.
repo/packages/cli/src/__tests__/commands/DebugInfo.test.ts:82
    Object.keys(envVars).map((key) => delete process.env[key])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ed1364b3512e0a02 Environment-variable access.
repo/packages/cli/src/__tests__/commands/DebugInfo.test.ts:86
    process.env.TERM = 'dumb'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bc7612165ab26dbe Environment-variable access.
repo/packages/cli/src/__tests__/commands/DebugInfo.test.ts:160
    process.env.TERM = 'dumb'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #558cedc5eae1c19a Environment-variable access.
repo/packages/cli/src/__tests__/commands/Format.test.ts:19
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6587907595042b32 Environment-variable access.
repo/packages/cli/src/__tests__/commands/Format.test.ts:25
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #93f5d260630ab15b Environment-variable access.
repo/packages/cli/src/__tests__/commands/Format.test.ts:27
      process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ef6bed4363e62417 Filesystem access.
repo/packages/cli/src/__tests__/commands/Format.test.ts:265
    expect(fs.readFileSync('schema.prisma', { encoding: 'utf-8' })).toMatchSnapshot()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #658e9bbcc4e12991 Filesystem access.
repo/packages/cli/src/__tests__/commands/Format.test.ts:271
    expect(fs.readFileSync('missing-backrelation.prisma', { encoding: 'utf-8' })).toMatchSnapshot()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2e8a24ab269b7c57 Environment-variable access.
repo/packages/cli/src/__tests__/commands/Format.test.ts:312
    process.env.PRISMA_DISABLE_WARNINGS = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d81c649bd8e96d53 Environment-variable access.
repo/packages/cli/src/__tests__/commands/Validate.test.ts:18
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #774e0f1371bf2cf5 Environment-variable access.
repo/packages/cli/src/__tests__/commands/Validate.test.ts:24
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5afcbfbda8cc2920 Environment-variable access.
repo/packages/cli/src/__tests__/commands/Validate.test.ts:26
      process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f1dcaaabcc98d6a6 Environment-variable access.
repo/packages/cli/src/__tests__/commands/Validate.test.ts:292
    process.env.PRISMA_DISABLE_WARNINGS = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3068eb059479cc3c Filesystem access.
repo/packages/cli/src/__tests__/incomplete-schemas.test.ts:7
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e5c936fbae2f2fa7 Filesystem access.
repo/packages/cli/src/__tests__/incomplete-schemas.test.ts:63
      fs.writeFileSync('script.sql', dbExecuteSQLScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7f590c784f3eab55 Filesystem access.
repo/packages/cli/src/__tests__/incomplete-schemas.test.ts:140
      fs.writeFileSync('script.sql', dbExecuteSQLScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8a66713c7f71c258 Filesystem access.
repo/packages/cli/src/__tests__/incomplete-schemas.test.ts:241
      fs.writeFileSync('script.sql', dbExecuteSQLScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #36d6239cd77a37b9 Filesystem access.
repo/packages/cli/src/__tests__/nps.test.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b18d6a78d2fd43bb Environment-variable access.
repo/packages/cli/src/__tests__/nps.test.ts:20
        delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #870d38394bfd237b Environment-variable access.
repo/packages/cli/src/__tests__/nps.test.ts:26
        delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #15de1c73c8475498 Environment-variable access.
repo/packages/cli/src/__tests__/nps.test.ts:28
        process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b2d9799674811f1b Environment-variable access.
repo/packages/cli/src/__tests__/nps.test.ts:40
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2bbf253eccd83d40 Environment-variable access.
repo/packages/cli/src/__tests__/nps.test.ts:65
    process.env.CI = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a7aff512063be98f Environment-variable access.
repo/packages/cli/src/__tests__/nps.test.ts:134
    process.env.KUBERNETES_SERVICE_HOST = '10.96.0.1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fe7ca594321f76af Environment-variable access.
repo/packages/cli/src/__tests__/nps.test.ts:155
    process.env.GIT_EXEC_PATH = '/nix/store/9z3jhc0rlj3zaw8nd1zka9vli6w0q11g-git-2.47.2/libexec/git-core'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4c6dda6185894d69 Environment-variable access.
repo/packages/cli/src/__tests__/nps.test.ts:176
    process.env.npm_command = 'install'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f3e37614780b853d Environment-variable access.
repo/packages/cli/src/__tests__/nps.test.ts:177
    process.env.npm_lifecycle_event = 'prepare'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8e4bb44a2af0032e Environment-variable access.
repo/packages/cli/src/__tests__/printUpdateMessage.test.ts:32
  originalPrismaHideUpdateMessageEnv = process.env.PRISMA_HIDE_UPDATE_MESSAGE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b76a672ced402048 Environment-variable access.
repo/packages/cli/src/__tests__/printUpdateMessage.test.ts:33
  delete process.env.PRISMA_HIDE_UPDATE_MESSAGE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e8755360c8e62edc Environment-variable access.
repo/packages/cli/src/__tests__/printUpdateMessage.test.ts:38
  process.env.PRISMA_HIDE_UPDATE_MESSAGE = originalPrismaHideUpdateMessageEnv

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d29a4539b96a5091 Environment-variable access.
repo/packages/cli/src/__tests__/update-message.test.ts:11
    originalPrismaHideUpdateMessageEnv = process.env.PRISMA_HIDE_UPDATE_MESSAGE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d8a1315c1cd8ec04 Environment-variable access.
repo/packages/cli/src/__tests__/update-message.test.ts:12
    delete process.env.PRISMA_HIDE_UPDATE_MESSAGE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9bb7184e40c1f313 Environment-variable access.
repo/packages/cli/src/__tests__/update-message.test.ts:16
    process.env.PRISMA_HIDE_UPDATE_MESSAGE = originalPrismaHideUpdateMessageEnv

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e5f6f4d34aca2fd0 Environment-variable access.
repo/packages/cli/src/__tests__/update-message.test.ts:144
    process.env.PRISMA_HIDE_UPDATE_MESSAGE = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #151cc7c4a5ab8488 Filesystem access.
repo/packages/cli/src/bootstrap/Bootstrap.ts:288
          const envContent = fs.readFileSync(envPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #df0299669f817c44 Environment-variable access.
repo/packages/cli/src/bootstrap/Bootstrap.ts:294
        process.env.DATABASE_URL = databaseUrl

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #253ba07e407e8f1a Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:160
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"name":"test"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d769514f9b8468b6 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:206
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"name":"test"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #932a3faa77e05389 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:234
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"name":"test"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7eb90c5d4fcb5323 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:266
    fs.writeFileSync(path.join(prismaDir, 'schema.prisma'), 'datasource db { provider = "postgresql" }', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #14cbb7bd43ef0f0f Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:293
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      `
datasource db { provider = "postgresql" }
model User { id Int @id }
`,
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8776ea17c8d36e19 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:324
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"name":"test"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e1fba709933beb97 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:327
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      'datasource db { provider = "postgresql" }\nmodel User { id Int @id }',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #33bff6493061fe16 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:363
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"name":"test"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e762b9bfa17e491f Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:366
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      'datasource db { provider = "postgresql" }\nmodel User { id Int @id }',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f9d0f23ef05e0624 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:396
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"name":"test"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0ff96adca5e04fd2 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:399
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      'datasource db { provider = "postgresql" }\nmodel User { id Int @id }',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b38e167ee32a78f0 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:430
    fs.writeFileSync(
      path.join(tmpDir, 'package.json'),
      '{"name":"test","prisma":{"seed":"npx tsx prisma/seed.ts"}}',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #892cb26429da0be3 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:437
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      'datasource db { provider = "postgresql" }\nmodel User { id Int @id }',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f6628426630e2c52 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:464
    fs.writeFileSync(
      path.join(tmpDir, 'package.json'),
      '{"name":"test","prisma":{"seed":"npx tsx prisma/seed.ts"}}',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f2ccddb41e2c7081 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:471
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      'datasource db { provider = "postgresql" }\nmodel User { id Int @id }',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3e5ece61c44f2042 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:503
    fs.writeFileSync(
      path.join(tmpDir, 'package.json'),
      '{"name":"test","prisma":{"seed":"npx tsx prisma/seed.ts"}}',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d05af56b670f9ed2 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:510
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      'datasource db { provider = "postgresql" }\nmodel User { id Int @id }',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0d4a4b55d70dd004 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:542
    fs.writeFileSync(
      path.join(tmpDir, 'package.json'),
      '{"name":"test","prisma":{"seed":"npx tsx prisma/seed.ts"}}',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ceb5a54b2a125aee Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:549
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      'datasource db { provider = "postgresql" }\nmodel User { id Int @id }',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f160ea2c25749db1 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:582
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"name":"test"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a59551fa6d24ac8d Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:32
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b0c349a588a5673b Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:41
    fs.writeFileSync(path.join(prismaDir, 'schema.prisma'), `datasource db { provider = "postgresql" }`, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #db9eff8ef62dffad Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:49
    fs.writeFileSync(path.join(tmpDir, 'schema.prisma'), `datasource db { provider = "postgresql" }`, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1ca3e797a151ba4f Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:58
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      `
datasource db {
  provider = "postgresql"
  url = env("DATABASE_URL")
}

model User {
  id   Int    @id @default(autoincrement())
  name String
}
`,
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #78f3bc3c847c3746 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:79
    fs.writeFileSync(path.join(tmpDir, 'prisma.config.ts'), 'export default {}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #dc0b20a76293c186 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:86
    fs.writeFileSync(path.join(tmpDir, '.env'), 'DATABASE_URL=test', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f776986741f84640 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:93
    fs.writeFileSync(
      path.join(tmpDir, 'package.json'),
      JSON.stringify({ prisma: { seed: 'ts-node prisma/seed.ts' } }),
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #285d570df87371b3 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:104
    fs.writeFileSync(path.join(tmpDir, 'package.json'), JSON.stringify({ prisma: { seed: '' } }), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #32d4ea189f74aa92 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:111
    fs.writeFileSync(path.join(tmpDir, 'package.json'), JSON.stringify({ name: 'test' }), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #19bfcf77deba8f77 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:118
    fs.writeFileSync(
      path.join(tmpDir, 'prisma.config.ts'),
      `import { defineConfig } from 'prisma/config'\nexport default defineConfig({ migrations: { seed: 'tsx ./prisma/seed.ts' } })`,
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6b03bdb198e751e5 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:129
    fs.writeFileSync(
      path.join(tmpDir, 'prisma.config.ts'),
      `export default defineConfig({\n  migrations: {\n    seed: "npx tsx prisma/seed.ts",\n  },\n})`,
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c9113975bbaa2891 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:140
    fs.writeFileSync(
      path.join(tmpDir, 'prisma.config.ts'),
      `export default defineConfig({ migrations: { path: 'prisma/migrations' } })`,
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0aa9e43d1423c77d Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:159
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      `
datasource db { provider = "postgresql" }

model User {
  id   Int    @id
  name String
  posts Post[]
}

model Post {
  id     Int    @id
  title  String
  author User   @relation(fields: [authorId], references: [id])
  authorId Int
}
`,
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0765e0ad8708f341 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:186
    fs.writeFileSync(path.join(prismaDir, 'schema.prisma'), `datasource db { provider = "postgresql" }`, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b4a2dcde10bffa5e Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:198
    fs.writeFileSync(
      path.join(tmpDir, 'package.json'),
      JSON.stringify({ prisma: { seed: 'ts-node prisma/seed.ts' } }),
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #339dff880eecb891 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:208
    fs.writeFileSync(
      path.join(tmpDir, 'prisma.config.ts'),
      `export default defineConfig({ migrations: { seed: 'npx tsx prisma/seed.ts' } })`,
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e380ad3922b337ec Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:218
    fs.writeFileSync(
      path.join(tmpDir, 'package.json'),
      JSON.stringify({ prisma: { seed: 'ts-node prisma/seed.ts' } }),
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7fe32ab064d84f21 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:223
    fs.writeFileSync(
      path.join(tmpDir, 'prisma.config.ts'),
      `export default defineConfig({ migrations: { seed: 'npx tsx prisma/seed.ts' } })`,
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b88f19e551cf88a7 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/template-scaffold.vitest.ts:36
    fs.writeFileSync(path.join(tmpDir, 'pnpm-lock.yaml'), '', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8f9c899831b1a57e Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/template-scaffold.vitest.ts:41
    fs.writeFileSync(path.join(tmpDir, 'yarn.lock'), '', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8a1af1697f4dbd21 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/template-scaffold.vitest.ts:50
    fs.writeFileSync(path.join(tmpDir, 'pnpm-lock.yaml'), '', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6c1e6af03d064c09 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/template-scaffold.vitest.ts:51
    fs.writeFileSync(path.join(tmpDir, 'yarn.lock'), '', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #354852da2541450e Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/template-scaffold.vitest.ts:56
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"packageManager":"[email protected]"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #93dbac5ce5ae40b0 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/template-scaffold.vitest.ts:61
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"packageManager":"[email protected]"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a319013e7ba15f17 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/template-scaffold.vitest.ts:66
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"packageManager":"[email protected]"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2efbabf2beb0c66e Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/template-scaffold.vitest.ts:71
    fs.writeFileSync(path.join(tmpDir, 'yarn.lock'), '', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7437d81b29c4682d Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/template-scaffold.vitest.ts:72
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"packageManager":"[email protected]"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #60add18e0ced0776 Filesystem access.
repo/packages/cli/src/bootstrap/project-state.ts:34
    const pkg = JSON.parse(fs.readFileSync(packageJsonPath, 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fcefec7f2c3f0dcf Filesystem access.
repo/packages/cli/src/bootstrap/project-state.ts:48
    const content = fs.readFileSync(configPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #018849e3a2df4280 Filesystem access.
repo/packages/cli/src/bootstrap/project-state.ts:59
    const content = fs.readFileSync(schemaPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #93cab12a3c7e3bfd Filesystem access.
repo/packages/cli/src/bootstrap/project-state.ts:71
      const pkg = JSON.parse(fs.readFileSync(packageJsonPath, 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #044901a168718ca8 Filesystem access.
repo/packages/cli/src/bootstrap/project-state.ts:81
      const content = fs.readFileSync(configPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f22ec0aa23741229 Filesystem access.
repo/packages/cli/src/bootstrap/project-state.ts:97
      const content = fs.readFileSync(schemaPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a8e04045bcf162d1 Environment-variable access.
repo/packages/cli/src/bootstrap/telemetry.ts:6
  return Boolean(process.env.CHECKPOINT_DISABLE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #0e22374f71a2bc94 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/bootstrap/template-scaffold.ts:54
  const response = await fetch(PRISMA_EXAMPLES_TARBALL_URL, {
    headers: { Accept: 'application/vnd.github+json', 'User-Agent': 'prisma-cli' },
    redirect: 'follow',
    signal: AbortSignal.timeout(120_000),
  })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #dfa54f91e5dad1f4 Filesystem access.
repo/packages/cli/src/bootstrap/template-scaffold.ts:82
        fs.writeFileSync(destPath, tarBuffer.subarray(offset, offset + header.size))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8c2a46587ac62e3e Filesystem access.
repo/packages/cli/src/bootstrap/template-scaffold.ts:161
      const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8ecaf5335c46b688 Filesystem access.
repo/packages/cli/src/generate/introspectSql.ts:4
import fs from 'fs/promises'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #239bc7913b5afb3c Filesystem access.
repo/packages/cli/src/generate/introspectSql.ts:39
    const source = await fs.readFile(path.join(typedSqlDirPath, fileName), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ff06f6d59d89a889 Filesystem access.
repo/packages/cli/src/init/file-writer.ts:17
    fs.writeFileSync(absPath, content, options)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9da27a564fa2a7bd Environment-variable access.
repo/packages/cli/src/postgres/link/Link.ts:43
  return process.env.PRISMA_MANAGEMENT_API_URL ?? DEFAULT_MANAGEMENT_API_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f75dc15354abf740 Environment-variable access.
repo/packages/cli/src/postgres/link/Link.ts:182
    const apiKey = explicitApiKey ?? (databaseId ? process.env.PRISMA_API_KEY : undefined)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7855a607e44f7cdd Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/Link.vitest.ts:119
    const envContent = fs.readFileSync(path.join(tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #809c6902e5708325 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/Link.vitest.ts:139
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      `
datasource db {
  provider = "postgresql"
  url      = env("DATABASE_URL")
}

model User {
  id    Int    @id @default(autoincrement())
  name  String
}
`,
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6cbc6f8a9f4ce366 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/Link.vitest.ts:198
    fs.writeFileSync(
      path.join(tmpDir, '.env'),
      "DATABASE_URL='postgres://user:[email protected]:5432/postgres'\n",
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7efc1f2f9c339cf3 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/Link.vitest.ts:216
    fs.writeFileSync(
      path.join(tmpDir, '.env'),
      "DATABASE_URL='postgres://user:[email protected]:5432/postgres'\n",
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5551ea8a3f6b8815 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:31
    const content = fs.readFileSync(envPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a5cde255d9b6b034 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:37
    fs.writeFileSync(envPath, 'EXISTING_VAR="hello"\n', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e89be33bcd074d4e Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:47
    const content = fs.readFileSync(envPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0f665f6f349f3667 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:53
    fs.writeFileSync(envPath, 'DATABASE_URL="old-value"\n', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #99ea005a49131769 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:63
    const content = fs.readFileSync(envPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9aa588ce09949e41 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:69
    fs.writeFileSync(envPath, 'DATABASE_URL="old-value"\n', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #28edb18e01444394 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:79
    const content = fs.readFileSync(envPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a8381465df07115c Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:90
    const content = fs.readFileSync(envPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #44d7203657bb08e5 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:101
    fs.writeFileSync(path.join(tmpDir, '.gitignore'), 'node_modules\n.env\n', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d963eba060bee584 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:106
    fs.writeFileSync(path.join(tmpDir, '.gitignore'), '/.env\n', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9f111f37a55ae17f Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:111
    fs.writeFileSync(path.join(tmpDir, '.gitignore'), 'node_modules\ndist\n', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #098616b899732913 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:126
    const envContent = fs.readFileSync(path.join(tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9b8804813c5b3c9f Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:137
    fs.writeFileSync(path.join(tmpDir, '.env'), "DATABASE_URL='postgres://localhost:5432/mydb'\n", 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f82cbdf2d120e63b Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:142
    fs.writeFileSync(
      path.join(tmpDir, '.env'),
      "DATABASE_URL='postgres://user:[email protected]:5432/postgres'\n",
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7453c38653a9d292 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:151
    fs.writeFileSync(
      path.join(tmpDir, '.env'),
      "DATABASE_URL='postgres://user:[email protected]:5432/postgres'\n",
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #26d8f2eea27e01a4 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:160
    fs.writeFileSync(path.join(tmpDir, '.env'), "OTHER_VAR='value'\n", 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fdfa0c73e775e0dc Filesystem access.
repo/packages/cli/src/postgres/link/local-setup.ts:22
    fs.writeFileSync(envPath, lines.join('\n') + '\n', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #878c2bae188900a1 Filesystem access.
repo/packages/cli/src/postgres/link/local-setup.ts:28
  let content = fs.readFileSync(envPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #22bad5f58a7c3335 Filesystem access.
repo/packages/cli/src/postgres/link/local-setup.ts:46
  fs.writeFileSync(envPath, content, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9ce3e7926f53af6d Filesystem access.
repo/packages/cli/src/postgres/link/local-setup.ts:61
  const content = fs.readFileSync(gitignorePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6bdcf59d0fb18158 Filesystem access.
repo/packages/cli/src/postgres/link/local-setup.ts:87
  const parsed = dotenv.parse(fs.readFileSync(envPath, 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #5f7d7abb43221143 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/status-page.ts:156
    const response = await fetch(SUMMARY_API_URL, { signal: AbortSignal.timeout(10_000) })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #15eadb1d8c5e11ef Environment-variable access.
repo/packages/cli/src/utils/checkpoint.ts:37
  if (process.env['CHECKPOINT_DISABLE']) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a5808f76f13a1c93 Environment-variable access.
repo/packages/cli/src/utils/checkpoint.ts:94
      information: args['--telemetry-information'] || process.env.PRISMA_TELEMETRY_INFORMATION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #43aa0a9f7bbc0eaa Filesystem access.
repo/packages/cli/src/utils/commandState.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d52a2e530e6d1f8c Filesystem access.
repo/packages/cli/src/utils/commandState.ts:19
  const data = await fs.promises
    .readFile(filePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #03b595aab039558c Filesystem access.
repo/packages/cli/src/utils/commandState.ts:25
    await fs.promises.writeFile(filePath, JSON.stringify(state))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #52ea1cd1f9b63a89 Filesystem access.
repo/packages/cli/src/utils/getClientVersion.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2b7455faa92186cd Filesystem access.
repo/packages/cli/src/utils/getClientVersion.ts:23
    const pkgJsonString = await fs.promises.readFile(pkgJsonPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #304aab08adf4cfd4 Filesystem access.
repo/packages/cli/src/utils/getClientVersion.ts:47
    const pkgJsonString = await fs.promises.readFile(pkgJsonPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #cab9276fadb5593a Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/utils/nps/capture.ts:11
const posthogCaptureUrl = new URL('https://proxyhog.prisma-data.net/capture')

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #5f52d4d9bb14251c Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/utils/nps/status.ts:14
const npsStatusUrl = new URL('https://pub-833f4cf4b3dc4d17a6db4981affc9fbb.r2.dev/timeframe.json')

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #dc5be218d477138f Filesystem access.
repo/packages/cli/src/utils/nps/survey.ts:5
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c55d5df01db769cf Filesystem access.
repo/packages/cli/src/utils/nps/survey.ts:165
  const data = await fs.promises
    .readFile(getConfigPath(), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #60deed3a4a487bb2 Filesystem access.
repo/packages/cli/src/utils/nps/survey.ts:187
  await fs.promises.writeFile(configPath, JSON.stringify(config))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #311cb3207bc7024f Environment-variable access.
repo/packages/cli/src/utils/printUpdateMessage.ts:8
  const shouldHide = process.env.PRISMA_HIDE_UPDATE_MESSAGE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5f6ac1efdd046cf0 Filesystem access.
repo/packages/cli/src/utils/prompt/utils/isDirEmpty.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b97cf251dc74d4f7 Filesystem access.
repo/packages/client-generator-js/src/generateClient.ts:13
import fs from 'fs/promises'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a18122baccb3e2e7 Filesystem access.
repo/packages/client-generator-js/src/generateClient.ts:378
  await fs.writeFile(schemaTargetPath, datamodel, { encoding: 'utf-8' })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #305ff0495d889bef Filesystem access.
repo/packages/client-generator-js/src/generateClient.ts:393
    await fs.writeFile(path.join(outputDir, `${filename}.wasm`), Buffer.from(wasmBase64, 'base64'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #057b961237f85668 Filesystem access.
repo/packages/client-generator-js/src/generateClient.ts:403
    await fs.writeFile(signalsPath, Date.now().toString())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4e1c97df2f817102 Filesystem access.
repo/packages/client-generator-js/src/generateClient.ts:416
        await fs.writeFile(absolutePath, content)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #da845a160db6d4ea Filesystem access.
repo/packages/client-generator-js/src/generateClient.ts:559
    content = await fs.readFile(path.join(directory, 'package.json'), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ce8876185a492d71 Filesystem access.
repo/packages/client-generator-js/src/generateClient.ts:633
        const content = await fs.readFile(sourcePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #159a8a9f980c5132 Filesystem access.
repo/packages/client-generator-js/src/generateClient.ts:634
        await fs.writeFile(targetPath, addPreamble(content))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ac9c70b797db1f26 Environment-variable access.
repo/packages/client-generator-js/src/generator.ts:80
      copyRuntimeSourceMaps: Boolean(process.env.PRISMA_COPY_RUNTIME_SOURCEMAPS),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a4a964fc9d70dd9d Environment-variable access.
repo/packages/client-generator-ts/src/file-extensions.ts:15
  if (!recommended.includes(extension) && !process.env.PRISMA_DISABLE_WARNINGS) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #687b2a864b86ce4e Filesystem access.
repo/packages/client-generator-ts/src/generateClient.ts:245
        await fs.writeFile(absolutePath, content)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1927f296345181c4 Filesystem access.
repo/packages/client-generator-ts/src/utils/wasm.ts:125
    return fs.readFileSync(bundledLocation)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8807e8ed989bd606 Filesystem access.
repo/packages/client-generator-ts/src/utils/wasm.ts:129
    return fs.readFileSync(sourceLocation)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b17991e32e00f7ac Filesystem access.
repo/packages/client/helpers/build.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #612d8e5c1566abf6 Environment-variable access.
repo/packages/client/helpers/build.ts:31
const shouldMinify = !process.env.DEV && process.env.MINIFY !== 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6be439e4d804315b Filesystem access.
repo/packages/client/helpers/build.ts:178
                  const wasmBuffer = fs.readFileSync(wasmFilePath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b5af2092335ea927 Filesystem access.
repo/packages/client/helpers/build.ts:185
                    fs.writeFileSync(base64FilePath, base64Content)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9e67b08cf53186bb Filesystem access.
repo/packages/client/helpers/build.ts:211
  fs.writeFileSync(path.join(runtimeDir, fileName), 'export * from "./client"\n')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #386efae0833a8502 Environment-variable access.
repo/packages/client/helpers/jestSetup.js:1
process.env.PRISMA_HIDE_PREVIEW_FLAG_WARNINGS = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4429ca627b1122ee Filesystem access.
repo/packages/client/helpers/new-test/new-test.ts:2
import fs from 'fs/promises'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7bc70f42aee8768d Filesystem access.
repo/packages/client/helpers/new-test/new-test.ts:116
  await fs.writeFile(at, template(relImport))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #82326582c61c27f8 Environment-variable access.
repo/packages/client/scripts/colors.js:14
    colors.enabled = process.env.FORCE_COLOR !== '0'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #39f79433ea3e0378 Filesystem access.
repo/packages/client/src/__tests__/benchmarks/huge-schema/builder.ts:3
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #863d214804be4c49 Filesystem access.
repo/packages/client/src/__tests__/benchmarks/huge-schema/builder.ts:10
  fs.writeFileSync(location, data, {})

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3299748cf74b4133 Environment-variable access.
repo/packages/client/src/__tests__/benchmarks/huge-schema/huge-schema.bench.ts:26
if (!process.env.CODSPEED_BENCHMARK) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #24a0d9aa210f145f Filesystem access.
repo/packages/client/src/__tests__/benchmarks/lots-of-relations/builder.ts:1
import fs from 'fs/promises'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5b57885ea2707f1c Filesystem access.
repo/packages/client/src/__tests__/benchmarks/lots-of-relations/builder.ts:39
  await fs.writeFile('schema.prisma', str)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #37d863cf98e8b246 Filesystem access.
repo/packages/client/src/__tests__/benchmarks/query-performance/caching.bench.ts:18
const BENCHMARK_DATAMODEL = fs.readFileSync(path.join(__dirname, 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ed2414ee64f3dc43 Environment-variable access.
repo/packages/client/src/__tests__/benchmarks/query-performance/qc-loader.ts:16
        if (process.env.LOCAL_QC_BUILD_DIRECTORY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4dc22996ea07b519 Environment-variable access.
repo/packages/client/src/__tests__/benchmarks/query-performance/qc-loader.ts:17
          runtimePath = path.join(process.env.LOCAL_QC_BUILD_DIRECTORY, provider, 'query_compiler_fast_bg.js')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #64b3562965c76354 Environment-variable access.
repo/packages/client/src/__tests__/benchmarks/query-performance/qc-loader.ts:25
        if (process.env.LOCAL_QC_BUILD_DIRECTORY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8fc8699d0f91b78b Environment-variable access.
repo/packages/client/src/__tests__/benchmarks/query-performance/qc-loader.ts:26
          const wasmPath = path.join(process.env.LOCAL_QC_BUILD_DIRECTORY, provider, 'query_compiler_fast_bg.wasm')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #81643d4a84c96469 Filesystem access.
repo/packages/client/src/__tests__/benchmarks/query-performance/qc-loader.ts:27
          moduleBytes = await fs.promises.readFile(wasmPath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #528b677e063933c4 Environment-variable access.
repo/packages/client/src/__tests__/benchmarks/query-performance/query-performance.bench.ts:257
  if (process.env.CODSPEED_BENCHMARK) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e98057f31135bcc5 Filesystem access.
repo/packages/client/src/__tests__/dmmfTypes.test.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #12725a84cfcf86e5 Filesystem access.
repo/packages/client/src/__tests__/dmmfTypes.test.ts:33
  fs.writeFileSync(target, file)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #186d54e146a42969 Environment-variable access.
repo/packages/client/src/__tests__/integration/__helpers__/migrateDb.ts:10
  const databaseUrl = process.env.DATABASE_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #88e28e54b8d93e56 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/executeRaw-alter-postgres/test.ts:11
  process.env.DATABASE_URL = process.env.TEST_POSTGRES_URI!.replace('tests', 'tests-execute-raw-alter')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #11cd115402aafa0b Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/executeRaw-alter-postgres/test.ts:12
  await tearDownPostgres(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bbdb57deff2355c3 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/int-errors/test.ts:12
    let connectionString = process.env.TEST_MYSQL_URI

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8ec1b87adae7b429 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/multi-schema/test.ts:18
    process.env.DATABASE_URL = process.env.TEST_POSTGRES_URI!.replace('tests', 'tests-multischema')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7816f6115eb22096 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/multi-schema/test.ts:19
    await tearDownPostgres(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a718fffd5b2fc6d7 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/multi-schema/test.ts:21
      connectionString: process.env.DATABASE_URL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #44e42c8fd116baf1 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/referentialActions-onDelete-default-foreign-key-error-mysql/test.ts:11
    process.env.DATABASE_URL = process.env.TEST_MYSQL_URI!.replace('tests', 'tests-referentialActions-onDelete-default')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9b8e98d69dd830ca Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/referentialActions-onDelete-default-foreign-key-error-mysql/test.ts:12
    await tearDownMysql(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #365aee70bd6a14f3 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/referentialActions-onDelete-default-foreign-key-error-postgresql/test.ts:11
    process.env.DATABASE_URL = process.env.TEST_POSTGRES_URI!.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1ed4af69f29fe970 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/referentialActions-onDelete-default-foreign-key-error-postgresql/test.ts:15
    await tearDownPostgres(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bec5960e8af85219 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/referentialActions-onDelete-default-foreign-key-error-sqlserver/test.ts:10
describeIf(!process.env.TEST_SKIP_MSSQL)('referentialActions-onDelete-default-foreign-key-error(sqlserver)', () => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #813a266713d9ee8d Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/referentialActions-onDelete-default-foreign-key-error-sqlserver/test.ts:12
    if (!process.env.TEST_MSSQL_JDBC_URI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #404f9db448c4630d Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/referentialActions-onDelete-default-foreign-key-error-sqlserver/test.ts:15
    process.env.DATABASE_URL = process.env.TEST_MSSQL_JDBC_URI.replace('master', 'referentialActions-onDelete-default')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #36854cfb95c0ec50 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/wrong-native-types-mysql/test.ts:11
  process.env.DATABASE_URL = process.env.TEST_MYSQL_URI!.replace('tests', 'tests-wrong-native-types')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #596320228e77b403 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/wrong-native-types-mysql/test.ts:12
  await tearDownMysql(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #77acf79673aff0ac Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/wrong-native-types-postgres/test.ts:11
  process.env.DATABASE_URL = process.env.TEST_POSTGRES_URI!.replace('tests', 'tests-wrong-native-types-tests')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b348c8c3e04c612b Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/wrong-native-types-postgres/test.ts:12
  await tearDownPostgres(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b51a0215a7e47724 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/insensitive-postgresql-feature-flag/test.ts:7
  const connectionString = process.env.TEST_POSTGRES_URI!.replace('tests', 'tests-insensitive-postgresql-feature-flag')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b25181ea6f2638b2 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/insensitive-postgresql/test.ts:7
  const connectionString = process.env.TEST_POSTGRES_URI!.replace('tests', 'tests-insensitive-postgresql')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #258c568c27252378 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/json-filtering-mysql/test.ts:13
    process.env.DATABASE_URL = process.env.TEST_MYSQL_URI!.replace('tests', 'tests-json-filtering')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b98d6bdcdf0de91f Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/json-filtering-mysql/test.ts:14
    await tearDownMysql(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fda1e1a880f34a37 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/json-filtering-postgres/test.ts:12
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #09b83fbd6be4fa98 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/json-filtering-postgres/test.ts:19
    process.env.DATABASE_URL = process.env.TEST_POSTGRES_URI!.replace('tests', 'tests-json-filtering')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a289939a5c2d3829 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/json-filtering-postgres/test.ts:20
    await tearDownPostgres(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #504074d96985573b Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/mysql-binary-id/test.ts:8
  process.env.DATABASE_URL = process.env.TEST_MYSQL_URI!.replace('tests', 'tests-mysql-binary-id')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f4015f7105a06229 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/mysql-binary-id/test.ts:9
  await tearDownMysql(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7301893ca06f9aa9 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/native-types-mysql/test.ts:9
  process.env.DATABASE_URL = process.env.TEST_MYSQL_URI!.replace('tests', 'tests-native-types')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #53f4ebfdaae2ddd7 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/native-types-mysql/test.ts:10
  await tearDownMysql(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8bb41ceab9dc549d Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/native-types-postgres/test.ts:9
  process.env.DATABASE_URL = process.env.TEST_POSTGRES_URI!.replace('tests', 'tests-native-types-tests')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #17d8bc354fa6e319 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/native-types-postgres/test.ts:10
  await tearDownPostgres(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1084d56b8829baac Filesystem access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema-mongo/common.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4e4921505b4eea89 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema-mongo/common.ts:6
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f66055d8e44ac75e Filesystem access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema-mongo/common.ts:20
  const generatedTypeScript = fs.readFileSync(path.join(clientDir, './node_modules/.prisma/client/index.d.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9ad47706f2f37152 Filesystem access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema-mongo/common.ts:21
  const generatedBrowserJS = fs.readFileSync(
    path.join(clientDir, './node_modules/.prisma/client/index-browser.js'),
    'utf-8',
  )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4bfc30fc026ec4b7 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema-mongo/dmmf-types.test.ts:8
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f1172dd7094e7765 Filesystem access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema-mongo/dmmf-types.test.ts:17
  const datamodel = fs.readFileSync(path.join(__dirname, 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e69e49a56d45b7e5 Filesystem access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema-mongo/dmmf-types.test.ts:21
  fs.writeFileSync(
    dmmfFile,
    `import type * as DMMF from '@prisma/dmmf'

  const dmmf: DMMF.Document = ${JSON.stringify(dmmf, null, 2)}`,
  )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #53d3a41088b65498 Filesystem access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema/common.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b5041ac5889188af Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema/common.ts:6
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #58b8da2458fcb2b9 Filesystem access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema/common.ts:20
  const generatedTypeScript = fs.readFileSync(path.join(clientDir, './node_modules/.prisma/client/index.d.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #08a71405f344418b Filesystem access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema/common.ts:21
  const generatedBrowserJS = fs.readFileSync(
    path.join(clientDir, './node_modules/.prisma/client/index-browser.js'),
    'utf-8',
  )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e98e548aac1d8f56 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema/dmmf-types.test.ts:8
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #60c350e11d77c2d3 Filesystem access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema/dmmf-types.test.ts:17
  const datamodel = fs.readFileSync(path.join(__dirname, 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8af8dcdd603b0279 Filesystem access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema/dmmf-types.test.ts:21
  fs.writeFileSync(
    dmmfFile,
    `import type * as DMMF from '@prisma/dmmf'

  const dmmf: DMMF.Document = ${JSON.stringify(dmmf, null, 2)}`,
  )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #205af53c57213b8f Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/postgres-json-list/test.ts:8
  process.env.DATABASE_URL = process.env.TEST_POSTGRES_URI!.replace('tests', 'tests-json-postgres')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #835166fb52e08357 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/postgres-json-list/test.ts:9
  await tearDownPostgres(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ab36e7a7d3f01645 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/referentialActions-onDelete-cascade-mysql/test.ts:11
    process.env.DATABASE_URL = process.env.TEST_MYSQL_URI!.replace('tests', 'tests-referentialActions-onDelete-Cascade')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2133c0ba32cf7b75 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/referentialActions-onDelete-cascade-mysql/test.ts:12
    await tearDownMysql(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1999f149a275a69f Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/referentialActions-onDelete-cascade-postgresql/test.ts:11
    process.env.DATABASE_URL = process.env.TEST_POSTGRES_URI!.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7b76b3f26b15c5f7 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/referentialActions-onDelete-cascade-postgresql/test.ts:15
    await tearDownPostgres(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #388c7ffc7088988c Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/referentialActions-onDelete-cascade-sqlserver/test.ts:9
describeIf(!process.env.TEST_SKIP_MSSQL)('referentialActions(sqlserver)', () => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9bd6ca99da869d23 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/referentialActions-onDelete-cascade-sqlserver/test.ts:11
    if (!process.env.TEST_MSSQL_JDBC_URI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ebddf9f6291217f1 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/scalar-list/test.ts:8
  process.env.DATABASE_URL = process.env.TEST_POSTGRES_URI!.replace('tests', 'tests-scalar-list-test')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a9f4bb49514ef2b1 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/scalar-list/test.ts:9
  await tearDownPostgres(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #20270fe6da111999 Filesystem access.
repo/packages/client/src/__tests__/integration/happy/sqlite-variable-limit/test.ts:5
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6d5f3d552876c38d Filesystem access.
repo/packages/client/src/__tests__/integration/happy/transaction/test.ts:3
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #db21fcbcb0f7ee6c Filesystem access.
repo/packages/client/src/__tests__/integration/happy/uncheckedScalarInputs/test.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c6c8d5294d31ed4c Filesystem access.
repo/packages/client/src/__tests__/typeDeclaration.test.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2d341ad2736b5f67 Filesystem access.
repo/packages/client/src/__tests__/typeDeclaration.test.ts:10
      const dtsContents = fs.readFileSync(path.join(runtimeDir, file), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1e8432d7abf5d541 Environment-variable access.
repo/packages/client/src/__tests__/validatePrismaClientOptions.test.ts:15
    globalEngineTypeOverride = process.env.PRISMA_CLIENT_ENGINE_TYPE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9eb721a8bc5d1e17 Environment-variable access.
repo/packages/client/src/__tests__/validatePrismaClientOptions.test.ts:16
    delete process.env.PRISMA_CLIENT_ENGINE_TYPE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #dc01aaed7e75d07b Environment-variable access.
repo/packages/client/src/__tests__/validatePrismaClientOptions.test.ts:21
      process.env.PRISMA_CLIENT_ENGINE_TYPE = globalEngineTypeOverride

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f7235d19744d1e08 Environment-variable access.
repo/packages/client/src/runtime/RequestHandler.ts:171
    if (process.env.PRISMA_CLIENT_GET_TIME) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f3c33ab4aaaafd11 Environment-variable access.
repo/packages/client/src/runtime/core/engines/accelerate/getUrlAndApiKey.ts:52
  if (process.env.TEST_CLIENT_ENGINE_REMOTE_EXECUTOR && url.searchParams.has('use_http')) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #98fcadd4940c96e7 Environment-variable access.
repo/packages/client/src/runtime/getPrismaClient.ts:463
        } else if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #41a13e2c6c69c911 Environment-variable access.
repo/packages/client/src/runtime/getPrismaClient.ts:465
        } else if (process.env.NO_COLOR) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e3c32651c9610679 Filesystem access.
repo/packages/client/src/runtime/utils/SourceFileSlice.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d786f45f29dfb92f Filesystem access.
repo/packages/client/src/runtime/utils/SourceFileSlice.ts:22
      content = fs.readFileSync(filePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0a9d4bf45616dcad Environment-variable access.
repo/packages/client/src/runtime/utils/createErrorMessageWithContext.ts:86
  if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b5feaeefd97214cf Filesystem access.
repo/packages/client/src/utils/setupMSSQL.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d79512505ba10ec2 Filesystem access.
repo/packages/client/src/utils/setupMSSQL.ts:30
  const schema = fs.readFileSync(path.join(dirname, 'setup.sql'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9e851a9d66ad0a29 Filesystem access.
repo/packages/client/src/utils/setupMysql.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9c9e9a9984b7bd21 Filesystem access.
repo/packages/client/src/utils/setupMysql.ts:14
  const schema = fs.readFileSync(path.join(dirname, 'setup.sql'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #07c3dabbe684c48e Filesystem access.
repo/packages/client/src/utils/setupPostgres.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cd6698a2cb78f636 Filesystem access.
repo/packages/client/src/utils/setupPostgres.ts:14
  const schema = fs.readFileSync(path.join(dirname, 'setup.sql'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bcbe1d3a1f94e7ba Environment-variable access.
repo/packages/config/src/__tests__/env.test.ts:6
const originalValue = process.env[VAR_NAME]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #29ebaa6a6970f036 Environment-variable access.
repo/packages/config/src/__tests__/env.test.ts:10
    delete process.env[VAR_NAME]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4c222d0a5a40b1d1 Environment-variable access.
repo/packages/config/src/__tests__/env.test.ts:15
      delete process.env[VAR_NAME]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7f027b0bdbb30601 Environment-variable access.
repo/packages/config/src/__tests__/env.test.ts:17
      process.env[VAR_NAME] = originalValue

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e5c69127dfeec1f1 Environment-variable access.
repo/packages/config/src/__tests__/env.test.ts:22
    process.env[VAR_NAME] = 'postgresql://example'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e2f5a7f477db2dc1 Environment-variable access.
repo/packages/config/src/__tests__/env.test.ts:34
    process.env[VAR_NAME] = ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #551d9c3a5b468e26 Environment-variable access.
repo/packages/config/src/__tests__/fixtures/loadConfigFromFile/datasource-url-undefined/prisma.config.ts:5
    url: process.env['UNDEFINED_VARIABLE'],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #86e5bfbc51f5d15a Filesystem access.
repo/packages/config/src/__tests__/fixtures/loadConfigFromFile/env-load-esm/prisma.config.ts:7
const env = await fs.readFile('.env', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0be6afb5007a2e79 Environment-variable access.
repo/packages/config/src/__tests__/fixtures/loadConfigFromFile/env-load-esm/prisma.config.ts:21
  process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ca402b06d134613f Environment-variable access.
repo/packages/config/src/__tests__/loadConfigFromFile.test.ts:742
      expect(process.env.TEST_CONNECTION_STRING).toBeUndefined()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4aea8dc791e71d96 Environment-variable access.
repo/packages/config/src/__tests__/loadConfigFromFile.test.ts:753
      expect(process.env.TEST_CONNECTION_STRING).toEqual('postgres://test-connection-string-from-env-cjs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b90ef857150a8434 Environment-variable access.
repo/packages/config/src/__tests__/loadConfigFromFile.test.ts:765
      expect(process.env.TEST_CONNECTION_STRING).toEqual('postgres://test-connection-string-from-env-esm')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a1387fae1e141040 Environment-variable access.
repo/packages/config/src/env.ts:15
  const value = process.env[name]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #431ca2c97743f069 Environment-variable access.
repo/packages/config/vitest.setup.ts:13
  process.env['JITI_ALIAS'] = JSON.stringify({

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c2111e16a46dc480 Environment-variable access.
repo/packages/config/vitest.setup.ts:19
  delete process.env['JITI_ALIAS']

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3e816cb4a3bcc947 Filesystem access.
repo/packages/credentials-store/src/index.ts:1
import { chmod, mkdir, readFile, writeFile } from 'fs/promises'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1ed26194122a1001 Environment-variable access.
repo/packages/credentials-store/src/index.ts:31
      process.env.PRISMA_PLATFORM_AUTH_FILE ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3be732271ff2665e Filesystem access.
repo/packages/credentials-store/src/index.ts:38
      const content = await readFile(this.authFilePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9b5f4f8af1a9f3b1 Filesystem access.
repo/packages/credentials-store/src/index.ts:82
    await writeFile(this.authFilePath, JSON.stringify(data, null, 2), { mode: 0o600 })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4fba5caad9d4ebd1 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:13
  delete process.env.DEBUG

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #78633d630604273e Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:14
  delete process.env.DEBUG_COLORS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6f3d98599ffe754f Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:29
  process.env.DEBUG = 'test'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #529b834d280526e8 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:30
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e106da2c3314a7ed Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:43
  process.env.DEBUG = 'test2'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #46368a2d407f1764 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:44
  process.env.FORCE_COLOR = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #27e7c5bd33029782 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:45
  process.env.DEBUG_COLORS = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3bc3c49bbf0fbe3b Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:59
  process.env.DEBUG = 'test3:*:*:*'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8a05ce3f49babb0a Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:60
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d1ecfcfd3d806041 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:73
  process.env.DEBUG = 'test4:*:query-engine:*'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e84e0105636df9b0 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:74
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #db1d8ea3937349f5 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:89
  process.env.DEBUG = 'test5:*:*'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5272b19caa801312 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:90
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1a69b3ca2dcc1136 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:106
  process.env.DEBUG = 'test6:client:*'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d44569dee8e06370 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:107
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1756080fc08b80a8 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:122
  process.env.DEBUG = 'test7:*:*,-test7:*:*:init'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #21a2b35d2cd661f8 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:123
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #133e37c83f2cb951 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:138
  process.env.DEBUG = 'test8:*:*,-test8:*:*:init,-test8:pool:*'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4a2a02534fca7eb5 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:139
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #baf03821fc1c5b3e Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:153
  process.env.DEBUG = 'test9:client'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #45f606d60443998c Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:154
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c1a2cf7e5622eeb2 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:169
  process.env.DEBUG = 'test10:client'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #168b01d9fea5bb18 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:170
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4d960554afa5e8ba Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:195
  process.env.DEBUG = 'test11:client'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #93de80cc3722f4ee Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:196
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #911c42a06cf3be6a Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:210
  process.env.DEBUG = 'test12:client*'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #69f436f4c81852b2 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:211
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #dbee5da99a601a95 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:228
  process.env.DEBUG = 'test13:client*init'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0da40422ff81349f Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:229
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c04b630fcda87d45 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:249
  process.env.DEBUG = 'test14:*:query-engine:*,-*init,*:result'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #acc9ba9fa1a59de0 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:250
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #126fb9e449fab6f6 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:271
  process.env.DEBUG = 'test15:\\w+'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #85448929a151228d Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:272
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e9998c42edf7b2af Environment-variable access.
repo/packages/debug/src/__tests__/env-disabled.test.ts:9
    process.env.DEBUG = ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #dc6d8d147ef225b7 Environment-variable access.
repo/packages/debug/src/__tests__/env-enabled.test.ts:9
    process.env.DEBUG = 'my-namespace'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8015529eace547d8 Environment-variable access.
repo/packages/engines/src/index.ts:26
  const binaryTargets = process.env.PRISMA_CLI_BINARY_TARGETS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #106be0cca9b1b67d Environment-variable access.
repo/packages/engines/src/index.ts:27
    ? (process.env.PRISMA_CLI_BINARY_TARGETS.split(',') as BinaryTarget[])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e55b701203f0543a Filesystem access.
repo/packages/engines/src/scripts/localinstall.ts:5
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5a6cb6617c9fad3b Filesystem access.
repo/packages/engines/src/scripts/postinstall.ts:5
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #acdc18b59588dc1c Filesystem access.
repo/packages/engines/src/scripts/postinstall.ts:16
  if (fs.existsSync(lockFile) && parseInt(fs.readFileSync(lockFile, 'utf-8'), 10) > Date.now() - 20_000) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3d5c758d18e42b94 Environment-variable access.
repo/packages/engines/src/scripts/postinstall.ts:21
    if (process.env.PRISMA_CLI_BINARY_TARGETS) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ed58660cb06c28a1 Environment-variable access.
repo/packages/engines/src/scripts/postinstall.ts:22
      binaryTargets = process.env.PRISMA_CLI_BINARY_TARGETS.split(',')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #458d4b5c79a6d14d Filesystem access.
repo/packages/engines/src/scripts/postinstall.ts:43
  fs.writeFileSync(lockFile, Date.now().toString())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c07c4458e3cc3b85 Environment-variable access.
repo/packages/fetch-engine/src/__tests__/download.test.ts:25
const usesCustomEngines = process.env.PRISMA_SCHEMA_ENGINE_BINARY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e7e08f1de7d24c29 Environment-variable access.
repo/packages/fetch-engine/src/download.ts:119
  if (process.env.BINARY_DOWNLOAD_VERSION) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #25196509b4b23627 Environment-variable access.
repo/packages/fetch-engine/src/download.ts:120
    debug(`process.env.BINARY_DOWNLOAD_VERSION is set to "${process.env.BINARY_DOWNLOAD_VERSION}"`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #40dfc34b6c6eb66d Environment-variable access.
repo/packages/fetch-engine/src/download.ts:121
    opts.version = process.env.BINARY_DOWNLOAD_VERSION

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7cdb889d672b0c23 Filesystem access.
repo/packages/fetch-engine/src/download.ts:274
      const sha256File = await fs.promises.readFile(sha256FilePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b5ea07510afd0ef6 Environment-variable access.
repo/packages/fetch-engine/src/download.ts:295
    } else if (process.env.PRISMA_ENGINES_CHECKSUM_IGNORE_MISSING) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a4647bf7d9ae53f Filesystem access.
repo/packages/fetch-engine/src/download.ts:441
      await fs.promises.writeFile(cachedSha256Path, sha256)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3cf2bad117c72819 Filesystem access.
repo/packages/fetch-engine/src/download.ts:444
      await fs.promises.writeFile(cachedSha256ZippedPath, zippedSha256)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cc209bc991fc4abc Filesystem access.
repo/packages/fetch-engine/src/download.ts:460
    const data = await fs.promises.readFile(file)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #18f652c152afd62a Filesystem access.
repo/packages/fetch-engine/src/download.ts:461
    await fs.promises.writeFile(target, data)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #481bd0f227e37a54 Environment-variable access.
repo/packages/fetch-engine/src/downloadZip.ts:32
      if (!process.env.PRISMA_ENGINES_CHECKSUM_IGNORE_MISSING) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1f81809b9eb36b5f Environment-variable access.
repo/packages/fetch-engine/src/downloadZip.ts:49
    if (process.env.PRISMA_ENGINES_CHECKSUM_IGNORE_MISSING) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #83a698c15234acac Environment-variable access.
repo/packages/fetch-engine/src/env.ts:27
  if (process.env[envVar]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a1d07bb21b83445 Environment-variable access.
repo/packages/fetch-engine/src/env.ts:28
    const envVarPath = path.resolve(process.cwd(), process.env[envVar]!)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3c7a0e6917b556f8 Environment-variable access.
repo/packages/fetch-engine/src/env.ts:31
        `Env var ${bold(envVar)} is provided but provided path ${underline(process.env[envVar]!)} can't be resolved.`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fe0e3a63f0c867fe Environment-variable access.
repo/packages/fetch-engine/src/env.ts:36
        process.env[envVar]!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0a361bd786cfe379 Environment-variable access.
repo/packages/fetch-engine/src/env.ts:52
  if (deprecatedEnvVar && process.env[deprecatedEnvVar]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4ef1d9d726c5b85f Environment-variable access.
repo/packages/fetch-engine/src/env.ts:53
    if (process.env[envVar]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eee13605b121c8b5 Environment-variable access.
repo/packages/fetch-engine/src/getProxyAgent.ts:54
  const noProxy = process.env.NO_PROXY || process.env.no_proxy || ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a46eef0758c1f461 Environment-variable access.
repo/packages/fetch-engine/src/getProxyAgent.ts:70
    const httpProxy = process.env.HTTP_PROXY || process.env.http_proxy || null

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cc5d8af7eb22b2cc Environment-variable access.
repo/packages/fetch-engine/src/getProxyAgent.ts:77
      process.env.HTTPS_PROXY || process.env.https_proxy || process.env.HTTP_PROXY || process.env.http_proxy || null

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #491d05ef3db90f4b Environment-variable access.
repo/packages/fetch-engine/src/utils.ts:18
    if (process.env.APPDATA) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #19249b50b7d6b02a Environment-variable access.
repo/packages/fetch-engine/src/utils.ts:19
      return path.join(process.env.APPDATA, 'Prisma')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #757349aa8ee6abc7 Environment-variable access.
repo/packages/fetch-engine/src/utils.ts:23
  if (process.env.AWS_LAMBDA_FUNCTION_VERSION) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1d26be5ad912c209 Environment-variable access.
repo/packages/fetch-engine/src/utils.ts:31
  return process.env.XDG_CACHE_HOME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e01a33df33255c32 Environment-variable access.
repo/packages/fetch-engine/src/utils.ts:32
    ? path.join(process.env.XDG_CACHE_HOME, 'prisma')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #40b90aa7a308685f Environment-variable access.
repo/packages/fetch-engine/src/utils.ts:68
    process.env.PRISMA_BINARIES_MIRROR || // TODO: remove this

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a4a4fd0c8e83be4b Environment-variable access.
repo/packages/fetch-engine/src/utils.ts:69
    process.env.PRISMA_ENGINES_MIRROR ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e8079e33bf79eda0 Environment-variable access.
repo/packages/get-dmmf/src/index.ts:32
    noColor: Boolean(process.env.NO_COLOR),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #490d49ccbce32812 Environment-variable access.
repo/packages/get-dmmf/src/index.ts:37
    if (process.env.FORCE_PANIC_GET_DMMF) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6e8c5913753dd0f9 Filesystem access.
repo/packages/get-platform/src/getPlatform.ts:3
import fs from 'fs/promises'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #df4f421d9ecad521 Filesystem access.
repo/packages/get-platform/src/getPlatform.ts:232
    const osReleaseInput = await fs.readFile(osReleaseFile, { encoding: 'utf-8' })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ca3cfaf6d0f6d55c Environment-variable access.
repo/packages/get-platform/src/logger.ts:7
  warn: () => !process.env.PRISMA_DISABLE_WARNINGS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9a734501896d2af2 Environment-variable access.
repo/packages/get-platform/src/test-utils/jestSnapshotSerializer.js:37
  if (process.env.TEMP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #52e60bb3f675f3cb Environment-variable access.
repo/packages/get-platform/src/test-utils/jestSnapshotSerializer.js:38
    const escapedPath = process.env.TEMP.replaceAll('\\', '\\\\')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4c957c878683a7f6 Environment-variable access.
repo/packages/get-platform/src/test-utils/vitest-snapshot-serializer.ts:38
  if (process.env.TEMP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b7feb9bcbed7b321 Environment-variable access.
repo/packages/get-platform/src/test-utils/vitest-snapshot-serializer.ts:39
    const escapedPath = process.env.TEMP.replaceAll('\\', '\\\\')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #05c847ceba4599d8 Environment-variable access.
repo/packages/instrumentation/src/ActiveTracingHelper.ts:21
const showAllTraces = process.env.PRISMA_SHOW_ALL_TRACES === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1b191839e4712ef9 Environment-variable access.
repo/packages/integration-tests/src/__tests__/integration/mariadb/__database.ts:35
  const connectionString = process.env.TEST_MARIADB_URI!.replace('tests', ctx.id)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #365ea55757e34371 Environment-variable access.
repo/packages/integration-tests/src/__tests__/integration/mssql/__database.ts:34
  const serviceConnectionString = process.env.TEST_MSSQL_URI!

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #edeeae31164baccb Environment-variable access.
repo/packages/integration-tests/src/__tests__/integration/mysql/__database.ts:34
  const connectionString = process.env.TEST_MYSQL_URI!.replace('tests', ctx.id)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ecd474cb21ac24e3 Environment-variable access.
repo/packages/integration-tests/src/__tests__/integration/postgresql/__database.ts:28
  return process.env.TEST_POSTGRES_URI + `?schema=${ctx.id}&connection_limit=1`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a4b85bfe1aede0f6 Filesystem access.
repo/packages/internals/helpers/build.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #23e73d1d78dd22d8 Filesystem access.
repo/packages/internals/src/WasmSchemaEngineLoader.ts:10
  const schemaEngineWasmFileBytes = await fs.readFile(schemaEngineWasmFilePath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #37801ee20793e01f Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/formatSchema.test.ts:12
if (process.env.CI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #dd14e89c58e08669 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/getConfig.test.ts:64
    process.env.TEST_POSTGRES_URI_FOR_DATASOURCE = 'postgres://user:password@something:5432/db'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5a232b02d960153a Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:13
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #63bb6b380606e087 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:19
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fe9f6a67a24a2dc0 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:21
      process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8c54b19082dff31a Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:26
if (process.env.CI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8d5ee151194e6820 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:41
      delete process.env.NO_COLOR

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ae143fddb072272e Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:42
      process.env.FORCE_COLOR = '0'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #50c2c91f85902df8 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:43
      process.env.CI = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #64a30062ae2a311a Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:83
      process.env.NO_COLOR = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #edb3cd9919bc6a08 Filesystem access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:528
      const file = await fs.promises.readFile(path.join(fixturesPath, 'chinook.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #39441a84ff0b8867 Filesystem access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:537
      const file = await fs.promises.readFile(path.join(fixturesPath, 'odoo.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e9ec1a458897aa2d Filesystem access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:546
      const file = await fs.promises.readFile(path.join(fixturesPath, 'bigschema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4d88e9040e1d7727 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/getEngineVersion.test.ts:9
  testIf(!process.env.PRISMA_SCHEMA_ENGINE_BINARY)('Schema Engine', async () => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7aa885871c037251 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/validate.test.ts:15
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b0e90beea37c9fee Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/validate.test.ts:21
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #587b9207498cb713 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/validate.test.ts:23
      process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #04d9a87e99bc07c7 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/validate.test.ts:29
  testTimeout: process.env.CI ? 60_000 : 10_000,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0141552e05d427ca Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/validate.test.ts:42
      delete process.env.NO_COLOR

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2ac9df08a0f8cd4e Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/validate.test.ts:43
      process.env.FORCE_COLOR = '0'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c5ce2595f064ca99 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/validate.test.ts:44
      process.env.CI = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #98399bca1349c7c1 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/validate.test.ts:85
      process.env.NO_COLOR = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #519143c07c195c40 Environment-variable access.
repo/packages/internals/src/__tests__/getGenerators/getGenerators.test.ts:16
  testTimeout: process.env.CI ? 60_000 : 20_000,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #757d73c0d98b8f91 Environment-variable access.
repo/packages/internals/src/__tests__/getGenerators/getGenerators.test.ts:52
    delete process.env.BINARY_TARGETS_ENV_VAR_TEST

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c83914224e3c9444 Environment-variable access.
repo/packages/internals/src/__tests__/getGenerators/getGenerators.test.ts:212
    process.env.BINARY_TARGETS_ENV_VAR_TEST = '"native"'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cd6415ebd6159708 Environment-variable access.
repo/packages/internals/src/__tests__/getGenerators/getGenerators.test.ts:295
    process.env.BINARY_TARGETS_ENV_VAR_TEST = '["native"]'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #533735c1ce3c5a56 Environment-variable access.
repo/packages/internals/src/__tests__/getGenerators/getGenerators.test.ts:378
    process.env.BINARY_TARGETS_ENV_VAR_TEST =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3613ec9989717b2e Environment-variable access.
repo/packages/internals/src/__tests__/getGenerators/getGenerators.test.ts:477
    process.env.BINARY_TARGETS_ENV_VAR_TEST = '["linux-musl"]'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7cbb6d369345aab3 Environment-variable access.
repo/packages/internals/src/__tests__/getPackedPackage.test.ts:8
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8e535511b6b470a2 Environment-variable access.
repo/packages/internals/src/__tests__/getSchema.test.ts:9
if (process.env.CI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #900889f7712b689b Environment-variable access.
repo/packages/internals/src/__tests__/getSchema.test.ts:15
process.env.npm_config_user_agent = 'yarn/1.22.4 npm/? node/v12.18.3 darwin x64'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c902bc22b849c931 Environment-variable access.
repo/packages/internals/src/__tests__/handlePanic.test.ts:51
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bdb33ae97341e6c7 Environment-variable access.
repo/packages/internals/src/__tests__/handlePanic.test.ts:57
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6b63be90eea118af Environment-variable access.
repo/packages/internals/src/__tests__/handlePanic.test.ts:59
      process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #06d34d62d680e094 Environment-variable access.
repo/packages/internals/src/__tests__/handlePanic.test.ts:76
    process.env.GITHUB_ACTIONS = 'true' // simulate CI environment

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #99b6eba2ffedd8b1 Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:8
if (process.env.CI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c2956d1dd4918bd6 Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:69
  testIf(!process.env.PRISMA_SCHEMA_ENGINE_BINARY)(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #932bbf14c475c9f0 Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:85
    const uri = process.env.TEST_POSTGRES_URI!.replace('tests', 'tests-createDatabase')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #beb74fd03dd4c577 Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:105
    const uri = process.env.TEST_POSTGRES_URI!

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #00b376f743257d3b Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:113
    const uri = process.env.TEST_MYSQL_URI!.replace('tests', 'tests-createDatabase')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #abd4f2413f10b4e8 Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:124
    const uri = process.env.TEST_MYSQL_URI!.replace('tests', 'tests-createDatabase-already-exists')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2881cf46f1f6ff7f Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:136
  testIf(!process.env.TEST_SKIP_MSSQL)('sqlserver - create database', async () => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cf094b6363841be8 Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:137
    if (!process.env.TEST_MSSQL_JDBC_URI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4e6244ce4c458f51 Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:140
    const connectionString = process.env.TEST_MSSQL_JDBC_URI.replace(/database=(.*?);/, 'database=can-create-a-db;')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6f26a886fa5dae5a Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:147
  testIf(!process.env.TEST_SKIP_MSSQL)('sqlserver - database already exists', async () => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3fecb46d6fc29648 Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:148
    if (!process.env.TEST_MSSQL_JDBC_URI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a87534d39ae5cfe3 Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:151
    const connectionString = process.env.TEST_MSSQL_JDBC_URI

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4377efbfaddda2fa Filesystem access.
repo/packages/internals/src/cli/getSchema.ts:10
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #babcf39bb5c69524 Environment-variable access.
repo/packages/internals/src/engine-commands/formatSchema.ts:17
  if (process.env.FORCE_PANIC_PRISMA_SCHEMA) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c752dc20d81cb4c7 Environment-variable access.
repo/packages/internals/src/engine-commands/getConfig.ts:78
        if (process.env.FORCE_PANIC_GET_CONFIG) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c74e45779177881a Environment-variable access.
repo/packages/internals/src/engine-commands/getConfig.ts:172
    if (binaryTarget.fromEnvVar && process.env[binaryTarget.fromEnvVar]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0c0b00e6465c704a Environment-variable access.
repo/packages/internals/src/engine-commands/getConfig.ts:173
      const value = JSON.parse(process.env[binaryTarget.fromEnvVar]!)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5ef4dcb741642641 Filesystem access.
repo/packages/internals/src/engine-commands/queryEngineCommons.ts:4
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #84f7a569c3719313 Environment-variable access.
repo/packages/internals/src/engine-commands/validate.ts:58
        if (process.env.FORCE_PANIC_GET_DMMF) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1413aefe2525edd9 Environment-variable access.
repo/packages/internals/src/engine-commands/validate.ts:65
          noColor: Boolean(process.env.NO_COLOR),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #eccd324959b00b46 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/internals/src/errorReporting.ts:69
  return await fetch(url, {
    method: 'POST',
    agent: getProxyAgent(url),
    body,
    headers: {
      Accept: 'application/json',
      'Content-Type': 'application/json',
    },
  })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #a2e3c356241c9939 Environment-variable access.
repo/packages/internals/src/get-generators/utils/getBinaryPathsByVersion.ts:46
    if (process.env.NETLIFY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #16df43715a22a2d0 Filesystem access.
repo/packages/internals/src/getPackedPackage.ts:2
import fs, { readFileSync } from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2ca166a3a1b41715 Filesystem access.
repo/packages/internals/src/getPackedPackage.ts:16
      const pkgJson = JSON.parse(readFileSync(pkgPath, { encoding: 'utf-8' }))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #048d94a0e6161370 Environment-variable access.
repo/packages/internals/src/logger.ts:10
  warn: () => !process.env.PRISMA_DISABLE_WARNINGS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ed802988c0039cf4 Filesystem access.
repo/packages/internals/src/resolveBinary.ts:5
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #195142bc57446197 Filesystem access.
repo/packages/internals/src/resolveBinary.ts:88
    const data = await fs.promises.readFile(file)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b5d238acbd973a23 Filesystem access.
repo/packages/internals/src/resolveBinary.ts:89
    await fs.promises.writeFile(target, data)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f6852d13e4e0df31 Filesystem access.
repo/packages/internals/src/resolveOutput.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #42ba172a5a425dfd Environment-variable access.
repo/packages/internals/src/schemaEngineCommands.ts:188
          RUST_BACKTRACE: process.env.RUST_BACKTRACE ?? '1',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #63349fa807c3a5df Environment-variable access.
repo/packages/internals/src/schemaEngineCommands.ts:189
          RUST_LOG: process.env.RUST_LOG ?? 'info',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #20501e2fd212b8aa Environment-variable access.
repo/packages/internals/src/utils/__tests__/isCi.test.ts:11
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6f0b8c530b833584 Environment-variable access.
repo/packages/internals/src/utils/__tests__/isCi.test.ts:17
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #62015fe8ee4144f2 Environment-variable access.
repo/packages/internals/src/utils/__tests__/isCi.test.ts:19
      process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e926eedf654b8fb5 Environment-variable access.
repo/packages/internals/src/utils/__tests__/isCi.test.ts:36
      delete process.env.GITHUB_ACTIONS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3c2edacae9818439 Environment-variable access.
repo/packages/internals/src/utils/__tests__/isCi.test.ts:37
      delete process.env.CI

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #dba41a1c4a095d5e Environment-variable access.
repo/packages/internals/src/utils/__tests__/isCi.test.ts:48
      delete process.env.GITHUB_ACTIONS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #95512fd683bcb884 Environment-variable access.
repo/packages/internals/src/utils/__tests__/isCi.test.ts:49
      delete process.env.CI

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #34eb4522746a1828 Environment-variable access.
repo/packages/internals/src/utils/__tests__/isCi.test.ts:54
      process.env.CI = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #03386dd8a2b42ce4 Environment-variable access.
repo/packages/internals/src/utils/__tests__/isCi.test.ts:59
      process.env.GITHUB_ACTIONS = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #07d2d447bff3a0e4 Environment-variable access.
repo/packages/internals/src/utils/__tests__/isInteractive.test.ts:10
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #997a11d6faf971e5 Environment-variable access.
repo/packages/internals/src/utils/__tests__/isInteractive.test.ts:16
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #62a39bd64c6b4d85 Environment-variable access.
repo/packages/internals/src/utils/__tests__/isInteractive.test.ts:18
      process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #34832a81facf0de4 Environment-variable access.
repo/packages/internals/src/utils/__tests__/isInteractive.test.ts:38
      process.env.TERM = 'dumb'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9e26b962f626bce0 Environment-variable access.
repo/packages/internals/src/utils/__tests__/isInteractive.test.ts:50
      process.env.TERM = 'dumb'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5907c0d13e1a5254 Filesystem access.
repo/packages/internals/src/utils/chmodPlusX.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #01ad2c1c70d5b7e1 Filesystem access.
repo/packages/internals/src/utils/fs-functional.ts:4
import fs from 'fs/promises'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #845c65a707fa730e Filesystem access.
repo/packages/internals/src/utils/fs-functional.ts:12
  TE.tryCatch(() => fsUtils.writeFile(params), createTaggedSystemError('fs-write-file', params))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #335c476d87707f80 Filesystem access.
repo/packages/internals/src/utils/fs-utils.ts:1
import fs from 'fs/promises'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a149d63af006a5b3 Filesystem access.
repo/packages/internals/src/utils/fs-utils.ts:21
  return fs.writeFile(path, content, { encoding: 'utf-8' })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3c5df357cc6bc8bd Filesystem access.
repo/packages/internals/src/utils/isCurrentBinInstalledGlobally.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #17edc8fb4b46aecb Environment-variable access.
repo/packages/internals/src/utils/isInContainer.ts:13
      process.env.KUBERNETES_SERVICE_HOST !== undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f45f09a56cc07fb8 Environment-variable access.
repo/packages/internals/src/utils/isInNpmLifecycleHook.ts:5
  return process.env.npm_lifecycle_event !== undefined && process.env.npm_command !== 'run-script'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #16e5704020c68e66 Environment-variable access.
repo/packages/internals/src/utils/isInteractive.ts:9
  return Boolean(stream && stream.isTTY && process.env.TERM !== 'dumb')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #efe608426e154927 Environment-variable access.
repo/packages/internals/src/utils/maybeInGitHook.ts:11
    process.env.GIT_EXEC_PATH !== undefined ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2addaae4c6cb5bc9 Environment-variable access.
repo/packages/internals/src/utils/maybeInGitHook.ts:12
    process.env.GIT_DIR !== undefined ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7e1cda2b2e59ed53 Environment-variable access.
repo/packages/internals/src/utils/maybeInGitHook.ts:13
    process.env.GIT_INDEX_FILE !== undefined ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8c982fc067034eb8 Environment-variable access.
repo/packages/internals/src/utils/maybeInGitHook.ts:14
    process.env.GIT_PREFIX !== undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #534a2b29daaf8096 Environment-variable access.
repo/packages/internals/src/utils/parseAWSNodejsRuntimeEnvVarVersion.ts:2
  const runtimeEnvVar = process.env.AWS_LAMBDA_JS_RUNTIME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8d2d321e603e4a25 Environment-variable access.
repo/packages/internals/src/utils/parseEnvValue.ts:13
    const value = process.env[object.fromEnvVar]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e5c5df3a770e56c6 Environment-variable access.
repo/packages/internals/src/utils/parseEnvValue.ts:39
    const value = process.env[object.fromEnvVar]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0aba9f33a4558ca5 Environment-variable access.
repo/packages/migrate/src/SchemaEngineCLI.ts:514
    if (process.env.FORCE_PANIC_SCHEMA_ENGINE && request.method !== 'getDatabaseVersion') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3653b68d07ef768c Environment-variable access.
repo/packages/migrate/src/SchemaEngineWasm.ts:86
    if (process.env.FORCE_PANIC_SCHEMA_ENGINE && command !== 'debugPanic') return this.debugPanic()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4db553b45f5c6edb Environment-variable access.
repo/packages/migrate/src/__tests__/Baseline.test.ts:20
    process.env.GITHUB_ACTIONS = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #992e377715a4d904 Filesystem access.
repo/packages/migrate/src/__tests__/DbDrop.test.ts:124
    await fs.writeFile(path.join(ctx.configDir(), 'dev.db'), '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3cdd82bdfca0319b Environment-variable access.
repo/packages/migrate/src/__tests__/DbDrop.test.ts:159
    process.env.GITHUB_ACTIONS = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ded5752ddd0e9393 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:37
      fs.writeFileSync('script.sql', '-- noop')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bae08306a6b4ac42 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:85
      fs.writeFileSync('script.js', 'Something for MongoDB')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #07171e64c2313726 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:123
      fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #99cce6d57f4c0cfa Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:131
      fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7b801e56dc27d746 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:139
      fs.writeFileSync(
        'script.sql',
        `-- start a transaction
BEGIN;

${sqlScript}

-- commit changes
COMMIT;`,
      )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6f85f1f8940b94f1 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:156
        fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0a727517e659417a Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:165
        fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #159df76542c094a3 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:174
        fs.writeFileSync('script.sql', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #57b370ecb6acff86 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:185
        fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8c1814f74b7754ee Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:203
        fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3b5ed6b801419445 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:216
      fs.writeFileSync('script.sql', 'DROP TABLE "test-doesnotexists";')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9c0b65394daca441 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:228
      fs.writeFileSync('script.sql', 'ThisisnotSQL,itshouldfail')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e8e9b3ba91fcfc9d Environment-variable access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:239
    const connectionString = process.env.TEST_POSTGRES_URI_MIGRATE!.replace('tests-migrate', 'tests-migrate-db-execute')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #807fcd2e6896879f Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:274
      fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #eee6362d86536e9f Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:282
      fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cdcb0f030292a171 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:290
      fs.writeFileSync(
        'script.sql',
        `-- start a transaction
BEGIN;

${sqlScript}

-- commit changes
COMMIT;`,
      )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3c1116fa892e724b Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:307
      fs.writeFileSync('script.sql', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ec4aa72c10bed408 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:320
      fs.writeFileSync(
        'script.sql',
        `-- Drop & Create & Drop
      DROP DATABASE IF EXISTS "test-dbexecute";
      CREATE DATABASE "test-dbexecute";
      DROP DATABASE "test-dbexecute";`,
      )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e1c87abaaea5c8a9 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:339
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #277ca3ad8d96efe1 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:358
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #da745150d6627846 Environment-variable access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:378
      if (process.env.CI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5355a3f5ae64eb8a Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:382
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3bf2e8af2caf8798 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:403
      fs.writeFileSync('script.sql', 'DROP DATABASE "test-doesnotexists";')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #05d2726b063bd191 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:420
      fs.writeFileSync('script.sql', 'ThisisnotSQLitshouldfail')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5d72620e5b377f45 Environment-variable access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:431
    if (!process.env.TEST_SKIP_COCKROACHDB && !process.env.TEST_COCKROACH_URI_MIGRATE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #768a7d28b695916f Environment-variable access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:436
    const connectionString = (process.env.TEST_COCKROACH_URI_MIGRATE || '').replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #28d520ba9e9f4d9d Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:474
      fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #42fca966456f6848 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:482
      fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0a6df6d93b7f7eb9 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:490
      fs.writeFileSync(
        'script.sql',
        `-- start a transaction
BEGIN;

${sqlScript}

-- commit changes
COMMIT;`,
      )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #673b81e941345b6a Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:507
      fs.writeFileSync('script.sql', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f4e75f53123f3fec Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:518
      fs.writeFileSync(
        'script.sql',
        `-- Drop & Create & Drop
      DROP DATABASE IF EXISTS "test-dbexecute";
      CREATE DATABASE "test-dbexecute";
      DROP DATABASE "test-dbexecute";`,
      )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #05c23517417ee5c7 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:536
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1710605f1a3e390c Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:555
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6dcf20719d91cfa0 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:574
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e1034bbeb52d82df Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:594
      fs.writeFileSync('script.sql', 'ThisisnotSQLitshouldfail')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #76eda9614f56efec Environment-variable access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:608
    const connectionString = process.env.TEST_MYSQL_URI_MIGRATE!.replace('tests-migrate', 'tests-migrate-db-execute')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4c32789e6ae59b7f Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:643
      fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #280d9e343c696185 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:651
      fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6223d66e50a40629 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:660
      fs.writeFileSync('script.sql', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ddb22c8ba250da8c Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:672
      fs.writeFileSync(
        'script.sql',
        `-- start a transaction
START TRANSACTION;

${sqlScript}

-- commit changes
COMMIT;`,
      )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #630ed71bb76e39d6 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:690
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c1078030a01873cb Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:708
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bbe12468e8345c17 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:727
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7d0b221c9ac2df00 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:747
      fs.writeFileSync('script.sql', 'DROP DATABASE `test-doesnotexists`;')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e475f3b1c4fd6607 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:759
      fs.writeFileSync('script.sql', 'This is not SQL, it should fail')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #86c5bb1e76db8cba Environment-variable access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:770
    if (!process.env.TEST_SKIP_MSSQL && !process.env.TEST_MSSQL_JDBC_URI_MIGRATE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4c51caeb5fca8542 Environment-variable access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:774
    const jdbcConnectionString = process.env.TEST_MSSQL_JDBC_URI_MIGRATE?.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c2815f81e34ee52d Environment-variable access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:781
      connectionString: process.env.TEST_MSSQL_URI!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #becc316967fc2530 Environment-variable access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:796
      const shadowDatabaseUrl = process.env.TEST_MSSQL_SHADOWDB_JDBC_URI_MIGRATE?.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #effadfd50f2e78df Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:817
      fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ab043ee4fe703489 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:825
      fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #de56548382c51108 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:833
      fs.writeFileSync('script.sql', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5ea442e1655d3fbb Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:841
      fs.writeFileSync(
        'script.sql',
        `-- start a transaction
BEGIN TRANSACTION;

SELECT 1

-- commit changes
COMMIT;`,
      )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e80043c0dce41a5b Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:860
      fs.writeFileSync(
        'script.sql',
        `-- start a transaction
BEGIN TRANSACTION;

${sqlScript}

-- commit changes
COMMIT;`,
      )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #033f0e27748289d7 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:882
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6d02d41c2144b41c Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:903
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0409677cf0f1e61e Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:922
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #950beb272016c0e3 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:944
      fs.writeFileSync('script.sql', 'DROP DATABASE "test-doesnotexists";')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #dd147da05566123f Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:956
      fs.writeFileSync('script.sql', 'ThisisnotSQLitshouldfail')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3d2b5d19f106cc63 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/cockroachdb.test.ts:8
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #56a264e3af10a6b3 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/cockroachdb.test.ts:16
  if (!process.env.TEST_SKIP_COCKROACHDB && !process.env.TEST_COCKROACH_URI_MIGRATE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f0c5d9fd7679939d Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/cockroachdb.test.ts:19
  const connectionString = process.env.TEST_COCKROACH_URI_MIGRATE!.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4d24905edc4627b7 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/mongodb.test.ts:5
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #41d02ff208da163f Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/mysql.test.ts:9
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #629c99d6506f0ad9 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/mysql.test.ts:17
  const connectionString = process.env.TEST_MYSQL_URI!.replace('tests-migrate', 'tests-migrate-db-pull-mysql')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5242995dfe8cd7a3 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/mysql.test.ts:20
    connectionString: process.env.TEST_MYSQL_URI!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6b7538abdbdff49f Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/postgresql-extensions.test.ts:8
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #559b6acb670a1bd6 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/postgresql-extensions.test.ts:16
  const connectionString = process.env.TEST_POSTGRES_URI_MIGRATE!.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2c9e1c308697af5c Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/postgresql-missing-database.test.ts:5
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4bc34d9b3dfca183 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/postgresql-missing-database.test.ts:13
  const defaultConnectionString = process.env.TEST_POSTGRES_URI_MIGRATE!

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1ab6a447ba5dae68 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/postgresql-multischema.test.ts:8
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b7de1fd8be31adb7 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/postgresql-multischema.test.ts:16
  const connectionString = process.env.TEST_POSTGRES_URI_MIGRATE!.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #89c10c18de048db9 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/postgresql-views.test.ts:10
if (process.env.CI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0fbf413b9c652675 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/postgresql-views.test.ts:19
  const connectionString = process.env.TEST_POSTGRES_URI_MIGRATE!.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3929105099ad5f61 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/postgresql.test.ts:8
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6d7b27232bd70568 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/postgresql.test.ts:16
  const connectionString = process.env.TEST_POSTGRES_URI_MIGRATE!.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7498e1dea58f2fb2 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/schema-folder.test.ts:4
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6cf64e5e0e2fbadd Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlite.test.ts:5
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #04ee1e2ea365a383 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:9
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ef55a3590cdc0806 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:33
  if (!process.env.TEST_SKIP_MSSQL && !process.env.TEST_MSSQL_URI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #789faf4c2b2b9a0b Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:36
  if (!process.env.TEST_SKIP_MSSQL && !process.env.TEST_MSSQL_JDBC_URI_MIGRATE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9251a1598e527470 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:42
    connectionString: process.env.TEST_MSSQL_URI!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4c402d9dc1d75946 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:58
    const url = process.env.TEST_MSSQL_JDBC_URI_MIGRATE!.replace('tests-migrate', databaseName)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8b9c5c8ed24f0687 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:59
    const shadowDatabaseUrl = process.env.TEST_MSSQL_SHADOWDB_JDBC_URI_MIGRATE?.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #70a7291184ef0f71 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:97
  if (process.env.CI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3d4c47b468fcb170 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:104
  if (!process.env.TEST_SKIP_MSSQL && !process.env.TEST_MSSQL_URI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c5889dbeee95ae64 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:107
  if (!process.env.TEST_SKIP_MSSQL && !process.env.TEST_MSSQL_JDBC_URI_MIGRATE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #37794a29094344ac Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:114
    connectionString: process.env.TEST_MSSQL_URI!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2a072288a9171cd5 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:131
    const url = process.env.TEST_MSSQL_JDBC_URI_MIGRATE!.replace('tests-migrate', databaseName)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #32fa5fac93a2386a Environment-variable access.
repo/packages/migrate/src/__tests__/DbPush.test.ts:14
  const inDockerIt = process.env.TEST_NO_DOCKER ? it.skip : it

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b4430dc2432e7509 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPush.test.ts:107
    process.env.GITHUB_ACTIONS = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7ce9dbb729bb7571 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPush.test.ts:227
    process.env.GITHUB_ACTIONS = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5af3c1cbcc3b5088 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPush.test.ts:273
  const connectionString = process.env.TEST_POSTGRES_URI_MIGRATE!.replace('tests-migrate', 'tests-migrate-db-push')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #65d9e1e7f74504e1 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPush.test.ts:338
  const connectionString = process.env.TEST_POSTGRES_URI_MIGRATE!.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9c10a1321c9a0bff Environment-variable access.
repo/packages/migrate/src/__tests__/DbPush.test.ts:388
  if (!process.env.TEST_SKIP_MONGODB && !process.env.TEST_MONGO_URI_MIGRATE_EXISTING_DB) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #47cca89a20b41fdc Environment-variable access.
repo/packages/migrate/src/__tests__/DbPush.test.ts:392
    connectionString: process.env.TEST_MONGO_URI_MIGRATE_EXISTING_DB!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ccb08da44e1c0ff9 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDeploy.test.ts:179
  const connectionString = process.env.TEST_POSTGRES_URI_MIGRATE!.replace('tests-migrate', 'tests-migrate-deploy')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2a6b92843e935a00 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDev.test.ts:32
  process.env.GITHUB_ACTIONS = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b684d7a6fe32f63c Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDev.test.ts:834
  const connectionString = process.env.TEST_POSTGRES_URI_MIGRATE!.replace('tests-migrate', 'tests-migrate-dev')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5a0bea2cba33a749 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDev.test.ts:1181
  testIf(!process.env.CI || process.platform !== 'darwin')('external tables', async () => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e58bf7cef0dc699c Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDev.test.ts:1246
  if (!process.env.TEST_SKIP_COCKROACHDB && !process.env.TEST_COCKROACH_URI_MIGRATE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a5133d5f27a3d365 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDev.test.ts:1249
  const connectionString = process.env.TEST_COCKROACH_URI_MIGRATE!.replace('tests-migrate', 'tests-migrate-dev')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #08437041280ac9c7 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDev.test.ts:1414
  const connectionString = process.env.TEST_MYSQL_URI_MIGRATE!.replace('tests-migrate', 'tests-migrate-dev')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #16d6ad8b7a7f0502 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDev.test.ts:1601
  if (process.env.CI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #af79467a0880c3bd Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDev.test.ts:1610
    connectionString: process.env.TEST_MSSQL_URI!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #44803af5a6bf54c6 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDev.test.ts:1625
    const url = process.env.TEST_MSSQL_JDBC_URI_MIGRATE!.replace('tests-migrate', databaseName)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7ca489e0efeba8b9 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDev.test.ts:1626
    const shadowDatabaseUrl = process.env.TEST_MSSQL_SHADOWDB_JDBC_URI_MIGRATE?.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ee4e780e474ddd37 Filesystem access.
repo/packages/migrate/src/__tests__/MigrateDiff.test.ts:490
        await fs.writeFile(path.join(ctx.configDir(), 'dev.db'), '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bdfb63e66a71186e Filesystem access.
repo/packages/migrate/src/__tests__/MigrateDiff.test.ts:508
        await fs.writeFile(path.join(ctx.configDir(), 'dev.db'), '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #623afbc7be25e4d0 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDiff.test.ts:693
    if (!process.env.TEST_SKIP_COCKROACHDB && !process.env.TEST_COCKROACH_URI_MIGRATE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7d6fc92eca740eb9 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDiff.test.ts:696
    const connectionString = process.env.TEST_COCKROACH_URI_MIGRATE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f5c3b657cf6b4534 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDiff.test.ts:745
    const connectionString = process.env.TEST_POSTGRES_URI_MIGRATE!

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #405ace66b57f897c Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDiff.test.ts:804
    const connectionString = process.env.TEST_MYSQL_URI_MIGRATE!

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cc4cf0ba0501c13d Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDiff.test.ts:854
    if (!process.env.TEST_SKIP_MSSQL && !process.env.TEST_MSSQL_JDBC_URI_MIGRATE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1130c6f5498806f3 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDiff.test.ts:858
    const jdbcConnectionString = process.env.TEST_MSSQL_JDBC_URI_MIGRATE!

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e7d047257905ffa3 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDiff.test.ts:861
      connectionString: process.env.TEST_MSSQL_URI!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a6c9e20fa3110c84 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDiff.test.ts:876
      const shadowDatabaseUrl = process.env.TEST_MSSQL_SHADOWDB_JDBC_URI_MIGRATE?.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ce8255192e2e30b8 Environment-variable access.
repo/packages/migrate/src/__tests__/__helpers__/conditionalTests.ts:90
  if (matrix.providers.cockroachdb && process.env.TEST_SKIP_COCKROACHDB) return skip(name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d3a78d29815a1358 Environment-variable access.
repo/packages/migrate/src/__tests__/__helpers__/conditionalTests.ts:91
  if (matrix.providers.sqlserver && process.env.TEST_SKIP_MSSQL) return skip(name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #540a28748e41554c Environment-variable access.
repo/packages/migrate/src/__tests__/__helpers__/conditionalTests.ts:92
  if (matrix.providers.mongodb && process.env.TEST_SKIP_MONGODB) return skip(name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2b42b685a736feff Environment-variable access.
repo/packages/migrate/src/__tests__/handlePanic.introspect.test.ts:11
    process.env.FORCE_PANIC_SCHEMA_ENGINE = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #da67f69170e1a0a0 Environment-variable access.
repo/packages/migrate/src/__tests__/handlePanic.migrate.test.ts:17
    process.env.FORCE_PANIC_SCHEMA_ENGINE = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #04fd7f874e0668ad Filesystem access.
repo/packages/migrate/src/__tests__/introspection/introspection.test.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e25591603d15f3a2 Filesystem access.
repo/packages/migrate/src/__tests__/introspection/introspection.test.ts:14
  const schemaContent = await fs.promises.readFile(schemaPath, { encoding: 'utf-8' })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #dfd636a84304aacb Environment-variable access.
repo/packages/migrate/src/__tests__/rpc.test.ts:502
        url: process.env.TEST_POSTGRES_URI!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #94de0760635b9df3 Environment-variable access.
repo/packages/migrate/src/__tests__/setup.ts:7
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e2bad919a744c3d5 Environment-variable access.
repo/packages/migrate/src/__tests__/setup.ts:13
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cd8ce4e88e9a8c44 Environment-variable access.
repo/packages/migrate/src/__tests__/setup.ts:15
      process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #258e89bdf9c0ce95 Environment-variable access.
repo/packages/migrate/src/__tests__/setup.ts:24
  process.env.CI = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ccfaf84054d20fdc Filesystem access.
repo/packages/migrate/src/commands/DbExecute.ts:14
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ff6ff34e2a74c9bd Filesystem access.
repo/packages/migrate/src/commands/DbExecute.ts:118
        script = fs.readFileSync(path.resolve(args['--file']), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd2b2db1b946725b Environment-variable access.
repo/packages/migrate/src/utils/ai-safety.ts:42
  if (process.env[userConsentEnvVar]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7ccff10f1a159306 Environment-variable access.
repo/packages/migrate/src/utils/ai-safety.ts:52
    'Claude Code': process.env.CLAUDECODE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #32bb5ec453468f75 Environment-variable access.
repo/packages/migrate/src/utils/ai-safety.ts:53
    'Gemini CLI or Qwen Code': process.env.GEMINI_CLI,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0dc5fb820c2c143e Environment-variable access.
repo/packages/migrate/src/utils/ai-safety.ts:54
    Cursor: process.env.CURSOR_AGENT,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0dc22549f47ea2ef Environment-variable access.
repo/packages/migrate/src/utils/ai-safety.ts:55
    Aider: process.env.OR_APP_NAME === 'Aider',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a66472e66fb62978 Environment-variable access.
repo/packages/migrate/src/utils/ai-safety.ts:56
    Replit: process.env.REPLIT_CLI,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cbcc5c9b6ecea5cf Environment-variable access.
repo/packages/migrate/src/utils/ai-safety.ts:57
    'Codex CLI': process.env.CODEX_SANDBOX === 'seatbelt',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e536938bed69bc8f Filesystem access.
repo/packages/migrate/src/utils/createMigration.ts:36
  await fs.promises.writeFile(path.join(baseDir, migrationName, `migration.${extension}`), script, {
    encoding: 'utf-8',
  })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #926a6dab130fb191 Filesystem access.
repo/packages/migrate/src/utils/createMigration.ts:52
  await fs.promises.writeFile(path.join(baseDir, lockfile.path), lockfileContent, { encoding: 'utf-8' })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1763fe90c742392b Filesystem access.
repo/packages/migrate/src/utils/listMigrations.ts:21
  const lockfileContent = await fs
    .readFile(path.join(migrationsDirectoryPath, lockfileName), { encoding: 'utf-8' })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #361c6fd6f090a58c Filesystem access.
repo/packages/migrate/src/utils/listMigrations.ts:56
    const migrationFileContent = await fs
      .readFile(path.join(migrationPath, migrationFileName), { encoding: 'utf-8' })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bd8e943db868bfdb Filesystem access.
repo/packages/migrate/src/utils/saveSchemaFiles.ts:6
  await Promise.all(schemas.files.map((file) => fs.writeFile(file.path, file.content, 'utf8')))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9fdb24d601d31f16 Filesystem access.
repo/packages/migrate/src/utils/setupCockroach.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bb65da1d3e72d6d5 Filesystem access.
repo/packages/migrate/src/utils/setupCockroach.ts:28
    await db.query(fs.readFileSync(path.join(dirname, 'setup.sql'), 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a6ee4056c29a8c53 Filesystem access.
repo/packages/migrate/src/utils/setupMSSQL.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #58c495565990d08a Filesystem access.
repo/packages/migrate/src/utils/setupMSSQL.ts:46
    schema += fs.readFileSync(path.join(dirname, 'setup.sql'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7be2cf6a8b51cf8e Filesystem access.
repo/packages/migrate/src/utils/setupMysql.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #23c0b17f10428233 Filesystem access.
repo/packages/migrate/src/utils/setupMysql.ts:42
    await db.query(fs.readFileSync(path.join(dirname, 'setup.sql'), 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5c462208e65af587 Filesystem access.
repo/packages/migrate/src/utils/setupPostgres.ts:29
    const migrationScript = await fs.readFile(path.join(dirname, 'setup.sql'), { encoding: 'utf-8' })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #39a05ec60646b792 Environment-variable access.
repo/packages/migrate/src/utils/test-SchemaEngineCommands.ts:12
  const result = await canConnectToDatabase(process.env.TEST_CONNECTION_STRING!)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #446c3b0229488144 Environment-variable access.
repo/packages/query-plan-executor/examples/server.ts:12
  const databaseUrl = process.env.TEST_POSTGRES_URI

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #deeaab9c4d51d5e8 Filesystem access.
repo/packages/schema-files-loader/src/resolver/realFsResolver.ts:26
    return fs.readFile(path, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #24aa0a72a479cdbe Filesystem access.
repo/packages/schema-files-loader/src/testUtils.ts:16
  return [filePath, fs.readFileSync(filePath, 'utf8')]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3cb54136824976a1 Environment-variable access.
repo/packages/type-benchmark-tests/huge-schema/prisma.config.ts:5
    url: process.env.DATABASE_URL!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a20338ea80460c22 Environment-variable access.
repo/packages/type-benchmark-tests/lots-of-relations/prisma.config.ts:5
    url: process.env.DATABASE_URL!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dac48f9676dd29cc Environment-variable access.
repo/sandbox/basic-postgres/index.ts:6
  const prisma = new PrismaClient({ adapter: new PrismaPg({ connectionString: process.env.TEST_POSTGRES_URI }) })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9b47d2904b632fd2 Environment-variable access.
repo/sandbox/driver-adapters/src/neon.http.ts:5
  const connectionString = `${process.env.JS_NEON_DATABASE_URL as string}`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a23afda4a92ed044 Environment-variable access.
repo/sandbox/driver-adapters/src/neon.ws.ts:12
  const connectionString = `${process.env.JS_NEON_DATABASE_URL as string}`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #196bb4e541fdcf83 Environment-variable access.
repo/sandbox/driver-adapters/src/pg.ts:6
  const connectionString = `${process.env.JS_PG_DATABASE_URL as string}`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5cc48e0bbda7c259 Environment-variable access.
repo/sandbox/driver-adapters/src/planetscale.ts:5
  const connectionString = `${process.env.JS_PLANETSCALE_DATABASE_URL}`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #21f7891766660df5 Environment-variable access.
repo/sandbox/driver-adapters/src/ppg.ts:5
  const connectionString = `${process.env.JS_PPG_DATABASE_URL as string}`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bd83955fa2a25236 Environment-variable access.
repo/sandbox/studio/prisma.config.ts:12
if (process.env.PROVIDER === 'postgres') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #022f1f611320c5d7 Filesystem access.
repo/sandbox/studio/prisma.config.ts:15
  const sql = await readFile(join(__dirname, 'postgres.sql'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #61acc104da7c9cf4 Environment-variable access.
repo/sandbox/studio/prisma.config.ts:17
  const pool = postgres(process.env.DATABASE_URL_POSTGRES!, { max: 1 })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #82f28c7c39b25991 Environment-variable access.
repo/sandbox/studio/prisma.config.ts:22
if (process.env.PROVIDER === 'mysql') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #732b62f4ef9507db Filesystem access.
repo/sandbox/studio/prisma.config.ts:25
  const sql = await readFile(join(__dirname, 'mysql.sql'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9a0a48f0c4b0748f Environment-variable access.
repo/sandbox/studio/prisma.config.ts:29
    uri: process.env.DATABASE_URL_MYSQL!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2635759a966b4fcc Environment-variable access.
repo/sandbox/studio/prisma.config.ts:35
if (process.env.PROVIDER === 'sqlite') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4fe3250fd764f5f5 Filesystem access.
repo/sandbox/studio/prisma.config.ts:57
  const sql = await readFile(join(__dirname, 'sqlite.sql'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #79417a7b1116eb43 Environment-variable access.
repo/sandbox/studio/prisma.config.ts:70
        const url = new URL(process.env.DATABASE_URL_MYSQL!)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #06e03a186450c627 Environment-variable access.
repo/sandbox/studio/prisma.config.ts:74
      postgres: () => process.env.DATABASE_URL_POSTGRES!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7d4e149eccba1476 Environment-variable access.
repo/sandbox/studio/prisma.config.ts:76
    }[process.env.PROVIDER || 'postgres'](),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ce4e4d5a76c45f27 Environment-variable access.
repo/scripts/ci/publish.ts:15
const onlyPackages = process.env.ONLY_PACKAGES ? process.env.ONLY_PACKAGES.split(',') : null

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ec70d6c6b2da73f3 Environment-variable access.
repo/scripts/ci/publish.ts:16
const skipPackages = process.env.SKIP_PACKAGES ? process.env.SKIP_PACKAGES.split(',') : null

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3588e2226b1cd392 Environment-variable access.
repo/scripts/ci/publish.ts:19
  if (process.env.GITHUB_CONTEXT) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a9b0a2cb24fae4a4 Environment-variable access.
repo/scripts/ci/publish.ts:20
    const context = JSON.parse(process.env.GITHUB_CONTEXT)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7a3b762ec158bbb3 Filesystem access.
repo/scripts/ci/publish.ts:94
      packageJson: JSON.parse(await fs.promises.readFile(p, 'utf-8')),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a60bdf80109f6722 Environment-variable access.
repo/scripts/ci/publish.ts:468
  if (!process.env.GITHUB_REF_NAME) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7801a5878844001e Environment-variable access.
repo/scripts/ci/publish.ts:472
  if (process.env.DRY_RUN === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f9562db9039aa0be Environment-variable access.
repo/scripts/ci/publish.ts:479
  if (args['--publish'] && process.env.RELEASE_VERSION) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2d8cb1fb19e28818 Environment-variable access.
repo/scripts/ci/publish.ts:484
    console.log(`Setting --release to RELEASE_VERSION = ${process.env.RELEASE_VERSION}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f90e1cd96b44fb5e Environment-variable access.
repo/scripts/ci/publish.ts:485
    args['--release'] = process.env.RELEASE_VERSION

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ec4c3fd680e988ef Environment-variable access.
repo/scripts/ci/publish.ts:490
  if (process.env.CUSTOM_DIST_TAG) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #72792f2127818c1b Environment-variable access.
repo/scripts/ci/publish.ts:491
    args['--custom-dist-tag'] = process.env.CUSTOM_DIST_TAG

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #148641c5aebb641b Environment-variable access.
repo/scripts/ci/publish.ts:538
  if (branch && (process.env.FORCE_INTEGRATION_RELEASE === 'true' || branch.startsWith('integration/'))) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #58b27771b8655eaf Environment-variable access.
repo/scripts/ci/publish.ts:573
  if (typeof process.env.GITHUB_OUTPUT == 'string' && process.env.GITHUB_OUTPUT.length > 0) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0de9a8ac0a402fa3 Environment-variable access.
repo/scripts/ci/publish.ts:574
    fs.appendFileSync(process.env.GITHUB_OUTPUT, `patchBranch=${patchBranch}\n`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0594ccec850bd565 Environment-variable access.
repo/scripts/ci/publish.ts:575
    fs.appendFileSync(process.env.GITHUB_OUTPUT, `tag=${tag}\n`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eaa55d58ec870e47 Environment-variable access.
repo/scripts/ci/publish.ts:576
    fs.appendFileSync(process.env.GITHUB_OUTPUT, `tagForEcosystemTestsCheck=${tagForEcosystemTestsCheck}\n`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1378e854caeef676 Environment-variable access.
repo/scripts/ci/publish.ts:577
    fs.appendFileSync(process.env.GITHUB_OUTPUT, `prismaVersion=${prismaVersion}\n`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8f71d0e2d280ddef Environment-variable access.
repo/scripts/ci/publish.ts:595
      if (!passing && process.env.SKIP_ECOSYSTEMTESTS_CHECK !== 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #97c4944a7ff9e7d1 Environment-variable access.
repo/scripts/ci/publish.ts:617
    if (typeof process.env.GITHUB_OUTPUT == 'string' && process.env.GITHUB_OUTPUT.length > 0) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6f72213bd50a95b6 Environment-variable access.
repo/scripts/ci/publish.ts:618
      fs.appendFileSync(process.env.GITHUB_OUTPUT, `enginesCommitHash=${enginesCommitHash}\n`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f57a4b3a3122c296 Environment-variable access.
repo/scripts/ci/publish.ts:619
      fs.appendFileSync(process.env.GITHUB_OUTPUT, `prismaCommitHash=${prismaCommitHash}\n`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fbf1119c825f642b Filesystem access.
repo/scripts/ci/publish.ts:836
  const file = await fs.promises.readFile(pkgJsonPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0c2692a33561c431 Filesystem access.
repo/scripts/ci/publish.ts:845
    await fs.promises.writeFile(pkgJsonPath, JSON.stringify(packageJson, null, 2))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #734181e573d28af8 Filesystem access.
repo/scripts/ci/publish.ts:851
  const file = await fs.promises.readFile(pkgJsonPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f5b6507cc31c2ad1 Filesystem access.
repo/scripts/ci/publish.ts:857
    await fs.promises.writeFile(pkgJsonPath, JSON.stringify(packageJson, null, 2))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9ea61b843f68460a Environment-variable access.
repo/scripts/ci/publish.ts:862
  if (process.env.GITHUB_REF_NAME) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b4b3acda06d1e543 Environment-variable access.
repo/scripts/ci/publish.ts:863
    return process.env.GITHUB_REF_NAME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f872802e5955495c Environment-variable access.
repo/scripts/ci/publish.ts:887
  if (process.env.GITHUB_REF_NAME) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c28ffda718a3be98 Environment-variable access.
repo/scripts/ci/publish.ts:888
    const versions = getSemverFromPatchBranch(process.env.GITHUB_REF_NAME)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3e3fa0692b7679fd Environment-variable access.
repo/scripts/ci/publish.ts:892
      return process.env.GITHUB_REF_NAME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #347b2f6ec8472163 Environment-variable access.
repo/scripts/ci/publish.ts:913
  const webhook = new IncomingWebhook(process.env.SLACK_RELEASE_FEED_WEBHOOK!)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1bd5fb9d9017d2e6 Filesystem access.
repo/scripts/graph-dependencies.ts:1
import { readdirSync, statSync } from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #62b3e34e992fbafc Environment-variable access.
repo/scripts/only-allow-pnpm.js:6
  if (!process.env.npm_config_user_agent) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7004e86e9735e13c Environment-variable access.
repo/scripts/only-allow-pnpm.js:9
  return pmFromUserAgent(process.env.npm_config_user_agent)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #145f58f117aebd25 Environment-variable access.
repo/scripts/run-studio.ts:20
  const url = process.env.STUDIO_DATABASE_URL ?? process.argv[2]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #22e2aff67071a63c Environment-variable access.
repo/scripts/run-studio.ts:21
  const port = process.env.STUDIO_PORT ?? process.argv[3] ?? '5555'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #84dcbf3e2a804056 Environment-variable access.
repo/scripts/run-studio.ts:22
  const browser = process.env.STUDIO_BROWSER ?? process.argv[4] ?? 'none'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/fetch-engine

medium pii_flow production #ddbd7f940141ece1 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/packages/fetch-engine/src/download.ts:125 · flow /tmp/closeopen-17zukif3/repo/packages/fetch-engine/src/download.ts:121 → /tmp/closeopen-17zukif3/repo/packages/fetch-engine/src/download.ts:125
    console.log(`version: ${opts.version}`)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

33 low-confidence finding(s)
low env_fs test-only #c07c4458e3cc3b85 Environment-variable access.
repo/packages/fetch-engine/src/__tests__/download.test.ts:25
const usesCustomEngines = process.env.PRISMA_SCHEMA_ENGINE_BINARY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e7e08f1de7d24c29 Environment-variable access.
repo/packages/fetch-engine/src/download.ts:119
  if (process.env.BINARY_DOWNLOAD_VERSION) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #25196509b4b23627 Environment-variable access.
repo/packages/fetch-engine/src/download.ts:120
    debug(`process.env.BINARY_DOWNLOAD_VERSION is set to "${process.env.BINARY_DOWNLOAD_VERSION}"`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #40dfc34b6c6eb66d Environment-variable access.
repo/packages/fetch-engine/src/download.ts:121
    opts.version = process.env.BINARY_DOWNLOAD_VERSION

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7cdb889d672b0c23 Filesystem access.
repo/packages/fetch-engine/src/download.ts:274
      const sha256File = await fs.promises.readFile(sha256FilePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b5ea07510afd0ef6 Environment-variable access.
repo/packages/fetch-engine/src/download.ts:295
    } else if (process.env.PRISMA_ENGINES_CHECKSUM_IGNORE_MISSING) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a4647bf7d9ae53f Filesystem access.
repo/packages/fetch-engine/src/download.ts:441
      await fs.promises.writeFile(cachedSha256Path, sha256)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3cf2bad117c72819 Filesystem access.
repo/packages/fetch-engine/src/download.ts:444
      await fs.promises.writeFile(cachedSha256ZippedPath, zippedSha256)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cc209bc991fc4abc Filesystem access.
repo/packages/fetch-engine/src/download.ts:460
    const data = await fs.promises.readFile(file)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #18f652c152afd62a Filesystem access.
repo/packages/fetch-engine/src/download.ts:461
    await fs.promises.writeFile(target, data)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #481bd0f227e37a54 Environment-variable access.
repo/packages/fetch-engine/src/downloadZip.ts:32
      if (!process.env.PRISMA_ENGINES_CHECKSUM_IGNORE_MISSING) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1f81809b9eb36b5f Environment-variable access.
repo/packages/fetch-engine/src/downloadZip.ts:49
    if (process.env.PRISMA_ENGINES_CHECKSUM_IGNORE_MISSING) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #83a698c15234acac Environment-variable access.
repo/packages/fetch-engine/src/env.ts:27
  if (process.env[envVar]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a1d07bb21b83445 Environment-variable access.
repo/packages/fetch-engine/src/env.ts:28
    const envVarPath = path.resolve(process.cwd(), process.env[envVar]!)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3c7a0e6917b556f8 Environment-variable access.
repo/packages/fetch-engine/src/env.ts:31
        `Env var ${bold(envVar)} is provided but provided path ${underline(process.env[envVar]!)} can't be resolved.`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fe0e3a63f0c867fe Environment-variable access.
repo/packages/fetch-engine/src/env.ts:36
        process.env[envVar]!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0a361bd786cfe379 Environment-variable access.
repo/packages/fetch-engine/src/env.ts:52
  if (deprecatedEnvVar && process.env[deprecatedEnvVar]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4ef1d9d726c5b85f Environment-variable access.
repo/packages/fetch-engine/src/env.ts:53
    if (process.env[envVar]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eee13605b121c8b5 Environment-variable access.
repo/packages/fetch-engine/src/getProxyAgent.ts:54
  const noProxy = process.env.NO_PROXY || process.env.no_proxy || ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a46eef0758c1f461 Environment-variable access.
repo/packages/fetch-engine/src/getProxyAgent.ts:70
    const httpProxy = process.env.HTTP_PROXY || process.env.http_proxy || null

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cc5d8af7eb22b2cc Environment-variable access.
repo/packages/fetch-engine/src/getProxyAgent.ts:77
      process.env.HTTPS_PROXY || process.env.https_proxy || process.env.HTTP_PROXY || process.env.http_proxy || null

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #491d05ef3db90f4b Environment-variable access.
repo/packages/fetch-engine/src/utils.ts:18
    if (process.env.APPDATA) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #19249b50b7d6b02a Environment-variable access.
repo/packages/fetch-engine/src/utils.ts:19
      return path.join(process.env.APPDATA, 'Prisma')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #757349aa8ee6abc7 Environment-variable access.
repo/packages/fetch-engine/src/utils.ts:23
  if (process.env.AWS_LAMBDA_FUNCTION_VERSION) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1d26be5ad912c209 Environment-variable access.
repo/packages/fetch-engine/src/utils.ts:31
  return process.env.XDG_CACHE_HOME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e01a33df33255c32 Environment-variable access.
repo/packages/fetch-engine/src/utils.ts:32
    ? path.join(process.env.XDG_CACHE_HOME, 'prisma')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #40b90aa7a308685f Environment-variable access.
repo/packages/fetch-engine/src/utils.ts:68
    process.env.PRISMA_BINARIES_MIRROR || // TODO: remove this

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a4a4fd0c8e83be4b Environment-variable access.
repo/packages/fetch-engine/src/utils.ts:69
    process.env.PRISMA_ENGINES_MIRROR ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/internals

medium pii_flow production #eeabe5d665af5ed7 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/packages/internals/src/utils/parseAWSNodejsRuntimeEnvVarVersion.ts:12 · flow /tmp/closeopen-17zukif3/repo/packages/internals/src/utils/parseAWSNodejsRuntimeEnvVarVersion.ts:2 → /tmp/closeopen-17zukif3/repo/packages/internals/src/utils/parseAWSNodejsRuntimeEnvVarVersion.ts:12
    console.error(
      `We could not parse the AWS_LAMBDA_JS_RUNTIME env var with the following value: ${runtimeEnvVar}. This was silently ignored.`,
    )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

99 low-confidence finding(s)
low env_fs production #a4b85bfe1aede0f6 Filesystem access.
repo/packages/internals/helpers/build.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #23e73d1d78dd22d8 Filesystem access.
repo/packages/internals/src/WasmSchemaEngineLoader.ts:10
  const schemaEngineWasmFileBytes = await fs.readFile(schemaEngineWasmFilePath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #37801ee20793e01f Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/formatSchema.test.ts:12
if (process.env.CI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #dd14e89c58e08669 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/getConfig.test.ts:64
    process.env.TEST_POSTGRES_URI_FOR_DATASOURCE = 'postgres://user:password@something:5432/db'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5a232b02d960153a Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:13
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #63bb6b380606e087 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:19
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fe9f6a67a24a2dc0 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:21
      process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8c54b19082dff31a Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:26
if (process.env.CI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8d5ee151194e6820 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:41
      delete process.env.NO_COLOR

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ae143fddb072272e Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:42
      process.env.FORCE_COLOR = '0'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #50c2c91f85902df8 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:43
      process.env.CI = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #64a30062ae2a311a Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:83
      process.env.NO_COLOR = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #edb3cd9919bc6a08 Filesystem access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:528
      const file = await fs.promises.readFile(path.join(fixturesPath, 'chinook.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #39441a84ff0b8867 Filesystem access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:537
      const file = await fs.promises.readFile(path.join(fixturesPath, 'odoo.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e9ec1a458897aa2d Filesystem access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:546
      const file = await fs.promises.readFile(path.join(fixturesPath, 'bigschema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4d88e9040e1d7727 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/getEngineVersion.test.ts:9
  testIf(!process.env.PRISMA_SCHEMA_ENGINE_BINARY)('Schema Engine', async () => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7aa885871c037251 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/validate.test.ts:15
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b0e90beea37c9fee Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/validate.test.ts:21
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #587b9207498cb713 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/validate.test.ts:23
      process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #04d9a87e99bc07c7 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/validate.test.ts:29
  testTimeout: process.env.CI ? 60_000 : 10_000,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0141552e05d427ca Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/validate.test.ts:42
      delete process.env.NO_COLOR

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2ac9df08a0f8cd4e Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/validate.test.ts:43
      process.env.FORCE_COLOR = '0'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c5ce2595f064ca99 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/validate.test.ts:44
      process.env.CI = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #98399bca1349c7c1 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/validate.test.ts:85
      process.env.NO_COLOR = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #519143c07c195c40 Environment-variable access.
repo/packages/internals/src/__tests__/getGenerators/getGenerators.test.ts:16
  testTimeout: process.env.CI ? 60_000 : 20_000,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #757d73c0d98b8f91 Environment-variable access.
repo/packages/internals/src/__tests__/getGenerators/getGenerators.test.ts:52
    delete process.env.BINARY_TARGETS_ENV_VAR_TEST

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c83914224e3c9444 Environment-variable access.
repo/packages/internals/src/__tests__/getGenerators/getGenerators.test.ts:212
    process.env.BINARY_TARGETS_ENV_VAR_TEST = '"native"'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cd6415ebd6159708 Environment-variable access.
repo/packages/internals/src/__tests__/getGenerators/getGenerators.test.ts:295
    process.env.BINARY_TARGETS_ENV_VAR_TEST = '["native"]'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #533735c1ce3c5a56 Environment-variable access.
repo/packages/internals/src/__tests__/getGenerators/getGenerators.test.ts:378
    process.env.BINARY_TARGETS_ENV_VAR_TEST =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3613ec9989717b2e Environment-variable access.
repo/packages/internals/src/__tests__/getGenerators/getGenerators.test.ts:477
    process.env.BINARY_TARGETS_ENV_VAR_TEST = '["linux-musl"]'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7cbb6d369345aab3 Environment-variable access.
repo/packages/internals/src/__tests__/getPackedPackage.test.ts:8
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8e535511b6b470a2 Environment-variable access.
repo/packages/internals/src/__tests__/getSchema.test.ts:9
if (process.env.CI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #900889f7712b689b Environment-variable access.
repo/packages/internals/src/__tests__/getSchema.test.ts:15
process.env.npm_config_user_agent = 'yarn/1.22.4 npm/? node/v12.18.3 darwin x64'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c902bc22b849c931 Environment-variable access.
repo/packages/internals/src/__tests__/handlePanic.test.ts:51
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bdb33ae97341e6c7 Environment-variable access.
repo/packages/internals/src/__tests__/handlePanic.test.ts:57
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6b63be90eea118af Environment-variable access.
repo/packages/internals/src/__tests__/handlePanic.test.ts:59
      process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #06d34d62d680e094 Environment-variable access.
repo/packages/internals/src/__tests__/handlePanic.test.ts:76
    process.env.GITHUB_ACTIONS = 'true' // simulate CI environment

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #99b6eba2ffedd8b1 Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:8
if (process.env.CI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c2956d1dd4918bd6 Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:69
  testIf(!process.env.PRISMA_SCHEMA_ENGINE_BINARY)(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #932bbf14c475c9f0 Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:85
    const uri = process.env.TEST_POSTGRES_URI!.replace('tests', 'tests-createDatabase')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #beb74fd03dd4c577 Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:105
    const uri = process.env.TEST_POSTGRES_URI!

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #00b376f743257d3b Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:113
    const uri = process.env.TEST_MYSQL_URI!.replace('tests', 'tests-createDatabase')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #abd4f2413f10b4e8 Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:124
    const uri = process.env.TEST_MYSQL_URI!.replace('tests', 'tests-createDatabase-already-exists')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2881cf46f1f6ff7f Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:136
  testIf(!process.env.TEST_SKIP_MSSQL)('sqlserver - create database', async () => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cf094b6363841be8 Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:137
    if (!process.env.TEST_MSSQL_JDBC_URI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4e6244ce4c458f51 Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:140
    const connectionString = process.env.TEST_MSSQL_JDBC_URI.replace(/database=(.*?);/, 'database=can-create-a-db;')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6f26a886fa5dae5a Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:147
  testIf(!process.env.TEST_SKIP_MSSQL)('sqlserver - database already exists', async () => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3fecb46d6fc29648 Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:148
    if (!process.env.TEST_MSSQL_JDBC_URI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a87534d39ae5cfe3 Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:151
    const connectionString = process.env.TEST_MSSQL_JDBC_URI

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4377efbfaddda2fa Filesystem access.
repo/packages/internals/src/cli/getSchema.ts:10
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #babcf39bb5c69524 Environment-variable access.
repo/packages/internals/src/engine-commands/formatSchema.ts:17
  if (process.env.FORCE_PANIC_PRISMA_SCHEMA) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c752dc20d81cb4c7 Environment-variable access.
repo/packages/internals/src/engine-commands/getConfig.ts:78
        if (process.env.FORCE_PANIC_GET_CONFIG) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c74e45779177881a Environment-variable access.
repo/packages/internals/src/engine-commands/getConfig.ts:172
    if (binaryTarget.fromEnvVar && process.env[binaryTarget.fromEnvVar]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0c0b00e6465c704a Environment-variable access.
repo/packages/internals/src/engine-commands/getConfig.ts:173
      const value = JSON.parse(process.env[binaryTarget.fromEnvVar]!)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5ef4dcb741642641 Filesystem access.
repo/packages/internals/src/engine-commands/queryEngineCommons.ts:4
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #84f7a569c3719313 Environment-variable access.
repo/packages/internals/src/engine-commands/validate.ts:58
        if (process.env.FORCE_PANIC_GET_DMMF) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1413aefe2525edd9 Environment-variable access.
repo/packages/internals/src/engine-commands/validate.ts:65
          noColor: Boolean(process.env.NO_COLOR),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #eccd324959b00b46 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/internals/src/errorReporting.ts:69
  return await fetch(url, {
    method: 'POST',
    agent: getProxyAgent(url),
    body,
    headers: {
      Accept: 'application/json',
      'Content-Type': 'application/json',
    },
  })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #a2e3c356241c9939 Environment-variable access.
repo/packages/internals/src/get-generators/utils/getBinaryPathsByVersion.ts:46
    if (process.env.NETLIFY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #16df43715a22a2d0 Filesystem access.
repo/packages/internals/src/getPackedPackage.ts:2
import fs, { readFileSync } from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2ca166a3a1b41715 Filesystem access.
repo/packages/internals/src/getPackedPackage.ts:16
      const pkgJson = JSON.parse(readFileSync(pkgPath, { encoding: 'utf-8' }))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #048d94a0e6161370 Environment-variable access.
repo/packages/internals/src/logger.ts:10
  warn: () => !process.env.PRISMA_DISABLE_WARNINGS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ed802988c0039cf4 Filesystem access.
repo/packages/internals/src/resolveBinary.ts:5
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #195142bc57446197 Filesystem access.
repo/packages/internals/src/resolveBinary.ts:88
    const data = await fs.promises.readFile(file)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b5d238acbd973a23 Filesystem access.
repo/packages/internals/src/resolveBinary.ts:89
    await fs.promises.writeFile(target, data)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f6852d13e4e0df31 Filesystem access.
repo/packages/internals/src/resolveOutput.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #42ba172a5a425dfd Environment-variable access.
repo/packages/internals/src/schemaEngineCommands.ts:188
          RUST_BACKTRACE: process.env.RUST_BACKTRACE ?? '1',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #63349fa807c3a5df Environment-variable access.
repo/packages/internals/src/schemaEngineCommands.ts:189
          RUST_LOG: process.env.RUST_LOG ?? 'info',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #20501e2fd212b8aa Environment-variable access.
repo/packages/internals/src/utils/__tests__/isCi.test.ts:11
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6f0b8c530b833584 Environment-variable access.
repo/packages/internals/src/utils/__tests__/isCi.test.ts:17
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #62015fe8ee4144f2 Environment-variable access.
repo/packages/internals/src/utils/__tests__/isCi.test.ts:19
      process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e926eedf654b8fb5 Environment-variable access.
repo/packages/internals/src/utils/__tests__/isCi.test.ts:36
      delete process.env.GITHUB_ACTIONS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3c2edacae9818439 Environment-variable access.
repo/packages/internals/src/utils/__tests__/isCi.test.ts:37
      delete process.env.CI

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #dba41a1c4a095d5e Environment-variable access.
repo/packages/internals/src/utils/__tests__/isCi.test.ts:48
      delete process.env.GITHUB_ACTIONS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #95512fd683bcb884 Environment-variable access.
repo/packages/internals/src/utils/__tests__/isCi.test.ts:49
      delete process.env.CI

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #34eb4522746a1828 Environment-variable access.
repo/packages/internals/src/utils/__tests__/isCi.test.ts:54
      process.env.CI = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #03386dd8a2b42ce4 Environment-variable access.
repo/packages/internals/src/utils/__tests__/isCi.test.ts:59
      process.env.GITHUB_ACTIONS = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #07d2d447bff3a0e4 Environment-variable access.
repo/packages/internals/src/utils/__tests__/isInteractive.test.ts:10
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #997a11d6faf971e5 Environment-variable access.
repo/packages/internals/src/utils/__tests__/isInteractive.test.ts:16
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #62a39bd64c6b4d85 Environment-variable access.
repo/packages/internals/src/utils/__tests__/isInteractive.test.ts:18
      process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #34832a81facf0de4 Environment-variable access.
repo/packages/internals/src/utils/__tests__/isInteractive.test.ts:38
      process.env.TERM = 'dumb'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9e26b962f626bce0 Environment-variable access.
repo/packages/internals/src/utils/__tests__/isInteractive.test.ts:50
      process.env.TERM = 'dumb'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5907c0d13e1a5254 Filesystem access.
repo/packages/internals/src/utils/chmodPlusX.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #01ad2c1c70d5b7e1 Filesystem access.
repo/packages/internals/src/utils/fs-functional.ts:4
import fs from 'fs/promises'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #845c65a707fa730e Filesystem access.
repo/packages/internals/src/utils/fs-functional.ts:12
  TE.tryCatch(() => fsUtils.writeFile(params), createTaggedSystemError('fs-write-file', params))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #335c476d87707f80 Filesystem access.
repo/packages/internals/src/utils/fs-utils.ts:1
import fs from 'fs/promises'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a149d63af006a5b3 Filesystem access.
repo/packages/internals/src/utils/fs-utils.ts:21
  return fs.writeFile(path, content, { encoding: 'utf-8' })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3c5df357cc6bc8bd Filesystem access.
repo/packages/internals/src/utils/isCurrentBinInstalledGlobally.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #17edc8fb4b46aecb Environment-variable access.
repo/packages/internals/src/utils/isInContainer.ts:13
      process.env.KUBERNETES_SERVICE_HOST !== undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f45f09a56cc07fb8 Environment-variable access.
repo/packages/internals/src/utils/isInNpmLifecycleHook.ts:5
  return process.env.npm_lifecycle_event !== undefined && process.env.npm_command !== 'run-script'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #16e5704020c68e66 Environment-variable access.
repo/packages/internals/src/utils/isInteractive.ts:9
  return Boolean(stream && stream.isTTY && process.env.TERM !== 'dumb')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #efe608426e154927 Environment-variable access.
repo/packages/internals/src/utils/maybeInGitHook.ts:11
    process.env.GIT_EXEC_PATH !== undefined ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2addaae4c6cb5bc9 Environment-variable access.
repo/packages/internals/src/utils/maybeInGitHook.ts:12
    process.env.GIT_DIR !== undefined ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7e1cda2b2e59ed53 Environment-variable access.
repo/packages/internals/src/utils/maybeInGitHook.ts:13
    process.env.GIT_INDEX_FILE !== undefined ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8c982fc067034eb8 Environment-variable access.
repo/packages/internals/src/utils/maybeInGitHook.ts:14
    process.env.GIT_PREFIX !== undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #534a2b29daaf8096 Environment-variable access.
repo/packages/internals/src/utils/parseAWSNodejsRuntimeEnvVarVersion.ts:2
  const runtimeEnvVar = process.env.AWS_LAMBDA_JS_RUNTIME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8d2d321e603e4a25 Environment-variable access.
repo/packages/internals/src/utils/parseEnvValue.ts:13
    const value = process.env[object.fromEnvVar]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e5c5df3a770e56c6 Environment-variable access.
repo/packages/internals/src/utils/parseEnvValue.ts:39
    const value = process.env[object.fromEnvVar]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/migrate

medium pii_flow production #16f7285477810708 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/packages/migrate/src/utils/test-SchemaEngineCommands.ts:13 · flow /tmp/closeopen-17zukif3/repo/packages/migrate/src/utils/test-SchemaEngineCommands.ts:12 → /tmp/closeopen-17zukif3/repo/packages/migrate/src/utils/test-SchemaEngineCommands.ts:13
  console.log(result)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

167 low-confidence finding(s)
low env_fs production #0aba9f33a4558ca5 Environment-variable access.
repo/packages/migrate/src/SchemaEngineCLI.ts:514
    if (process.env.FORCE_PANIC_SCHEMA_ENGINE && request.method !== 'getDatabaseVersion') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3653b68d07ef768c Environment-variable access.
repo/packages/migrate/src/SchemaEngineWasm.ts:86
    if (process.env.FORCE_PANIC_SCHEMA_ENGINE && command !== 'debugPanic') return this.debugPanic()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4db553b45f5c6edb Environment-variable access.
repo/packages/migrate/src/__tests__/Baseline.test.ts:20
    process.env.GITHUB_ACTIONS = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #992e377715a4d904 Filesystem access.
repo/packages/migrate/src/__tests__/DbDrop.test.ts:124
    await fs.writeFile(path.join(ctx.configDir(), 'dev.db'), '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3cdd82bdfca0319b Environment-variable access.
repo/packages/migrate/src/__tests__/DbDrop.test.ts:159
    process.env.GITHUB_ACTIONS = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ded5752ddd0e9393 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:37
      fs.writeFileSync('script.sql', '-- noop')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bae08306a6b4ac42 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:85
      fs.writeFileSync('script.js', 'Something for MongoDB')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #07171e64c2313726 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:123
      fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #99cce6d57f4c0cfa Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:131
      fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7b801e56dc27d746 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:139
      fs.writeFileSync(
        'script.sql',
        `-- start a transaction
BEGIN;

${sqlScript}

-- commit changes
COMMIT;`,
      )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6f85f1f8940b94f1 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:156
        fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0a727517e659417a Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:165
        fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #159df76542c094a3 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:174
        fs.writeFileSync('script.sql', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #57b370ecb6acff86 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:185
        fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8c1814f74b7754ee Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:203
        fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3b5ed6b801419445 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:216
      fs.writeFileSync('script.sql', 'DROP TABLE "test-doesnotexists";')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9c0b65394daca441 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:228
      fs.writeFileSync('script.sql', 'ThisisnotSQL,itshouldfail')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e8e9b3ba91fcfc9d Environment-variable access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:239
    const connectionString = process.env.TEST_POSTGRES_URI_MIGRATE!.replace('tests-migrate', 'tests-migrate-db-execute')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #807fcd2e6896879f Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:274
      fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #eee6362d86536e9f Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:282
      fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cdcb0f030292a171 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:290
      fs.writeFileSync(
        'script.sql',
        `-- start a transaction
BEGIN;

${sqlScript}

-- commit changes
COMMIT;`,
      )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3c1116fa892e724b Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:307
      fs.writeFileSync('script.sql', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ec4aa72c10bed408 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:320
      fs.writeFileSync(
        'script.sql',
        `-- Drop & Create & Drop
      DROP DATABASE IF EXISTS "test-dbexecute";
      CREATE DATABASE "test-dbexecute";
      DROP DATABASE "test-dbexecute";`,
      )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e1c87abaaea5c8a9 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:339
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #277ca3ad8d96efe1 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:358
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #da745150d6627846 Environment-variable access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:378
      if (process.env.CI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5355a3f5ae64eb8a Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:382
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3bf2e8af2caf8798 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:403
      fs.writeFileSync('script.sql', 'DROP DATABASE "test-doesnotexists";')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #05d2726b063bd191 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:420
      fs.writeFileSync('script.sql', 'ThisisnotSQLitshouldfail')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5d72620e5b377f45 Environment-variable access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:431
    if (!process.env.TEST_SKIP_COCKROACHDB && !process.env.TEST_COCKROACH_URI_MIGRATE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #768a7d28b695916f Environment-variable access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:436
    const connectionString = (process.env.TEST_COCKROACH_URI_MIGRATE || '').replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #28d520ba9e9f4d9d Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:474
      fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #42fca966456f6848 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:482
      fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0a6df6d93b7f7eb9 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:490
      fs.writeFileSync(
        'script.sql',
        `-- start a transaction
BEGIN;

${sqlScript}

-- commit changes
COMMIT;`,
      )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #673b81e941345b6a Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:507
      fs.writeFileSync('script.sql', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f4e75f53123f3fec Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:518
      fs.writeFileSync(
        'script.sql',
        `-- Drop & Create & Drop
      DROP DATABASE IF EXISTS "test-dbexecute";
      CREATE DATABASE "test-dbexecute";
      DROP DATABASE "test-dbexecute";`,
      )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #05c23517417ee5c7 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:536
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1710605f1a3e390c Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:555
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6dcf20719d91cfa0 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:574
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e1034bbeb52d82df Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:594
      fs.writeFileSync('script.sql', 'ThisisnotSQLitshouldfail')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #76eda9614f56efec Environment-variable access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:608
    const connectionString = process.env.TEST_MYSQL_URI_MIGRATE!.replace('tests-migrate', 'tests-migrate-db-execute')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4c32789e6ae59b7f Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:643
      fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #280d9e343c696185 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:651
      fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6223d66e50a40629 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:660
      fs.writeFileSync('script.sql', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ddb22c8ba250da8c Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:672
      fs.writeFileSync(
        'script.sql',
        `-- start a transaction
START TRANSACTION;

${sqlScript}

-- commit changes
COMMIT;`,
      )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #630ed71bb76e39d6 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:690
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c1078030a01873cb Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:708
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bbe12468e8345c17 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:727
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7d0b221c9ac2df00 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:747
      fs.writeFileSync('script.sql', 'DROP DATABASE `test-doesnotexists`;')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e475f3b1c4fd6607 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:759
      fs.writeFileSync('script.sql', 'This is not SQL, it should fail')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #86c5bb1e76db8cba Environment-variable access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:770
    if (!process.env.TEST_SKIP_MSSQL && !process.env.TEST_MSSQL_JDBC_URI_MIGRATE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4c51caeb5fca8542 Environment-variable access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:774
    const jdbcConnectionString = process.env.TEST_MSSQL_JDBC_URI_MIGRATE?.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c2815f81e34ee52d Environment-variable access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:781
      connectionString: process.env.TEST_MSSQL_URI!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #becc316967fc2530 Environment-variable access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:796
      const shadowDatabaseUrl = process.env.TEST_MSSQL_SHADOWDB_JDBC_URI_MIGRATE?.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #effadfd50f2e78df Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:817
      fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ab043ee4fe703489 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:825
      fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #de56548382c51108 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:833
      fs.writeFileSync('script.sql', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5ea442e1655d3fbb Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:841
      fs.writeFileSync(
        'script.sql',
        `-- start a transaction
BEGIN TRANSACTION;

SELECT 1

-- commit changes
COMMIT;`,
      )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e80043c0dce41a5b Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:860
      fs.writeFileSync(
        'script.sql',
        `-- start a transaction
BEGIN TRANSACTION;

${sqlScript}

-- commit changes
COMMIT;`,
      )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #033f0e27748289d7 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:882
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6d02d41c2144b41c Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:903
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0409677cf0f1e61e Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:922
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #950beb272016c0e3 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:944
      fs.writeFileSync('script.sql', 'DROP DATABASE "test-doesnotexists";')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #dd147da05566123f Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:956
      fs.writeFileSync('script.sql', 'ThisisnotSQLitshouldfail')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3d2b5d19f106cc63 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/cockroachdb.test.ts:8
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #56a264e3af10a6b3 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/cockroachdb.test.ts:16
  if (!process.env.TEST_SKIP_COCKROACHDB && !process.env.TEST_COCKROACH_URI_MIGRATE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f0c5d9fd7679939d Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/cockroachdb.test.ts:19
  const connectionString = process.env.TEST_COCKROACH_URI_MIGRATE!.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4d24905edc4627b7 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/mongodb.test.ts:5
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #41d02ff208da163f Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/mysql.test.ts:9
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #629c99d6506f0ad9 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/mysql.test.ts:17
  const connectionString = process.env.TEST_MYSQL_URI!.replace('tests-migrate', 'tests-migrate-db-pull-mysql')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5242995dfe8cd7a3 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/mysql.test.ts:20
    connectionString: process.env.TEST_MYSQL_URI!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6b7538abdbdff49f Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/postgresql-extensions.test.ts:8
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #559b6acb670a1bd6 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/postgresql-extensions.test.ts:16
  const connectionString = process.env.TEST_POSTGRES_URI_MIGRATE!.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2c9e1c308697af5c Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/postgresql-missing-database.test.ts:5
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4bc34d9b3dfca183 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/postgresql-missing-database.test.ts:13
  const defaultConnectionString = process.env.TEST_POSTGRES_URI_MIGRATE!

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1ab6a447ba5dae68 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/postgresql-multischema.test.ts:8
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b7de1fd8be31adb7 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/postgresql-multischema.test.ts:16
  const connectionString = process.env.TEST_POSTGRES_URI_MIGRATE!.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #89c10c18de048db9 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/postgresql-views.test.ts:10
if (process.env.CI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0fbf413b9c652675 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/postgresql-views.test.ts:19
  const connectionString = process.env.TEST_POSTGRES_URI_MIGRATE!.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3929105099ad5f61 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/postgresql.test.ts:8
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6d7b27232bd70568 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/postgresql.test.ts:16
  const connectionString = process.env.TEST_POSTGRES_URI_MIGRATE!.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7498e1dea58f2fb2 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/schema-folder.test.ts:4
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6cf64e5e0e2fbadd Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlite.test.ts:5
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #04ee1e2ea365a383 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:9
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ef55a3590cdc0806 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:33
  if (!process.env.TEST_SKIP_MSSQL && !process.env.TEST_MSSQL_URI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #789faf4c2b2b9a0b Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:36
  if (!process.env.TEST_SKIP_MSSQL && !process.env.TEST_MSSQL_JDBC_URI_MIGRATE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9251a1598e527470 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:42
    connectionString: process.env.TEST_MSSQL_URI!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4c402d9dc1d75946 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:58
    const url = process.env.TEST_MSSQL_JDBC_URI_MIGRATE!.replace('tests-migrate', databaseName)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8b9c5c8ed24f0687 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:59
    const shadowDatabaseUrl = process.env.TEST_MSSQL_SHADOWDB_JDBC_URI_MIGRATE?.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #70a7291184ef0f71 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:97
  if (process.env.CI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3d4c47b468fcb170 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:104
  if (!process.env.TEST_SKIP_MSSQL && !process.env.TEST_MSSQL_URI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c5889dbeee95ae64 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:107
  if (!process.env.TEST_SKIP_MSSQL && !process.env.TEST_MSSQL_JDBC_URI_MIGRATE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #37794a29094344ac Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:114
    connectionString: process.env.TEST_MSSQL_URI!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2a072288a9171cd5 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:131
    const url = process.env.TEST_MSSQL_JDBC_URI_MIGRATE!.replace('tests-migrate', databaseName)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #32fa5fac93a2386a Environment-variable access.
repo/packages/migrate/src/__tests__/DbPush.test.ts:14
  const inDockerIt = process.env.TEST_NO_DOCKER ? it.skip : it

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b4430dc2432e7509 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPush.test.ts:107
    process.env.GITHUB_ACTIONS = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7ce9dbb729bb7571 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPush.test.ts:227
    process.env.GITHUB_ACTIONS = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5af3c1cbcc3b5088 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPush.test.ts:273
  const connectionString = process.env.TEST_POSTGRES_URI_MIGRATE!.replace('tests-migrate', 'tests-migrate-db-push')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #65d9e1e7f74504e1 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPush.test.ts:338
  const connectionString = process.env.TEST_POSTGRES_URI_MIGRATE!.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9c10a1321c9a0bff Environment-variable access.
repo/packages/migrate/src/__tests__/DbPush.test.ts:388
  if (!process.env.TEST_SKIP_MONGODB && !process.env.TEST_MONGO_URI_MIGRATE_EXISTING_DB) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #47cca89a20b41fdc Environment-variable access.
repo/packages/migrate/src/__tests__/DbPush.test.ts:392
    connectionString: process.env.TEST_MONGO_URI_MIGRATE_EXISTING_DB!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ccb08da44e1c0ff9 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDeploy.test.ts:179
  const connectionString = process.env.TEST_POSTGRES_URI_MIGRATE!.replace('tests-migrate', 'tests-migrate-deploy')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2a6b92843e935a00 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDev.test.ts:32
  process.env.GITHUB_ACTIONS = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b684d7a6fe32f63c Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDev.test.ts:834
  const connectionString = process.env.TEST_POSTGRES_URI_MIGRATE!.replace('tests-migrate', 'tests-migrate-dev')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5a0bea2cba33a749 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDev.test.ts:1181
  testIf(!process.env.CI || process.platform !== 'darwin')('external tables', async () => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e58bf7cef0dc699c Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDev.test.ts:1246
  if (!process.env.TEST_SKIP_COCKROACHDB && !process.env.TEST_COCKROACH_URI_MIGRATE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a5133d5f27a3d365 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDev.test.ts:1249
  const connectionString = process.env.TEST_COCKROACH_URI_MIGRATE!.replace('tests-migrate', 'tests-migrate-dev')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #08437041280ac9c7 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDev.test.ts:1414
  const connectionString = process.env.TEST_MYSQL_URI_MIGRATE!.replace('tests-migrate', 'tests-migrate-dev')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #16d6ad8b7a7f0502 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDev.test.ts:1601
  if (process.env.CI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #af79467a0880c3bd Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDev.test.ts:1610
    connectionString: process.env.TEST_MSSQL_URI!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #44803af5a6bf54c6 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDev.test.ts:1625
    const url = process.env.TEST_MSSQL_JDBC_URI_MIGRATE!.replace('tests-migrate', databaseName)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7ca489e0efeba8b9 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDev.test.ts:1626
    const shadowDatabaseUrl = process.env.TEST_MSSQL_SHADOWDB_JDBC_URI_MIGRATE?.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ee4e780e474ddd37 Filesystem access.
repo/packages/migrate/src/__tests__/MigrateDiff.test.ts:490
        await fs.writeFile(path.join(ctx.configDir(), 'dev.db'), '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bdfb63e66a71186e Filesystem access.
repo/packages/migrate/src/__tests__/MigrateDiff.test.ts:508
        await fs.writeFile(path.join(ctx.configDir(), 'dev.db'), '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #623afbc7be25e4d0 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDiff.test.ts:693
    if (!process.env.TEST_SKIP_COCKROACHDB && !process.env.TEST_COCKROACH_URI_MIGRATE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7d6fc92eca740eb9 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDiff.test.ts:696
    const connectionString = process.env.TEST_COCKROACH_URI_MIGRATE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f5c3b657cf6b4534 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDiff.test.ts:745
    const connectionString = process.env.TEST_POSTGRES_URI_MIGRATE!

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #405ace66b57f897c Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDiff.test.ts:804
    const connectionString = process.env.TEST_MYSQL_URI_MIGRATE!

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cc4cf0ba0501c13d Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDiff.test.ts:854
    if (!process.env.TEST_SKIP_MSSQL && !process.env.TEST_MSSQL_JDBC_URI_MIGRATE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1130c6f5498806f3 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDiff.test.ts:858
    const jdbcConnectionString = process.env.TEST_MSSQL_JDBC_URI_MIGRATE!

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e7d047257905ffa3 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDiff.test.ts:861
      connectionString: process.env.TEST_MSSQL_URI!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a6c9e20fa3110c84 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDiff.test.ts:876
      const shadowDatabaseUrl = process.env.TEST_MSSQL_SHADOWDB_JDBC_URI_MIGRATE?.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ce8255192e2e30b8 Environment-variable access.
repo/packages/migrate/src/__tests__/__helpers__/conditionalTests.ts:90
  if (matrix.providers.cockroachdb && process.env.TEST_SKIP_COCKROACHDB) return skip(name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d3a78d29815a1358 Environment-variable access.
repo/packages/migrate/src/__tests__/__helpers__/conditionalTests.ts:91
  if (matrix.providers.sqlserver && process.env.TEST_SKIP_MSSQL) return skip(name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #540a28748e41554c Environment-variable access.
repo/packages/migrate/src/__tests__/__helpers__/conditionalTests.ts:92
  if (matrix.providers.mongodb && process.env.TEST_SKIP_MONGODB) return skip(name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2b42b685a736feff Environment-variable access.
repo/packages/migrate/src/__tests__/handlePanic.introspect.test.ts:11
    process.env.FORCE_PANIC_SCHEMA_ENGINE = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #da67f69170e1a0a0 Environment-variable access.
repo/packages/migrate/src/__tests__/handlePanic.migrate.test.ts:17
    process.env.FORCE_PANIC_SCHEMA_ENGINE = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #04fd7f874e0668ad Filesystem access.
repo/packages/migrate/src/__tests__/introspection/introspection.test.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e25591603d15f3a2 Filesystem access.
repo/packages/migrate/src/__tests__/introspection/introspection.test.ts:14
  const schemaContent = await fs.promises.readFile(schemaPath, { encoding: 'utf-8' })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #dfd636a84304aacb Environment-variable access.
repo/packages/migrate/src/__tests__/rpc.test.ts:502
        url: process.env.TEST_POSTGRES_URI!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #94de0760635b9df3 Environment-variable access.
repo/packages/migrate/src/__tests__/setup.ts:7
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e2bad919a744c3d5 Environment-variable access.
repo/packages/migrate/src/__tests__/setup.ts:13
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cd8ce4e88e9a8c44 Environment-variable access.
repo/packages/migrate/src/__tests__/setup.ts:15
      process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #258e89bdf9c0ce95 Environment-variable access.
repo/packages/migrate/src/__tests__/setup.ts:24
  process.env.CI = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ccfaf84054d20fdc Filesystem access.
repo/packages/migrate/src/commands/DbExecute.ts:14
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ff6ff34e2a74c9bd Filesystem access.
repo/packages/migrate/src/commands/DbExecute.ts:118
        script = fs.readFileSync(path.resolve(args['--file']), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd2b2db1b946725b Environment-variable access.
repo/packages/migrate/src/utils/ai-safety.ts:42
  if (process.env[userConsentEnvVar]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7ccff10f1a159306 Environment-variable access.
repo/packages/migrate/src/utils/ai-safety.ts:52
    'Claude Code': process.env.CLAUDECODE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #32bb5ec453468f75 Environment-variable access.
repo/packages/migrate/src/utils/ai-safety.ts:53
    'Gemini CLI or Qwen Code': process.env.GEMINI_CLI,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0dc5fb820c2c143e Environment-variable access.
repo/packages/migrate/src/utils/ai-safety.ts:54
    Cursor: process.env.CURSOR_AGENT,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0dc22549f47ea2ef Environment-variable access.
repo/packages/migrate/src/utils/ai-safety.ts:55
    Aider: process.env.OR_APP_NAME === 'Aider',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a66472e66fb62978 Environment-variable access.
repo/packages/migrate/src/utils/ai-safety.ts:56
    Replit: process.env.REPLIT_CLI,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cbcc5c9b6ecea5cf Environment-variable access.
repo/packages/migrate/src/utils/ai-safety.ts:57
    'Codex CLI': process.env.CODEX_SANDBOX === 'seatbelt',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e536938bed69bc8f Filesystem access.
repo/packages/migrate/src/utils/createMigration.ts:36
  await fs.promises.writeFile(path.join(baseDir, migrationName, `migration.${extension}`), script, {
    encoding: 'utf-8',
  })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #926a6dab130fb191 Filesystem access.
repo/packages/migrate/src/utils/createMigration.ts:52
  await fs.promises.writeFile(path.join(baseDir, lockfile.path), lockfileContent, { encoding: 'utf-8' })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1763fe90c742392b Filesystem access.
repo/packages/migrate/src/utils/listMigrations.ts:21
  const lockfileContent = await fs
    .readFile(path.join(migrationsDirectoryPath, lockfileName), { encoding: 'utf-8' })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #361c6fd6f090a58c Filesystem access.
repo/packages/migrate/src/utils/listMigrations.ts:56
    const migrationFileContent = await fs
      .readFile(path.join(migrationPath, migrationFileName), { encoding: 'utf-8' })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bd8e943db868bfdb Filesystem access.
repo/packages/migrate/src/utils/saveSchemaFiles.ts:6
  await Promise.all(schemas.files.map((file) => fs.writeFile(file.path, file.content, 'utf8')))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9fdb24d601d31f16 Filesystem access.
repo/packages/migrate/src/utils/setupCockroach.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bb65da1d3e72d6d5 Filesystem access.
repo/packages/migrate/src/utils/setupCockroach.ts:28
    await db.query(fs.readFileSync(path.join(dirname, 'setup.sql'), 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a6ee4056c29a8c53 Filesystem access.
repo/packages/migrate/src/utils/setupMSSQL.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #58c495565990d08a Filesystem access.
repo/packages/migrate/src/utils/setupMSSQL.ts:46
    schema += fs.readFileSync(path.join(dirname, 'setup.sql'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7be2cf6a8b51cf8e Filesystem access.
repo/packages/migrate/src/utils/setupMysql.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #23c0b17f10428233 Filesystem access.
repo/packages/migrate/src/utils/setupMysql.ts:42
    await db.query(fs.readFileSync(path.join(dirname, 'setup.sql'), 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5c462208e65af587 Filesystem access.
repo/packages/migrate/src/utils/setupPostgres.ts:29
    const migrationScript = await fs.readFile(path.join(dirname, 'setup.sql'), { encoding: 'utf-8' })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #39a05ec60646b792 Environment-variable access.
repo/packages/migrate/src/utils/test-SchemaEngineCommands.ts:12
  const result = await canConnectToDatabase(process.env.TEST_CONNECTION_STRING!)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/cli

npm first-party
222 low-confidence finding(s)
low env_fs production #94afb6fab7d251bd Filesystem access.
repo/packages/cli/helpers/build.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1e8230dc2daba853 Environment-variable access.
repo/packages/cli/helpers/build.ts:153
const optionalPlugins = process.env.DEV === 'true' ? [] : [cliTypesBuildConfig, cliConfigBuildConfig]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a2f4fb199edd622d Environment-variable access.
repo/packages/cli/jest.setup.js:11
  process.env['JITI_ALIAS'] = JSON.stringify({

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd89757a0715d676 Environment-variable access.
repo/packages/cli/jest.setup.js:18
  delete process.env['JITI_ALIAS']

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5853537728a737c5 Environment-variable access.
repo/packages/cli/src/DebugInfo.ts:66
      const value = process.env[name]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4496ba711e0e06d3 Filesystem access.
repo/packages/cli/src/Format.ts:106
      await fs.writeFile(filename, data)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1989cf0f287bb4ab Filesystem access.
repo/packages/cli/src/Generate.ts:23
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #80b6a7d9011110aa Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/Init.ts:467
              await fetch(`https://prisma-generate-server.prisma.workers.dev/`, {
                method: 'POST',
                headers: {
                  'Content-Type': 'application/json',
                },
                body: JSON.stringify({
                  description: prompt,
                }),
              })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #0ac457220b4ec4b0 Filesystem access.
repo/packages/cli/src/Init.ts:656
      const envFile = fs.readFileSync(envPath, { encoding: 'utf8' })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2666df20738cb4b0 Environment-variable access.
repo/packages/cli/src/Studio.ts:320
        const browser = args['--browser'] || process.env.BROWSER

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a5ad620432816b5b Filesystem access.
repo/packages/cli/src/Studio.ts:644
      return await readFile(filePath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a2fa50b6369c8e3d Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:3
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #218e9957742399f4 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:15
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #957714230c753e72 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:19
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4e84a24a60a5bcfa Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:22
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #73635f27a4f95d45 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:48
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c75133707a5bd298 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:56
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7f67cc1742bcb785 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:68
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a0e702a2fb957695 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:96
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #227af07bde03b7fb Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:104
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a819307b2db5258e Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:116
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #738065b6713f9313 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:144
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4345ee190929a3b0 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:152
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4197a0b494206631 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:164
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3ebbcf4a46a885dc Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:179
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d95237e379d75ac3 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:187
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e08de06debee2d2f Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:199
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #22a9e38285bdf851 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:209
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #82387afceeda4742 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:217
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2a56063d5ba74ac7 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:229
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4c47b6b6c16be6d0 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:239
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ac5a8c0a32608d01 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:247
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1d7c2cfe3e0b189a Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:259
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #22f03523e775d6ea Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:271
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7134cfc131caa6c2 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:279
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2bf582156ecd0413 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:291
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6a1732b29e58e118 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:301
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7c61eb5c7030f18b Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:309
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1947fa36556aec65 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:321
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #aa788e88fd1332c0 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:336
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cad04ca3f29c8cab Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:340
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9bcaca41a6da8eee Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:352
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8d32b938a9bba387 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:356
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #727755fbd5f29edf Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:368
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #196de0afc0e08ba0 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:372
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #08588bba6ca56f34 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:387
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9f601fa54e12d788 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:395
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #df96373dee25fd7f Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:405
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e5825a25f956d3d8 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:413
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9b866c7a6f3315f7 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:425
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #35c8f955617f2c11 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:433
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7caeee068643ebac Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:443
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cf4fd02c198e49f9 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:451
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #25ff13e7cb8ef0dd Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:457
  fs.writeFileSync(join(ctx.tmpDir, '.env'), `DATABASE_URL="postgres://dont:overwrite@me:5432/tests"`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #47f2b38cdd4b1704 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:461
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6ae24c1f879f9b3c Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:465
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d197c5c772ae5638 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:468
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a8600f3211cdd27d Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:474
  fs.writeFileSync(join(ctx.tmpDir, '.env'), `SOMETHING="is here"`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #64fc81bc2f444f19 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:478
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #885dfeeec033229e Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:482
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a8dbbe398ca9025f Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:486
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b2c6e3e7ce60f1b6 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:494
  const gitignore = fs.readFileSync(join(ctx.tmpDir, '.gitignore'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #756dd5759a8aabab Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:497
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1212732c0c40f690 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:505
  fs.writeFileSync(gitignorePath, `# This should not be overridden`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9935c4eb61538fb5 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:506
  fs.readFileSync(gitignorePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #73625438d28e374f Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:508
  const gitignoreAfter = fs.readFileSync(gitignorePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6f8a358e395490e4 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:511
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #01e1c735b44f9489 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:519
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6aa2c9b4eb0c8955 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:522
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #eeaa59c583219c41 Environment-variable access.
repo/packages/cli/src/__tests__/artificial-panic.test.ts:15
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ce0edd06307d3f29 Environment-variable access.
repo/packages/cli/src/__tests__/artificial-panic.test.ts:21
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #22241c9aa3400018 Environment-variable access.
repo/packages/cli/src/__tests__/artificial-panic.test.ts:23
      process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #99b1bf4945770a9a Environment-variable access.
repo/packages/cli/src/__tests__/artificial-panic.test.ts:44
    process.env.FORCE_PANIC_SCHEMA_ENGINE = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4d8c8cca71178aa7 Environment-variable access.
repo/packages/cli/src/__tests__/artificial-panic.test.ts:74
    process.env.FORCE_PANIC_PRISMA_SCHEMA = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #faba879282d270de Environment-variable access.
repo/packages/cli/src/__tests__/artificial-panic.test.ts:100
    process.env.FORCE_PANIC_GET_CONFIG = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #33a71507adff508e Environment-variable access.
repo/packages/cli/src/__tests__/artificial-panic.test.ts:126
    process.env.FORCE_PANIC_GET_DMMF = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a0b390b4bbca7ecc Environment-variable access.
repo/packages/cli/src/__tests__/artificial-panic.test.ts:144
    process.env.FORCE_PANIC_GET_DMMF = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f15dab6f0b2cee89 Environment-variable access.
repo/packages/cli/src/__tests__/artificial-panic.test.ts:170
    process.env.FORCE_PANIC_GET_DMMF = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #533c4951d3e4b8c4 Filesystem access.
repo/packages/cli/src/__tests__/commandState.test.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #56f464bcdc49d870 Environment-variable access.
repo/packages/cli/src/__tests__/commands/DebugInfo.test.ts:18
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6b1f7ca0583eeb4d Environment-variable access.
repo/packages/cli/src/__tests__/commands/DebugInfo.test.ts:24
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3be3df31735f7a0a Environment-variable access.
repo/packages/cli/src/__tests__/commands/DebugInfo.test.ts:26
      process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c5153f343c488e93 Environment-variable access.
repo/packages/cli/src/__tests__/commands/DebugInfo.test.ts:70
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9fdc4847ce447af2 Environment-variable access.
repo/packages/cli/src/__tests__/commands/DebugInfo.test.ts:82
    Object.keys(envVars).map((key) => delete process.env[key])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ed1364b3512e0a02 Environment-variable access.
repo/packages/cli/src/__tests__/commands/DebugInfo.test.ts:86
    process.env.TERM = 'dumb'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bc7612165ab26dbe Environment-variable access.
repo/packages/cli/src/__tests__/commands/DebugInfo.test.ts:160
    process.env.TERM = 'dumb'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #558cedc5eae1c19a Environment-variable access.
repo/packages/cli/src/__tests__/commands/Format.test.ts:19
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6587907595042b32 Environment-variable access.
repo/packages/cli/src/__tests__/commands/Format.test.ts:25
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #93f5d260630ab15b Environment-variable access.
repo/packages/cli/src/__tests__/commands/Format.test.ts:27
      process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ef6bed4363e62417 Filesystem access.
repo/packages/cli/src/__tests__/commands/Format.test.ts:265
    expect(fs.readFileSync('schema.prisma', { encoding: 'utf-8' })).toMatchSnapshot()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #658e9bbcc4e12991 Filesystem access.
repo/packages/cli/src/__tests__/commands/Format.test.ts:271
    expect(fs.readFileSync('missing-backrelation.prisma', { encoding: 'utf-8' })).toMatchSnapshot()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2e8a24ab269b7c57 Environment-variable access.
repo/packages/cli/src/__tests__/commands/Format.test.ts:312
    process.env.PRISMA_DISABLE_WARNINGS = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d81c649bd8e96d53 Environment-variable access.
repo/packages/cli/src/__tests__/commands/Validate.test.ts:18
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #774e0f1371bf2cf5 Environment-variable access.
repo/packages/cli/src/__tests__/commands/Validate.test.ts:24
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5afcbfbda8cc2920 Environment-variable access.
repo/packages/cli/src/__tests__/commands/Validate.test.ts:26
      process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f1dcaaabcc98d6a6 Environment-variable access.
repo/packages/cli/src/__tests__/commands/Validate.test.ts:292
    process.env.PRISMA_DISABLE_WARNINGS = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3068eb059479cc3c Filesystem access.
repo/packages/cli/src/__tests__/incomplete-schemas.test.ts:7
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e5c936fbae2f2fa7 Filesystem access.
repo/packages/cli/src/__tests__/incomplete-schemas.test.ts:63
      fs.writeFileSync('script.sql', dbExecuteSQLScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7f590c784f3eab55 Filesystem access.
repo/packages/cli/src/__tests__/incomplete-schemas.test.ts:140
      fs.writeFileSync('script.sql', dbExecuteSQLScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8a66713c7f71c258 Filesystem access.
repo/packages/cli/src/__tests__/incomplete-schemas.test.ts:241
      fs.writeFileSync('script.sql', dbExecuteSQLScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #36d6239cd77a37b9 Filesystem access.
repo/packages/cli/src/__tests__/nps.test.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b18d6a78d2fd43bb Environment-variable access.
repo/packages/cli/src/__tests__/nps.test.ts:20
        delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #870d38394bfd237b Environment-variable access.
repo/packages/cli/src/__tests__/nps.test.ts:26
        delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #15de1c73c8475498 Environment-variable access.
repo/packages/cli/src/__tests__/nps.test.ts:28
        process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b2d9799674811f1b Environment-variable access.
repo/packages/cli/src/__tests__/nps.test.ts:40
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2bbf253eccd83d40 Environment-variable access.
repo/packages/cli/src/__tests__/nps.test.ts:65
    process.env.CI = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a7aff512063be98f Environment-variable access.
repo/packages/cli/src/__tests__/nps.test.ts:134
    process.env.KUBERNETES_SERVICE_HOST = '10.96.0.1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fe7ca594321f76af Environment-variable access.
repo/packages/cli/src/__tests__/nps.test.ts:155
    process.env.GIT_EXEC_PATH = '/nix/store/9z3jhc0rlj3zaw8nd1zka9vli6w0q11g-git-2.47.2/libexec/git-core'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4c6dda6185894d69 Environment-variable access.
repo/packages/cli/src/__tests__/nps.test.ts:176
    process.env.npm_command = 'install'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f3e37614780b853d Environment-variable access.
repo/packages/cli/src/__tests__/nps.test.ts:177
    process.env.npm_lifecycle_event = 'prepare'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8e4bb44a2af0032e Environment-variable access.
repo/packages/cli/src/__tests__/printUpdateMessage.test.ts:32
  originalPrismaHideUpdateMessageEnv = process.env.PRISMA_HIDE_UPDATE_MESSAGE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b76a672ced402048 Environment-variable access.
repo/packages/cli/src/__tests__/printUpdateMessage.test.ts:33
  delete process.env.PRISMA_HIDE_UPDATE_MESSAGE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e8755360c8e62edc Environment-variable access.
repo/packages/cli/src/__tests__/printUpdateMessage.test.ts:38
  process.env.PRISMA_HIDE_UPDATE_MESSAGE = originalPrismaHideUpdateMessageEnv

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d29a4539b96a5091 Environment-variable access.
repo/packages/cli/src/__tests__/update-message.test.ts:11
    originalPrismaHideUpdateMessageEnv = process.env.PRISMA_HIDE_UPDATE_MESSAGE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d8a1315c1cd8ec04 Environment-variable access.
repo/packages/cli/src/__tests__/update-message.test.ts:12
    delete process.env.PRISMA_HIDE_UPDATE_MESSAGE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9bb7184e40c1f313 Environment-variable access.
repo/packages/cli/src/__tests__/update-message.test.ts:16
    process.env.PRISMA_HIDE_UPDATE_MESSAGE = originalPrismaHideUpdateMessageEnv

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e5f6f4d34aca2fd0 Environment-variable access.
repo/packages/cli/src/__tests__/update-message.test.ts:144
    process.env.PRISMA_HIDE_UPDATE_MESSAGE = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #151cc7c4a5ab8488 Filesystem access.
repo/packages/cli/src/bootstrap/Bootstrap.ts:288
          const envContent = fs.readFileSync(envPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #df0299669f817c44 Environment-variable access.
repo/packages/cli/src/bootstrap/Bootstrap.ts:294
        process.env.DATABASE_URL = databaseUrl

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #253ba07e407e8f1a Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:160
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"name":"test"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d769514f9b8468b6 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:206
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"name":"test"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #932a3faa77e05389 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:234
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"name":"test"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7eb90c5d4fcb5323 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:266
    fs.writeFileSync(path.join(prismaDir, 'schema.prisma'), 'datasource db { provider = "postgresql" }', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #14cbb7bd43ef0f0f Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:293
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      `
datasource db { provider = "postgresql" }
model User { id Int @id }
`,
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8776ea17c8d36e19 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:324
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"name":"test"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e1fba709933beb97 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:327
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      'datasource db { provider = "postgresql" }\nmodel User { id Int @id }',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #33bff6493061fe16 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:363
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"name":"test"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e762b9bfa17e491f Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:366
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      'datasource db { provider = "postgresql" }\nmodel User { id Int @id }',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f9d0f23ef05e0624 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:396
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"name":"test"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0ff96adca5e04fd2 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:399
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      'datasource db { provider = "postgresql" }\nmodel User { id Int @id }',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b38e167ee32a78f0 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:430
    fs.writeFileSync(
      path.join(tmpDir, 'package.json'),
      '{"name":"test","prisma":{"seed":"npx tsx prisma/seed.ts"}}',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #892cb26429da0be3 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:437
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      'datasource db { provider = "postgresql" }\nmodel User { id Int @id }',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f6628426630e2c52 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:464
    fs.writeFileSync(
      path.join(tmpDir, 'package.json'),
      '{"name":"test","prisma":{"seed":"npx tsx prisma/seed.ts"}}',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f2ccddb41e2c7081 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:471
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      'datasource db { provider = "postgresql" }\nmodel User { id Int @id }',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3e5ece61c44f2042 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:503
    fs.writeFileSync(
      path.join(tmpDir, 'package.json'),
      '{"name":"test","prisma":{"seed":"npx tsx prisma/seed.ts"}}',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d05af56b670f9ed2 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:510
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      'datasource db { provider = "postgresql" }\nmodel User { id Int @id }',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0d4a4b55d70dd004 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:542
    fs.writeFileSync(
      path.join(tmpDir, 'package.json'),
      '{"name":"test","prisma":{"seed":"npx tsx prisma/seed.ts"}}',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ceb5a54b2a125aee Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:549
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      'datasource db { provider = "postgresql" }\nmodel User { id Int @id }',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f160ea2c25749db1 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:582
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"name":"test"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a59551fa6d24ac8d Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:32
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b0c349a588a5673b Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:41
    fs.writeFileSync(path.join(prismaDir, 'schema.prisma'), `datasource db { provider = "postgresql" }`, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #db9eff8ef62dffad Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:49
    fs.writeFileSync(path.join(tmpDir, 'schema.prisma'), `datasource db { provider = "postgresql" }`, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1ca3e797a151ba4f Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:58
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      `
datasource db {
  provider = "postgresql"
  url = env("DATABASE_URL")
}

model User {
  id   Int    @id @default(autoincrement())
  name String
}
`,
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #78f3bc3c847c3746 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:79
    fs.writeFileSync(path.join(tmpDir, 'prisma.config.ts'), 'export default {}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #dc0b20a76293c186 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:86
    fs.writeFileSync(path.join(tmpDir, '.env'), 'DATABASE_URL=test', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f776986741f84640 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:93
    fs.writeFileSync(
      path.join(tmpDir, 'package.json'),
      JSON.stringify({ prisma: { seed: 'ts-node prisma/seed.ts' } }),
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #285d570df87371b3 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:104
    fs.writeFileSync(path.join(tmpDir, 'package.json'), JSON.stringify({ prisma: { seed: '' } }), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #32d4ea189f74aa92 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:111
    fs.writeFileSync(path.join(tmpDir, 'package.json'), JSON.stringify({ name: 'test' }), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #19bfcf77deba8f77 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:118
    fs.writeFileSync(
      path.join(tmpDir, 'prisma.config.ts'),
      `import { defineConfig } from 'prisma/config'\nexport default defineConfig({ migrations: { seed: 'tsx ./prisma/seed.ts' } })`,
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6b03bdb198e751e5 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:129
    fs.writeFileSync(
      path.join(tmpDir, 'prisma.config.ts'),
      `export default defineConfig({\n  migrations: {\n    seed: "npx tsx prisma/seed.ts",\n  },\n})`,
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c9113975bbaa2891 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:140
    fs.writeFileSync(
      path.join(tmpDir, 'prisma.config.ts'),
      `export default defineConfig({ migrations: { path: 'prisma/migrations' } })`,
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0aa9e43d1423c77d Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:159
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      `
datasource db { provider = "postgresql" }

model User {
  id   Int    @id
  name String
  posts Post[]
}

model Post {
  id     Int    @id
  title  String
  author User   @relation(fields: [authorId], references: [id])
  authorId Int
}
`,
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0765e0ad8708f341 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:186
    fs.writeFileSync(path.join(prismaDir, 'schema.prisma'), `datasource db { provider = "postgresql" }`, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b4a2dcde10bffa5e Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:198
    fs.writeFileSync(
      path.join(tmpDir, 'package.json'),
      JSON.stringify({ prisma: { seed: 'ts-node prisma/seed.ts' } }),
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #339dff880eecb891 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:208
    fs.writeFileSync(
      path.join(tmpDir, 'prisma.config.ts'),
      `export default defineConfig({ migrations: { seed: 'npx tsx prisma/seed.ts' } })`,
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e380ad3922b337ec Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:218
    fs.writeFileSync(
      path.join(tmpDir, 'package.json'),
      JSON.stringify({ prisma: { seed: 'ts-node prisma/seed.ts' } }),
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7fe32ab064d84f21 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:223
    fs.writeFileSync(
      path.join(tmpDir, 'prisma.config.ts'),
      `export default defineConfig({ migrations: { seed: 'npx tsx prisma/seed.ts' } })`,
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b88f19e551cf88a7 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/template-scaffold.vitest.ts:36
    fs.writeFileSync(path.join(tmpDir, 'pnpm-lock.yaml'), '', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8f9c899831b1a57e Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/template-scaffold.vitest.ts:41
    fs.writeFileSync(path.join(tmpDir, 'yarn.lock'), '', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8a1af1697f4dbd21 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/template-scaffold.vitest.ts:50
    fs.writeFileSync(path.join(tmpDir, 'pnpm-lock.yaml'), '', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6c1e6af03d064c09 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/template-scaffold.vitest.ts:51
    fs.writeFileSync(path.join(tmpDir, 'yarn.lock'), '', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #354852da2541450e Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/template-scaffold.vitest.ts:56
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"packageManager":"[email protected]"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #93dbac5ce5ae40b0 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/template-scaffold.vitest.ts:61
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"packageManager":"[email protected]"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a319013e7ba15f17 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/template-scaffold.vitest.ts:66
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"packageManager":"[email protected]"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2efbabf2beb0c66e Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/template-scaffold.vitest.ts:71
    fs.writeFileSync(path.join(tmpDir, 'yarn.lock'), '', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7437d81b29c4682d Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/template-scaffold.vitest.ts:72
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"packageManager":"[email protected]"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #60add18e0ced0776 Filesystem access.
repo/packages/cli/src/bootstrap/project-state.ts:34
    const pkg = JSON.parse(fs.readFileSync(packageJsonPath, 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fcefec7f2c3f0dcf Filesystem access.
repo/packages/cli/src/bootstrap/project-state.ts:48
    const content = fs.readFileSync(configPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #018849e3a2df4280 Filesystem access.
repo/packages/cli/src/bootstrap/project-state.ts:59
    const content = fs.readFileSync(schemaPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #93cab12a3c7e3bfd Filesystem access.
repo/packages/cli/src/bootstrap/project-state.ts:71
      const pkg = JSON.parse(fs.readFileSync(packageJsonPath, 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #044901a168718ca8 Filesystem access.
repo/packages/cli/src/bootstrap/project-state.ts:81
      const content = fs.readFileSync(configPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f22ec0aa23741229 Filesystem access.
repo/packages/cli/src/bootstrap/project-state.ts:97
      const content = fs.readFileSync(schemaPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a8e04045bcf162d1 Environment-variable access.
repo/packages/cli/src/bootstrap/telemetry.ts:6
  return Boolean(process.env.CHECKPOINT_DISABLE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #0e22374f71a2bc94 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/bootstrap/template-scaffold.ts:54
  const response = await fetch(PRISMA_EXAMPLES_TARBALL_URL, {
    headers: { Accept: 'application/vnd.github+json', 'User-Agent': 'prisma-cli' },
    redirect: 'follow',
    signal: AbortSignal.timeout(120_000),
  })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #dfa54f91e5dad1f4 Filesystem access.
repo/packages/cli/src/bootstrap/template-scaffold.ts:82
        fs.writeFileSync(destPath, tarBuffer.subarray(offset, offset + header.size))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8c2a46587ac62e3e Filesystem access.
repo/packages/cli/src/bootstrap/template-scaffold.ts:161
      const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8ecaf5335c46b688 Filesystem access.
repo/packages/cli/src/generate/introspectSql.ts:4
import fs from 'fs/promises'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #239bc7913b5afb3c Filesystem access.
repo/packages/cli/src/generate/introspectSql.ts:39
    const source = await fs.readFile(path.join(typedSqlDirPath, fileName), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ff06f6d59d89a889 Filesystem access.
repo/packages/cli/src/init/file-writer.ts:17
    fs.writeFileSync(absPath, content, options)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9da27a564fa2a7bd Environment-variable access.
repo/packages/cli/src/postgres/link/Link.ts:43
  return process.env.PRISMA_MANAGEMENT_API_URL ?? DEFAULT_MANAGEMENT_API_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f75dc15354abf740 Environment-variable access.
repo/packages/cli/src/postgres/link/Link.ts:182
    const apiKey = explicitApiKey ?? (databaseId ? process.env.PRISMA_API_KEY : undefined)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7855a607e44f7cdd Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/Link.vitest.ts:119
    const envContent = fs.readFileSync(path.join(tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #809c6902e5708325 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/Link.vitest.ts:139
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      `
datasource db {
  provider = "postgresql"
  url      = env("DATABASE_URL")
}

model User {
  id    Int    @id @default(autoincrement())
  name  String
}
`,
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6cbc6f8a9f4ce366 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/Link.vitest.ts:198
    fs.writeFileSync(
      path.join(tmpDir, '.env'),
      "DATABASE_URL='postgres://user:[email protected]:5432/postgres'\n",
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7efc1f2f9c339cf3 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/Link.vitest.ts:216
    fs.writeFileSync(
      path.join(tmpDir, '.env'),
      "DATABASE_URL='postgres://user:[email protected]:5432/postgres'\n",
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5551ea8a3f6b8815 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:31
    const content = fs.readFileSync(envPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a5cde255d9b6b034 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:37
    fs.writeFileSync(envPath, 'EXISTING_VAR="hello"\n', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e89be33bcd074d4e Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:47
    const content = fs.readFileSync(envPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0f665f6f349f3667 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:53
    fs.writeFileSync(envPath, 'DATABASE_URL="old-value"\n', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #99ea005a49131769 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:63
    const content = fs.readFileSync(envPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9aa588ce09949e41 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:69
    fs.writeFileSync(envPath, 'DATABASE_URL="old-value"\n', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #28edb18e01444394 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:79
    const content = fs.readFileSync(envPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a8381465df07115c Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:90
    const content = fs.readFileSync(envPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #44d7203657bb08e5 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:101
    fs.writeFileSync(path.join(tmpDir, '.gitignore'), 'node_modules\n.env\n', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d963eba060bee584 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:106
    fs.writeFileSync(path.join(tmpDir, '.gitignore'), '/.env\n', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9f111f37a55ae17f Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:111
    fs.writeFileSync(path.join(tmpDir, '.gitignore'), 'node_modules\ndist\n', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #098616b899732913 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:126
    const envContent = fs.readFileSync(path.join(tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9b8804813c5b3c9f Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:137
    fs.writeFileSync(path.join(tmpDir, '.env'), "DATABASE_URL='postgres://localhost:5432/mydb'\n", 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f82cbdf2d120e63b Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:142
    fs.writeFileSync(
      path.join(tmpDir, '.env'),
      "DATABASE_URL='postgres://user:[email protected]:5432/postgres'\n",
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7453c38653a9d292 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:151
    fs.writeFileSync(
      path.join(tmpDir, '.env'),
      "DATABASE_URL='postgres://user:[email protected]:5432/postgres'\n",
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #26d8f2eea27e01a4 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:160
    fs.writeFileSync(path.join(tmpDir, '.env'), "OTHER_VAR='value'\n", 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fdfa0c73e775e0dc Filesystem access.
repo/packages/cli/src/postgres/link/local-setup.ts:22
    fs.writeFileSync(envPath, lines.join('\n') + '\n', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #878c2bae188900a1 Filesystem access.
repo/packages/cli/src/postgres/link/local-setup.ts:28
  let content = fs.readFileSync(envPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #22bad5f58a7c3335 Filesystem access.
repo/packages/cli/src/postgres/link/local-setup.ts:46
  fs.writeFileSync(envPath, content, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9ce3e7926f53af6d Filesystem access.
repo/packages/cli/src/postgres/link/local-setup.ts:61
  const content = fs.readFileSync(gitignorePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6bdcf59d0fb18158 Filesystem access.
repo/packages/cli/src/postgres/link/local-setup.ts:87
  const parsed = dotenv.parse(fs.readFileSync(envPath, 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #5f7d7abb43221143 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/status-page.ts:156
    const response = await fetch(SUMMARY_API_URL, { signal: AbortSignal.timeout(10_000) })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #15eadb1d8c5e11ef Environment-variable access.
repo/packages/cli/src/utils/checkpoint.ts:37
  if (process.env['CHECKPOINT_DISABLE']) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a5808f76f13a1c93 Environment-variable access.
repo/packages/cli/src/utils/checkpoint.ts:94
      information: args['--telemetry-information'] || process.env.PRISMA_TELEMETRY_INFORMATION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #43aa0a9f7bbc0eaa Filesystem access.
repo/packages/cli/src/utils/commandState.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d52a2e530e6d1f8c Filesystem access.
repo/packages/cli/src/utils/commandState.ts:19
  const data = await fs.promises
    .readFile(filePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #03b595aab039558c Filesystem access.
repo/packages/cli/src/utils/commandState.ts:25
    await fs.promises.writeFile(filePath, JSON.stringify(state))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #52ea1cd1f9b63a89 Filesystem access.
repo/packages/cli/src/utils/getClientVersion.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2b7455faa92186cd Filesystem access.
repo/packages/cli/src/utils/getClientVersion.ts:23
    const pkgJsonString = await fs.promises.readFile(pkgJsonPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #304aab08adf4cfd4 Filesystem access.
repo/packages/cli/src/utils/getClientVersion.ts:47
    const pkgJsonString = await fs.promises.readFile(pkgJsonPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #cab9276fadb5593a Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/utils/nps/capture.ts:11
const posthogCaptureUrl = new URL('https://proxyhog.prisma-data.net/capture')

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #5f52d4d9bb14251c Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/utils/nps/status.ts:14
const npsStatusUrl = new URL('https://pub-833f4cf4b3dc4d17a6db4981affc9fbb.r2.dev/timeframe.json')

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #dc5be218d477138f Filesystem access.
repo/packages/cli/src/utils/nps/survey.ts:5
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c55d5df01db769cf Filesystem access.
repo/packages/cli/src/utils/nps/survey.ts:165
  const data = await fs.promises
    .readFile(getConfigPath(), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #60deed3a4a487bb2 Filesystem access.
repo/packages/cli/src/utils/nps/survey.ts:187
  await fs.promises.writeFile(configPath, JSON.stringify(config))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #311cb3207bc7024f Environment-variable access.
repo/packages/cli/src/utils/printUpdateMessage.ts:8
  const shouldHide = process.env.PRISMA_HIDE_UPDATE_MESSAGE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5f6ac1efdd046cf0 Filesystem access.
repo/packages/cli/src/utils/prompt/utils/isDirEmpty.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/client

npm first-party
117 low-confidence finding(s)
low env_fs production #b17991e32e00f7ac Filesystem access.
repo/packages/client/helpers/build.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #612d8e5c1566abf6 Environment-variable access.
repo/packages/client/helpers/build.ts:31
const shouldMinify = !process.env.DEV && process.env.MINIFY !== 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6be439e4d804315b Filesystem access.
repo/packages/client/helpers/build.ts:178
                  const wasmBuffer = fs.readFileSync(wasmFilePath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b5af2092335ea927 Filesystem access.
repo/packages/client/helpers/build.ts:185
                    fs.writeFileSync(base64FilePath, base64Content)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9e67b08cf53186bb Filesystem access.
repo/packages/client/helpers/build.ts:211
  fs.writeFileSync(path.join(runtimeDir, fileName), 'export * from "./client"\n')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #386efae0833a8502 Environment-variable access.
repo/packages/client/helpers/jestSetup.js:1
process.env.PRISMA_HIDE_PREVIEW_FLAG_WARNINGS = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4429ca627b1122ee Filesystem access.
repo/packages/client/helpers/new-test/new-test.ts:2
import fs from 'fs/promises'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7bc70f42aee8768d Filesystem access.
repo/packages/client/helpers/new-test/new-test.ts:116
  await fs.writeFile(at, template(relImport))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #82326582c61c27f8 Environment-variable access.
repo/packages/client/scripts/colors.js:14
    colors.enabled = process.env.FORCE_COLOR !== '0'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #39f79433ea3e0378 Filesystem access.
repo/packages/client/src/__tests__/benchmarks/huge-schema/builder.ts:3
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #863d214804be4c49 Filesystem access.
repo/packages/client/src/__tests__/benchmarks/huge-schema/builder.ts:10
  fs.writeFileSync(location, data, {})

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3299748cf74b4133 Environment-variable access.
repo/packages/client/src/__tests__/benchmarks/huge-schema/huge-schema.bench.ts:26
if (!process.env.CODSPEED_BENCHMARK) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #24a0d9aa210f145f Filesystem access.
repo/packages/client/src/__tests__/benchmarks/lots-of-relations/builder.ts:1
import fs from 'fs/promises'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5b57885ea2707f1c Filesystem access.
repo/packages/client/src/__tests__/benchmarks/lots-of-relations/builder.ts:39
  await fs.writeFile('schema.prisma', str)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #37d863cf98e8b246 Filesystem access.
repo/packages/client/src/__tests__/benchmarks/query-performance/caching.bench.ts:18
const BENCHMARK_DATAMODEL = fs.readFileSync(path.join(__dirname, 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ed2414ee64f3dc43 Environment-variable access.
repo/packages/client/src/__tests__/benchmarks/query-performance/qc-loader.ts:16
        if (process.env.LOCAL_QC_BUILD_DIRECTORY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4dc22996ea07b519 Environment-variable access.
repo/packages/client/src/__tests__/benchmarks/query-performance/qc-loader.ts:17
          runtimePath = path.join(process.env.LOCAL_QC_BUILD_DIRECTORY, provider, 'query_compiler_fast_bg.js')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #64b3562965c76354 Environment-variable access.
repo/packages/client/src/__tests__/benchmarks/query-performance/qc-loader.ts:25
        if (process.env.LOCAL_QC_BUILD_DIRECTORY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8fc8699d0f91b78b Environment-variable access.
repo/packages/client/src/__tests__/benchmarks/query-performance/qc-loader.ts:26
          const wasmPath = path.join(process.env.LOCAL_QC_BUILD_DIRECTORY, provider, 'query_compiler_fast_bg.wasm')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #81643d4a84c96469 Filesystem access.
repo/packages/client/src/__tests__/benchmarks/query-performance/qc-loader.ts:27
          moduleBytes = await fs.promises.readFile(wasmPath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #528b677e063933c4 Environment-variable access.
repo/packages/client/src/__tests__/benchmarks/query-performance/query-performance.bench.ts:257
  if (process.env.CODSPEED_BENCHMARK) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e98057f31135bcc5 Filesystem access.
repo/packages/client/src/__tests__/dmmfTypes.test.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #12725a84cfcf86e5 Filesystem access.
repo/packages/client/src/__tests__/dmmfTypes.test.ts:33
  fs.writeFileSync(target, file)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #186d54e146a42969 Environment-variable access.
repo/packages/client/src/__tests__/integration/__helpers__/migrateDb.ts:10
  const databaseUrl = process.env.DATABASE_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #88e28e54b8d93e56 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/executeRaw-alter-postgres/test.ts:11
  process.env.DATABASE_URL = process.env.TEST_POSTGRES_URI!.replace('tests', 'tests-execute-raw-alter')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #11cd115402aafa0b Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/executeRaw-alter-postgres/test.ts:12
  await tearDownPostgres(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bbdb57deff2355c3 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/int-errors/test.ts:12
    let connectionString = process.env.TEST_MYSQL_URI

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8ec1b87adae7b429 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/multi-schema/test.ts:18
    process.env.DATABASE_URL = process.env.TEST_POSTGRES_URI!.replace('tests', 'tests-multischema')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7816f6115eb22096 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/multi-schema/test.ts:19
    await tearDownPostgres(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a718fffd5b2fc6d7 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/multi-schema/test.ts:21
      connectionString: process.env.DATABASE_URL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #44e42c8fd116baf1 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/referentialActions-onDelete-default-foreign-key-error-mysql/test.ts:11
    process.env.DATABASE_URL = process.env.TEST_MYSQL_URI!.replace('tests', 'tests-referentialActions-onDelete-default')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9b8e98d69dd830ca Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/referentialActions-onDelete-default-foreign-key-error-mysql/test.ts:12
    await tearDownMysql(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #365aee70bd6a14f3 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/referentialActions-onDelete-default-foreign-key-error-postgresql/test.ts:11
    process.env.DATABASE_URL = process.env.TEST_POSTGRES_URI!.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1ed4af69f29fe970 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/referentialActions-onDelete-default-foreign-key-error-postgresql/test.ts:15
    await tearDownPostgres(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bec5960e8af85219 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/referentialActions-onDelete-default-foreign-key-error-sqlserver/test.ts:10
describeIf(!process.env.TEST_SKIP_MSSQL)('referentialActions-onDelete-default-foreign-key-error(sqlserver)', () => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #813a266713d9ee8d Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/referentialActions-onDelete-default-foreign-key-error-sqlserver/test.ts:12
    if (!process.env.TEST_MSSQL_JDBC_URI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #404f9db448c4630d Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/referentialActions-onDelete-default-foreign-key-error-sqlserver/test.ts:15
    process.env.DATABASE_URL = process.env.TEST_MSSQL_JDBC_URI.replace('master', 'referentialActions-onDelete-default')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #36854cfb95c0ec50 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/wrong-native-types-mysql/test.ts:11
  process.env.DATABASE_URL = process.env.TEST_MYSQL_URI!.replace('tests', 'tests-wrong-native-types')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #596320228e77b403 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/wrong-native-types-mysql/test.ts:12
  await tearDownMysql(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #77acf79673aff0ac Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/wrong-native-types-postgres/test.ts:11
  process.env.DATABASE_URL = process.env.TEST_POSTGRES_URI!.replace('tests', 'tests-wrong-native-types-tests')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b348c8c3e04c612b Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/wrong-native-types-postgres/test.ts:12
  await tearDownPostgres(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b51a0215a7e47724 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/insensitive-postgresql-feature-flag/test.ts:7
  const connectionString = process.env.TEST_POSTGRES_URI!.replace('tests', 'tests-insensitive-postgresql-feature-flag')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b25181ea6f2638b2 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/insensitive-postgresql/test.ts:7
  const connectionString = process.env.TEST_POSTGRES_URI!.replace('tests', 'tests-insensitive-postgresql')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #258c568c27252378 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/json-filtering-mysql/test.ts:13
    process.env.DATABASE_URL = process.env.TEST_MYSQL_URI!.replace('tests', 'tests-json-filtering')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b98d6bdcdf0de91f Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/json-filtering-mysql/test.ts:14
    await tearDownMysql(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fda1e1a880f34a37 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/json-filtering-postgres/test.ts:12
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #09b83fbd6be4fa98 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/json-filtering-postgres/test.ts:19
    process.env.DATABASE_URL = process.env.TEST_POSTGRES_URI!.replace('tests', 'tests-json-filtering')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a289939a5c2d3829 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/json-filtering-postgres/test.ts:20
    await tearDownPostgres(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #504074d96985573b Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/mysql-binary-id/test.ts:8
  process.env.DATABASE_URL = process.env.TEST_MYSQL_URI!.replace('tests', 'tests-mysql-binary-id')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f4015f7105a06229 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/mysql-binary-id/test.ts:9
  await tearDownMysql(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7301893ca06f9aa9 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/native-types-mysql/test.ts:9
  process.env.DATABASE_URL = process.env.TEST_MYSQL_URI!.replace('tests', 'tests-native-types')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #53f4ebfdaae2ddd7 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/native-types-mysql/test.ts:10
  await tearDownMysql(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8bb41ceab9dc549d Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/native-types-postgres/test.ts:9
  process.env.DATABASE_URL = process.env.TEST_POSTGRES_URI!.replace('tests', 'tests-native-types-tests')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #17d8bc354fa6e319 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/native-types-postgres/test.ts:10
  await tearDownPostgres(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1084d56b8829baac Filesystem access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema-mongo/common.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4e4921505b4eea89 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema-mongo/common.ts:6
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f66055d8e44ac75e Filesystem access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema-mongo/common.ts:20
  const generatedTypeScript = fs.readFileSync(path.join(clientDir, './node_modules/.prisma/client/index.d.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9ad47706f2f37152 Filesystem access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema-mongo/common.ts:21
  const generatedBrowserJS = fs.readFileSync(
    path.join(clientDir, './node_modules/.prisma/client/index-browser.js'),
    'utf-8',
  )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4bfc30fc026ec4b7 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema-mongo/dmmf-types.test.ts:8
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f1172dd7094e7765 Filesystem access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema-mongo/dmmf-types.test.ts:17
  const datamodel = fs.readFileSync(path.join(__dirname, 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e69e49a56d45b7e5 Filesystem access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema-mongo/dmmf-types.test.ts:21
  fs.writeFileSync(
    dmmfFile,
    `import type * as DMMF from '@prisma/dmmf'

  const dmmf: DMMF.Document = ${JSON.stringify(dmmf, null, 2)}`,
  )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #53d3a41088b65498 Filesystem access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema/common.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b5041ac5889188af Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema/common.ts:6
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #58b8da2458fcb2b9 Filesystem access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema/common.ts:20
  const generatedTypeScript = fs.readFileSync(path.join(clientDir, './node_modules/.prisma/client/index.d.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #08a71405f344418b Filesystem access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema/common.ts:21
  const generatedBrowserJS = fs.readFileSync(
    path.join(clientDir, './node_modules/.prisma/client/index-browser.js'),
    'utf-8',
  )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e98e548aac1d8f56 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema/dmmf-types.test.ts:8
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #60c350e11d77c2d3 Filesystem access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema/dmmf-types.test.ts:17
  const datamodel = fs.readFileSync(path.join(__dirname, 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8af8dcdd603b0279 Filesystem access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema/dmmf-types.test.ts:21
  fs.writeFileSync(
    dmmfFile,
    `import type * as DMMF from '@prisma/dmmf'

  const dmmf: DMMF.Document = ${JSON.stringify(dmmf, null, 2)}`,
  )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #205af53c57213b8f Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/postgres-json-list/test.ts:8
  process.env.DATABASE_URL = process.env.TEST_POSTGRES_URI!.replace('tests', 'tests-json-postgres')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #835166fb52e08357 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/postgres-json-list/test.ts:9
  await tearDownPostgres(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ab36e7a7d3f01645 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/referentialActions-onDelete-cascade-mysql/test.ts:11
    process.env.DATABASE_URL = process.env.TEST_MYSQL_URI!.replace('tests', 'tests-referentialActions-onDelete-Cascade')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2133c0ba32cf7b75 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/referentialActions-onDelete-cascade-mysql/test.ts:12
    await tearDownMysql(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1999f149a275a69f Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/referentialActions-onDelete-cascade-postgresql/test.ts:11
    process.env.DATABASE_URL = process.env.TEST_POSTGRES_URI!.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7b76b3f26b15c5f7 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/referentialActions-onDelete-cascade-postgresql/test.ts:15
    await tearDownPostgres(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #388c7ffc7088988c Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/referentialActions-onDelete-cascade-sqlserver/test.ts:9
describeIf(!process.env.TEST_SKIP_MSSQL)('referentialActions(sqlserver)', () => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9bd6ca99da869d23 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/referentialActions-onDelete-cascade-sqlserver/test.ts:11
    if (!process.env.TEST_MSSQL_JDBC_URI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ebddf9f6291217f1 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/scalar-list/test.ts:8
  process.env.DATABASE_URL = process.env.TEST_POSTGRES_URI!.replace('tests', 'tests-scalar-list-test')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a9f4bb49514ef2b1 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/scalar-list/test.ts:9
  await tearDownPostgres(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #20270fe6da111999 Filesystem access.
repo/packages/client/src/__tests__/integration/happy/sqlite-variable-limit/test.ts:5
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6d5f3d552876c38d Filesystem access.
repo/packages/client/src/__tests__/integration/happy/transaction/test.ts:3
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #db21fcbcb0f7ee6c Filesystem access.
repo/packages/client/src/__tests__/integration/happy/uncheckedScalarInputs/test.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c6c8d5294d31ed4c Filesystem access.
repo/packages/client/src/__tests__/typeDeclaration.test.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2d341ad2736b5f67 Filesystem access.
repo/packages/client/src/__tests__/typeDeclaration.test.ts:10
      const dtsContents = fs.readFileSync(path.join(runtimeDir, file), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1e8432d7abf5d541 Environment-variable access.
repo/packages/client/src/__tests__/validatePrismaClientOptions.test.ts:15
    globalEngineTypeOverride = process.env.PRISMA_CLIENT_ENGINE_TYPE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9eb721a8bc5d1e17 Environment-variable access.
repo/packages/client/src/__tests__/validatePrismaClientOptions.test.ts:16
    delete process.env.PRISMA_CLIENT_ENGINE_TYPE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #dc01aaed7e75d07b Environment-variable access.
repo/packages/client/src/__tests__/validatePrismaClientOptions.test.ts:21
      process.env.PRISMA_CLIENT_ENGINE_TYPE = globalEngineTypeOverride

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f7235d19744d1e08 Environment-variable access.
repo/packages/client/src/runtime/RequestHandler.ts:171
    if (process.env.PRISMA_CLIENT_GET_TIME) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f3c33ab4aaaafd11 Environment-variable access.
repo/packages/client/src/runtime/core/engines/accelerate/getUrlAndApiKey.ts:52
  if (process.env.TEST_CLIENT_ENGINE_REMOTE_EXECUTOR && url.searchParams.has('use_http')) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #98fcadd4940c96e7 Environment-variable access.
repo/packages/client/src/runtime/getPrismaClient.ts:463
        } else if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #41a13e2c6c69c911 Environment-variable access.
repo/packages/client/src/runtime/getPrismaClient.ts:465
        } else if (process.env.NO_COLOR) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e3c32651c9610679 Filesystem access.
repo/packages/client/src/runtime/utils/SourceFileSlice.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d786f45f29dfb92f Filesystem access.
repo/packages/client/src/runtime/utils/SourceFileSlice.ts:22
      content = fs.readFileSync(filePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0a9d4bf45616dcad Environment-variable access.
repo/packages/client/src/runtime/utils/createErrorMessageWithContext.ts:86
  if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b5feaeefd97214cf Filesystem access.
repo/packages/client/src/utils/setupMSSQL.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d79512505ba10ec2 Filesystem access.
repo/packages/client/src/utils/setupMSSQL.ts:30
  const schema = fs.readFileSync(path.join(dirname, 'setup.sql'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9e851a9d66ad0a29 Filesystem access.
repo/packages/client/src/utils/setupMysql.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9c9e9a9984b7bd21 Filesystem access.
repo/packages/client/src/utils/setupMysql.ts:14
  const schema = fs.readFileSync(path.join(dirname, 'setup.sql'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #07c3dabbe684c48e Filesystem access.
repo/packages/client/src/utils/setupPostgres.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cd6698a2cb78f636 Filesystem access.
repo/packages/client/src/utils/setupPostgres.ts:14
  const schema = fs.readFileSync(path.join(dirname, 'setup.sql'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/client-generator-js

9 low-confidence finding(s)
low env_fs production #b97cf251dc74d4f7 Filesystem access.
repo/packages/client-generator-js/src/generateClient.ts:13
import fs from 'fs/promises'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a18122baccb3e2e7 Filesystem access.
repo/packages/client-generator-js/src/generateClient.ts:378
  await fs.writeFile(schemaTargetPath, datamodel, { encoding: 'utf-8' })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #305ff0495d889bef Filesystem access.
repo/packages/client-generator-js/src/generateClient.ts:393
    await fs.writeFile(path.join(outputDir, `${filename}.wasm`), Buffer.from(wasmBase64, 'base64'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #057b961237f85668 Filesystem access.
repo/packages/client-generator-js/src/generateClient.ts:403
    await fs.writeFile(signalsPath, Date.now().toString())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4e1c97df2f817102 Filesystem access.
repo/packages/client-generator-js/src/generateClient.ts:416
        await fs.writeFile(absolutePath, content)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #da845a160db6d4ea Filesystem access.
repo/packages/client-generator-js/src/generateClient.ts:559
    content = await fs.readFile(path.join(directory, 'package.json'), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ce8876185a492d71 Filesystem access.
repo/packages/client-generator-js/src/generateClient.ts:633
        const content = await fs.readFile(sourcePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #159a8a9f980c5132 Filesystem access.
repo/packages/client-generator-js/src/generateClient.ts:634
        await fs.writeFile(targetPath, addPreamble(content))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ac9c70b797db1f26 Environment-variable access.
repo/packages/client-generator-js/src/generator.ts:80
      copyRuntimeSourceMaps: Boolean(process.env.PRISMA_COPY_RUNTIME_SOURCEMAPS),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/client-generator-ts

4 low-confidence finding(s)
low env_fs production #a4a964fc9d70dd9d Environment-variable access.
repo/packages/client-generator-ts/src/file-extensions.ts:15
  if (!recommended.includes(extension) && !process.env.PRISMA_DISABLE_WARNINGS) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #687b2a864b86ce4e Filesystem access.
repo/packages/client-generator-ts/src/generateClient.ts:245
        await fs.writeFile(absolutePath, content)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1927f296345181c4 Filesystem access.
repo/packages/client-generator-ts/src/utils/wasm.ts:125
    return fs.readFileSync(bundledLocation)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8807e8ed989bd606 Filesystem access.
repo/packages/client-generator-ts/src/utils/wasm.ts:129
    return fs.readFileSync(sourceLocation)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/config

15 low-confidence finding(s)
low env_fs test-only #bcbe1d3a1f94e7ba Environment-variable access.
repo/packages/config/src/__tests__/env.test.ts:6
const originalValue = process.env[VAR_NAME]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #29ebaa6a6970f036 Environment-variable access.
repo/packages/config/src/__tests__/env.test.ts:10
    delete process.env[VAR_NAME]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4c222d0a5a40b1d1 Environment-variable access.
repo/packages/config/src/__tests__/env.test.ts:15
      delete process.env[VAR_NAME]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7f027b0bdbb30601 Environment-variable access.
repo/packages/config/src/__tests__/env.test.ts:17
      process.env[VAR_NAME] = originalValue

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e5c69127dfeec1f1 Environment-variable access.
repo/packages/config/src/__tests__/env.test.ts:22
    process.env[VAR_NAME] = 'postgresql://example'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e2f5a7f477db2dc1 Environment-variable access.
repo/packages/config/src/__tests__/env.test.ts:34
    process.env[VAR_NAME] = ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #551d9c3a5b468e26 Environment-variable access.
repo/packages/config/src/__tests__/fixtures/loadConfigFromFile/datasource-url-undefined/prisma.config.ts:5
    url: process.env['UNDEFINED_VARIABLE'],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #86e5bfbc51f5d15a Filesystem access.
repo/packages/config/src/__tests__/fixtures/loadConfigFromFile/env-load-esm/prisma.config.ts:7
const env = await fs.readFile('.env', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0be6afb5007a2e79 Environment-variable access.
repo/packages/config/src/__tests__/fixtures/loadConfigFromFile/env-load-esm/prisma.config.ts:21
  process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ca402b06d134613f Environment-variable access.
repo/packages/config/src/__tests__/loadConfigFromFile.test.ts:742
      expect(process.env.TEST_CONNECTION_STRING).toBeUndefined()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4aea8dc791e71d96 Environment-variable access.
repo/packages/config/src/__tests__/loadConfigFromFile.test.ts:753
      expect(process.env.TEST_CONNECTION_STRING).toEqual('postgres://test-connection-string-from-env-cjs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b90ef857150a8434 Environment-variable access.
repo/packages/config/src/__tests__/loadConfigFromFile.test.ts:765
      expect(process.env.TEST_CONNECTION_STRING).toEqual('postgres://test-connection-string-from-env-esm')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a1387fae1e141040 Environment-variable access.
repo/packages/config/src/env.ts:15
  const value = process.env[name]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #431ca2c97743f069 Environment-variable access.
repo/packages/config/vitest.setup.ts:13
  process.env['JITI_ALIAS'] = JSON.stringify({

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c2111e16a46dc480 Environment-variable access.
repo/packages/config/vitest.setup.ts:19
  delete process.env['JITI_ALIAS']

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/credentials-store

4 low-confidence finding(s)
low env_fs production #3e816cb4a3bcc947 Filesystem access.
repo/packages/credentials-store/src/index.ts:1
import { chmod, mkdir, readFile, writeFile } from 'fs/promises'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1ed26194122a1001 Environment-variable access.
repo/packages/credentials-store/src/index.ts:31
      process.env.PRISMA_PLATFORM_AUTH_FILE ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3be732271ff2665e Filesystem access.
repo/packages/credentials-store/src/index.ts:38
      const content = await readFile(this.authFilePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9b5f4f8af1a9f3b1 Filesystem access.
repo/packages/credentials-store/src/index.ts:82
    await writeFile(this.authFilePath, JSON.stringify(data, null, 2), { mode: 0o600 })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/debug

35 low-confidence finding(s)
low env_fs test-only #4fba5caad9d4ebd1 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:13
  delete process.env.DEBUG

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #78633d630604273e Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:14
  delete process.env.DEBUG_COLORS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6f3d98599ffe754f Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:29
  process.env.DEBUG = 'test'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #529b834d280526e8 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:30
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e106da2c3314a7ed Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:43
  process.env.DEBUG = 'test2'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #46368a2d407f1764 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:44
  process.env.FORCE_COLOR = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #27e7c5bd33029782 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:45
  process.env.DEBUG_COLORS = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3bc3c49bbf0fbe3b Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:59
  process.env.DEBUG = 'test3:*:*:*'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8a05ce3f49babb0a Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:60
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d1ecfcfd3d806041 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:73
  process.env.DEBUG = 'test4:*:query-engine:*'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e84e0105636df9b0 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:74
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #db1d8ea3937349f5 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:89
  process.env.DEBUG = 'test5:*:*'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5272b19caa801312 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:90
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1a69b3ca2dcc1136 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:106
  process.env.DEBUG = 'test6:client:*'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d44569dee8e06370 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:107
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1756080fc08b80a8 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:122
  process.env.DEBUG = 'test7:*:*,-test7:*:*:init'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #21a2b35d2cd661f8 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:123
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #133e37c83f2cb951 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:138
  process.env.DEBUG = 'test8:*:*,-test8:*:*:init,-test8:pool:*'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4a2a02534fca7eb5 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:139
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #baf03821fc1c5b3e Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:153
  process.env.DEBUG = 'test9:client'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #45f606d60443998c Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:154
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c1a2cf7e5622eeb2 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:169
  process.env.DEBUG = 'test10:client'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #168b01d9fea5bb18 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:170
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4d960554afa5e8ba Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:195
  process.env.DEBUG = 'test11:client'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #93de80cc3722f4ee Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:196
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #911c42a06cf3be6a Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:210
  process.env.DEBUG = 'test12:client*'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #69f436f4c81852b2 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:211
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #dbee5da99a601a95 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:228
  process.env.DEBUG = 'test13:client*init'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0da40422ff81349f Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:229
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c04b630fcda87d45 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:249
  process.env.DEBUG = 'test14:*:query-engine:*,-*init,*:result'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #acc9ba9fa1a59de0 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:250
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #126fb9e449fab6f6 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:271
  process.env.DEBUG = 'test15:\\w+'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #85448929a151228d Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:272
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e9998c42edf7b2af Environment-variable access.
repo/packages/debug/src/__tests__/env-disabled.test.ts:9
    process.env.DEBUG = ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #dc6d8d147ef225b7 Environment-variable access.
repo/packages/debug/src/__tests__/env-enabled.test.ts:9
    process.env.DEBUG = 'my-namespace'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/engines

8 low-confidence finding(s)
low env_fs production #8015529eace547d8 Environment-variable access.
repo/packages/engines/src/index.ts:26
  const binaryTargets = process.env.PRISMA_CLI_BINARY_TARGETS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #106be0cca9b1b67d Environment-variable access.
repo/packages/engines/src/index.ts:27
    ? (process.env.PRISMA_CLI_BINARY_TARGETS.split(',') as BinaryTarget[])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e55b701203f0543a Filesystem access.
repo/packages/engines/src/scripts/localinstall.ts:5
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5a6cb6617c9fad3b Filesystem access.
repo/packages/engines/src/scripts/postinstall.ts:5
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #acdc18b59588dc1c Filesystem access.
repo/packages/engines/src/scripts/postinstall.ts:16
  if (fs.existsSync(lockFile) && parseInt(fs.readFileSync(lockFile, 'utf-8'), 10) > Date.now() - 20_000) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3d5c758d18e42b94 Environment-variable access.
repo/packages/engines/src/scripts/postinstall.ts:21
    if (process.env.PRISMA_CLI_BINARY_TARGETS) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ed58660cb06c28a1 Environment-variable access.
repo/packages/engines/src/scripts/postinstall.ts:22
      binaryTargets = process.env.PRISMA_CLI_BINARY_TARGETS.split(',')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #458d4b5c79a6d14d Filesystem access.
repo/packages/engines/src/scripts/postinstall.ts:43
  fs.writeFileSync(lockFile, Date.now().toString())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/get-dmmf

npm first-party
2 low-confidence finding(s)
low env_fs production #e8079e33bf79eda0 Environment-variable access.
repo/packages/get-dmmf/src/index.ts:32
    noColor: Boolean(process.env.NO_COLOR),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #490d49ccbce32812 Environment-variable access.
repo/packages/get-dmmf/src/index.ts:37
    if (process.env.FORCE_PANIC_GET_DMMF) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/get-platform

npm first-party
7 low-confidence finding(s)
low env_fs production #6e8c5913753dd0f9 Filesystem access.
repo/packages/get-platform/src/getPlatform.ts:3
import fs from 'fs/promises'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #df4f421d9ecad521 Filesystem access.
repo/packages/get-platform/src/getPlatform.ts:232
    const osReleaseInput = await fs.readFile(osReleaseFile, { encoding: 'utf-8' })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ca3cfaf6d0f6d55c Environment-variable access.
repo/packages/get-platform/src/logger.ts:7
  warn: () => !process.env.PRISMA_DISABLE_WARNINGS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9a734501896d2af2 Environment-variable access.
repo/packages/get-platform/src/test-utils/jestSnapshotSerializer.js:37
  if (process.env.TEMP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #52e60bb3f675f3cb Environment-variable access.
repo/packages/get-platform/src/test-utils/jestSnapshotSerializer.js:38
    const escapedPath = process.env.TEMP.replaceAll('\\', '\\\\')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4c957c878683a7f6 Environment-variable access.
repo/packages/get-platform/src/test-utils/vitest-snapshot-serializer.ts:38
  if (process.env.TEMP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b7feb9bcbed7b321 Environment-variable access.
repo/packages/get-platform/src/test-utils/vitest-snapshot-serializer.ts:39
    const escapedPath = process.env.TEMP.replaceAll('\\', '\\\\')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/instrumentation

npm first-party
1 low-confidence finding(s)
low env_fs production #05c847ceba4599d8 Environment-variable access.
repo/packages/instrumentation/src/ActiveTracingHelper.ts:21
const showAllTraces = process.env.PRISMA_SHOW_ALL_TRACES === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/integration-tests

npm first-party
4 low-confidence finding(s)
low env_fs test-only #1b191839e4712ef9 Environment-variable access.
repo/packages/integration-tests/src/__tests__/integration/mariadb/__database.ts:35
  const connectionString = process.env.TEST_MARIADB_URI!.replace('tests', ctx.id)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #365ea55757e34371 Environment-variable access.
repo/packages/integration-tests/src/__tests__/integration/mssql/__database.ts:34
  const serviceConnectionString = process.env.TEST_MSSQL_URI!

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #edeeae31164baccb Environment-variable access.
repo/packages/integration-tests/src/__tests__/integration/mysql/__database.ts:34
  const connectionString = process.env.TEST_MYSQL_URI!.replace('tests', ctx.id)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ecd474cb21ac24e3 Environment-variable access.
repo/packages/integration-tests/src/__tests__/integration/postgresql/__database.ts:28
  return process.env.TEST_POSTGRES_URI + `?schema=${ctx.id}&connection_limit=1`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/query-plan-executor

npm first-party
1 low-confidence finding(s)
low env_fs production #446c3b0229488144 Environment-variable access.
repo/packages/query-plan-executor/examples/server.ts:12
  const databaseUrl = process.env.TEST_POSTGRES_URI

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/schema-files-loader

npm first-party
2 low-confidence finding(s)
low env_fs production #deeaab9c4d51d5e8 Filesystem access.
repo/packages/schema-files-loader/src/resolver/realFsResolver.ts:26
    return fs.readFile(path, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #24aa0a72a479cdbe Filesystem access.
repo/packages/schema-files-loader/src/testUtils.ts:16
  return [filePath, fs.readFileSync(filePath, 'utf8')]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/type-benchmark-tests

npm first-party
2 low-confidence finding(s)
low env_fs production #3cb54136824976a1 Environment-variable access.
repo/packages/type-benchmark-tests/huge-schema/prisma.config.ts:5
    url: process.env.DATABASE_URL!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a20338ea80460c22 Environment-variable access.
repo/packages/type-benchmark-tests/lots-of-relations/prisma.config.ts:5
    url: process.env.DATABASE_URL!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

</> Dependencies

wrangler

npm dependency
high pii_flow dependency Excluded from app score #70d1bfdaf00234ab User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/templates/startDevWorker/InspectorProxyWorker.ts:306 · flow /tmp/closeopen-17zukif3/pkgs/npm/[email protected]/templates/startDevWorker/InspectorProxyWorker.ts:293 → /tmp/closeopen-17zukif3/pkgs/npm/[email protected]/templates/startDevWorker/InspectorProxyWorker.ts:306
		const upgrade = await fetch(runtimeWebSocketUrl, {
			headers: {
				...this.proxyData.headers,
				Upgrade: "websocket",
			},
			signal: this.runtimeAbortController.signal,
		});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #e69ec962354a3a51 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/wrangler-dist/InspectorProxyWorker.js:223 · flow /tmp/closeopen-17zukif3/pkgs/npm/[email protected]/wrangler-dist/InspectorProxyWorker.js:215 → /tmp/closeopen-17zukif3/pkgs/npm/[email protected]/wrangler-dist/InspectorProxyWorker.js:223
    const upgrade = await fetch(runtimeWebSocketUrl, {
      headers: {
        ...this.proxyData.headers,
        Upgrade: "websocket"
      },
      signal: this.runtimeAbortController.signal
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

esbuild

npm dependency
medium pii_flow dependency Excluded from app score #334bc22317f6c6b5 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/[email protected]/install.js:248 · flow /tmp/closeopen-17zukif3/pkgs/npm/[email protected]/install.js:29 → /tmp/closeopen-17zukif3/pkgs/npm/[email protected]/install.js:248
      console.warn(`[esbuild] Ignoring bad configuration: ESBUILD_BINARY_PATH=${ESBUILD_BINARY_PATH}`);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow dependency Excluded from app score #3699bcc814fff95c PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/[email protected]/lib/main.js:1678 · flow /tmp/closeopen-17zukif3/pkgs/npm/[email protected]/lib/main.js:1595 → /tmp/closeopen-17zukif3/pkgs/npm/[email protected]/lib/main.js:1678
      console.warn(`[esbuild] Ignoring bad configuration: ESBUILD_BINARY_PATH=${ESBUILD_BINARY_PATH}`);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

25 low-confidence finding(s)
low env_fs dependency Excluded from app score #1ba79d12fc07ee83 Filesystem access.
pkgs/npm/[email protected]/install.js:26
var fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9f85ed56ef899ab4 Environment-variable access.
pkgs/npm/[email protected]/install.js:29
var ESBUILD_BINARY_PATH = process.env.ESBUILD_BINARY_PATH || ESBUILD_BINARY_PATH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3ea7d75b3548bb19 Filesystem access.
pkgs/npm/[email protected]/install.js:88
var fs2 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #176f387351e9709d Filesystem access.
pkgs/npm/[email protected]/install.js:184
    fs2.writeFileSync(path2.join(installDir, "package.json"), "{}");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4758b3f885bd065a Filesystem access.
pkgs/npm/[email protected]/install.js:214
  fs2.writeFileSync(toPath, `#!/usr/bin/env node
require('child_process').execFileSync(${pathString}, process.argv.slice(2), { stdio: 'inherit' });
`);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e05dd4f4156dff7e Filesystem access.
pkgs/npm/[email protected]/install.js:218
  const code = fs2.readFileSync(libMain, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ba226467dbbb3e0f Filesystem access.
pkgs/npm/[email protected]/install.js:219
  fs2.writeFileSync(libMain, `var ESBUILD_BINARY_PATH = ${pathString};
${code}`);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #137384d6c00be83f Filesystem access.
pkgs/npm/[email protected]/install.js:238
    fs2.writeFileSync(binPath, extractFileFromTarGzip(await fetch(url), subpath));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1ef41587af4c7e9b Filesystem access.
pkgs/npm/[email protected]/lib/main.js:737
            fs3.readFile(response.code, (err, contents) => {
              if (err !== null) {
                callback(err, null);
              } else {
                response.code = contents;
                next();
              }
            });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #84f2352e9156c1b0 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:748
            fs3.readFile(response.map, (err, contents) => {
              if (err !== null) {
                callback(err, null);
              } else {
                response.map = contents;
                next();
              }
            });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #48cb75178f4f0e7a Filesystem access.
pkgs/npm/[email protected]/lib/main.js:774
      start = () => fs3.writeFile(input, next);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #40a4cecf4a8655e9 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:1429
            contents = streamIn.readFileSync(match[1], "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b18b1a863b6d5ee8 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:1592
var fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8aa746d9630dab8b Environment-variable access.
pkgs/npm/[email protected]/lib/main.js:1595
var ESBUILD_BINARY_PATH = process.env.ESBUILD_BINARY_PATH || ESBUILD_BINARY_PATH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #42e856767d3b4997 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:1785
var fs2 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bd4985e466fe423c Environment-variable access.
pkgs/npm/[email protected]/lib/main.js:1789
if (process.env.ESBUILD_WORKER_THREADS !== "0") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b77b21846a2a4c4c Filesystem access.
pkgs/npm/[email protected]/lib/main.js:1827
      let contents = fs2.readFileSync(tempFile, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0c13094692bdbb11 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:1840
      fs2.writeFileSync(tempFile, contents);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9bc6329312a3efc2 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:1850
      fs2.readFile(tempFile, "utf8", (err, contents) => {
        try {
          fs2.unlink(tempFile, () => callback(err, contents));
        } catch {
          callback(err, contents);
        }
      });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #92e45b009c73f7c6 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:1864
      fs2.writeFile(tempFile, contents, (err) => err !== null ? callback(null) : callback(tempFile));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #138720c8d9727d48 Environment-variable access.
pkgs/npm/[email protected]/lib/main.js:2085
    maxBuffer: +process.env.ESBUILD_MAX_BUFFER || 16 * 1024 * 1024

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

dotenv-cli

npm dependency
medium pii_flow dependency Excluded from app score #e67aaffca6c5d918 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/[email protected]/cli.js:100 · flow /tmp/closeopen-17zukif3/pkgs/npm/[email protected]/cli.js:96 → /tmp/closeopen-17zukif3/pkgs/npm/[email protected]/cli.js:100
  console.log(value != null ? value : '')

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

1 low-confidence finding(s)
low env_fs dependency Excluded from app score #38064aae5fe9b6e9 Environment-variable access.
pkgs/npm/[email protected]/cli.js:96
  let value = process.env[argv.p]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@eslint/eslintrc

npm dependency
1 low-confidence finding(s)
low env_fs dependency Excluded from app score #ab10d688b86b3399 Filesystem access.
pkgs/npm/@[email protected]/lib/config-array-factory.js:154
    return fs.readFileSync(filePath, "utf8").replace(/^\ufeff/u, "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@microsoft/api-extractor

npm dependency
7 low-confidence finding(s)
low env_fs dependency Excluded from app score #466223c354354ee5 Filesystem access.
pkgs/npm/@[email protected]/lib/analyzer/PackageMetadataManager.js:199
        node_core_library_1.FileSystem.writeFile(tsdocMetadataPath, fileContent, {
            convertLineEndings: newlineKind,
            ensureFolderExists: true
        });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3e1eb97bd2a0a007 Filesystem access.
pkgs/npm/@[email protected]/lib/api/Extractor.js:233
        node_core_library_1.FileSystem.writeFile(actualApiReportPath, actualApiReportContent, {
            ensureFolderExists: true,
            convertLineEndings: extractorConfig.newlineKind
        });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2c941d8a4dd23fdf Filesystem access.
pkgs/npm/@[email protected]/lib/api/Extractor.js:239
            const expectedApiReportContent = node_core_library_1.FileSystem.readFile(expectedApiReportPath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3db9aed694044a7b Filesystem access.
pkgs/npm/@[email protected]/lib/api/Extractor.js:252
                    node_core_library_1.FileSystem.writeFile(expectedApiReportPath, actualApiReportContent, {
                        ensureFolderExists: true,
                        convertLineEndings: extractorConfig.newlineKind
                    });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #589201942b08e0cc Filesystem access.
pkgs/npm/@[email protected]/lib/api/Extractor.js:283
                    node_core_library_1.FileSystem.writeFile(expectedApiReportPath, actualApiReportContent, {
                        convertLineEndings: extractorConfig.newlineKind
                    });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4af88e858f7f2e21 Filesystem access.
pkgs/npm/@[email protected]/lib/collector/SourceMapper.js:91
                originalFileInfo.maxColumnForLine = node_core_library_1.FileSystem.readFile(mappedFilePath, {
                    convertLineEndings: node_core_library_1.NewlineKind.Lf
                })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fa170e42d5500609 Filesystem access.
pkgs/npm/@[email protected]/lib/generators/DtsRollupGenerator.js:90
        node_core_library_1.FileSystem.writeFile(dtsFilename, writer.toString(), {
            convertLineEndings: newlineKind,
            ensureFolderExists: true
        });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@neondatabase/serverless

npm dependency
6 low-confidence finding(s)
low env_fs dependency Excluded from app score #1f6616290d7f0f48 Filesystem access.
pkgs/npm/@[email protected]/index.js:857
(t.ssl.cert=gr.readFileSync(t.sslcert).toString()),t.sslkey&&(t.ssl.key=gr.readFileSync(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #67d3db356711ac81 Filesystem access.
pkgs/npm/@[email protected]/index.js:857
(t.ssl.cert=gr.readFileSync(t.sslcert).toString()),t.sslkey&&(t.ssl.key=gr.readFileSync(
t.sslkey).toString()),t.sslrootcert&&(t.ssl.ca=gr.readFileSync(t.sslrootcert).toString()),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4e408551a7b924cf Filesystem access.
pkgs/npm/@[email protected]/index.js:858
t.sslkey).toString()),t.sslrootcert&&(t.ssl.ca=gr.readFileSync(t.sslrootcert).toString()),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d1f5494ab0086221 Filesystem access.
pkgs/npm/@[email protected]/index.mjs:857
(t.ssl.cert=mr.readFileSync(t.sslcert).toString()),t.sslkey&&(t.ssl.key=mr.readFileSync(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a9ac124ae62cd12d Filesystem access.
pkgs/npm/@[email protected]/index.mjs:857
(t.ssl.cert=mr.readFileSync(t.sslcert).toString()),t.sslkey&&(t.ssl.key=mr.readFileSync(
t.sslkey).toString()),t.sslrootcert&&(t.ssl.ca=mr.readFileSync(t.sslrootcert).toString()),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #70d41ce98f598d45 Filesystem access.
pkgs/npm/@[email protected]/index.mjs:858
t.sslkey).toString()),t.sslrootcert&&(t.ssl.ca=mr.readFileSync(t.sslrootcert).toString()),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@prisma/prisma-schema-wasm

npm dependency
2 low-confidence finding(s)
low env_fs dependency Excluded from app score #dfb40abf70cf6abe Filesystem access.
pkgs/npm/@prisma__prisma-schema-wasm@7.8.0-6.3c6e192761c0362d496ed980de936e2f3cebcd3a/src/prisma_schema_build.js:535
const wasmBytes = require('fs').readFileSync(wasmPath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@swc/core

npm dependency
14 low-confidence finding(s)
low env_fs dependency Excluded from app score #9c749bf4b98d0a07 Filesystem access.
pkgs/npm/@[email protected]/binding.js:5
const { readFileSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f78964f3f0a54c43 Filesystem access.
pkgs/npm/@[email protected]/binding.js:28
    return readFileSync('/usr/bin/ldd', 'utf-8').includes('musl')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4354e770455d2b07 Environment-variable access.
pkgs/npm/@[email protected]/binding.js:304
if (!nativeBinding || process.env.NAPI_RS_FORCE_WASI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #727986dd254759da Environment-variable access.
pkgs/npm/@[email protected]/binding.js:308
    if (process.env.NAPI_RS_FORCE_WASI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e50ed21ccdc57207 Environment-variable access.
pkgs/npm/@[email protected]/binding.js:316
      if (process.env.NAPI_RS_FORCE_WASI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b5b9d656338dbe51 Environment-variable access.
pkgs/npm/@[email protected]/index.js:54
const bindingsOverride = process.env["SWC_BINARY_PATH"];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #39366bc556a582c2 Filesystem access.
pkgs/npm/@[email protected]/postinstall.js:41
const fs_1 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #39366bc556a582c2 Filesystem access.
pkgs/npm/@[email protected]/postinstall.js:41
const fs_1 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7833ee6db06bfb03 Filesystem access.
pkgs/npm/@[email protected]/postinstall.js:45
const fs = __importStar(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a76e7c45e63fc5e4 Environment-variable access.
pkgs/npm/@[email protected]/postinstall.js:69
        const { name } = require(path.resolve(process.env.INIT_CWD, "package.json"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3f802691bfd1dcc7 Environment-variable access.
pkgs/npm/@[email protected]/postinstall.js:100
    if (!!process.env["SWC_BINARY_PATH"]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #977edfffcccb61fe Filesystem access.
pkgs/npm/@[email protected]/postinstall.js:122
        fs.writeFileSync(path.join(installDir, "package.json"), "{}");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4b642549750885af Environment-variable access.
pkgs/npm/@[email protected]/postinstall.js:128
        fs.renameSync(installedBinPath, path.resolve(process.env.INIT_CWD, "node_modules", `@swc/wasm`));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@swc/jest

npm dependency
2 low-confidence finding(s)
low env_fs dependency Excluded from app score #26fcec049f0d0808 Filesystem access.
pkgs/npm/@[email protected]/index.js:55
var fs = __importStar(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c7df414fb57c4d9b Filesystem access.
pkgs/npm/@[email protected]/index.js:106
        var options = (0, jsonc_parser_1.parse)(fs.readFileSync(swcrc, "utf-8"), errors);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@types/fs-extra

npm dependency
1 low-confidence finding(s)
low env_fs dependency Excluded from app score #f7ce5dcd5852e8a1 Filesystem access.
pkgs/npm/@[email protected]/index.d.ts:3
import * as fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

chokidar

npm dependency
16 low-confidence finding(s)
low env_fs dependency Excluded from app score #662963e4ef142faf Filesystem access.
pkgs/npm/[email protected]/esm/handler.d.ts:1
import type { WatchEventType, Stats, FSWatcher as NativeFsWatcher } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #009577b9f3690e76 Filesystem access.
pkgs/npm/[email protected]/esm/handler.js:1
import { watchFile, unwatchFile, watch as fs_watch } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7575d543897e55ed Filesystem access.
pkgs/npm/[email protected]/esm/handler.js:2
import { open, stat, lstat, realpath as fsrealpath } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #43fd7aadc4a411bc Filesystem access.
pkgs/npm/[email protected]/esm/index.d.ts:2
import { Stats } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0c5cdde37f5261b7 Filesystem access.
pkgs/npm/[email protected]/esm/index.js:2
import { stat as statcb } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3e04f8c692a157a5 Filesystem access.
pkgs/npm/[email protected]/esm/index.js:3
import { stat, readdir } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fb33026084871c73 Environment-variable access.
pkgs/npm/[email protected]/esm/index.js:260
        const envPoll = process.env.CHOKIDAR_USEPOLLING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #68b92bb090aa27a6 Environment-variable access.
pkgs/npm/[email protected]/esm/index.js:270
        const envInterval = process.env.CHOKIDAR_INTERVAL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #57adcdb87ac4f310 Filesystem access.
pkgs/npm/[email protected]/handler.d.ts:1
import type { WatchEventType, Stats, FSWatcher as NativeFsWatcher } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dc5f05b804f2a696 Filesystem access.
pkgs/npm/[email protected]/handler.js:4
const fs_1 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dc5f05b804f2a696 Filesystem access.
pkgs/npm/[email protected]/handler.js:4
const fs_1 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0bb4aa4764378379 Filesystem access.
pkgs/npm/[email protected]/index.d.ts:2
import { Stats } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7c976c78bbf74dd8 Filesystem access.
pkgs/npm/[email protected]/index.js:6
const fs_1 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7c976c78bbf74dd8 Filesystem access.
pkgs/npm/[email protected]/index.js:6
const fs_1 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2bc4f6c509efc110 Environment-variable access.
pkgs/npm/[email protected]/index.js:265
        const envPoll = process.env.CHOKIDAR_USEPOLLING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3724d20ec39c3687 Environment-variable access.
pkgs/npm/[email protected]/index.js:275
        const envInterval = process.env.CHOKIDAR_INTERVAL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

dotenv

npm dependency
20 low-confidence finding(s)
low env_fs dependency Excluded from app score #d15c657e163b23cc Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:4
if (process.env.DOTENV_CONFIG_ENCODING != null) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #adc24f2513a82322 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:5
  options.encoding = process.env.DOTENV_CONFIG_ENCODING

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #51acacd55ba771e6 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:8
if (process.env.DOTENV_CONFIG_PATH != null) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dae2533f77a8ebe0 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:9
  options.path = process.env.DOTENV_CONFIG_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #94c139d640d379ac Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:12
if (process.env.DOTENV_CONFIG_QUIET != null) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #525b949be4d76d49 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:13
  options.quiet = process.env.DOTENV_CONFIG_QUIET

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9c50de88d1345b6b Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:16
if (process.env.DOTENV_CONFIG_DEBUG != null) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #05f2465545eccef5 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:17
  options.debug = process.env.DOTENV_CONFIG_DEBUG

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3dc63bcf2f535502 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:20
if (process.env.DOTENV_CONFIG_OVERRIDE != null) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b8850c500bc09447 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:21
  options.override = process.env.DOTENV_CONFIG_OVERRIDE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4a6d682c949632a1 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:24
if (process.env.DOTENV_CONFIG_DOTENV_KEY != null) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c3c68e79475e6a28 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:25
  options.DOTENV_KEY = process.env.DOTENV_CONFIG_DOTENV_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0932f37ef51d051f Filesystem access.
pkgs/npm/[email protected]/lib/main.js:1
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0932f37ef51d051f Filesystem access.
pkgs/npm/[email protected]/lib/main.js:1
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1a1da518efca2d89 Environment-variable access.
pkgs/npm/[email protected]/lib/main.js:152
  if (process.env.DOTENV_KEY && process.env.DOTENV_KEY.length > 0) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1a1da518efca2d89 Environment-variable access.
pkgs/npm/[email protected]/lib/main.js:152
  if (process.env.DOTENV_KEY && process.env.DOTENV_KEY.length > 0) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5a02a99b3cc91edb Environment-variable access.
pkgs/npm/[email protected]/lib/main.js:153
    return process.env.DOTENV_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3628d67a851b44c1 Environment-variable access.
pkgs/npm/[email protected]/lib/main.js:232
  const debug = parseBoolean(process.env.DOTENV_CONFIG_DEBUG || (options && options.debug))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c998f7ee4e2eb4c9 Environment-variable access.
pkgs/npm/[email protected]/lib/main.js:233
  const quiet = parseBoolean(process.env.DOTENV_CONFIG_QUIET || (options && options.quiet))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #15f2407e19ece08c Filesystem access.
pkgs/npm/[email protected]/lib/main.js:288
      const parsed = DotenvModule.parse(fs.readFileSync(path, { encoding }))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

eslint

npm dependency
10 low-confidence finding(s)
low env_fs dependency Excluded from app score #5b14c24e49d05926 Filesystem access.
pkgs/npm/[email protected]/lib/cli-engine/cli-engine.js:736
            fs.writeFileSync(result.filePath, result.output);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d0adb47edffbf0a0 Filesystem access.
pkgs/npm/[email protected]/lib/cli-engine/cli-engine.js:846
                text: fs.readFileSync(filePath, "utf8"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #89a23549cc863fd1 Filesystem access.
pkgs/npm/[email protected]/lib/cli-engine/lint-result-cache.js:149
            results.source = fs.readFileSync(filePath, "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e9f2be0404d57ada Filesystem access.
pkgs/npm/[email protected]/lib/eslint/eslint.js:560
                .map(r => fs.writeFile(r.filePath, r.output))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #50c3656f2273efa8 Filesystem access.
pkgs/npm/[email protected]/lib/eslint/eslint.js:806
                return retrier.retry(() => fs.readFile(filePath, { encoding: "utf8", signal: controller.signal })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3d529b5191fbded8 Environment-variable access.
pkgs/npm/[email protected]/lib/eslint/eslint.js:1113
    return (process.env.ESLINT_USE_FLAT_CONFIG !== "false");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4f1a9acdd4a95182 Environment-variable access.
pkgs/npm/[email protected]/lib/linter/timing.js:44
const enabled = !!process.env.TIMING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #08230e0b203a0c90 Environment-variable access.
pkgs/npm/[email protected]/lib/linter/timing.js:56
    if (typeof process.env.TIMING !== "string") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e17edd27f69bbae3 Environment-variable access.
pkgs/npm/[email protected]/lib/linter/timing.js:60
    if (process.env.TIMING.toLowerCase() === "all") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9c50ea0df2c62c8b Environment-variable access.
pkgs/npm/[email protected]/lib/linter/timing.js:64
    const TIMING_ENV_VAR_AS_INTEGER = Number.parseInt(process.env.TIMING, 10);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

eslint-config-prettier

npm dependency
2 low-confidence finding(s)
low env_fs dependency Excluded from app score #ea70af3f4a9e3b88 Environment-variable access.
pkgs/npm/[email protected]/bin/cli.js:45
      switch (process.env.ESLINT_USE_FLAT_CONFIG) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fb6732238d369130 Environment-variable access.
pkgs/npm/[email protected]/index.js:3
const includeDeprecated = !process.env.ESLINT_CONFIG_PRETTIER_NO_DEPRECATED;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

eslint-plugin-import-x

npm dependency
3 low-confidence finding(s)
low env_fs dependency Excluded from app score #483beeb305c7da69 Filesystem access.
pkgs/npm/[email protected]/lib/rules/no-extraneous-dependencies.js:18
        return JSON.parse(node_fs_1.default.readFileSync(jsonPath, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e746c719f7f54fcc Filesystem access.
pkgs/npm/[email protected]/lib/utils/export-map.js:58
        const content = node_fs_1.default.readFileSync(filepath, { encoding: 'utf8' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7cc9455a8d703cad Filesystem access.
pkgs/npm/[email protected]/lib/utils/read-pkg-up.js:17
            pkg: JSON.parse(stripBOM(node_fs_1.default.readFileSync(fp, { encoding: 'utf8' }))),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

eslint-plugin-jest

npm dependency
2 low-confidence finding(s)
low env_fs dependency Excluded from app score #1bf90e8b121c7d9e Filesystem access.
pkgs/npm/[email protected]/lib/index.js:3
var _fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1bf90e8b121c7d9e Filesystem access.
pkgs/npm/[email protected]/lib/index.js:3
var _fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

execa

npm dependency
1 low-confidence finding(s)
low env_fs dependency Excluded from app score #a6e82b319c947e8c Filesystem access.
pkgs/npm/[email protected]/lib/stream.js:19
	return readFileSync(inputFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

fast-glob

npm dependency
4 low-confidence finding(s)
low env_fs dependency Excluded from app score #622b67efb8fcd946 Filesystem access.
pkgs/npm/[email protected]/out/readers/reader.d.ts:2
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b47600d4580f9bc1 Filesystem access.
pkgs/npm/[email protected]/out/settings.js:4
const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b47600d4580f9bc1 Filesystem access.
pkgs/npm/[email protected]/out/settings.js:4
const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #04be0c73ff8d5218 Filesystem access.
pkgs/npm/[email protected]/out/utils/fs.d.ts:2
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

fs-extra

npm dependency
5 low-confidence finding(s)
low env_fs dependency Excluded from app score #bfe14891140f35c2 Filesystem access.
pkgs/npm/[email protected]/lib/ensure/file.js:24
      await fs.writeFile(file, '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0190c28ecfd42d6a Filesystem access.
pkgs/npm/[email protected]/lib/ensure/file.js:32
    await fs.writeFile(file, '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #620bf91a4c0619b1 Filesystem access.
pkgs/npm/[email protected]/lib/ensure/file.js:60
  fs.writeFileSync(file, '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e7ed520534fd64fa Filesystem access.
pkgs/npm/[email protected]/lib/output-file/index.js:16
  return fs.writeFile(file, data, encoding)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d2ef9ede06481022 Filesystem access.
pkgs/npm/[email protected]/lib/output-file/index.js:25
  fs.writeFileSync(file, ...args)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

fs-jetpack

npm dependency
17 low-confidence finding(s)
low env_fs dependency Excluded from app score #986e2c8fdda51486 Filesystem access.
pkgs/npm/[email protected]/lib/copy.js:100
  const data = fs.readFileSync(srcPath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b7a69829b09b789a Filesystem access.
pkgs/npm/[email protected]/lib/copy.js:102
    fs.writeFileSync(destPath, data, { mode, flag: "wx" });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1a88826c8f1a1323 Filesystem access.
pkgs/npm/[email protected]/lib/copy.js:108
        fs.writeFileSync(destPath, data, { mode });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cf1014d07af1481c Filesystem access.
pkgs/npm/[email protected]/lib/inspect.js:88
  const data = fs.readFileSync(path);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b13dba341bf4d3fb Filesystem access.
pkgs/npm/[email protected]/lib/read.js:60
    data = fs.readFileSync(path, { encoding });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6068fe210847d975 Filesystem access.
pkgs/npm/[email protected]/lib/read.js:95
    fs.readFile(path, { encoding })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #433df9a3435f1979 Filesystem access.
pkgs/npm/[email protected]/lib/streams.js:3
const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #433df9a3435f1979 Filesystem access.
pkgs/npm/[email protected]/lib/streams.js:3
const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #143fffb2831a2567 Filesystem access.
pkgs/npm/[email protected]/lib/utils/fs.js:5
const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #143fffb2831a2567 Filesystem access.
pkgs/npm/[email protected]/lib/utils/fs.js:5
const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #02d644aefb71948d Filesystem access.
pkgs/npm/[email protected]/lib/utils/tree_walker.js:3
const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #02d644aefb71948d Filesystem access.
pkgs/npm/[email protected]/lib/utils/tree_walker.js:3
const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9bc1dda26ef1a30b Filesystem access.
pkgs/npm/[email protected]/lib/write.js:46
    fs.writeFileSync(path, data, options);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3d97ce8e67ce4e99 Filesystem access.
pkgs/npm/[email protected]/lib/write.js:51
      fs.writeFileSync(path, data, options);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bef92d4343e6f8b9 Filesystem access.
pkgs/npm/[email protected]/lib/write.js:84
    fs.writeFile(path, data, options)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #da6750337e3c45a4 Filesystem access.
pkgs/npm/[email protected]/lib/write.js:94
              return fs.writeFile(path, data, options);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1f824ea18797f9e9 Filesystem access.
pkgs/npm/[email protected]/types.d.ts:5
import * as fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

globby

npm dependency
5 low-confidence finding(s)
low env_fs dependency Excluded from app score #e240f00fc39e776c Filesystem access.
pkgs/npm/[email protected]/gitignore.js:3
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e240f00fc39e776c Filesystem access.
pkgs/npm/[email protected]/gitignore.js:3
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2295af5b5086f073 Filesystem access.
pkgs/npm/[email protected]/gitignore.js:78
	const content = fs.readFileSync(filePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #40c3035e98e0c65e Filesystem access.
pkgs/npm/[email protected]/index.js:2
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #40c3035e98e0c65e Filesystem access.
pkgs/npm/[email protected]/index.js:2
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

graphviz-mit

npm dependency
4 low-confidence finding(s)
low env_fs dependency Excluded from app score #92f721c7f2098bcd Filesystem access.
pkgs/npm/[email protected]/lib/deps/core_ext/fs-ext.js:1
var fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #92f721c7f2098bcd Filesystem access.
pkgs/npm/[email protected]/lib/deps/core_ext/fs-ext.js:1
var fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e3da4dd456b9ec88 Filesystem access.
pkgs/npm/[email protected]/lib/graphviz.js:4
var path = require('path'),
  spawn = require('child_process').spawn,
  temp = require('temp'),
  which = require('which'),
  fs = require('fs'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ef83ae0a9e480dc2 Filesystem access.
pkgs/npm/[email protected]/lib/graphviz.js:8
  fs = require('fs'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

husky

npm dependency
9 low-confidence finding(s)
low env_fs dependency Excluded from app score #e17d073cdafb47da Filesystem access.
pkgs/npm/[email protected]/bin.js:2
import f, { writeFileSync as w } from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ba207820577c910c Filesystem access.
pkgs/npm/[email protected]/bin.js:12
	s = f.readFileSync(n)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e7a187df461c3c4c Filesystem access.
pkgs/npm/[email protected]/bin.js:15
	w(n, JSON.stringify(o, 0, /\t/.test(s) ? '\t' : 2) + '\n')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #43023c89b7517dc0 Filesystem access.
pkgs/npm/[email protected]/bin.js:18
	w('.husky/pre-commit', (p.env.npm_config_user_agent?.split('/')[0] ?? 'npm') + ' test\n')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #23d923f27853cc2a Filesystem access.
pkgs/npm/[email protected]/index.js:2
import f, { readdir, writeFileSync as w } from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #14e0e951de4dc0d7 Environment-variable access.
pkgs/npm/[email protected]/index.js:9
	if (process.env.HUSKY === '0') return 'HUSKY=0 skip install'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4737a1e9b1f1bbe1 Filesystem access.
pkgs/npm/[email protected]/index.js:20
	w(_('.gitignore'), '*')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #049570c6ad51e2c3 Filesystem access.
pkgs/npm/[email protected]/index.js:22
	l.forEach(h => w(_(h), `#!/usr/bin/env sh\n. "\$(dirname "\$0")/h"`, { mode: 0o755 }))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e52512fe34d4692b Filesystem access.
pkgs/npm/[email protected]/index.js:23
	w(_('husky.sh'), msg)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

jest-junit

npm dependency
9 low-confidence finding(s)
low env_fs dependency Excluded from app score #7cd36a88a1be4988 Filesystem access.
pkgs/npm/[email protected]/index.js:5
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7cd36a88a1be4988 Filesystem access.
pkgs/npm/[email protected]/index.js:5
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4e0d0375d27a6ec0 Filesystem access.
pkgs/npm/[email protected]/index.js:38
  fs.writeFileSync(outputPath, xml(jsonResults, { indent: '  ', declaration: true }));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f8a57abcbdbfef29 Filesystem access.
pkgs/npm/[email protected]/utils/buildJsonResults.js:6
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f8a57abcbdbfef29 Filesystem access.
pkgs/npm/[email protected]/utils/buildJsonResults.js:6
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8fd6e8d0ac4d48ce Filesystem access.
pkgs/npm/[email protected]/utils/getOptions.js:4
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8fd6e8d0ac4d48ce Filesystem access.
pkgs/npm/[email protected]/utils/getOptions.js:4
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #618fdc949ffe1e1a Environment-variable access.
pkgs/npm/[email protected]/utils/getOptions.js:15
    if (process.env[name]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1682cfd534a3ca4f Environment-variable access.
pkgs/npm/[email protected]/utils/getOptions.js:16
      options[constants.ENVIRONMENT_CONFIG_MAP[name]] = process.env[name];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

lint-staged

npm dependency
17 low-confidence finding(s)
low env_fs dependency Excluded from app score #8988063fb25c0535 Environment-variable access.
pkgs/npm/[email protected]/bin/lint-staged.js:16
  process.env.FORCE_COLOR = supportsColor.level.toString()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ae393f602b486fbe Filesystem access.
pkgs/npm/[email protected]/lib/file.js:16
    return await fs.readFile(filename)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #28ebd76404e12038 Filesystem access.
pkgs/npm/[email protected]/lib/file.js:52
  await fs.writeFile(filename, buffer)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #026f22d11ded8e60 Filesystem access.
pkgs/npm/[email protected]/lib/gitWorkflow.js:134
      readFile(this.mergeHeadFilename).then((buffer) => (this.mergeHeadBuffer = buffer)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1fc4450470333dea Filesystem access.
pkgs/npm/[email protected]/lib/gitWorkflow.js:135
      readFile(this.mergeModeFilename).then((buffer) => (this.mergeModeBuffer = buffer)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5ac4873a326c98e3 Filesystem access.
pkgs/npm/[email protected]/lib/gitWorkflow.js:136
      readFile(this.mergeMsgFilename).then((buffer) => (this.mergeMsgBuffer = buffer)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fd348044c8454f80 Filesystem access.
pkgs/npm/[email protected]/lib/gitWorkflow.js:148
        this.mergeHeadBuffer && writeFile(this.mergeHeadFilename, this.mergeHeadBuffer),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dccf47559b53ecc8 Filesystem access.
pkgs/npm/[email protected]/lib/gitWorkflow.js:149
        this.mergeModeBuffer && writeFile(this.mergeModeFilename, this.mergeModeBuffer),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #83f65374092e4c08 Filesystem access.
pkgs/npm/[email protected]/lib/gitWorkflow.js:150
        this.mergeMsgBuffer && writeFile(this.mergeMsgFilename, this.mergeMsgBuffer),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e9c68e1797b43a68 Environment-variable access.
pkgs/npm/[email protected]/lib/index.js:124
  debugLog('Unset GIT_LITERAL_PATHSPECS (was `%s`)', process.env.GIT_LITERAL_PATHSPECS)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #50d2957c727a5842 Environment-variable access.
pkgs/npm/[email protected]/lib/index.js:125
  delete process.env.GIT_LITERAL_PATHSPECS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dd957609f981a067 Filesystem access.
pkgs/npm/[email protected]/lib/loadConfig.js:74
  return fs.readFile(absolutePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #32a7524ff6c8f2f7 Environment-variable access.
pkgs/npm/[email protected]/lib/resolveGitRepo.js:48
    debugLog('Unset GIT_DIR (was `%s`)', process.env.GIT_DIR)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f72ef5ede0af9dc3 Environment-variable access.
pkgs/npm/[email protected]/lib/resolveGitRepo.js:49
    delete process.env.GIT_DIR

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5c530771b529689b Environment-variable access.
pkgs/npm/[email protected]/lib/resolveGitRepo.js:50
    debugLog('Unset GIT_WORK_TREE (was `%s`)', process.env.GIT_WORK_TREE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1b07628f492c5f04 Environment-variable access.
pkgs/npm/[email protected]/lib/resolveGitRepo.js:51
    delete process.env.GIT_WORK_TREE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ed643c5ce62a69b3 Filesystem access.
pkgs/npm/[email protected]/lib/version.js:4
  const packageJson = JSON.parse(await fs.readFile(new URL('../package.json', import.meta.url)))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

mariadb

npm dependency
10 low-confidence finding(s)
low env_fs dependency Excluded from app score #7b1f360f0216434e Filesystem access.
pkgs/npm/[email protected]/lib/cmd/handshake/auth/caching-sha2-password-auth.js:5
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7b1f360f0216434e Filesystem access.
pkgs/npm/[email protected]/lib/cmd/handshake/auth/caching-sha2-password-auth.js:5
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #96a47d3a46b0f526 Filesystem access.
pkgs/npm/[email protected]/lib/cmd/handshake/auth/caching-sha2-password-auth.js:75
                  key = fs.readFileSync(key, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9feda9e1a388f9c2 Filesystem access.
pkgs/npm/[email protected]/lib/cmd/handshake/auth/sha256-password-auth.js:5
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9feda9e1a388f9c2 Filesystem access.
pkgs/npm/[email protected]/lib/cmd/handshake/auth/sha256-password-auth.js:5
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9fb01d17e6ea002e Filesystem access.
pkgs/npm/[email protected]/lib/cmd/handshake/auth/sha256-password-auth.js:52
              key = fs.readFileSync(key, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5fe9f4a4c5a8cca2 Filesystem access.
pkgs/npm/[email protected]/lib/cmd/parser.js:10
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5fe9f4a4c5a8cca2 Filesystem access.
pkgs/npm/[email protected]/lib/cmd/parser.js:10
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d71e0a8be18fb316 Environment-variable access.
pkgs/npm/[email protected]/lib/config/connection-options.js:30
    this.user = opts.user || process.env.USERNAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8168d0a8c8ea6d3c Filesystem access.
pkgs/npm/[email protected]/lib/connection.js:35
const fsPromises = require('fs').promises;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

mysql2

npm dependency
1 low-confidence finding(s)
low env_fs dependency Excluded from app score #74981bea948eb087 Environment-variable access.
pkgs/npm/[email protected]/lib/packets/index.js:58
  if (process.env.NODE_DEBUG) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

pg

npm dependency
7 low-confidence finding(s)
low env_fs dependency Excluded from app score #072518966645a27a Environment-variable access.
pkgs/npm/[email protected]/lib/connection-parameters.js:15
    envVar = process.env['PG' + key.toUpperCase()]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #32a1829956918227 Environment-variable access.
pkgs/npm/[email protected]/lib/connection-parameters.js:19
    envVar = process.env[envVar]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c83c63f292094f88 Environment-variable access.
pkgs/npm/[email protected]/lib/connection-parameters.js:26
  switch (process.env.PGSSLMODE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ff3f4abdcd2f5915 Environment-variable access.
pkgs/npm/[email protected]/lib/connection-parameters.js:127
      this.connect_timeout = process.env.PGCONNECT_TIMEOUT || 0

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4b29e106b2e1527d Environment-variable access.
pkgs/npm/[email protected]/lib/defaults.js:5
  user = process.platform === 'win32' ? process.env.USERNAME : process.env.USER

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4b29e106b2e1527d Environment-variable access.
pkgs/npm/[email protected]/lib/defaults.js:5
  user = process.platform === 'win32' ? process.env.USERNAME : process.env.USER

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #33b21bb4fbf67ab7 Environment-variable access.
pkgs/npm/[email protected]/lib/index.js:41
  forceNative = !!process.env.NODE_PG_FORCE_NATIVE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

postgres

npm dependency
15 low-confidence finding(s)
low env_fs dependency Excluded from app score #89b05f11b2207796 Filesystem access.
pkgs/npm/[email protected]/cf/src/index.js:133
        fs.readFile(path, 'utf8', (err, string) => {
          if (err)
            return query.reject(err)

          query.strings = [string]
          handler(query)
        })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bd690bbfdd3ca93b Environment-variable access.
pkgs/npm/[email protected]/cf/src/index.js:565
    return process.env.USERNAME || process.env.USER || process.env.LOGNAME  // eslint-disable-line

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bd690bbfdd3ca93b Environment-variable access.
pkgs/npm/[email protected]/cf/src/index.js:565
    return process.env.USERNAME || process.env.USER || process.env.LOGNAME  // eslint-disable-line

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bd690bbfdd3ca93b Environment-variable access.
pkgs/npm/[email protected]/cf/src/index.js:565
    return process.env.USERNAME || process.env.USER || process.env.LOGNAME  // eslint-disable-line

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dc1af16bcfce4516 Filesystem access.
pkgs/npm/[email protected]/cjs/src/index.js:2
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dc1af16bcfce4516 Filesystem access.
pkgs/npm/[email protected]/cjs/src/index.js:2
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6c63478855b71509 Filesystem access.
pkgs/npm/[email protected]/cjs/src/index.js:132
        fs.readFile(path, 'utf8', (err, string) => {
          if (err)
            return query.reject(err)

          query.strings = [string]
          handler(query)
        })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #85acc85638dbf679 Environment-variable access.
pkgs/npm/[email protected]/cjs/src/index.js:564
    return process.env.USERNAME || process.env.USER || process.env.LOGNAME  // eslint-disable-line

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #85acc85638dbf679 Environment-variable access.
pkgs/npm/[email protected]/cjs/src/index.js:564
    return process.env.USERNAME || process.env.USER || process.env.LOGNAME  // eslint-disable-line

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #85acc85638dbf679 Environment-variable access.
pkgs/npm/[email protected]/cjs/src/index.js:564
    return process.env.USERNAME || process.env.USER || process.env.LOGNAME  // eslint-disable-line

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c1395a3e82c15b91 Filesystem access.
pkgs/npm/[email protected]/src/index.js:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #10e7ffc01718e96f Filesystem access.
pkgs/npm/[email protected]/src/index.js:132
        fs.readFile(path, 'utf8', (err, string) => {
          if (err)
            return query.reject(err)

          query.strings = [string]
          handler(query)
        })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0c41a26ffa846497 Environment-variable access.
pkgs/npm/[email protected]/src/index.js:564
    return process.env.USERNAME || process.env.USER || process.env.LOGNAME  // eslint-disable-line

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0c41a26ffa846497 Environment-variable access.
pkgs/npm/[email protected]/src/index.js:564
    return process.env.USERNAME || process.env.USER || process.env.LOGNAME  // eslint-disable-line

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0c41a26ffa846497 Environment-variable access.
pkgs/npm/[email protected]/src/index.js:564
    return process.env.USERNAME || process.env.USER || process.env.LOGNAME  // eslint-disable-line

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

prettier

npm dependency
75 low-confidence finding(s)
low env_fs dependency Excluded from app score #2e7ff56741f933ad Environment-variable access.
pkgs/npm/[email protected]/bin/prettier.cjs:66
if (process.env.PRETTIER_EXPERIMENTAL_CLI || index !== -1) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1e209c1d4cb1b570 Environment-variable access.
pkgs/npm/[email protected]/index.mjs:5619
    var debug = typeof process === "object" && process.env && process.env.NODE_DEBUG && /\bsemver\b/i.test(process.env.NODE_DEBUG) ? (...args) => console.error("SEMVER", ...args) : () => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1e209c1d4cb1b570 Environment-variable access.
pkgs/npm/[email protected]/index.mjs:5619
    var debug = typeof process === "object" && process.env && process.env.NODE_DEBUG && /\bsemver\b/i.test(process.env.NODE_DEBUG) ? (...args) => console.error("SEMVER", ...args) : () => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6cd20ed34b39a69a Environment-variable access.
pkgs/npm/[email protected]/index.mjs:6165
    if (process.env.npm_package_name === "pseudomap" && process.env.npm_lifecycle_script === "test")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6cd20ed34b39a69a Environment-variable access.
pkgs/npm/[email protected]/index.mjs:6165
    if (process.env.npm_package_name === "pseudomap" && process.env.npm_lifecycle_script === "test")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0846bb982d750523 Environment-variable access.
pkgs/npm/[email protected]/index.mjs:6166
      process.env.TEST_PSEUDOMAP = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8f81df5fc7aab935 Environment-variable access.
pkgs/npm/[email protected]/index.mjs:6167
    if (typeof Map === "function" && !process.env.TEST_PSEUDOMAP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #502755806347a554 Environment-variable access.
pkgs/npm/[email protected]/index.mjs:6509
    var hasSymbol = typeof Symbol === "function" && process.env._nodeLRUCacheForceNoSymbol !== "1";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9690ebd8183c0322 Filesystem access.
pkgs/npm/[email protected]/index.mjs:7644
            fs4.readFile(file, "utf8", function(err, data) {
              if (err) {
                reject(err);
                return;
              }
              resolve3(parseString2(data));
            });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #66797dc073ec64ea Filesystem access.
pkgs/npm/[email protected]/index.mjs:7657
      return parseString2(fs4.readFileSync(file, "utf8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8b01439ef0885174 Filesystem access.
pkgs/npm/[email protected]/index.mjs:7993
              fs4.readFile(name, "utf8", function(err, data) {
                resolve3({
                  name,
                  contents: err ? "" : data
                });
              });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c3db47ec5ff6a743 Filesystem access.
pkgs/npm/[email protected]/index.mjs:8009
          file = fs4.readFileSync(filepath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #11c5f4753c79843a Environment-variable access.
pkgs/npm/[email protected]/index.mjs:8284
      return typeof process === "object" && (process.env.FORCE_COLOR === "0" || process.env.FORCE_COLOR === "false") ? false : picocolors5.isColorSupported;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #11c5f4753c79843a Environment-variable access.
pkgs/npm/[email protected]/index.mjs:8284
      return typeof process === "object" && (process.env.FORCE_COLOR === "0" || process.env.FORCE_COLOR === "false") ? false : picocolors5.isColorSupported;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9df7f5c58927c11f Filesystem access.
pkgs/npm/[email protected]/index.mjs:10300
import * as fs from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #72a358a51e93ff55 Filesystem access.
pkgs/npm/[email protected]/index.mjs:12225
import fs2 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1cf27c9d834f5027 Filesystem access.
pkgs/npm/[email protected]/index.mjs:12231
    return await fs2.readFile(file, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c4544bf89b1cb745 Filesystem access.
pkgs/npm/[email protected]/index.mjs:12382
import { statSync, realpathSync } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3382f0520c5376c8 Filesystem access.
pkgs/npm/[email protected]/index.mjs:12392
import fs3 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5493a00a468ef90e Filesystem access.
pkgs/npm/[email protected]/index.mjs:12744
    string = fs3.readFileSync(path6.toNamespacedPath(jsonPath), "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #acb9491971999e06 Environment-variable access.
pkgs/npm/[email protected]/index.mjs:16787
      if (process.env.PRETTIER_DEBUG) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6c16681d56130381 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:12
import fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #22ec5c549159132e Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:395
  return dist_default.retry.readFile(timeout)(filePath, options);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1559856253a7a7eb Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:510
import { statSync, realpathSync } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5c937b50dcd24210 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:520
import fs2 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ea07335f73395df2 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:872
    string2 = fs2.readFileSync(path3.toNamespacedPath(jsonPath), "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #921a1cb86baa76c2 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:1848
import fs3 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #45d00adcf70f88ff Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:1925
          const content = fs3.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4eba0fa2735fc2e4 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:1931
          return fs3.writeFileSync(filePath, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #63bf86f6af2efe26 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:55
import fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f181747fdb22e890 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:97
import fs2 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2396090f9a5310b6 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:108
      const buffer2 = attempt(() => fs2.readFileSync(path17), Buffer2.alloc(0));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4108f4abafe2e57e Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:117
import fs3 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #85017d07e96b2c67 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:615
import fs4 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #18db8cad3a867a86 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:630
              const content = fs4.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ba7acdb62901f04e Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:636
              return fs4.writeFileSync(filePath, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7b3ec9a746b01de1 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:2563
import fs5 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #628f5a61087e9626 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:2573
    string2 = fs5.readFileSync(path4.toNamespacedPath(jsonPath), "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6864d8fada9c70ba Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:2761
import { statSync, realpathSync } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f853bd174425bf6f Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:3621
import fs6 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #92c3db83415698b0 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:4668
import fs7 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6e1c9f8329044a93 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:5612
import fs8 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #95f568539b1eb797 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:5638
          const store = JSON.parse(fs8.readFileSync(this.storePath, "utf8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #766c204cacda67d7 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:5653
          fs8.writeFileSync(this.storePath, store);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #098b7141c3498c31 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:5669
          const content = fs8.readFileSync(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7b6a87e54a8efe1e Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:6237
import fs9 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d216f1b5b7c9fed5 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:6251
        return fs9.readFile(filePath, "utf8").then(parse_default).catch(noop2);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #51a8700b3414722d Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:6574
import fs10 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4f00dc29e3bd2ca0 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:6586
      return fs10.readFile(filePath, "utf8").catch(noop2);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c8b02006ef2a2715 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:11280
import fs11 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3118143e367cd0b5 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:11302
        const fileContent = fs11.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #29bf8db7c314fd68 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:11307
        const fileContent = fs11.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #38580de87a3c36d7 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:11313
        const fileBuffer = fs11.readFileSync(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4f14914a6507fd12 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:11329
        const fileContent = fs11.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e2e01df92a2e2c34 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:11335
        const fileContent = fs11.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1bbbf5668a047a25 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:12191
import fs12 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e1a308d9e4857025 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:12388
  return dist_default36.retry.readFile(timeout)(filePath, options);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0b9879014421e52a Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:13152
import fs13 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #396b9a55943fafce Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:13220
  const ignoreManualFilesContents = await Promise.all(ignoreManualFilesPaths.map((filePath) => fs13.readFile(filePath, "utf8").catch(() => "")));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #24945d17785e2a43 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:13225
  const prettierManualFilesContents = await Promise.all(prettierManualFilesPaths.map((filePath) => fs13.readFile(filePath, "utf8")));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ee11809acc0539c8 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1190
import fs from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ee44c83d2116912a Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1481
import fs9 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3fd0a53f37ffafe2 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1690
import fs4 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ada588eb18a4af2a Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1698
import fs3 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a40b48af9ffb31fb Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1706
import fs2 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aee2ce84b862c763 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1800
    const data = await fs4.readFile(cacheFile, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #38b8484edbbf7845 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1818
import fs7 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #77a840b06076ca88 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1822
import fs6 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fe1741a994e4b7b4 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1827
import fs5 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0492352d2a83e3a0 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:2921
      const data = fs5.readFileSync(pathToFile, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1e08ce401f992737 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:3061
        fs5.writeFileSync(filePath, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #49a28a13ec33fa1e Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:3391
        const buffer = fs6.readFileSync(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3247525854114c2f Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:3635
import fs8 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1813e656fa2b86d4 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:3897
  writeFormattedFile: (file, data) => fs8.writeFile(file, data)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e0050d3dd5f39071 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:4253
      input = await fs9.readFile(filename, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

resolve

npm dependency
12 low-confidence finding(s)
low env_fs dependency Excluded from app score #5f5f7ca71fe339a8 Filesystem access.
pkgs/npm/[email protected]/lib/async.js:1
var fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5f5f7ca71fe339a8 Filesystem access.
pkgs/npm/[email protected]/lib/async.js:1
var fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0de2877e0e7ec459 Environment-variable access.
pkgs/npm/[email protected]/lib/homedir.js:8
    var home = process.env.HOME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aaaf481bafb8d46e Environment-variable access.
pkgs/npm/[email protected]/lib/homedir.js:9
    var user = process.env.LOGNAME || process.env.USER || process.env.LNAME || process.env.USERNAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aaaf481bafb8d46e Environment-variable access.
pkgs/npm/[email protected]/lib/homedir.js:9
    var user = process.env.LOGNAME || process.env.USER || process.env.LNAME || process.env.USERNAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aaaf481bafb8d46e Environment-variable access.
pkgs/npm/[email protected]/lib/homedir.js:9
    var user = process.env.LOGNAME || process.env.USER || process.env.LNAME || process.env.USERNAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aaaf481bafb8d46e Environment-variable access.
pkgs/npm/[email protected]/lib/homedir.js:9
    var user = process.env.LOGNAME || process.env.USER || process.env.LNAME || process.env.USERNAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #76f069448cb2a660 Environment-variable access.
pkgs/npm/[email protected]/lib/homedir.js:12
        return process.env.USERPROFILE || process.env.HOMEDRIVE + process.env.HOMEPATH || home || null;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #76f069448cb2a660 Environment-variable access.
pkgs/npm/[email protected]/lib/homedir.js:12
        return process.env.USERPROFILE || process.env.HOMEDRIVE + process.env.HOMEPATH || home || null;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #76f069448cb2a660 Environment-variable access.
pkgs/npm/[email protected]/lib/homedir.js:12
        return process.env.USERPROFILE || process.env.HOMEDRIVE + process.env.HOMEPATH || home || null;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #de3a5699d24245c8 Filesystem access.
pkgs/npm/[email protected]/lib/sync.js:2
var fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #de3a5699d24245c8 Filesystem access.
pkgs/npm/[email protected]/lib/sync.js:2
var fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

semver

npm dependency
2 low-confidence finding(s)
low env_fs dependency Excluded from app score #78b0d438f8b605b8 Environment-variable access.
pkgs/npm/[email protected]/internal/debug.js:4
  process.env.NODE_DEBUG &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #85ef9715bcd2ae93 Environment-variable access.
pkgs/npm/[email protected]/internal/debug.js:5
  /\bsemver\b/i.test(process.env.NODE_DEBUG)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

size-limit

npm dependency
2 low-confidence finding(s)
low env_fs dependency Excluded from app score #8c32980925efda02 Filesystem access.
pkgs/npm/[email protected]/process-import.js:24
  await writeFile(entry, loader)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e5a8794b1f8f063c Filesystem access.
pkgs/npm/[email protected]/read-pkg-up.js:7
  return JSON.parse(await readFile(filePath, 'utf8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

staged-git-files

npm dependency
4 low-confidence finding(s)
low env_fs dependency Excluded from app score #0c37444eec5e3b27 Filesystem access.
pkgs/npm/[email protected]/index.js:2
var fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0c37444eec5e3b27 Filesystem access.
pkgs/npm/[email protected]/index.js:2
var fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8c9c6a76525bc88f Filesystem access.
pkgs/npm/[email protected]/index.js:91
    fs.readFile(sgf.cwd + "/" + filename, options, callback);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #48525d8a8b136fbc Filesystem access.
pkgs/npm/[email protected]/index.js:182
                    result.content = fs.readFileSync(sgf.cwd + "/" + result.filename, {
                        encoding: "utf8"
                    });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

tempy

npm dependency
3 low-confidence finding(s)
low env_fs dependency Excluded from app score #33442221e2fca37c Filesystem access.
pkgs/npm/[email protected]/index.js:2
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #33442221e2fca37c Filesystem access.
pkgs/npm/[email protected]/index.js:2
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #79c0f0042091fb64 Filesystem access.
pkgs/npm/[email protected]/index.js:66
	fs.writeFileSync(filename, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

ts-node

npm dependency
9 low-confidence finding(s)
low env_fs dependency Excluded from app score #52f690ebb592a7dd Filesystem access.
pkgs/npm/[email protected]/dist-raw/node-internal-modules-cjs-loader.js:27
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #52f690ebb592a7dd Filesystem access.
pkgs/npm/[email protected]/dist-raw/node-internal-modules-cjs-loader.js:27
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ce8431d514419a47 Filesystem access.
pkgs/npm/[email protected]/dist-raw/node-internal-modules-esm-resolve.js:39
const {
  realpathSync,
  statSync,
  Stats,
} = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #46677bbb94d3914c Filesystem access.
pkgs/npm/[email protected]/dist-raw/node-internal-modules-esm-resolve.js:43
} = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #97de27aed7d0fc14 Filesystem access.
pkgs/npm/[email protected]/dist-raw/node-internalBinding-fs.js:1
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #97de27aed7d0fc14 Filesystem access.
pkgs/npm/[email protected]/dist-raw/node-internalBinding-fs.js:1
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e168eb120cb0a39e Filesystem access.
pkgs/npm/[email protected]/dist-raw/node-internalBinding-fs.js:13
    string = fs.readFileSync(path, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0978720242731822 Environment-variable access.
pkgs/npm/[email protected]/dist-raw/node-options.js:48
  const envArgv = ParseNodeOptionsEnvVar(process.env.NODE_OPTIONS || '', errors);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6204273226194c93 Environment-variable access.
pkgs/npm/[email protected]/dist-raw/node-options.js:99
  if(process.env.NODE_PENDING_DEPRECATION === '1') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

typescript

npm dependency
2 low-confidence finding(s)
low env_fs dependency Excluded from app score #898859412584133b Filesystem access.
pkgs/npm/[email protected]/lib/cancellationToken.js:42
var fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #94600bc3c602cd4d Filesystem access.
pkgs/npm/[email protected]/lib/watchGuard.js:42
var fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

undici

npm dependency
14 low-confidence finding(s)
low env_fs dependency Excluded from app score #620df2766afff1ba Environment-variable access.
pkgs/npm/[email protected]/lib/core/connect.js:21
if (global.FinalizationRegistry && !(process.env.NODE_V8_COVERAGE || process.env.UNDICI_NO_FG)) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #620df2766afff1ba Environment-variable access.
pkgs/npm/[email protected]/lib/core/connect.js:21
if (global.FinalizationRegistry && !(process.env.NODE_V8_COVERAGE || process.env.UNDICI_NO_FG)) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #045b44023e000856 Environment-variable access.
pkgs/npm/[email protected]/lib/dispatcher/client-h1.js:64
  const llhttpWasmData = process.env.JEST_WORKER_ID ? require('../llhttp/llhttp-wasm.js') : undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #daf9eab593393157 Environment-variable access.
pkgs/npm/[email protected]/lib/dispatcher/env-http-proxy-agent.js:26
    const HTTP_PROXY = httpProxy ?? process.env.http_proxy ?? process.env.HTTP_PROXY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #daf9eab593393157 Environment-variable access.
pkgs/npm/[email protected]/lib/dispatcher/env-http-proxy-agent.js:26
    const HTTP_PROXY = httpProxy ?? process.env.http_proxy ?? process.env.HTTP_PROXY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #149510cb54c5664f Environment-variable access.
pkgs/npm/[email protected]/lib/dispatcher/env-http-proxy-agent.js:33
    const HTTPS_PROXY = httpsProxy ?? process.env.https_proxy ?? process.env.HTTPS_PROXY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #149510cb54c5664f Environment-variable access.
pkgs/npm/[email protected]/lib/dispatcher/env-http-proxy-agent.js:33
    const HTTPS_PROXY = httpsProxy ?? process.env.https_proxy ?? process.env.HTTPS_PROXY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aa0f453756c5e434 Environment-variable access.
pkgs/npm/[email protected]/lib/dispatcher/env-http-proxy-agent.js:147
    return process.env.no_proxy ?? process.env.NO_PROXY ?? ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aa0f453756c5e434 Environment-variable access.
pkgs/npm/[email protected]/lib/dispatcher/env-http-proxy-agent.js:147
    return process.env.no_proxy ?? process.env.NO_PROXY ?? ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #654003d190a37525 Environment-variable access.
pkgs/npm/[email protected]/lib/mock/pending-interceptors-formatter.js:23
        colors: !disableColors && !process.env.CI

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d8b23d8e66c437d5 Environment-variable access.
pkgs/npm/[email protected]/lib/web/fetch/dispatcher-weakref.js:38
  if (process.env.NODE_V8_COVERAGE && process.version.startsWith('v18')) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #d5e948587e3c89dc Filesystem access.
pkgs/npm/[email protected]/scripts/strip-comments.js:7
  ? transcode(readFileSync('./undici-fetch.js'), 'utf8', 'latin1')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #3466de486d15dfc3 Filesystem access.
pkgs/npm/[email protected]/scripts/strip-comments.js:8
  : readFileSync('./undici-fetch.js')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #580ae990b20085fe Filesystem access.
pkgs/npm/[email protected]/scripts/strip-comments.js:10
writeFileSync('./undici-fetch.js', buffer.toString('latin1'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

Skipped dependencies

Production

  • @prisma/debug prod — dist-only: no readable source
  • @prisma/driver-adapter-utils prod — dist-only: no readable source
  • c12 prod — dist-only: no readable source
  • deepmerge-ts prod — dist-only: no readable source
  • @prisma/dmmf prod — dist-only: no readable source
  • @planetscale/database prod — dist-only: no readable source
  • @prisma/client-common prod — dist-only: no readable source
  • @prisma/fetch-engine prod — dist-only: no readable source
  • @prisma/generator prod — dist-only: no readable source
  • @prisma/param-graph-builder prod — dist-only: no readable source
  • @prisma/ts-builders prod — dist-only: no readable source
  • @prisma/internals prod — dist-only: no readable source
  • get-tsconfig prod — dist-only: no readable source
  • ts-pattern prod — dist-only: no readable source
  • xdg-app-paths prod — dist-only: no readable source
  • @prisma/config prod — dist-only: no readable source
  • @prisma/dev prod — dist-only: no readable source
  • @prisma/studio-core prod — dist-only: no readable source
  • mssql prod — scan budget exceeded
  • pg-types prod — scan budget exceeded
  • @prisma/ppg prod — scan budget exceeded
  • @bugsnag/cuid prod — scan budget exceeded
  • @paralleldrive/cuid2 prod — scan budget exceeded
  • @prisma/client-runtime-utils prod — scan budget exceeded
  • @prisma/sqlcommenter prod — scan budget exceeded
  • @prisma/param-graph prod — scan budget exceeded
  • @prisma/json-protocol prod — scan budget exceeded
  • nanoid prod — scan budget exceeded
  • ulid prod — scan budget exceeded
  • uuid prod — scan budget exceeded
  • @ark/attest prod — scan budget exceeded
  • @prisma/adapter-d1 prod — scan budget exceeded
  • @prisma/adapter-neon prod — scan budget exceeded
  • @prisma/adapter-planetscale prod — scan budget exceeded
  • prisma prod — scan budget exceeded
  • @opentelemetry/instrumentation prod — scan budget exceeded
  • @prisma/client-generator-js prod — scan budget exceeded
  • @prisma/client-generator-ts prod — scan budget exceeded

Development

  • @slack/webhook dev — dist-only: no readable source
  • @typescript-eslint/parser dev — dist-only: no readable source
  • @typescript-eslint/utils dev — dist-only: no readable source
  • @vitest/coverage-v8 dev — dist-only: no readable source
  • batching-toposort dev — dist-only: no readable source
  • prettier2 dev — registry 404
  • spdx-exceptions dev — no javascript source
  • spdx-license-ids dev — no javascript source
  • tsx dev — dist-only: no readable source
  • turbo dev — no javascript source
  • @prisma/get-platform dev — dist-only: no readable source
  • @hono/node-server dev — dist-only: no readable source
  • @hono/zod-validator dev — dist-only: no readable source
  • @prisma/adapter-pg dev — dist-only: no readable source
  • @prisma/adapter-mariadb dev — dist-only: no readable source
  • @prisma/adapter-mssql dev — dist-only: no readable source
  • @prisma/client-engine-runtime dev — dist-only: no readable source
  • hono dev — dist-only: no readable source
  • @codspeed/benchmark.js-plugin dev — dist-only: no readable source
  • @inquirer/prompts dev — scan budget exceeded
  • @modelcontextprotocol/sdk dev — scan budget exceeded
  • @prisma/adapter-libsql dev — scan budget exceeded
  • @prisma/client dev — scan budget exceeded
  • @prisma/client-generator-registry dev — scan budget exceeded
  • @prisma/credentials-store dev — scan budget exceeded
  • @prisma/management-api-sdk dev — scan budget exceeded
  • @prisma/migrate dev — scan budget exceeded
  • @types/better-sqlite3 dev — scan budget exceeded
  • @types/react dev — scan budget exceeded
  • @types/react-dom dev — scan budget exceeded
  • async-listen dev — scan budget exceeded
  • better-sqlite3 dev — scan budget exceeded
  • checkpoint-client dev — scan budget exceeded
  • get-port-please dev — scan budget exceeded
  • jest dev — scan budget exceeded
  • line-replace dev — scan budget exceeded
  • log-update dev — scan budget exceeded
  • node-fetch dev — scan budget exceeded
  • npm-packlist dev — scan budget exceeded
  • ohash dev — scan budget exceeded
  • open dev — scan budget exceeded
  • openapi-fetch dev — scan budget exceeded
  • openapi-typescript dev — scan budget exceeded
  • ora dev — scan budget exceeded
  • pathe dev — scan budget exceeded
  • react dev — scan budget exceeded
  • react-dom dev — scan budget exceeded
  • resolve-pkg dev — scan budget exceeded
  • std-env dev — scan budget exceeded
  • strip-ansi dev — scan budget exceeded
  • webpack dev — scan budget exceeded
  • @types/mssql dev — scan budget exceeded
  • @prisma/get-dmmf dev — scan budget exceeded
  • @swc-node/register dev — scan budget exceeded
  • @types/cross-spawn dev — scan budget exceeded
  • cross-spawn dev — scan budget exceeded
  • fast-check dev — scan budget exceeded
  • @prisma/instrumentation-contract dev — scan budget exceeded
  • @faker-js/faker dev — scan budget exceeded
  • @fast-check/jest dev — scan budget exceeded
  • @jest/create-cache-key-function dev — scan budget exceeded
  • @jest/globals dev — scan budget exceeded
  • @jest/test-sequencer dev — scan budget exceeded
  • @opentelemetry/resources dev — scan budget exceeded
  • @opentelemetry/semantic-conventions dev — scan budget exceeded
  • @prisma/adapter-better-sqlite3 dev — scan budget exceeded
  • @prisma/generator-helper dev — scan budget exceeded