Close Open Privacy Scan

bolt Snapshot: commit 252d77e
science engine v2
schedule 2026-07-04T16:14:01.588654+00:00

verified_user Application data leak confirmed

High-confidence data exfiltration identified in application code.

App Privacy Score

37 /100
High privacy risk — application leak confirmed

High risk · 588 finding(s)

Dependency score: 37 (High risk)

bar_chart Score Breakdown

pii_flow −60
env_fs −3

list Scan Summary

10 high 0 medium 578 low
First-party packages: 8
Dependency packages: 36
Ecosystem: npm

swap_horiz Confirmed data exfiltration in application code

high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nuxt/src/app/components/nuxt-island.ts:105 repo/packages/nuxt/src/app/components/nuxt-island.ts:220
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/scripts/release.ts:35 repo/scripts/release.ts:44
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/scripts/release.ts:35 repo/scripts/release.ts:55
high first-party (npm): packages/nuxt User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nuxt/src/app/components/nuxt-island.ts:105 repo/packages/nuxt/src/app/components/nuxt-island.ts:220
hub Dependency data flows (6)
high pkg-pr-new dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/index.ts:42 pkgs/npm/[email protected]/index.ts:215
high pkg-pr-new dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/index.ts:42 pkgs/npm/[email protected]/index.ts:317
high pkg-pr-new dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/index.ts:42 pkgs/npm/[email protected]/index.ts:523
high pkg-pr-new dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/index.ts:42 pkgs/npm/[email protected]/index.ts:549
high pkg-pr-new dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/index.ts:42 pkgs/npm/[email protected]/index.ts:568
high pkg-pr-new dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/index.ts:42 pkgs/npm/[email protected]/index.ts:590

</> First-Party Code

first-party (npm)

npm first-party
high pii_flow production #15f45937dfdf6ddc User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nuxt/src/app/components/nuxt-island.ts:220 · flow /tmp/closeopen-fiaor0c7/repo/packages/nuxt/src/app/components/nuxt-island.ts:105 → /tmp/closeopen-fiaor0c7/repo/packages/nuxt/src/app/components/nuxt-island.ts:220
      const r = await fetch(withQuery(((import.meta.dev && import.meta.client) || props.source) ? url : joinURL(config.app.baseURL ?? '', url), {
        ...props.context,
        props: props.props ? serializedProps.value : undefined,
      }))

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #db24e69f203090d9 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/scripts/release.ts:44 · flow /tmp/closeopen-fiaor0c7/repo/scripts/release.ts:35 → /tmp/closeopen-fiaor0c7/repo/scripts/release.ts:44
  const idTokenResponse = await fetch(idTokenUrl, {
    headers: { authorization: `Bearer ${requestToken}` },
  })

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #1add424904625668 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/scripts/release.ts:55 · flow /tmp/closeopen-fiaor0c7/repo/scripts/release.ts:35 → /tmp/closeopen-fiaor0c7/repo/scripts/release.ts:55
  const exchangeResponse = await fetch(exchangeUrl, {
    method: 'POST',
    headers: { authorization: `Bearer ${idToken}` },
  })

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 93 low-confidence finding(s)
low env_fs production #3040c31307019328 Environment-variable access.
repo/nuxt.config.ts:10
      if (!process.env.DOCS_TYPECHECK) { return }

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3041f63670040844 Environment-variable access.
repo/nuxt.config.ts:51
  pages: process.env.DOCS_TYPECHECK === 'true',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #40f4bac677e04175 Environment-variable access.
repo/nuxt.config.ts:61
    shim: process.env.DOCS_TYPECHECK === 'true',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b28534c6c27451b5 Filesystem access.
repo/packages/kit/src/ignore.ts:66
    const contents = readFileSync(nuxtignoreFile, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7c79c529256914de Filesystem access.
repo/packages/kit/src/module/install.test.ts:16
    await writeFile(join(prereleaseModule, 'package.json'), JSON.stringify({
      name: 'prerelease-module',
      version: '2.0.0-beta.1',
      type: 'module',
      exports: './index.js',
    }))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cb2f6a65894bf856 Filesystem access.
repo/packages/kit/src/module/install.test.ts:22
    await writeFile(join(prereleaseModule, 'index.js'), `
export default Object.assign(() => {}, {
  getMeta: () => ({
    name: 'prerelease-module',
    configKey: 'prereleaseModule'
  })
})
    `)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b43a59d6d20eb2b4 Filesystem access.
repo/packages/kit/src/module/install.ts:337
      buildTimeModuleMeta = JSON.parse(await fsp.readFile(moduleMetadataPath, 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #335ac3f279bd30e4 Environment-variable access.
repo/packages/kit/src/runtime-config.ts:20
    envExpansion: nuxt.options.nitro.experimental?.envExpansion ?? !!process.env.NITRO_ENV_EXPANSION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9fe07c6692d1b370 Filesystem access.
repo/packages/kit/src/template.ts:652
    fsp.writeFile(appTsConfigPath, JSON.stringify(tsConfig, null, 2)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2d5fbb0c164570ba Filesystem access.
repo/packages/kit/src/template.ts:653
    fsp.writeFile(legacyTsConfigPath, JSON.stringify(legacyTsConfig, null, 2)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aff3508e2c1d0542 Filesystem access.
repo/packages/kit/src/template.ts:654
    fsp.writeFile(nodeTsConfigPath, JSON.stringify(nodeTsConfig, null, 2)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3320c585127d95d6 Filesystem access.
repo/packages/kit/src/template.ts:655
    fsp.writeFile(sharedTsConfigPath, JSON.stringify(sharedTsConfig, null, 2)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4511ee872a3ac8a8 Filesystem access.
repo/packages/kit/src/template.ts:656
    fsp.writeFile(declarationPath, declaration),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #521381e3e2063b4f Filesystem access.
repo/packages/kit/src/template.ts:657
    fsp.writeFile(nodeDeclarationPath, nodeDeclaration),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5a1149878fc4a007 Filesystem access.
repo/packages/kit/src/template.ts:658
    fsp.writeFile(sharedDeclarationPath, sharedDeclaration),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #16cf7daef2141e66 Filesystem access.
repo/packages/nitro-server/src/index.ts:461
        await fsp.writeFile(join(tempDir, `meta/${buildId}.json`), JSON.stringify({}))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f3c4fa53acacff11 Filesystem access.
repo/packages/nitro-server/src/index.ts:494
        await fsp.writeFile(join(tempDir, 'latest.json'), JSON.stringify({
          id: buildId,
          timestamp: buildTimestamp,
        }))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #46afb52a573b7452 Filesystem access.
repo/packages/nitro-server/src/index.ts:498
        await fsp.writeFile(join(tempDir, `meta/${buildId}.json`), JSON.stringify(manifest))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bd89b43d2e941931 Filesystem access.
repo/packages/nitro-server/src/index.ts:882
    let projectConfiguration = await readFile(join(cacheDir, 'chrome-workspace.json'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #45638ffd8ca2ae64 Filesystem access.
repo/packages/nitro-server/src/index.ts:889
      await writeFile(join(cacheDir, 'chrome-workspace.json'), JSON.stringify(projectConfiguration), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1145bf0fab92ea80 Filesystem access.
repo/packages/nitro-server/src/index.ts:993
          nitro.options.virtual['#build/dist/server/server.mjs'] = () => memfs.readFileSync(join(nuxt.options.buildDir, 'dist/server/server.mjs'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d892f05373132224 Filesystem access.
repo/packages/nitro-server/src/index.ts:1108
      return readFileSync(spaLoadingTemplate, 'utf-8').trim()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c503dcad88c6ce3b Environment-variable access.
repo/packages/nitro-server/src/runtime/utils/renderer/build-files.ts:73
    if (import.meta.dev && process.env.NUXT_VITE_NODE_OPTIONS) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d5a9cd7c8f5466df Filesystem access.
repo/packages/nuxt/src/compiler/module.ts:118
          const contents = await readFile(filePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8cb3c1c94e84ed92 Filesystem access.
repo/packages/nuxt/src/compiler/module.ts:173
          contents = await readFile(absolutePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ce3420b05830293a Filesystem access.
repo/packages/nuxt/src/core/app.ts:98
      writes.push(() => writeFileSync(fullPath, contents, 'utf8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e1ca5e8b0fd8f844 Filesystem access.
repo/packages/nuxt/src/core/app.ts:125
      return await fsp.readFile(template.src, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5e4e979a54c3760a Filesystem access.
repo/packages/nuxt/src/core/app.ts:258
      const code = nuxt.vfs[plugin.src] ?? await fsp.readFile(plugin.src!, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fb405eb355437607 Filesystem access.
repo/packages/nuxt/src/core/cache.ts:52
      await writeFile(buildIdCacheFile, nuxt.options.buildId)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #99a4f7805f30a472 Filesystem access.
repo/packages/nuxt/src/core/cache.ts:86
  const cachedBuildId = (await readFile(buildIdCacheFile, 'utf-8')).trim()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1bd450949fbe73c5 Filesystem access.
repo/packages/nuxt/src/core/cache.ts:246
    const data = await fd.readFile()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bd8d98f6d3f3fbdb Filesystem access.
repo/packages/nuxt/src/core/cache.ts:280
  const files = parseTar(await readFile(cacheFile))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e53082bfb5d3cb28 Filesystem access.
repo/packages/nuxt/src/core/cache.ts:306
      await fd.writeFile(file.data!)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c56a808aef0cfb1d Filesystem access.
repo/packages/nuxt/src/core/cache.ts:323
  await writeFile(cacheFile, tarData)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6b7ab48ffd7a7ef7 Environment-variable access.
repo/packages/nuxt/src/core/nuxt.ts:891
  if (options.telemetry !== false && !process.env.NUXT_TELEMETRY_DISABLED) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #87d64a2a17d07a78 Environment-variable access.
repo/packages/nuxt/src/core/perf.ts:141
const SLOW_HOOK_THRESHOLD_MS = Number(process.env.NUXT_PERF_SLOW_HOOK_MS) || 50

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7d25cc2397060053 Filesystem access.
repo/packages/nuxt/src/core/perf.ts:707
      writeFileSync(reportPath, JSON.stringify(report, null, 2), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9ee2f547de582ea7 Filesystem access.
repo/packages/nuxt/src/core/perf.ts:708
      writeFileSync(tracePath, JSON.stringify({ traceEvents: this.getTraceEvents() }), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #46e8157c22308016 Filesystem access.
repo/packages/nuxt/src/core/schema.ts:150
      await writeFile(
        resolve(nuxt.options.buildDir, 'schema/nuxt.schema.json'),
        JSON.stringify(schema, null, 2),
        'utf8',
      )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #50fb5c6e9fca3e07 Filesystem access.
repo/packages/nuxt/src/core/schema.ts:180
      await writeFile(typesPath, types, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dd65e78e031da206 Environment-variable access.
repo/packages/nuxt/src/core/utils/proxy.ts:13
    = process.env.https_proxy

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7843aea9040d9c70 Environment-variable access.
repo/packages/nuxt/src/core/utils/proxy.ts:14
      || process.env.HTTPS_PROXY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d491bd3f600bd6e3 Environment-variable access.
repo/packages/nuxt/src/core/utils/proxy.ts:15
      || process.env.http_proxy

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ca00625b55a455b7 Environment-variable access.
repo/packages/nuxt/src/core/utils/proxy.ts:16
      || process.env.HTTP_PROXY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2f7149f25de3ba4e Filesystem access.
repo/packages/nuxt/src/pages/module.ts:313
        const dts = await readFile(declarationFile, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #be9c7379686321a8 Filesystem access.
repo/packages/nuxt/src/pages/utils.ts:164
      const fileContent = vfs[route.file] ?? fs.readFileSync(ctx.fullyResolvedPaths?.has(route.file) ? route.file : await resolvePath(route.file), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fb943c757917e8db Environment-variable access.
repo/packages/schema/src/config/app.ts:33
        return process.env.NUXT_APP_BASE_URL || '/'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8af9ea2e79738206 Environment-variable access.
repo/packages/schema/src/config/app.ts:41
        return process.env.NUXT_APP_BUILD_ASSETS_DIR || '/_nuxt/'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f1c5d890609787d2 Environment-variable access.
repo/packages/schema/src/config/app.ts:50
        return process.env.NUXT_APP_CDN_URL || (typeof val === 'string' ? val : '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ef5c9d6b4abeb67f Environment-variable access.
repo/packages/schema/src/config/common.ts:142
          perf: process.env.NUXT_DEBUG_PERF === 'quiet' ? 'quiet' : true,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ebaeffe85616b3af Environment-variable access.
repo/packages/schema/src/config/common.ts:147
        if (process.env.NUXT_DEBUG_PERF) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c5aa0e624412f7aa Environment-variable access.
repo/packages/schema/src/config/common.ts:148
          (val as NuxtDebugOptions).perf = process.env.NUXT_DEBUG_PERF === 'quiet' ? 'quiet' : true

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1b6fe0fb7f290baa Environment-variable access.
repo/packages/schema/src/config/common.ts:153
      if (process.env.NUXT_DEBUG_PERF) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3384ea98fe974b1f Environment-variable access.
repo/packages/schema/src/config/common.ts:154
        const perf: boolean | 'quiet' = process.env.NUXT_DEBUG_PERF === 'quiet' ? 'quiet' : true

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #22d21a16ba92c635 Environment-variable access.
repo/packages/schema/src/config/dev.ts:8
    port: Number(process.env.NUXT_PORT || process.env.NITRO_PORT || process.env.PORT || 3000),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #be6c96d7ce0084fe Environment-variable access.
repo/packages/schema/src/config/dev.ts:9
    host: process.env.NUXT_HOST || process.env.NITRO_HOST || process.env.HOST || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ccce5e777711a6cb Filesystem access.
repo/packages/ui-templates/lib/dev.ts:27
      const contents = await fsp.readFile(r(page, 'index.html'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #12aefb6593d37417 Filesystem access.
repo/packages/ui-templates/lib/dev.ts:29
      const messages = JSON.parse(await fsp.readFile(r(page, 'messages.json'), 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c382cff33f408dd3 Filesystem access.
repo/packages/ui-templates/lib/prerender.ts:16
    await fsp.writeFile(file.replace('.js', '/index.html'), updated)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0527af2b2a540d3f Filesystem access.
repo/packages/ui-templates/lib/render.ts:47
        let html = readFileSync(fileName, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #213071474148a328 Filesystem access.
repo/packages/ui-templates/lib/render.ts:68
          const svg = readFileSync(join(outputDir, src), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #99abe0b86ee818f5 Filesystem access.
repo/packages/ui-templates/lib/render.ts:83
          let contents = readFileSync(join(outputDir, src), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #caf4974e5eedca72 Filesystem access.
repo/packages/ui-templates/lib/render.ts:99
        const messages = JSON.parse(readFileSync(r(`templates/${templateName}/messages.json`), 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a98189a66d7f2e97 Filesystem access.
repo/packages/ui-templates/lib/render.ts:193
        writeFileSync(fileName.replace('/index.html', '.ts'), functionalCode)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bce77f8303a58fa3 Filesystem access.
repo/packages/ui-templates/lib/render.ts:194
        writeFileSync(fileName.replace('/index.html', '.vue'), vueCode)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd8e355f72d0f84a Environment-variable access.
repo/packages/ui-templates/vite.config.ts:18
    outDir: process.env.OUTPUT_DIR || 'dist',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #be5d551e9d25d96f Filesystem access.
repo/packages/vite/src/plugins/client-manifest.ts:73
      const clientManifest = nuxt.options.dev ? devClientManifest : JSON.parse(readFileSync(manifestFile, 'utf-8')) as ViteClientManifest

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #63263cd7ab288742 Filesystem access.
repo/packages/vite/src/plugins/client-manifest.ts:106
          await writeFile(resolve(serverDist, 'client.manifest.mjs'), manifestCode, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #15daa3c68f604cca Filesystem access.
repo/packages/vite/src/plugins/client-manifest.ts:107
          await writeFile(resolve(serverDist, 'client.precomputed.mjs'), precomputedCode, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1166be83d4e62a8d Filesystem access.
repo/packages/vite/src/plugins/sourcemap-preserver.ts:29
          readFile(id, 'utf-8').catch(() => undefined),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b4d0cde1c5bcd520 Filesystem access.
repo/packages/vite/src/plugins/sourcemap-preserver.ts:30
          readFile(id + '.map.json', 'utf-8').catch(() => undefined),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6f81080a7a807c0c Filesystem access.
repo/packages/vite/src/plugins/sourcemap-preserver.ts:71
        await writeFile(dest, JSON.stringify({
          file: chunk.map.file,
          mappings: chunk.map.mappings,
          names: chunk.map.names,
          sources: chunk.map.sources,
          sourcesContent: chunk.map.sourcesContent,
          version: chunk.map.version,
        }))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5baea86996cef83e Environment-variable access.
repo/packages/vite/src/plugins/vite-node.ts:342
        process.env.NUXT_VITE_NODE_OPTIONS = JSON.stringify(viteNodeServerOptions)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6afc7d16488864b4 Environment-variable access.
repo/packages/vite/src/utils/logger.ts:45
    if (typeof msg === 'string' && !process.env.DEBUG) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4d06b13080f72c87 Filesystem access.
repo/packages/vite/src/utils/transpile.test.ts:16
    await writeFile(join(fixtureDir, 'app/app.vue'), '<template><div/></template>')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bd72def7b65557a4 Filesystem access.
repo/packages/vite/src/utils/transpile.test.ts:17
    await writeFile(join(fixtureDir, 'nuxt.config.ts'), `
export default defineNuxtConfig({
  modules: [
    (_, nuxt) => {
      nuxt.options.build.transpile.push('my-async-package')
    },
  ],
})
`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #52e6e546b23736f8 Environment-variable access.
repo/packages/vite/src/vite-node.ts:9
  const envVar = process.env.NUXT_VITE_NODE_OPTIONS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8502126017926f8f Filesystem access.
repo/packages/webpack/src/plugins/ssr-styles.ts:51
    const src = readFileSync(filePath, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #64acdd3db71ad54f Filesystem access.
repo/packages/webpack/src/plugins/vue/client.ts:170
        await writeFile(join(this.serverDist, 'client.manifest.mjs'), this.manifestCode, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3287b9672d18fec9 Filesystem access.
repo/packages/webpack/src/plugins/vue/client.ts:171
        await writeFile(join(this.serverDist, 'client.precomputed.mjs'), this.precomputedCode, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #af48e4eb9500e67a Filesystem access.
repo/scripts/_utils.ts:21
  const data = JSON.parse(await fsp.readFile(pkgPath, 'utf-8').catch(() => '{}'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6b08ca9e3ae09bb8 Filesystem access.
repo/scripts/_utils.ts:22
  const save = () => fsp.writeFile(pkgPath, JSON.stringify(data, null, 2) + '\n')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #299f9b20009eaf2f Environment-variable access.
repo/scripts/_utils.ts:172
        'Authorization': `token ${process.env.GITHUB_TOKEN}`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #61d739709a7ab695 Filesystem access.
repo/scripts/release.ts:24
  return JSON.parse(readFileSync(pkgPath, 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e8bacd4d8e7269f4 Environment-variable access.
repo/scripts/release.ts:35
  const requestUrl = process.env.ACTIONS_ID_TOKEN_REQUEST_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #36068ab3407f4b5b Environment-variable access.
repo/scripts/release.ts:36
  const requestToken = process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9f55f2bc2ce9d48f Environment-variable access.
repo/scripts/release.ts:97
  const tagsInput = process.env.TAG || 'latest'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0dc89b54fb84aa80 Filesystem access.
repo/scripts/release.ts:122
    const originalReadme = readFileSync('README.md', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #180144d304cb5f28 Filesystem access.
repo/scripts/release.ts:127
    writeFileSync('README.md', readme)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ecfba4a51fedd8d4 Filesystem access.
repo/scripts/release.ts:184
    writeFileSync('README.md', originalReadme)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #06d4e1c8e434765d Environment-variable access.
repo/scripts/update-changelog.ts:73
        Authorization: `token ${process.env.GITHUB_TOKEN}`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #672609453071c484 Environment-variable access.
repo/scripts/update-changelog.ts:89
      Authorization: `token ${process.env.GITHUB_TOKEN}`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e7b12b9e823076c6 Environment-variable access.
repo/vitest.config.ts:20
    appManifest: process.env.TEST_MANIFEST !== 'manifest-off',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/nuxt

npm first-party
high pii_flow production #15f45937dfdf6ddc User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nuxt/src/app/components/nuxt-island.ts:220 · flow /tmp/closeopen-fiaor0c7/repo/packages/nuxt/src/app/components/nuxt-island.ts:105 → /tmp/closeopen-fiaor0c7/repo/packages/nuxt/src/app/components/nuxt-island.ts:220
      const r = await fetch(withQuery(((import.meta.dev && import.meta.client) || props.source) ? url : joinURL(config.app.baseURL ?? '', url), {
        ...props.context,
        props: props.props ? serializedProps.value : undefined,
      }))

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 23 low-confidence finding(s)
low env_fs production #d5a9cd7c8f5466df Filesystem access.
repo/packages/nuxt/src/compiler/module.ts:118
          const contents = await readFile(filePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8cb3c1c94e84ed92 Filesystem access.
repo/packages/nuxt/src/compiler/module.ts:173
          contents = await readFile(absolutePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ce3420b05830293a Filesystem access.
repo/packages/nuxt/src/core/app.ts:98
      writes.push(() => writeFileSync(fullPath, contents, 'utf8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e1ca5e8b0fd8f844 Filesystem access.
repo/packages/nuxt/src/core/app.ts:125
      return await fsp.readFile(template.src, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5e4e979a54c3760a Filesystem access.
repo/packages/nuxt/src/core/app.ts:258
      const code = nuxt.vfs[plugin.src] ?? await fsp.readFile(plugin.src!, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fb405eb355437607 Filesystem access.
repo/packages/nuxt/src/core/cache.ts:52
      await writeFile(buildIdCacheFile, nuxt.options.buildId)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #99a4f7805f30a472 Filesystem access.
repo/packages/nuxt/src/core/cache.ts:86
  const cachedBuildId = (await readFile(buildIdCacheFile, 'utf-8')).trim()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1bd450949fbe73c5 Filesystem access.
repo/packages/nuxt/src/core/cache.ts:246
    const data = await fd.readFile()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bd8d98f6d3f3fbdb Filesystem access.
repo/packages/nuxt/src/core/cache.ts:280
  const files = parseTar(await readFile(cacheFile))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e53082bfb5d3cb28 Filesystem access.
repo/packages/nuxt/src/core/cache.ts:306
      await fd.writeFile(file.data!)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c56a808aef0cfb1d Filesystem access.
repo/packages/nuxt/src/core/cache.ts:323
  await writeFile(cacheFile, tarData)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6b7ab48ffd7a7ef7 Environment-variable access.
repo/packages/nuxt/src/core/nuxt.ts:891
  if (options.telemetry !== false && !process.env.NUXT_TELEMETRY_DISABLED) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #87d64a2a17d07a78 Environment-variable access.
repo/packages/nuxt/src/core/perf.ts:141
const SLOW_HOOK_THRESHOLD_MS = Number(process.env.NUXT_PERF_SLOW_HOOK_MS) || 50

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7d25cc2397060053 Filesystem access.
repo/packages/nuxt/src/core/perf.ts:707
      writeFileSync(reportPath, JSON.stringify(report, null, 2), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9ee2f547de582ea7 Filesystem access.
repo/packages/nuxt/src/core/perf.ts:708
      writeFileSync(tracePath, JSON.stringify({ traceEvents: this.getTraceEvents() }), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #46e8157c22308016 Filesystem access.
repo/packages/nuxt/src/core/schema.ts:150
      await writeFile(
        resolve(nuxt.options.buildDir, 'schema/nuxt.schema.json'),
        JSON.stringify(schema, null, 2),
        'utf8',
      )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #50fb5c6e9fca3e07 Filesystem access.
repo/packages/nuxt/src/core/schema.ts:180
      await writeFile(typesPath, types, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dd65e78e031da206 Environment-variable access.
repo/packages/nuxt/src/core/utils/proxy.ts:13
    = process.env.https_proxy

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7843aea9040d9c70 Environment-variable access.
repo/packages/nuxt/src/core/utils/proxy.ts:14
      || process.env.HTTPS_PROXY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d491bd3f600bd6e3 Environment-variable access.
repo/packages/nuxt/src/core/utils/proxy.ts:15
      || process.env.http_proxy

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ca00625b55a455b7 Environment-variable access.
repo/packages/nuxt/src/core/utils/proxy.ts:16
      || process.env.HTTP_PROXY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2f7149f25de3ba4e Filesystem access.
repo/packages/nuxt/src/pages/module.ts:313
        const dts = await readFile(declarationFile, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #be9c7379686321a8 Filesystem access.
repo/packages/nuxt/src/pages/utils.ts:164
      const fileContent = vfs[route.file] ?? fs.readFileSync(ctx.fullyResolvedPaths?.has(route.file) ? route.file : await resolvePath(route.file), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/kit

npm first-party
expand_more 12 low-confidence finding(s)
low env_fs production #b28534c6c27451b5 Filesystem access.
repo/packages/kit/src/ignore.ts:66
    const contents = readFileSync(nuxtignoreFile, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7c79c529256914de Filesystem access.
repo/packages/kit/src/module/install.test.ts:16
    await writeFile(join(prereleaseModule, 'package.json'), JSON.stringify({
      name: 'prerelease-module',
      version: '2.0.0-beta.1',
      type: 'module',
      exports: './index.js',
    }))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cb2f6a65894bf856 Filesystem access.
repo/packages/kit/src/module/install.test.ts:22
    await writeFile(join(prereleaseModule, 'index.js'), `
export default Object.assign(() => {}, {
  getMeta: () => ({
    name: 'prerelease-module',
    configKey: 'prereleaseModule'
  })
})
    `)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b43a59d6d20eb2b4 Filesystem access.
repo/packages/kit/src/module/install.ts:337
      buildTimeModuleMeta = JSON.parse(await fsp.readFile(moduleMetadataPath, 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #335ac3f279bd30e4 Environment-variable access.
repo/packages/kit/src/runtime-config.ts:20
    envExpansion: nuxt.options.nitro.experimental?.envExpansion ?? !!process.env.NITRO_ENV_EXPANSION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9fe07c6692d1b370 Filesystem access.
repo/packages/kit/src/template.ts:652
    fsp.writeFile(appTsConfigPath, JSON.stringify(tsConfig, null, 2)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2d5fbb0c164570ba Filesystem access.
repo/packages/kit/src/template.ts:653
    fsp.writeFile(legacyTsConfigPath, JSON.stringify(legacyTsConfig, null, 2)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aff3508e2c1d0542 Filesystem access.
repo/packages/kit/src/template.ts:654
    fsp.writeFile(nodeTsConfigPath, JSON.stringify(nodeTsConfig, null, 2)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3320c585127d95d6 Filesystem access.
repo/packages/kit/src/template.ts:655
    fsp.writeFile(sharedTsConfigPath, JSON.stringify(sharedTsConfig, null, 2)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4511ee872a3ac8a8 Filesystem access.
repo/packages/kit/src/template.ts:656
    fsp.writeFile(declarationPath, declaration),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #521381e3e2063b4f Filesystem access.
repo/packages/kit/src/template.ts:657
    fsp.writeFile(nodeDeclarationPath, nodeDeclaration),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5a1149878fc4a007 Filesystem access.
repo/packages/kit/src/template.ts:658
    fsp.writeFile(sharedDeclarationPath, sharedDeclaration),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/nitro-server

npm first-party
expand_more 8 low-confidence finding(s)
low env_fs production #16cf7daef2141e66 Filesystem access.
repo/packages/nitro-server/src/index.ts:461
        await fsp.writeFile(join(tempDir, `meta/${buildId}.json`), JSON.stringify({}))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f3c4fa53acacff11 Filesystem access.
repo/packages/nitro-server/src/index.ts:494
        await fsp.writeFile(join(tempDir, 'latest.json'), JSON.stringify({
          id: buildId,
          timestamp: buildTimestamp,
        }))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #46afb52a573b7452 Filesystem access.
repo/packages/nitro-server/src/index.ts:498
        await fsp.writeFile(join(tempDir, `meta/${buildId}.json`), JSON.stringify(manifest))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bd89b43d2e941931 Filesystem access.
repo/packages/nitro-server/src/index.ts:882
    let projectConfiguration = await readFile(join(cacheDir, 'chrome-workspace.json'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #45638ffd8ca2ae64 Filesystem access.
repo/packages/nitro-server/src/index.ts:889
      await writeFile(join(cacheDir, 'chrome-workspace.json'), JSON.stringify(projectConfiguration), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1145bf0fab92ea80 Filesystem access.
repo/packages/nitro-server/src/index.ts:993
          nitro.options.virtual['#build/dist/server/server.mjs'] = () => memfs.readFileSync(join(nuxt.options.buildDir, 'dist/server/server.mjs'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d892f05373132224 Filesystem access.
repo/packages/nitro-server/src/index.ts:1108
      return readFileSync(spaLoadingTemplate, 'utf-8').trim()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c503dcad88c6ce3b Environment-variable access.
repo/packages/nitro-server/src/runtime/utils/renderer/build-files.ts:73
    if (import.meta.dev && process.env.NUXT_VITE_NODE_OPTIONS) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/schema

npm first-party
expand_more 10 low-confidence finding(s)
low env_fs production #fb943c757917e8db Environment-variable access.
repo/packages/schema/src/config/app.ts:33
        return process.env.NUXT_APP_BASE_URL || '/'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8af9ea2e79738206 Environment-variable access.
repo/packages/schema/src/config/app.ts:41
        return process.env.NUXT_APP_BUILD_ASSETS_DIR || '/_nuxt/'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f1c5d890609787d2 Environment-variable access.
repo/packages/schema/src/config/app.ts:50
        return process.env.NUXT_APP_CDN_URL || (typeof val === 'string' ? val : '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ef5c9d6b4abeb67f Environment-variable access.
repo/packages/schema/src/config/common.ts:142
          perf: process.env.NUXT_DEBUG_PERF === 'quiet' ? 'quiet' : true,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ebaeffe85616b3af Environment-variable access.
repo/packages/schema/src/config/common.ts:147
        if (process.env.NUXT_DEBUG_PERF) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c5aa0e624412f7aa Environment-variable access.
repo/packages/schema/src/config/common.ts:148
          (val as NuxtDebugOptions).perf = process.env.NUXT_DEBUG_PERF === 'quiet' ? 'quiet' : true

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1b6fe0fb7f290baa Environment-variable access.
repo/packages/schema/src/config/common.ts:153
      if (process.env.NUXT_DEBUG_PERF) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3384ea98fe974b1f Environment-variable access.
repo/packages/schema/src/config/common.ts:154
        const perf: boolean | 'quiet' = process.env.NUXT_DEBUG_PERF === 'quiet' ? 'quiet' : true

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #22d21a16ba92c635 Environment-variable access.
repo/packages/schema/src/config/dev.ts:8
    port: Number(process.env.NUXT_PORT || process.env.NITRO_PORT || process.env.PORT || 3000),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #be6c96d7ce0084fe Environment-variable access.
repo/packages/schema/src/config/dev.ts:9
    host: process.env.NUXT_HOST || process.env.NITRO_HOST || process.env.HOST || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/ui-templates

npm first-party
expand_more 10 low-confidence finding(s)
low env_fs production #ccce5e777711a6cb Filesystem access.
repo/packages/ui-templates/lib/dev.ts:27
      const contents = await fsp.readFile(r(page, 'index.html'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #12aefb6593d37417 Filesystem access.
repo/packages/ui-templates/lib/dev.ts:29
      const messages = JSON.parse(await fsp.readFile(r(page, 'messages.json'), 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c382cff33f408dd3 Filesystem access.
repo/packages/ui-templates/lib/prerender.ts:16
    await fsp.writeFile(file.replace('.js', '/index.html'), updated)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0527af2b2a540d3f Filesystem access.
repo/packages/ui-templates/lib/render.ts:47
        let html = readFileSync(fileName, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #213071474148a328 Filesystem access.
repo/packages/ui-templates/lib/render.ts:68
          const svg = readFileSync(join(outputDir, src), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #99abe0b86ee818f5 Filesystem access.
repo/packages/ui-templates/lib/render.ts:83
          let contents = readFileSync(join(outputDir, src), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #caf4974e5eedca72 Filesystem access.
repo/packages/ui-templates/lib/render.ts:99
        const messages = JSON.parse(readFileSync(r(`templates/${templateName}/messages.json`), 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a98189a66d7f2e97 Filesystem access.
repo/packages/ui-templates/lib/render.ts:193
        writeFileSync(fileName.replace('/index.html', '.ts'), functionalCode)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bce77f8303a58fa3 Filesystem access.
repo/packages/ui-templates/lib/render.ts:194
        writeFileSync(fileName.replace('/index.html', '.vue'), vueCode)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd8e355f72d0f84a Environment-variable access.
repo/packages/ui-templates/vite.config.ts:18
    outDir: process.env.OUTPUT_DIR || 'dist',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/vite

npm first-party
expand_more 11 low-confidence finding(s)
low env_fs production #be5d551e9d25d96f Filesystem access.
repo/packages/vite/src/plugins/client-manifest.ts:73
      const clientManifest = nuxt.options.dev ? devClientManifest : JSON.parse(readFileSync(manifestFile, 'utf-8')) as ViteClientManifest

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #63263cd7ab288742 Filesystem access.
repo/packages/vite/src/plugins/client-manifest.ts:106
          await writeFile(resolve(serverDist, 'client.manifest.mjs'), manifestCode, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #15daa3c68f604cca Filesystem access.
repo/packages/vite/src/plugins/client-manifest.ts:107
          await writeFile(resolve(serverDist, 'client.precomputed.mjs'), precomputedCode, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1166be83d4e62a8d Filesystem access.
repo/packages/vite/src/plugins/sourcemap-preserver.ts:29
          readFile(id, 'utf-8').catch(() => undefined),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b4d0cde1c5bcd520 Filesystem access.
repo/packages/vite/src/plugins/sourcemap-preserver.ts:30
          readFile(id + '.map.json', 'utf-8').catch(() => undefined),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6f81080a7a807c0c Filesystem access.
repo/packages/vite/src/plugins/sourcemap-preserver.ts:71
        await writeFile(dest, JSON.stringify({
          file: chunk.map.file,
          mappings: chunk.map.mappings,
          names: chunk.map.names,
          sources: chunk.map.sources,
          sourcesContent: chunk.map.sourcesContent,
          version: chunk.map.version,
        }))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5baea86996cef83e Environment-variable access.
repo/packages/vite/src/plugins/vite-node.ts:342
        process.env.NUXT_VITE_NODE_OPTIONS = JSON.stringify(viteNodeServerOptions)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6afc7d16488864b4 Environment-variable access.
repo/packages/vite/src/utils/logger.ts:45
    if (typeof msg === 'string' && !process.env.DEBUG) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4d06b13080f72c87 Filesystem access.
repo/packages/vite/src/utils/transpile.test.ts:16
    await writeFile(join(fixtureDir, 'app/app.vue'), '<template><div/></template>')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bd72def7b65557a4 Filesystem access.
repo/packages/vite/src/utils/transpile.test.ts:17
    await writeFile(join(fixtureDir, 'nuxt.config.ts'), `
export default defineNuxtConfig({
  modules: [
    (_, nuxt) => {
      nuxt.options.build.transpile.push('my-async-package')
    },
  ],
})
`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #52e6e546b23736f8 Environment-variable access.
repo/packages/vite/src/vite-node.ts:9
  const envVar = process.env.NUXT_VITE_NODE_OPTIONS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/webpack

npm first-party
expand_more 3 low-confidence finding(s)
low env_fs production #8502126017926f8f Filesystem access.
repo/packages/webpack/src/plugins/ssr-styles.ts:51
    const src = readFileSync(filePath, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #64acdd3db71ad54f Filesystem access.
repo/packages/webpack/src/plugins/vue/client.ts:170
        await writeFile(join(this.serverDist, 'client.manifest.mjs'), this.manifestCode, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3287b9672d18fec9 Filesystem access.
repo/packages/webpack/src/plugins/vue/client.ts:171
        await writeFile(join(this.serverDist, 'client.precomputed.mjs'), this.precomputedCode, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

</> Dependencies

pkg-pr-new

npm dependency
high pii_flow dependency Excluded from app score #6556ce156ed77574 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/index.ts:215 · flow /tmp/closeopen-fiaor0c7/pkgs/npm/[email protected]/index.ts:42 → /tmp/closeopen-fiaor0c7/pkgs/npm/[email protected]/index.ts:215
            checkResponse = await fetch(new URL("/check", apiUrl), {
              method: "POST",
              body: JSON.stringify({
                owner,
                repo,
                key,
              }),
            });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #1444a48ab53ba474 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/index.ts:317 · flow /tmp/closeopen-fiaor0c7/pkgs/npm/[email protected]/index.ts:42 → /tmp/closeopen-fiaor0c7/pkgs/npm/[email protected]/index.ts:317
              const resource = await fetch(longDepUrl, {
                signal: controller.signal,
              });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #e51302f0accf57d5 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/index.ts:523 · flow /tmp/closeopen-fiaor0c7/pkgs/npm/[email protected]/index.ts:42 → /tmp/closeopen-fiaor0c7/pkgs/npm/[email protected]/index.ts:523
                const createMultipartRes = await fetch(createMultipart, {
                  method: "POST",
                  headers: {
                    "sb-key": key,
                    "sb-name": name.slice("package:".length),
                    "sb-sha": sha,
                  },
                });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #398405c9a16f82f3 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/index.ts:549 · flow /tmp/closeopen-fiaor0c7/pkgs/npm/[email protected]/index.ts:42 → /tmp/closeopen-fiaor0c7/pkgs/npm/[email protected]/index.ts:549
                  const uploadMultipartRes = await fetch(uploadMultipart, {
                    method: "PUT",
                    headers: {
                      key: uploadKey,
                      id: uploadId,
                      "part-number": `${i + 1}`,
                    },
                    body: chunk,
                  });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #b2d06cd228680b8b User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/index.ts:568 · flow /tmp/closeopen-fiaor0c7/pkgs/npm/[email protected]/index.ts:42 → /tmp/closeopen-fiaor0c7/pkgs/npm/[email protected]/index.ts:568
                const completeMultipartRes = await fetch(completeMultipart, {
                  method: "POST",
                  headers: {
                    key: uploadKey,
                    id: uploadId,
                    "uploaded-parts": JSON.stringify(uploadedParts),
                  },
                });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #9994b011c4c64d9d User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/index.ts:590 · flow /tmp/closeopen-fiaor0c7/pkgs/npm/[email protected]/index.ts:42 → /tmp/closeopen-fiaor0c7/pkgs/npm/[email protected]/index.ts:590
          const res = await fetch(publishUrl, {
            method: "POST",
            headers: {
              "sb-sha": sha,
              "sb-comment": comment,
              "sb-compact": `${isCompact}`,
              "sb-key": key,
              "sb-shasums": JSON.stringify(shasums),
              "sb-run-id": GITHUB_RUN_ID,
              "sb-bin": `${isBinaryApplication}`,
              "sb-package-manager": selectedPackageManager.join(","),
              "sb-only-templates": `${isOnlyTemplates}`,
              "sb-comment-with-sha": `${isCommentWithSha}`,
              "sb-comment-with-dev": `${isCommentWithDev}`,
            },
            body: formData,
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 11 low-confidence finding(s)
low env_fs dependency Excluded from app score #aa7f426672c39237 Environment-variable access.
pkgs/npm/[email protected]/index.ts:42
const apiUrl = process.env.API_URL ?? API_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8ea0445ef34d1370 Environment-variable access.
pkgs/npm/[email protected]/index.ts:186
          if (!process.env.TEST && process.env.GITHUB_ACTIONS !== "true") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e3ef268814c6aede Environment-variable access.
pkgs/npm/[email protected]/index.ts:240
          if (process.env.GITHUB_EVENT_NAME !== "pull_request") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d5ae536a6088ef95 Filesystem access.
pkgs/npm/[email protected]/index.ts:380
              const gitignoreContent = await fs.readFile(gitignorePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #af98c0ef3abbdb9a Filesystem access.
pkgs/npm/[email protected]/index.ts:394
              const file = await fs.readFile(path.join(templateDir, filePath));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e8f7f72378113282 Filesystem access.
pkgs/npm/[email protected]/index.ts:495
              const buffer = await fs.readFile(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5157ef35f33ba242 Filesystem access.
pkgs/npm/[email protected]/index.ts:659
            await fs.writeFile(jsonFilePath, output);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #281d1f5bfd504d1d Filesystem access.
pkgs/npm/[email protected]/index.ts:714
      .update(await fs.readFile(path.resolve(p, filename)))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fda57b5981cff701 Filesystem access.
pkgs/npm/[email protected]/index.ts:754
  return () => fs.writeFile(pJsonPath, pJsonContents);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #81b6c1d698b1c868 Filesystem access.
pkgs/npm/[email protected]/index.ts:812
    return await fs.readFile(p, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #19145dd7d26b7634 Environment-variable access.
pkgs/npm/[email protected]/tsup.config.ts:12
    API_URL: JSON.stringify(process.env.API_URL ?? "https://localhost:3000"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@babel/core

npm dependency
expand_more 6 low-confidence finding(s)
low env_fs dependency Excluded from app score #838510462e9337b2 Filesystem access.
pkgs/npm/@[email protected]/lib/config/files/index.js:20
    return fn(filepath, yield* readFile(filepath, "utf8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #69ac1a2adcce8e37 Environment-variable access.
pkgs/npm/@[email protected]/lib/config/files/index.js:326
  const targetPath = process.env.BABEL_SHOW_CONFIG_FOR;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ef88cf2c7cdc36b0 Environment-variable access.
pkgs/npm/@[email protected]/lib/index-shared.js:315
  return process.env.BABEL_ENV || process.env.NODE_ENV || defaultValue;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #766e05ff9f9c3099 Environment-variable access.
pkgs/npm/@[email protected]/lib/index-shared.js:1761
  if (typeof process !== "undefined" && process.env.BABEL_7_TO_8_DANGEROUSLY_DISABLE_VERSION_CHECK) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a3ee8b0a56d6a7e3 Filesystem access.
pkgs/npm/@[email protected]/lib/transform-file.js:12
  const code = yield* readFile(filename, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b85e35514da48d8f Filesystem access.
pkgs/npm/@[email protected]/lib/transformation/read-input-source-map-file.js:65
    const inputMapContent = fs.readFileSync(inputMapPath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@nuxt/cli

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #daba63f47c4f8b41 Environment-variable access.
pkgs/npm/@[email protected]/bin/nuxi.mjs:10
if (nodeModule.enableCompileCache && !process.env.NODE_DISABLE_COMPILE_CACHE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eba40fc247f4803b Environment-variable access.
pkgs/npm/@[email protected]/bin/nuxi.mjs:15
      process.env.NODE_COMPILE_CACHE ||= directory

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@nuxt/friendly-errors-webpack-plugin

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #1b4fefe2cd9ec4eb Environment-variable access.
pkgs/npm/@[email protected]/src/reporters/base.js:36
        if (process.env.NODE_ENV !== 'test') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@parcel/watcher

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs tooling Excluded from app score unknown #f2d172a4f7ef7209 Environment-variable access.
pkgs/npm/@[email protected]/scripts/build-from-source.js:5
if (process.env.npm_config_build_from_source === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@rspack/core

npm dependency
expand_more 7 low-confidence finding(s)
low env_fs dependency Excluded from app score #a70d85df0767c826 Environment-variable access.
pkgs/npm/@[email protected]/compiled/watchpack/index.js:209
else if (/\bgfs4\b/i.test(process.env.NODE_DEBUG || ''))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0a04f9c1e1e8eb09 Environment-variable access.
pkgs/npm/@[email protected]/compiled/watchpack/index.js:258
  if (/\bgfs4\b/i.test(process.env.NODE_DEBUG || '')) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b736201c7b24b3e8 Environment-variable access.
pkgs/npm/@[email protected]/compiled/watchpack/index.js:271
if (process.env.TEST_GRACEFUL_FS_GLOBAL_PATCH && !fs.__patched) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c8634002a7bb8492 Environment-variable access.
pkgs/npm/@[email protected]/compiled/watchpack/index.js:760
var platform = process.env.GRACEFUL_FS_PLATFORM || process.platform

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b90d9d7b0aa9d164 Environment-variable access.
pkgs/npm/@[email protected]/compiled/watchpack/index.js:3032
	+process.env.WATCHPACK_WATCHER_LIMIT || (IS_OSX ? 20 : 10000);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ae6fd6abd56963d3 Environment-variable access.
pkgs/npm/@[email protected]/compiled/watchpack/index.js:3035
	process.env.WATCHPACK_RECURSIVE_WATCHER_LOGGING,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fd8a629949dd60a0 Filesystem access.
pkgs/npm/@[email protected]/compiled/watchpack/index.js:3490
module.exports = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@vue/compiler-core

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #42cc6d37df6c9f48 Environment-variable access.
pkgs/npm/@[email protected]/index.js:3
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@vue/language-core

npm dependency
expand_more 4 low-confidence finding(s)
low env_fs dependency Excluded from app score #997cdbfe23417e30 Filesystem access.
pkgs/npm/@[email protected]/lib/compilerOptions.js:18
            return host.readFile(fileName);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9acebe0d2b2802ab Filesystem access.
pkgs/npm/@[email protected]/lib/compilerOptions.js:51
                return host.readFile(fileName);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b8f5a3076c05ec02 Filesystem access.
pkgs/npm/@[email protected]/lib/compilerOptions.js:174
        const packageJsonPath = this.ts.findConfigFile(folder, fileName => this.readFile(fileName) !== undefined, 'node_modules/vue/package.json');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #61dea03b4d2b3930 Filesystem access.
pkgs/npm/@[email protected]/lib/compilerOptions.js:178
        const packageJsonContent = this.readFile(packageJsonPath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@vue/shared

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #923f42384b5326c5 Environment-variable access.
pkgs/npm/@[email protected]/index.js:3
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

autoprefixer

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #bfe7c44911934685 Environment-variable access.
pkgs/npm/[email protected]/lib/processor.js:559
      } else if (typeof process.env.AUTOPREFIXER_GRID !== 'undefined') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6588c9d609c1667e Environment-variable access.
pkgs/npm/[email protected]/lib/processor.js:560
        if (process.env.AUTOPREFIXER_GRID === 'autoplace') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

chokidar

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #01b27946a3c7e605 Environment-variable access.
pkgs/npm/[email protected]/index.js:284
        const envPoll = process.env.CHOKIDAR_USEPOLLING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9c89ea63cfb45260 Environment-variable access.
pkgs/npm/[email protected]/index.js:294
        const envInterval = process.env.CHOKIDAR_INTERVAL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

esbuild

npm dependency
expand_more 22 low-confidence finding(s)
low env_fs dependency Excluded from app score #1b97321adb755921 Filesystem access.
pkgs/npm/[email protected]/install.js:26
var fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0b77fa2a136e5983 Environment-variable access.
pkgs/npm/[email protected]/install.js:29
var ESBUILD_BINARY_PATH = process.env.ESBUILD_BINARY_PATH || ESBUILD_BINARY_PATH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6dbad11242b88316 Filesystem access.
pkgs/npm/[email protected]/install.js:89
var fs2 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b5ee8c6c470419d0 Filesystem access.
pkgs/npm/[email protected]/install.js:186
    fs2.writeFileSync(path2.join(installDir, "package.json"), "{}");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1276f2d103c6012e Filesystem access.
pkgs/npm/[email protected]/install.js:192
    binaryIntegrityCheck(pkg, subpath, fs2.readFileSync(installedBinPath));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e5676841641fa84d Filesystem access.
pkgs/npm/[email protected]/install.js:217
  fs2.writeFileSync(toPath, `#!/usr/bin/env node
require('child_process').execFileSync(${pathString}, process.argv.slice(2), { stdio: 'inherit' });
`);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #690130aa5f5ea1de Filesystem access.
pkgs/npm/[email protected]/install.js:221
  const code = fs2.readFileSync(libMain, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2a1def97203ce502 Filesystem access.
pkgs/npm/[email protected]/install.js:222
  fs2.writeFileSync(libMain, `var ESBUILD_BINARY_PATH = ${pathString};
${code}`);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a9e763680d97f3cf Filesystem access.
pkgs/npm/[email protected]/install.js:250
    fs2.writeFileSync(binPath, bytes);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #79aeb0851e228be2 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:1020
            fs3.readFile(response.code, (err, contents) => {
              if (err !== null) {
                callback(err, null);
              } else {
                response.code = contents;
                next();
              }
            });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d2e9d01a929b3368 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:1031
            fs3.readFile(response.map, (err, contents) => {
              if (err !== null) {
                callback(err, null);
              } else {
                response.map = contents;
                next();
              }
            });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a5ecd44a6320b064 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:1057
      start = () => fs3.writeFile(input, next);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4b6ed1146fdfe04c Filesystem access.
pkgs/npm/[email protected]/lib/main.js:1714
            contents = streamIn.readFileSync(match[1], "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d6ef0ff6476554de Filesystem access.
pkgs/npm/[email protected]/lib/main.js:1886
var fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aa048164f9295a18 Environment-variable access.
pkgs/npm/[email protected]/lib/main.js:1889
var ESBUILD_BINARY_PATH = process.env.ESBUILD_BINARY_PATH || ESBUILD_BINARY_PATH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a731c1d5675ad13b Filesystem access.
pkgs/npm/[email protected]/lib/main.js:2080
var fs2 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b65c8c034fb5a0f3 Environment-variable access.
pkgs/npm/[email protected]/lib/main.js:2084
if (process.env.ESBUILD_WORKER_THREADS !== "0") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2ef96770fb07c46b Filesystem access.
pkgs/npm/[email protected]/lib/main.js:2122
      let contents = fs2.readFileSync(tempFile, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e0408449f1e8d697 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:2135
      fs2.writeFileSync(tempFile, contents);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c59d3be93c45c36e Filesystem access.
pkgs/npm/[email protected]/lib/main.js:2145
      fs2.readFile(tempFile, "utf8", (err, contents) => {
        try {
          fs2.unlink(tempFile, () => callback(err, contents));
        } catch {
          callback(err, contents);
        }
      });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9d613dd6b3acc7f0 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:2159
      fs2.writeFile(tempFile, contents, (err) => err !== null ? callback(null) : callback(tempFile));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #267ea260013e60fe Environment-variable access.
pkgs/npm/[email protected]/lib/main.js:2380
    maxBuffer: +process.env.ESBUILD_MAX_BUFFER || 16 * 1024 * 1024

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

eslint

npm dependency
expand_more 13 low-confidence finding(s)
low env_fs dependency Excluded from app score #452984354bfa140f Filesystem access.
pkgs/npm/[email protected]/lib/cli-engine/lint-result-cache.js:129
			results.source = fs.readFileSync(filePath, "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #74d73159521a2788 Filesystem access.
pkgs/npm/[email protected]/lib/cli.js:133
			await writeFile(filePath, output);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d0a7a3245b15b085 Filesystem access.
pkgs/npm/[email protected]/lib/eslint/eslint-helpers.js:1281
		const text = await fsp.readFile(filePath, {
			encoding: "utf8",
			signal: controller?.signal,
		});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f3f36f9b7b5d092f Environment-variable access.
pkgs/npm/[email protected]/lib/eslint/eslint-helpers.js:1326
	if (!process.env.ESLINT_FLAGS) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #59bd000d53648620 Environment-variable access.
pkgs/npm/[email protected]/lib/eslint/eslint-helpers.js:1330
	const envFlags = process.env.ESLINT_FLAGS.trim().split(/\s*,\s*/gu);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #35c42302418205bf Filesystem access.
pkgs/npm/[email protected]/lib/eslint/eslint.js:825
					retrier.retry(() => fs.writeFile(r.filePath, r.output)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e5fe70cd002ac7cd Environment-variable access.
pkgs/npm/[email protected]/lib/linter/timing.js:44
const enabled = !!process.env.TIMING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c2c4b87d7eab1532 Environment-variable access.
pkgs/npm/[email protected]/lib/linter/timing.js:56
	if (typeof process.env.TIMING !== "string") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #33848b5ab6500c92 Environment-variable access.
pkgs/npm/[email protected]/lib/linter/timing.js:60
	if (process.env.TIMING.toLowerCase() === "all") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ff7956cb03166c00 Environment-variable access.
pkgs/npm/[email protected]/lib/linter/timing.js:64
	const TIMING_ENV_VAR_AS_INTEGER = Number.parseInt(process.env.TIMING, 10);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0eb378f05bece684 Filesystem access.
pkgs/npm/[email protected]/lib/rule-tester/rule-tester.js:697
				let content = readFileSync(sourceFile, "utf8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #07edaf410a4c7f5d Filesystem access.
pkgs/npm/[email protected]/lib/services/suppressions-service.js:217
			const data = await fs.promises.readFile(this.filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #225f5bad6e919523 Filesystem access.
pkgs/npm/[email protected]/lib/services/suppressions-service.js:240
		return fs.promises.writeFile(
			this.filePath,
			stringify(suppressions, { space: 2 }),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

eslint-plugin-import-x

npm dependency
expand_more 8 low-confidence finding(s)
low env_fs dependency Excluded from app score #aaff7187889a4c0e Filesystem access.
pkgs/npm/[email protected]/lib/index.cjs:658
			pkg: JSON.parse(stripBOM(node_fs.default.readFileSync(fp, { encoding: "utf8" }))),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3579bbb1055eb772 Filesystem access.
pkgs/npm/[email protected]/lib/index.cjs:1369
		const content = node_fs.default.readFileSync(filepath, { encoding: "utf8" });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d1aa2fa128122498 Environment-variable access.
pkgs/npm/[email protected]/lib/index.cjs:2029
	const client = process.env.npm_config_user_agent?.split("/")[0];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2e26bbe0a4c3d832 Filesystem access.
pkgs/npm/[email protected]/lib/index.cjs:4384
		return JSON.parse(node_fs.default.readFileSync(jsonPath, "utf8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #91495fd3c15b24fb Filesystem access.
pkgs/npm/[email protected]/lib/rules/no-extraneous-dependencies.js:16
        return JSON.parse(fs.readFileSync(jsonPath, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3c8606075546fe88 Filesystem access.
pkgs/npm/[email protected]/lib/utils/export-map.js:68
        const content = fs.readFileSync(filepath, { encoding: 'utf8' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9a62c63a81721b74 Environment-variable access.
pkgs/npm/[email protected]/lib/utils/npm-client.js:14
    const client = process.env.npm_config_user_agent?.split('/')[0];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #25e13ea784c64a1a Filesystem access.
pkgs/npm/[email protected]/lib/utils/read-pkg-up.js:13
            pkg: JSON.parse(stripBOM(fs.readFileSync(fp, { encoding: 'utf8' }))),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

fork-ts-checker-webpack-plugin

npm dependency
expand_more 16 low-confidence finding(s)
low env_fs dependency Excluded from app score #e7b4e04c57d2b680 Filesystem access.
pkgs/npm/[email protected]/lib/formatter/code-frame-formatter.js:14
        const source = issue.file && fs_extra_1.default.existsSync(issue.file) && fs_extra_1.default.readFileSync(issue.file, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #db85feacb06a3e87 Environment-variable access.
pkgs/npm/[email protected]/lib/rpc/rpc-worker.js:81
    return JSON.parse(process.env[WORKER_DATA_ENV_KEY] || '{}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #272c34651f58907a Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/file-system/file-system.d.ts:2
import type { Dirent, Stats } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f68fb0ec4513a3ca Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/file-system/mem-file-system.js:46
        return memfs_1.fs
            .readFileSync(real_file_system_1.realFileSystem.normalizePath(path), { encoding: encoding })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2538a469b851193f Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/file-system/mem-file-system.js:67
    memfs_1.fs.writeFileSync(real_file_system_1.realFileSystem.normalizePath(path), data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a465c410abca1937 Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/file-system/passive-file-system.js:35
            ? real_file_system_1.realFileSystem.readFile(path, encoding)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3d795a91325ed039 Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/file-system/passive-file-system.js:36
            : mem_file_system_1.memFileSystem.readFile(path, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7f7be791d58cfc2c Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/file-system/passive-file-system.js:39
        return real_file_system_1.realFileSystem.readFile(path, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #460fee54919e50eb Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/file-system/passive-file-system.js:42
        return mem_file_system_1.memFileSystem.readFile(path, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #010fc1bed9c8535d Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/file-system/real-file-system.js:98
            readFileCache.set(normalizedPath, fs.readFileSync(normalizedPath, { encoding: encoding }).toString());

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aca17ef778adb29b Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/file-system/real-file-system.js:152
    fs.writeFileSync(normalizedPath, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e1c6f8cc670db8fa Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/host/watch-solution-builder-host.js:28
            system_1.system.writeFile(path, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d2a6fbc8e1238669 Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/system.js:45
        return getReadFileSystem(path).readFile(path, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #41db46475e244abd Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/system.js:52
        getWriteFileSystem(path).writeFile(path, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7f4fe5b33610e648 Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/system.js:213
                const content = passive_file_system_1.passiveFileSystem.readFile(path);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #833d01804d927f33 Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/system.js:215
                    mem_file_system_1.memFileSystem.writeFile(path, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

happy-dom

npm dependency
expand_more 22 low-confidence finding(s)
low env_fs dependency Excluded from app score #45cfeffdb010d971 Filesystem access.
pkgs/npm/[email protected]/lib/fetch/Fetch.js:8
import FS from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f7d11c11dde0919a Filesystem access.
pkgs/npm/[email protected]/lib/fetch/Fetch.js:293
            buffer = await FS.promises.readFile(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #85289557d7c4f223 Filesystem access.
pkgs/npm/[email protected]/lib/fetch/SyncFetch.js:4
import FS from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c99668d6c00146cc Filesystem access.
pkgs/npm/[email protected]/lib/fetch/SyncFetch.js:246
            buffer = FS.readFileSync(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b82d66b4614cd6f1 Filesystem access.
pkgs/npm/[email protected]/lib/fetch/cache/response/ResponseCacheFileSystem.js:2
import FS from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c09093d63c3c2146 Filesystem access.
pkgs/npm/[email protected]/lib/fetch/cache/response/ResponseCacheFileSystem.js:42
                promises.push(FS.promises
                    .readFile(Path.join(absoluteDirectory, file), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d0674a20ae8f1f60 Filesystem access.
pkgs/npm/[email protected]/lib/fetch/cache/response/ResponseCacheFileSystem.js:49
                        return FS.promises
                            .readFile(Path.join(absoluteDirectory, file.split('.')[0] + '.data'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8a3c05de5d088d65 Filesystem access.
pkgs/npm/[email protected]/lib/fetch/cache/response/ResponseCacheFileSystem.js:129
                        promises.push(FS.promises.writeFile(Path.join(absoluteDirectory, `${hash}.json`), json));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c2ff95da412b4916 Filesystem access.
pkgs/npm/[email protected]/lib/fetch/cache/response/ResponseCacheFileSystem.js:131
                            promises.push(FS.promises.writeFile(Path.join(absoluteDirectory, `${hash}.data`), cachedResponse.response.body));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #49f11b9088b1125b Filesystem access.
pkgs/npm/[email protected]/lib/module/ModuleURLUtility.js:5
import FS from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #edaf40bb3e232feb Filesystem access.
pkgs/npm/[email protected]/lib/module/ModuleURLUtility.js:101
                packageJson = JSON.parse(FS.readFileSync(Path.join(nodeModulesDirectory, packageName, 'package.json'), 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a287b7a52130cebc Filesystem access.
pkgs/npm/[email protected]/src/fetch/Fetch.ts:12
import FS from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1f3d66df6e9b7091 Filesystem access.
pkgs/npm/[email protected]/src/fetch/Fetch.ts:380
			buffer = await FS.promises.readFile(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cfcd00751a237808 Filesystem access.
pkgs/npm/[email protected]/src/fetch/SyncFetch.ts:6
import FS from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4d6bbc93a5131ce0 Filesystem access.
pkgs/npm/[email protected]/src/fetch/SyncFetch.ts:326
			buffer = FS.readFileSync(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #80458121b5f89ed9 Filesystem access.
pkgs/npm/[email protected]/src/fetch/cache/response/ResponseCacheFileSystem.ts:3
import FS from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c0ca870433579adb Filesystem access.
pkgs/npm/[email protected]/src/fetch/cache/response/ResponseCacheFileSystem.ts:53
					FS.promises
						.readFile(Path.join(absoluteDirectory, file), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0e309110eb820943 Filesystem access.
pkgs/npm/[email protected]/src/fetch/cache/response/ResponseCacheFileSystem.ts:61
								return FS.promises
									.readFile(Path.join(absoluteDirectory, file.split('.')[0] + '.data'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #abc0ac02e00060a2 Filesystem access.
pkgs/npm/[email protected]/src/fetch/cache/response/ResponseCacheFileSystem.ts:157
							FS.promises.writeFile(Path.join(absoluteDirectory, `${hash}.json`), json)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #be1df67653d39f5b Filesystem access.
pkgs/npm/[email protected]/src/fetch/cache/response/ResponseCacheFileSystem.ts:162
								FS.promises.writeFile(
									Path.join(absoluteDirectory, `${hash}.data`),
									cachedResponse.response.body
								)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bfd75cf2997f99c0 Filesystem access.
pkgs/npm/[email protected]/src/module/ModuleURLUtility.ts:7
import FS from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bdd895a2c174de24 Filesystem access.
pkgs/npm/[email protected]/src/module/ModuleURLUtility.ts:128
					FS.readFileSync(Path.join(nodeModulesDirectory, packageName, 'package.json'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

jiti

npm dependency
expand_more 3 low-confidence finding(s)
low env_fs dependency Excluded from app score #22e3ca8ea77ec6c7 Environment-variable access.
pkgs/npm/[email protected]/lib/jiti-cli.mjs:15
if (nodeModule.enableCompileCache && !process.env.NODE_DISABLE_COMPILE_CACHE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3b89344d82d1ba84 Filesystem access.
pkgs/npm/[email protected]/lib/jiti-hooks.mjs:45
  const rawSource = await readFile(filename, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8e247db29485b8b9 Filesystem access.
pkgs/npm/[email protected]/lib/jiti-hooks.mjs:121
    return JSON.parse(await readFile(packageJsonPath, "utf8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

markdownlint-cli

npm dependency
expand_more 4 low-confidence finding(s)
low env_fs dependency Excluded from app score #5f0c56a3fab41332 Filesystem access.
pkgs/npm/[email protected]/markdownlint.js:194
      fs.writeFileSync(options.output, lintResultString);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #113eb7fe4a26ebea Filesystem access.
pkgs/npm/[email protected]/markdownlint.js:278
  const ignoreText = fs.readFileSync(ignorePath, fsOptions);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #842665a37228ba5c Filesystem access.
pkgs/npm/[email protected]/markdownlint.js:323
        const originalText = fs.readFileSync(file, fsOptions);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #282cdeeb9798e6f0 Filesystem access.
pkgs/npm/[email protected]/markdownlint.js:326
          fs.writeFileSync(file, fixedText, fsOptions);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

memfs

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs tooling Excluded from app score unknown #884db2034802a7cb Filesystem access.
pkgs/npm/[email protected]/demo/runkit.js:3
fs.writeFileSync('/hello.txt', 'Hello World');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #d7f4c27359703671 Filesystem access.
pkgs/npm/[email protected]/demo/runkit.js:5
console.log(fs.readFileSync('/hello.txt', 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

oxc-transform

npm dependency
expand_more 33 low-confidence finding(s)
low env_fs dependency Excluded from app score #88d47ecf9907835b Filesystem access.
pkgs/npm/[email protected]/index.js:10
const { readFileSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b3d05f19319e7b6b Filesystem access.
pkgs/npm/[email protected]/index.js:32
    return readFileSync('/usr/bin/ldd', 'utf-8').includes('musl')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ba0ab6179508940f Environment-variable access.
pkgs/npm/[email protected]/index.js:68
  if (process.env.NAPI_RS_NATIVE_LIBRARY_PATH) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b1a2c82bae6e460c Environment-variable access.
pkgs/npm/[email protected]/index.js:70
      return require(process.env.NAPI_RS_NATIVE_LIBRARY_PATH);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3643b518fee4506a Environment-variable access.
pkgs/npm/[email protected]/index.js:84
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9ce78e925af98e4a Environment-variable access.
pkgs/npm/[email protected]/index.js:100
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #661ac6da7af655d5 Environment-variable access.
pkgs/npm/[email protected]/index.js:121
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cb775fad4127d156 Environment-variable access.
pkgs/npm/[email protected]/index.js:137
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3635b59ec92ea098 Environment-variable access.
pkgs/npm/[email protected]/index.js:154
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #99a52304ab46a3f1 Environment-variable access.
pkgs/npm/[email protected]/index.js:170
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7fde0a1f61552cea Environment-variable access.
pkgs/npm/[email protected]/index.js:189
      if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #72a5a2f8dadee6df Environment-variable access.
pkgs/npm/[email protected]/index.js:205
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b66ecb51669dbaaa Environment-variable access.
pkgs/npm/[email protected]/index.js:221
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #67733e1ef5286b0a Environment-variable access.
pkgs/npm/[email protected]/index.js:241
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7fa16e73f19c71e1 Environment-variable access.
pkgs/npm/[email protected]/index.js:257
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #49054788d07422ea Environment-variable access.
pkgs/npm/[email protected]/index.js:278
          if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #43bc20e646f65dd4 Environment-variable access.
pkgs/npm/[email protected]/index.js:294
          if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c98aee9605c94876 Environment-variable access.
pkgs/npm/[email protected]/index.js:312
          if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9e542a55b71ca825 Environment-variable access.
pkgs/npm/[email protected]/index.js:328
          if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b2a2cc1391a32654 Environment-variable access.
pkgs/npm/[email protected]/index.js:346
          if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6e970217dac57715 Environment-variable access.
pkgs/npm/[email protected]/index.js:362
          if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7e580536871f1e06 Environment-variable access.
pkgs/npm/[email protected]/index.js:380
          if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8891e48b49cc3866 Environment-variable access.
pkgs/npm/[email protected]/index.js:396
          if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #527a0c5d91974b7a Environment-variable access.
pkgs/npm/[email protected]/index.js:414
          if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1a558716ebad911b Environment-variable access.
pkgs/npm/[email protected]/index.js:430
          if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d0e416f7460a5524 Environment-variable access.
pkgs/npm/[email protected]/index.js:447
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #71c771a0b9c0aa79 Environment-variable access.
pkgs/npm/[email protected]/index.js:463
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ef424b79440e2398 Environment-variable access.
pkgs/npm/[email protected]/index.js:483
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a76ccdf83f1162b5 Environment-variable access.
pkgs/npm/[email protected]/index.js:499
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6545f22637adde4e Environment-variable access.
pkgs/npm/[email protected]/index.js:515
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #22b646565fa43ca1 Environment-variable access.
pkgs/npm/[email protected]/index.js:540
  process.env.NAPI_RS_FORCE_WASI === 'true' || process.env.NAPI_RS_FORCE_WASI === 'error'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0237bb71e56102f0 Environment-variable access.
pkgs/npm/[email protected]/index.js:568
  if (process.env.NAPI_RS_FORCE_WASI === 'error' && !wasiBinding) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #82865facebc66541 Filesystem access.
pkgs/npm/[email protected]/webcontainer-fallback.cjs:4
const pkg = JSON.parse(fs.readFileSync(require.resolve("oxc-transform/package.json"), "utf-8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

playwright-core

npm dependency
expand_more 44 low-confidence finding(s)
low env_fs dependency Excluded from app score #ba0f5f11f0375e4f Environment-variable access.
pkgs/npm/[email protected]/lib/bootstrap.js:13
if (process.env.PW_INSTRUMENT_MODULES) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ded614ad5fa10a20 Environment-variable access.
pkgs/npm/[email protected]/lib/server/electron/loader.js:59
  process.env.PLAYWRIGHT_LEGACY_SCREENSHOT ? "" : "--enable-features=CDPScreenshotNewSurface",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #de5958dfaef56120 Filesystem access.
pkgs/npm/[email protected]/lib/serverRegistry.js:1780
    var fs2 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0ae568c761cc3ed2 Filesystem access.
pkgs/npm/[email protected]/lib/serverRegistry.js:5457
    var fs2 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #58cec7e1c66e72f1 Filesystem access.
pkgs/npm/[email protected]/lib/serverRegistry.js:5948
    var fs2 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #80ed067ebf32669b Environment-variable access.
pkgs/npm/[email protected]/lib/serverRegistry.js:5955
      if (process.env.CHOKIDAR_PRINT_FSEVENTS_REQUIRE_ERROR) console.error(error);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9a357fa9bf66612c Filesystem access.
pkgs/npm/[email protected]/lib/serverRegistry.js:6345
    var fs2 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #97653f862b34385f Environment-variable access.
pkgs/npm/[email protected]/lib/serverRegistry.js:6582
        const envPoll = process.env.CHOKIDAR_USEPOLLING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fe8afc5b5571aedd Environment-variable access.
pkgs/npm/[email protected]/lib/serverRegistry.js:6593
        const envInterval = process.env.CHOKIDAR_INTERVAL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b74d02cfd2d41218 Filesystem access.
pkgs/npm/[email protected]/lib/serverRegistry.js:7092
var import_fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d3968f4285f2af39 Filesystem access.
pkgs/npm/[email protected]/lib/serverRegistry.js:7179
    await import_fs.default.promises.writeFile(file, JSON.stringify(descriptor, null, 2), "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2fd41466acf9faca Filesystem access.
pkgs/npm/[email protected]/lib/serverRegistry.js:7188
    const content = await import_fs.default.promises.readFile(filePath, "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #68b9dbcde093c7ab Filesystem access.
pkgs/npm/[email protected]/lib/serverRegistry.js:7199
    const content = import_fs.default.readFileSync(filePath, "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #96fc9b4c823aba36 Environment-variable access.
pkgs/npm/[email protected]/lib/serverRegistry.js:7213
    return process.env.PWTEST_SERVER_REGISTRY || registryDirectory;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #551fdb841e49d204 Filesystem access.
pkgs/npm/[email protected]/lib/serverRegistry.js:7243
      descriptor = JSON.parse(import_fs.default.readFileSync(file, "utf-8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2c411ea2ff9b5634 Environment-variable access.
pkgs/npm/[email protected]/lib/serverRegistry.js:7281
    return process.env.XDG_CACHE_HOME || import_path2.default.join(import_os.default.homedir(), ".cache");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b5c34868a3e48ca Environment-variable access.
pkgs/npm/[email protected]/lib/serverRegistry.js:7285
    return process.env.LOCALAPPDATA || import_path2.default.join(import_os.default.homedir(), "AppData", "Local");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #9d1df5eff5f27ec0 Filesystem access.
pkgs/npm/[email protected]/lib/tools/cli-client/channelSessions.js:35
var import_fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #3f07107b4f23a2e5 Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/channelSessions.js:44
  if (process.env.PWTEST_CLI_CHANNEL_SCAN_DISABLED_FOR_TEST)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #097c7cefff8d357e Filesystem access.
pkgs/npm/[email protected]/lib/tools/cli-client/channelSessions.js:72
    contents = await import_fs.default.promises.readFile(import_path.default.join(userDataDir, "DevToolsActivePort"), "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #1c1d378c300435ce Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/channelSessions.js:99
    "win32": import_path.default.join(process.env.LOCALAPPDATA || import_path.default.join(import_os.default.homedir(), "AppData", "Local"), "Google", "Chrome", "User Data")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #f4aa58043a6deb92 Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/channelSessions.js:104
    "win32": import_path.default.join(process.env.LOCALAPPDATA || import_path.default.join(import_os.default.homedir(), "AppData", "Local"), "Google", "Chrome Beta", "User Data")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #ea986c11297c121f Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/channelSessions.js:109
    "win32": import_path.default.join(process.env.LOCALAPPDATA || import_path.default.join(import_os.default.homedir(), "AppData", "Local"), "Google", "Chrome Dev", "User Data")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #6f8d6531d5804cd7 Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/channelSessions.js:114
    "win32": import_path.default.join(process.env.LOCALAPPDATA || import_path.default.join(import_os.default.homedir(), "AppData", "Local"), "Google", "Chrome SxS", "User Data")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #4151b0954ba79c97 Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/channelSessions.js:119
    "win32": import_path.default.join(process.env.LOCALAPPDATA || import_path.default.join(import_os.default.homedir(), "AppData", "Local"), "Microsoft", "Edge", "User Data")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #5fa8da702893e348 Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/channelSessions.js:124
    "win32": import_path.default.join(process.env.LOCALAPPDATA || import_path.default.join(import_os.default.homedir(), "AppData", "Local"), "Microsoft", "Edge Beta", "User Data")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #f58a73b3449099cf Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/channelSessions.js:129
    "win32": import_path.default.join(process.env.LOCALAPPDATA || import_path.default.join(import_os.default.homedir(), "AppData", "Local"), "Microsoft", "Edge Dev", "User Data")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #92a85a067ee89eba Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/channelSessions.js:134
    "win32": import_path.default.join(process.env.LOCALAPPDATA || import_path.default.join(import_os.default.homedir(), "AppData", "Local"), "Microsoft", "Edge SxS", "User Data")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #59215ee91c0366a9 Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/output.js:191
    if (process.env.PWTEST_PRINT_DASHBOARD_PID_FOR_TEST)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #98021f832be94a83 Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/program.js:80
      if (process.env.CLAUDECODE || process.env.COPILOT_CLI)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #05c206eb8ed02ec5 Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/program.js:301
  const pidFilterEnv = process.env.PWTEST_KILL_ALL_PID_FILTER_FOR_TEST;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #c771bffb647d7460 Filesystem access.
pkgs/npm/[email protected]/lib/tools/cli-client/registry.js:40
var import_fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #56911b030fc909ed Filesystem access.
pkgs/npm/[email protected]/lib/tools/cli-client/registry.js:81
      const data = await import_fs.default.promises.readFile(fileName, "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #d13fec20db3ee94a Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/registry.js:120
  if (process.env.PWTEST_DAEMON_SESSION_DIR)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #b4b65dac60207953 Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/registry.js:121
    return process.env.PWTEST_DAEMON_SESSION_DIR;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #b656a6e54bde0d50 Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/registry.js:124
    localCacheDir = process.env.XDG_CACHE_HOME || import_path.default.join(import_os.default.homedir(), ".cache");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #dd6bbbe6a96dae46 Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/registry.js:128
    localCacheDir = process.env.LOCALAPPDATA || import_path.default.join(import_os.default.homedir(), "AppData", "Local");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #27889c48dc04ffe1 Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/registry.js:135
  const version = process.env.PLAYWRIGHT_CLI_VERSION_FOR_TEST || import_package.packageJSON.version;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #346b9535052f1fc7 Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/registry.js:163
  return sessionName || process.env.PLAYWRIGHT_CLI_SESSION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #e51fed0694602493 Filesystem access.
pkgs/npm/[email protected]/lib/tools/cli-client/session.js:35
var import_fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #b41ee9f498a12ef5 Filesystem access.
pkgs/npm/[email protected]/lib/tools/cli-client/session.js:174
          const errLogContent = import_fs.default.readFileSync(errLog, "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #00e4e7391c7b05b8 Filesystem access.
pkgs/npm/[email protected]/lib/tools/utils/extension.js:36
var import_fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #09f0152ff2d60b28 Filesystem access.
pkgs/npm/[email protected]/lib/tools/utils/extension.js:59
    const prefs = await import_fs.default.promises.readFile(import_path.default.join(profileDir, "Preferences"), "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d1ee93cf89ac285b Filesystem access.
pkgs/npm/[email protected]/types/types.d.ts:19
import { ReadStream } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

postcss

npm dependency
expand_more 8 low-confidence finding(s)
low env_fs dependency Excluded from app score #0a337d14a8741520 Environment-variable access.
pkgs/npm/[email protected]/lib/lazy-result.js:218
        if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0a1377dd42cb72b4 Environment-variable access.
pkgs/npm/[email protected]/lib/lazy-result.js:440
    if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9f481dfff4040ec7 Environment-variable access.
pkgs/npm/[email protected]/lib/no-work-result.js:114
    if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6cd4f0b8673d586a Environment-variable access.
pkgs/npm/[email protected]/lib/parse.js:13
    if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e819c1538e3ed4df Environment-variable access.
pkgs/npm/[email protected]/lib/postcss.js:41
      if (process.env.LANG && process.env.LANG.startsWith('cn')) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4e71a320572d78d9 Filesystem access.
pkgs/npm/[email protected]/lib/previous-map.js:3
let { existsSync, readFileSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5723f15f0e383e81 Filesystem access.
pkgs/npm/[email protected]/lib/previous-map.js:97
      return readFileSync(path, 'utf-8').toString().trim()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dbd935eef3b4bfd6 Environment-variable access.
pkgs/npm/[email protected]/lib/processor.js:30
        if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

postcss-url

npm dependency
expand_more 4 low-confidence finding(s)
low env_fs dependency Excluded from app score #55e54201e4ccd706 Filesystem access.
pkgs/npm/[email protected]/src/lib/get-file.js:3
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #82b29a5792e31a09 Filesystem access.
pkgs/npm/[email protected]/src/lib/get-file.js:10
        fs.readFile(filePath, (err, data) => {
            if (err) {
                reject(err);
            }
            resolve(data);
        });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b019ffa87ca45490 Filesystem access.
pkgs/npm/[email protected]/src/type/copy.js:4
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cc23a6617751d3a4 Filesystem access.
pkgs/npm/[email protected]/src/type/copy.js:22
        fs.writeFile(dest, file.contents, { flag: 'wx' }, (err) => {
            if (err) {
                err.code === 'EEXIST' ? resolve() : reject(err);
            }
            resolve();
        });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

prettier

npm dependency
expand_more 74 low-confidence finding(s)
low env_fs dependency Excluded from app score #fff33d961813c8ea Environment-variable access.
pkgs/npm/[email protected]/bin/prettier.cjs:66
if (process.env.PRETTIER_EXPERIMENTAL_CLI || index !== -1) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #66397ade27b898a1 Environment-variable access.
pkgs/npm/[email protected]/index.mjs:5609
    var debug = typeof process === "object" && process.env && process.env.NODE_DEBUG && /\bsemver\b/i.test(process.env.NODE_DEBUG) ? (...args) => console.error("SEMVER", ...args) : () => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aefc79356981ba87 Environment-variable access.
pkgs/npm/[email protected]/index.mjs:6176
    if (process.env.npm_package_name === "pseudomap" && process.env.npm_lifecycle_script === "test")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ca6310b41da81974 Environment-variable access.
pkgs/npm/[email protected]/index.mjs:6177
      process.env.TEST_PSEUDOMAP = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fcee001326735645 Environment-variable access.
pkgs/npm/[email protected]/index.mjs:6178
    if (typeof Map === "function" && !process.env.TEST_PSEUDOMAP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ea74b8ff2989f6f5 Environment-variable access.
pkgs/npm/[email protected]/index.mjs:6520
    var hasSymbol = typeof Symbol === "function" && process.env._nodeLRUCacheForceNoSymbol !== "1";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4f4d2aa4113e9bec Filesystem access.
pkgs/npm/[email protected]/index.mjs:7655
            fs4.readFile(file, "utf8", function(err, data) {
              if (err) {
                reject(err);
                return;
              }
              resolve3(parseString2(data));
            });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ae6c3ec0d9de5f6c Filesystem access.
pkgs/npm/[email protected]/index.mjs:7668
      return parseString2(fs4.readFileSync(file, "utf8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f459b7825c420f8f Filesystem access.
pkgs/npm/[email protected]/index.mjs:8004
              fs4.readFile(name, "utf8", function(err, data) {
                resolve3({
                  name,
                  contents: err ? "" : data
                });
              });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a47fcfddcc0dc76a Filesystem access.
pkgs/npm/[email protected]/index.mjs:8020
          file = fs4.readFileSync(filepath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #468810a620f3db18 Filesystem access.
pkgs/npm/[email protected]/index.mjs:10382
import * as fs from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #27733880fc5ba706 Environment-variable access.
pkgs/npm/[email protected]/index.mjs:11485
  return typeof process === "object" && (process.env.FORCE_COLOR === "0" || process.env.FORCE_COLOR === "false") ? false : import_picocolors4.default.isColorSupported;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b54d735d73026277 Filesystem access.
pkgs/npm/[email protected]/index.mjs:12540
import fs2 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6747377b236850dc Filesystem access.
pkgs/npm/[email protected]/index.mjs:12546
    return await fs2.readFile(file, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4510667824a4efb5 Filesystem access.
pkgs/npm/[email protected]/index.mjs:12697
import { statSync, realpathSync } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #25525c2df9888639 Filesystem access.
pkgs/npm/[email protected]/index.mjs:12707
import fs3 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a7d519dcb608f281 Filesystem access.
pkgs/npm/[email protected]/index.mjs:13059
    string = fs3.readFileSync(path6.toNamespacedPath(jsonPath), "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3f8d718a9933e5d6 Environment-variable access.
pkgs/npm/[email protected]/index.mjs:16485
      if (process.env.PRETTIER_DEBUG) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9ec5304168b2ae89 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:10
import { createWriteStream } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7e135ea6b887c499 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:15
import fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7da4d35a3b3bc1bf Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:371
  return dist_default.retry.readFile(retryOptions)(filePath, options);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d13b19a2c75ceb5a Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:516
import { statSync, realpathSync } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1f43d733dc5bf65b Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:526
import fs2 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4179487c4aefad8c Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:878
    string2 = fs2.readFileSync(path3.toNamespacedPath(jsonPath), "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #108c562c8d99a6fd Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:1878
import fs3 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #09746014db5e970a Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:1955
          const content = fs3.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3da7ab87823c2648 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:1961
          return fs3.writeFileSync(filePath, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bc9185a83baba3f2 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:54
import fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #094f79c35bd20c48 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:96
import fs2 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e29daa7292e298bf Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:107
      const buffer2 = attempt(() => fs2.readFileSync(path18), Buffer2.alloc(0));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e0d43d4be0a10812 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:116
import fs3 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2218fdbbc0904a65 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:612
import fs4 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4214d79ac13272ec Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:627
              const content = fs4.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ff237020b0542726 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:633
              return fs4.writeFileSync(filePath, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e51eaa7b4908ab38 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:2515
import fs5 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #42a4dc77eea95345 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:2525
    string2 = fs5.readFileSync(path4.toNamespacedPath(jsonPath), "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a023712091e18ddf Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:2743
import { statSync, realpathSync } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f7df04f68faac2e1 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:3607
import fs6 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #99c0e661da51cd6c Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:4855
import fs7 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7cd60efc77f16c8a Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:5794
import fs8 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #29875de3afadf071 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:5820
          const store = JSON.parse(fs8.readFileSync(this.storePath, "utf8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dc53586bcc63d2d7 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:5835
          fs8.writeFileSync(this.storePath, store);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #08b687b8aeb41e6b Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:5850
          const content = fs8.readFileSync(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #01659eefadefe826 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:6238
import fs9 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c3bcb7737fcb477d Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:6252
        return fs9.readFile(filePath, "utf8").then(parse_default2).catch(noop2);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1a23c0e3d19440f6 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:6582
import fs10 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e701eb6b5b9fda28 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:6594
      return fs10.readFile(filePath, "utf8").catch(noop2);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0771d2203e7ad8d6 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:10466
import fs11 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2e5241778226018f Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:10488
        const fileContent = fs11.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #60ebc21b7c6aee26 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:10493
        const fileContent = fs11.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2f9e42fadfa5e86d Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:10499
        const fileBuffer = fs11.readFileSync(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a7a0f9d308a3ee2a Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:10515
        const fileContent = fs11.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0183a6c7ba8c5ce5 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:10521
        const fileContent = fs11.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #04867101c2dab20b Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:11366
import fs12 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7d4f0d1cb544ca7e Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:11559
import { createWriteStream } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9ff8060cd7be1e12 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:11567
  return dist_default36.retry.readFile(retryOptions)(filePath, options);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #701bbf2d444350e8 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:12330
import fs13 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9e3995f83e06fad5 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:12395
  const ignoreManualFilesContents = await Promise.all(ignoreManualFilesPaths.map((filePath) => fs13.readFile(filePath, "utf8").catch(() => "")));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cde8a8f954094235 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:12400
  const prettierManualFilesContents = await Promise.all(prettierManualFilesPaths.map((filePath) => fs13.readFile(filePath, "utf8")));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #74c50c8e84ca9ffd Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1233
import fs from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a213c9b33cbacf19 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1554
import fs9 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fe38df1e6778ad45 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1778
import fs4 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6d833352e47b5556 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1786
import fs3 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3c4a97c91dd47ec1 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1794
import fs2 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1dc2deb36a2b0852 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1888
    const data = await fs4.readFile(cacheFile, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c9b2e7364a7f63e2 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1906
import fs7 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c4be8b8a2af2a929 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1910
import fs6 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4c207a6f296bfa20 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1914
import fs5 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ffa696ecc46e6fbe Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:4302
      const data = fs5.readFileSync(pathToFile, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #03e80a36bc5556d8 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:4506
        fs5.writeFileSync(filePath, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #72a4fae8fc0d294d Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:4894
        const buffer = fs6.readFileSync(absolutePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #69c7907dd14bc350 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:5188
import fs8 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #df10a03edb485858 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:5449
  writeFormattedFile: (file, data) => fs8.writeFile(file, data)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f4f863b6c895ea68 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:5805
      input = await fs9.readFile(filename, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

semver

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #90c2e8c89038a6f1 Environment-variable access.
pkgs/npm/[email protected]/internal/debug.js:6
  process.env.NODE_DEBUG &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #34f725ec62605ab8 Environment-variable access.
pkgs/npm/[email protected]/internal/debug.js:7
  /\bsemver\b/i.test(process.env.NODE_DEBUG)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

sherif

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #9f47e214bc1ef0b4 Filesystem access.
pkgs/npm/[email protected]/index.js:4
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

svgo

npm dependency
expand_more 6 low-confidence finding(s)
low env_fs dependency Excluded from app score #5925458808fc8f3d Filesystem access.
pkgs/npm/[email protected]/lib/svgo-node.js:2
import fs from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #52ac87363547d2ac Filesystem access.
pkgs/npm/[email protected]/lib/svgo/coa.js:1
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3fd2445aefd9086a Filesystem access.
pkgs/npm/[email protected]/lib/svgo/coa.js:12
const PKG = JSON.parse(await fs.promises.readFile(pkgPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9be293717e903f29 Filesystem access.
pkgs/npm/[email protected]/lib/svgo/coa.js:378
  return fs.promises.readFile(file, 'utf8').then(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e4e271a46d206d54 Filesystem access.
pkgs/npm/[email protected]/lib/svgo/coa.js:452
  return fs.promises
    .writeFile(output, data, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6faf5bd2e5bd56d5 Filesystem access.
pkgs/npm/[email protected]/lib/svgo/coa.js:517
    return fs.promises.writeFile(
      path.resolve(output, path.basename(input)),
      data,
      'utf8',
    );

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

ts-checker-rspack-plugin

npm dependency
expand_more 26 low-confidence finding(s)
low env_fs dependency Excluded from app score #4489833ce5015402 Filesystem access.
pkgs/npm/[email protected]/lib/getDependenciesWorker.js:156
        if (stats && stats.isFile()) readFileCache.set(normalizedPath, external_node_fs_default().readFileSync(normalizedPath, {
            encoding: encoding
        }).toString());

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d7ab0ef2a3c6aecf Filesystem access.
pkgs/npm/[email protected]/lib/getDependenciesWorker.js:202
    external_node_fs_default().writeFileSync(normalizedPath, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3af2c01fda9e8af2 Filesystem access.
pkgs/npm/[email protected]/lib/getDependenciesWorker.js:263
    if (stats && stats.isFile()) return external_memfs_namespaceObject.fs.readFileSync(realFileSystem.normalizePath(path), {
        encoding: encoding
    }).toString();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fd202d9696603c35 Filesystem access.
pkgs/npm/[email protected]/lib/getDependenciesWorker.js:281
    external_memfs_namespaceObject.fs.writeFileSync(realFileSystem.normalizePath(path), data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eac3d466a3abde22 Filesystem access.
pkgs/npm/[email protected]/lib/getDependenciesWorker.js:316
    if (fsStats && memStats) return fsStats.mtimeMs > memStats.mtimeMs ? realFileSystem.readFile(path, encoding) : memFileSystem.readFile(path, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #05033bfd6314d8b8 Filesystem access.
pkgs/npm/[email protected]/lib/getDependenciesWorker.js:317
    if (fsStats) return realFileSystem.readFile(path, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fdbff04343011d2f Filesystem access.
pkgs/npm/[email protected]/lib/getDependenciesWorker.js:318
    if (memStats) return memFileSystem.readFile(path, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a1cc7c82eb92c369 Filesystem access.
pkgs/npm/[email protected]/lib/getDependenciesWorker.js:361
        return getReadFileSystem(path).readFile(path, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #245041206083900a Filesystem access.
pkgs/npm/[email protected]/lib/getDependenciesWorker.js:368
        getWriteFileSystem(path).writeFile(path, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c708967f438bd6a3 Filesystem access.
pkgs/npm/[email protected]/lib/getDependenciesWorker.js:503
                const content = passiveFileSystem.readFile(path);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #17f66b14f7eb737a Filesystem access.
pkgs/npm/[email protected]/lib/getDependenciesWorker.js:505
                    memFileSystem.writeFile(path, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #63b7afe3ec67e5ea Filesystem access.
pkgs/npm/[email protected]/lib/getIssuesWorker.js:271
        if (stats && stats.isFile()) readFileCache.set(normalizedPath, external_node_fs_default().readFileSync(normalizedPath, {
            encoding: encoding
        }).toString());

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cbcf3b1bd0d2ab26 Filesystem access.
pkgs/npm/[email protected]/lib/getIssuesWorker.js:317
    external_node_fs_default().writeFileSync(normalizedPath, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5ec3280f3c89a605 Filesystem access.
pkgs/npm/[email protected]/lib/getIssuesWorker.js:378
    if (stats && stats.isFile()) return external_memfs_namespaceObject.fs.readFileSync(realFileSystem.normalizePath(path), {
        encoding: encoding
    }).toString();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9ba67c1e37780b6f Filesystem access.
pkgs/npm/[email protected]/lib/getIssuesWorker.js:396
    external_memfs_namespaceObject.fs.writeFileSync(realFileSystem.normalizePath(path), data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e14ae64877565229 Filesystem access.
pkgs/npm/[email protected]/lib/getIssuesWorker.js:431
    if (fsStats && memStats) return fsStats.mtimeMs > memStats.mtimeMs ? realFileSystem.readFile(path, encoding) : memFileSystem.readFile(path, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #133e6ff0a5e95a1a Filesystem access.
pkgs/npm/[email protected]/lib/getIssuesWorker.js:432
    if (fsStats) return realFileSystem.readFile(path, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #739323c77cefee20 Filesystem access.
pkgs/npm/[email protected]/lib/getIssuesWorker.js:433
    if (memStats) return memFileSystem.readFile(path, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ffff9964e05744ad Filesystem access.
pkgs/npm/[email protected]/lib/getIssuesWorker.js:476
        return getReadFileSystem(path).readFile(path, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c6602d7e83f8d00b Filesystem access.
pkgs/npm/[email protected]/lib/getIssuesWorker.js:483
        getWriteFileSystem(path).writeFile(path, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8b5d03eb17fc0637 Filesystem access.
pkgs/npm/[email protected]/lib/getIssuesWorker.js:618
                const content = passiveFileSystem.readFile(path);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7206592fea5dc4de Filesystem access.
pkgs/npm/[email protected]/lib/getIssuesWorker.js:620
                    memFileSystem.writeFile(path, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2da033c53cd4d0fe Filesystem access.
pkgs/npm/[email protected]/lib/getIssuesWorker.js:994
            system.writeFile(path, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4a559e8823f74756 Environment-variable access.
pkgs/npm/[email protected]/lib/index.js:145
            return "object" == typeof process && ("0" === process.env.FORCE_COLOR || "false" === process.env.FORCE_COLOR) ? false : picocolors.isColorSupported;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #75f72f0901cb9956 Environment-variable access.
pkgs/npm/[email protected]/lib/index.js:2609
    const defaultPlatform = 'object' == typeof process && process ? 'object' == typeof process.env && process.env && process.env.__MINIMATCH_TESTING_PLATFORM__ || process.platform : 'posix';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1ac29446474f9a0c Filesystem access.
pkgs/npm/[email protected]/lib/index.js:4385
            const source = issue.file && external_node_fs_default().existsSync(issue.file) && external_node_fs_default().readFileSync(issue.file, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

typescript

npm dependency
expand_more 10 low-confidence finding(s)
low env_fs dependency Excluded from app score #b4ad53466089ec35 Filesystem access.
pkgs/npm/[email protected]/lib/_tsserver.js:51
var import_fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #39c5bf20d7fe2744 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:309
    const envLogOptions = parseLoggingEnvironmentString(process.env.TSS_LOG);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aa1aa01416076062 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:535
  const traceDir = commandLineTraceDir ? (0, typescript_exports.stripQuotes)(commandLineTraceDir) : process.env.TSS_TRACE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1db07b486a2d53b9 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:548
        const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d3999fda0e533b4e Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:565
    if (process.env.XDG_CACHE_HOME) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f15e76ab3b6a6b21 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:566
      return process.env.XDG_CACHE_HOME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1b324765bc84a0b3 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:569
    const homePath = import_os.default.homedir && import_os.default.homedir() || process.env.HOME || (process.env.LOGNAME || process.env.USER) && `/${usersDir}/${process.env.LOGNAME || process.env.USER}` || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #69a42fe4e2cd64ad Filesystem access.
pkgs/npm/[email protected]/lib/_typingsInstaller.js:44
var fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6c82d52e9e05405d Filesystem access.
pkgs/npm/[email protected]/lib/_typingsInstaller.js:88
    const content = JSON.parse(host.readFile(typesRegistryFilePath));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #889c3b744efbbc9c Filesystem access.
pkgs/npm/[email protected]/lib/watchGuard.js:42
var fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

undici

npm dependency
expand_more 12 low-confidence finding(s)
low env_fs dependency Excluded from app score #abb1e4aeb4eb9c2c Environment-variable access.
pkgs/npm/[email protected]/lib/dispatcher/client-h1.js:67
  const llhttpWasmData = process.env.JEST_WORKER_ID ? require('../llhttp/llhttp-wasm.js') : undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5932be50416ed612 Environment-variable access.
pkgs/npm/[email protected]/lib/dispatcher/client-h1.js:74
  if (process.env.UNDICI_NO_WASM_SIMD === '1') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #46f38ce307d54af9 Environment-variable access.
pkgs/npm/[email protected]/lib/dispatcher/client-h1.js:76
  } else if (process.env.UNDICI_NO_WASM_SIMD === '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ea5162ca4925d205 Environment-variable access.
pkgs/npm/[email protected]/lib/dispatcher/env-http-proxy-agent.js:26
    const HTTP_PROXY = httpProxy ?? process.env.http_proxy ?? process.env.HTTP_PROXY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ed5f2635921680eb Environment-variable access.
pkgs/npm/[email protected]/lib/dispatcher/env-http-proxy-agent.js:33
    const HTTPS_PROXY = httpsProxy ?? process.env.https_proxy ?? process.env.HTTPS_PROXY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1d1d99dab64dfd80 Environment-variable access.
pkgs/npm/[email protected]/lib/dispatcher/env-http-proxy-agent.js:142
    return process.env.no_proxy ?? process.env.NO_PROXY ?? ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0d1f253b890bf686 Environment-variable access.
pkgs/npm/[email protected]/lib/mock/pending-interceptors-formatter.js:23
        colors: !disableColors && !process.env.CI

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9fb3cc44c40efc4d Filesystem access.
pkgs/npm/[email protected]/lib/mock/snapshot-recorder.js:424
      const data = await readFile(resolve(path), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d750f9b2be9dff40 Filesystem access.
pkgs/npm/[email protected]/lib/mock/snapshot-recorder.js:470
    await writeFile(resolvedPath, JSON.stringify(data, null, 2), { flush: true })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #f0c6158a253dc067 Filesystem access.
pkgs/npm/[email protected]/scripts/strip-comments.js:7
  ? transcode(readFileSync('./undici-fetch.js'), 'utf8', 'latin1')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #9dcaac816cb15d92 Filesystem access.
pkgs/npm/[email protected]/scripts/strip-comments.js:8
  : readFileSync('./undici-fetch.js')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #9262802e2e17bc01 Filesystem access.
pkgs/npm/[email protected]/scripts/strip-comments.js:10
writeFileSync('./undici-fetch.js', buffer.toString('latin1'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

unstorage

npm dependency
expand_more 20 low-confidence finding(s)
low env_fs dependency Excluded from app score #de3f04a002abb7f4 Filesystem access.
pkgs/npm/[email protected]/drivers/fs-lite.mjs:38
      return readFile(r(key), "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f80149bc5433d9e8 Filesystem access.
pkgs/npm/[email protected]/drivers/fs-lite.mjs:41
      return readFile(r(key));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4cd49c37eba8275c Filesystem access.
pkgs/npm/[email protected]/drivers/fs-lite.mjs:51
      return writeFile(r(key), value, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f8c352d6e8947b15 Filesystem access.
pkgs/npm/[email protected]/drivers/fs-lite.mjs:57
      return writeFile(r(key), value);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c458344fe53a698c Filesystem access.
pkgs/npm/[email protected]/drivers/fs.mjs:49
      return readFile(r(key), "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3ac62e34b7bb5f52 Filesystem access.
pkgs/npm/[email protected]/drivers/fs.mjs:52
      return readFile(r(key));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fafc79d6b8cfa5db Filesystem access.
pkgs/npm/[email protected]/drivers/fs.mjs:62
      return writeFile(r(key), value, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #84289413815180d9 Filesystem access.
pkgs/npm/[email protected]/drivers/fs.mjs:68
      return writeFile(r(key), value);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #935a42fd2bdbe44d Filesystem access.
pkgs/npm/[email protected]/drivers/utils/node-fs.cjs:24
  return _nodeFs.promises.writeFile(path, data, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7d19ba6fce64c894 Filesystem access.
pkgs/npm/[email protected]/drivers/utils/node-fs.cjs:27
  return _nodeFs.promises.readFile(path, encoding).catch(ignoreNotfound);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ffc73dcd1aac96be Filesystem access.
pkgs/npm/[email protected]/drivers/utils/node-fs.mjs:11
  return fsPromises.writeFile(path, data, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d943c19d15abdb51 Filesystem access.
pkgs/npm/[email protected]/drivers/utils/node-fs.mjs:14
  return fsPromises.readFile(path, encoding).catch(ignoreNotfound);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ef75abe975c10899 Environment-variable access.
pkgs/npm/[email protected]/drivers/vercel-kv.cjs:19
        if (envPrefix && process.env[envName]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #96402b9bc3e8c69b Environment-variable access.
pkgs/npm/[email protected]/drivers/vercel-kv.cjs:20
          opts.url = process.env[envName];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5b23e8dfd768e769 Environment-variable access.
pkgs/npm/[email protected]/drivers/vercel-kv.cjs:27
        if (envPrefix && process.env[envName]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a148bfbd701c0a2a Environment-variable access.
pkgs/npm/[email protected]/drivers/vercel-kv.cjs:28
          opts.token = process.env[envName];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #48bfc32fee0a2edd Environment-variable access.
pkgs/npm/[email protected]/drivers/vercel-kv.mjs:13
        if (envPrefix && process.env[envName]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7ccd0100f058af6f Environment-variable access.
pkgs/npm/[email protected]/drivers/vercel-kv.mjs:14
          opts.url = process.env[envName];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cb0922ce64708c46 Environment-variable access.
pkgs/npm/[email protected]/drivers/vercel-kv.mjs:24
        if (envPrefix && process.env[envName]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #22311bd176a987d1 Environment-variable access.
pkgs/npm/[email protected]/drivers/vercel-kv.mjs:25
          opts.token = process.env[envName];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

vite

npm dependency
expand_more 4 low-confidence finding(s)
low env_fs dependency Excluded from app score #2257320828130c9c Environment-variable access.
pkgs/npm/[email protected]/bin/vite.js:6
  if (!process.env.DEBUG_DISABLE_SOURCE_MAP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3434fb95240a8b8a Environment-variable access.
pkgs/npm/[email protected]/bin/vite.js:36
  process.env.DEBUG = `${

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #31b047d6d83e74af Environment-variable access.
pkgs/npm/[email protected]/bin/vite.js:37
    process.env.DEBUG ? process.env.DEBUG + ',' : ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #72f64381a6c0c7b2 Environment-variable access.
pkgs/npm/[email protected]/bin/vite.js:43
      process.env.VITE_DEBUG_FILTER = filter

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

vue

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #5f64bf920d39cefc Environment-variable access.
pkgs/npm/[email protected]/index.js:3
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

vue-router

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #362a00dfbc5624b6 Environment-variable access.
pkgs/npm/[email protected]/index.cjs:3
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

webpack

npm dependency
expand_more 29 low-confidence finding(s)
low env_fs dependency Excluded from app score #4dcd40ebef088f4d Filesystem access.
pkgs/npm/[email protected]/lib/Compiler.js:901
							(this.outputFileSystem).writeFile(targetPath, content, (err) => {
								if (err) return callback(err);

								// information marker that the asset has been emitted
								compilation.emittedAssets.add(file);

								// cache the information that the Source has been written to that location
								const newGeneration =
									targetFileGeneration === undefined
										? 1
										: targetFileGeneration + 1;
								/** @type {CacheEntry} */
								(cacheEntry).writtenTo.set(targetPath, newGeneration);
								this._assetEmittingWrittenFiles.set(targetPath, newGeneration);
								this.hooks.assetEmitted.callAsync(
									file,
									{
										content,
										source,
										outputPath,
										compilation,
										targetPath
									},
									callback
								);
							});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b94d6eb79bc78750 Filesystem access.
pkgs/npm/[email protected]/lib/Compiler.js:996
								return /** @type {OutputFileSystem} */ (
									this.outputFileSystem
								).readFile(targetPath, (err, existingContent) => {
									if (
										err ||
										!content.equals(/** @type {Buffer} */ (existingContent))
									) {
										return doWrite(content);
									}
									return alreadyWritten();
								});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #584ecea9305652ba Filesystem access.
pkgs/npm/[email protected]/lib/Compiler.js:1141
			(this.outputFileSystem).writeFile(
				/** @type {string} */ (this.recordsOutputPath),
				JSON.stringify(
					this.records,
					(n, value) => {
						if (
							typeof value === "object" &&
							value !== null &&
							!Array.isArray(value)
						) {
							const keys = Object.keys(value);
							if (!isSorted(keys)) {
								return sortObject(value, keys);
							}
						}
						return value;
					},
					2
				),
				callback
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f5c1e5826c6795d7 Filesystem access.
pkgs/npm/[email protected]/lib/Compiler.js:1227
			(this.inputFileSystem).readFile(
				/** @type {string} */
				(this.recordsInputPath),
				(err, content) => {
					if (err) return callback(err);

					try {
						this.records =
							/** @type {Records} */
							(parseJson(/** @type {Buffer} */ (content).toString("utf8")));
					} catch (parseErr) {
						return callback(
							new Error(
								`Cannot parse records: ${
									/** @type {Error} */ (parseErr).message
								}`
							)
						);
					}

					return callback(null);
				}
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5ae02618f4e91783 Environment-variable access.
pkgs/npm/[email protected]/lib/DotenvPlugin.js:447
					process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cdc9497cc4baba9e Environment-variable access.
pkgs/npm/[email protected]/lib/DotenvPlugin.js:448
						? process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3130b97e3a2b9c6a Filesystem access.
pkgs/npm/[email protected]/lib/DotenvPlugin.js:465
			fs.readFile(file, (err, content) => {
				if (err) reject(err);
				else resolve(/** @type {Buffer} */ (content).toString() || "");
			});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #117c9619059893c7 Environment-variable access.
pkgs/npm/[email protected]/lib/EnvironmentPlugin.js:50
					process.env[key] !== undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8397b8a51da888b9 Environment-variable access.
pkgs/npm/[email protected]/lib/EnvironmentPlugin.js:51
						? process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #38c008785cc3302b Filesystem access.
pkgs/npm/[email protected]/lib/FileSystemInfo.js:2209
								this.fs.readFile(path, (err, content) => {
									if (err) return callback(err);
									try {
										const context = dirname(this.fs, path);
										const source = /** @type {Buffer} */ (content).toString();
										const [imports] = lexer.parse(source);
										/** @type {Set<string>} */
										const added = new Set();
										for (const imp of imports) {
											try {
												// import.meta
												if (imp.d === -2) {
													continue;
												}

												/** @type {string | null} */
												const dependency =
													imp.n ||
													parseString(source.slice(imp.s, imp.e).trim());

												if (!dependency) {
													continue;
												}

												// We should not track Node.js build dependencies
												if (dependency.startsWith("node:")) continue;
												if (builtinModules.has(dependency)) continue;
												// Avoid extra jobs for identical imports
												if (added.has(dependency)) continue;

												push({
													type: RBDT_RESOLVE_ESM_FILE,
													context,
													path: dependency,
													expected: imp.d > -1 ? false : undefined,
													issuer: job
												});
												added.add(dependency);
											} catch (err1) {
												logger.warn(
													`Parsing of ${path} for build dependencies failed at 'import(${source.slice(
														imp.s,
														imp.e
													)})'.\n` +
														"Build dependencies behind this expression are ignored and might cause incorrect cache invalidation."
												);
												logger.debug(pathToString(job));
												logger.debug(/** @type {Error} */ (err1).stack);
											}
										}
									} catch (err2) {
										logger.warn(
											`Parsing of ${path} for build dependencies failed and all dependencies of this file are ignored, which might cause incorrect cache invalidation..`
										);
										logger.debug(pathToString(job));
										logger.debug(/** @type {Error} */ (err2).stack);
									}
									process.nextTick(callback);
								});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2e3e17feb0e13f07 Filesystem access.
pkgs/npm/[email protected]/lib/FileSystemInfo.js:2284
						this.fs.readFile(packageJson, (err, content) => {
							if (err) {
								if (err.code === "ENOENT") {
									resolveMissing.add(packageJson);
									const parent = dirname(this.fs, packagePath);
									if (parent !== packagePath) {
										push({
											type: RBDT_DIRECTORY_DEPENDENCIES,
											context: undefined,
											path: parent,
											expected: undefined,
											issuer: job
										});
									}
									callback();
									return;
								}
								return callback(err);
							}
							resolveFiles.add(packageJson);
							/** @type {JsonObject} */
							let packageData;
							try {
								packageData = JSON.parse(
									/** @type {Buffer} */
									(content).toString("utf8")
								);
							} catch (parseErr) {
								return callback(/** @type {Error} */ (parseErr));
							}
							const depsObject = packageData.dependencies;
							const optionalDepsObject = packageData.optionalDependencies;
							/** @type {Set<string>} */
							const allDeps = new Set();
							/** @type {Set<string>} */
							const optionalDeps = new Set();
							if (typeof depsObject === "object" && depsObject) {
								for (const dep of Object.keys(depsObject)) {
									allDeps.add(dep);
								}
							}
							if (
								typeof optionalDepsObject === "object" &&
								optionalDepsObject
							) {
								for (const dep of Object.keys(optionalDepsObject)) {
									allDeps.add(dep);
									optionalDeps.add(dep);
								}
							}
							for (const dep of allDeps) {
								push({
									type: RBDT_RESOLVE_DIRECTORY,
									context: packagePath,
									path: dep,
									expected: !optionalDeps.has(dep),
									issuer: job
								});
							}
							callback();
						});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2e1cab1b7ed4339c Filesystem access.
pkgs/npm/[email protected]/lib/FileSystemInfo.js:3676
		this.fs.readFile(path, (err, content) => {
			if (err) {
				if (err.code === "EISDIR") {
					this._fileHashes.set(path, "directory");
					return callback(null, "directory");
				}
				if (err.code === "ENOENT") {
					this._fileHashes.set(path, null);
					return callback(null, null);
				}
				if (err.code === "ERR_FS_FILE_TOO_LARGE") {
					/** @type {Logger} */
					(this.logger).warn(`Ignoring ${path} for hashing as it's very large`);
					this._fileHashes.set(path, "too large");
					return callback(null, "too large");
				}
				return callback(/** @type {WebpackError} */ (err));
			}

			const hash = createHash(this._hashFunction);

			hash.update(/** @type {string | Buffer} */ (content));

			const digest = hash.digest("hex");

			this._fileHashes.set(path, digest);

			callback(null, digest);
		});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6e7e45ccb41fbaf7 Filesystem access.
pkgs/npm/[email protected]/lib/FileSystemInfo.js:4419
			this.fs.readFile(packageJsonPath, (err, content) => {
				if (err) {
					if (err.code === "ENOENT" || err.code === "ENOTDIR") {
						// no package.json or path is not a directory
						this.fs.readdir(path, (err, elements) => {
							if (
								!err &&
								/** @type {string[]} */ (elements).length === 1 &&
								/** @type {string[]} */ (elements)[0] === "node_modules"
							) {
								// This is only a grouping folder e.g. used by yarn
								// we are only interested in existence of this special directory
								this._managedItems.set(path, "*nested");
								return callback(null, "*nested");
							}
							/** @type {Logger} */
							(this.logger).warn(
								`Managed item ${path} isn't a directory or doesn't contain a package.json (see snapshot.managedPaths option)`
							);
							return callback();
						});
						return;
					}
					return callback(/** @type {WebpackError} */ (err));
				}
				/** @type {JsonObject} */
				let data;
				try {
					data = JSON.parse(/** @type {Buffer} */ (content).toString("utf8"));
				} catch (parseErr) {
					return callback(/** @type {WebpackError} */ (parseErr));
				}
				if (!data.name) {
					/** @type {Logger} */
					(this.logger).warn(
						`${packageJsonPath} doesn't contain a "name" property (see snapshot.managedPaths option)`
					);
					return callback();
				}
				const info = `${data.name || ""}@${data.version || ""}`;
				this._managedItems.set(path, info);
				callback(null, info);
			});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #73ecfa0a109ac547 Filesystem access.
pkgs/npm/[email protected]/lib/config/defaults.js:8
const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #827d898796763eb3 Filesystem access.
pkgs/npm/[email protected]/lib/config/defaults.js:1477
			const packageInfo = JSON.parse(fs.readFileSync(pkgPath, "utf8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #67856106b7687836 Environment-variable access.
pkgs/npm/[email protected]/lib/config/defaults.js:2450
		(infrastructureLogging.stream).isTTY && process.env.TERM !== "dumb";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7e3ad8d9e2adb1c3 Filesystem access.
pkgs/npm/[email protected]/lib/dll/DllReferencePlugin.js:73
					(compiler.inputFileSystem).readFile(manifest, (err, result) => {
						if (err) return callback(err);
						/** @type {CompilationDataItem} */
						const data = {
							path: manifest,
							data: undefined,
							error: undefined
						};
						// Catch errors parsing the manifest so that blank
						// or malformed manifest files don't kill the process.
						try {
							data.data =
								/** @type {DllReferencePluginOptionsManifest} */
								(
									/** @type {unknown} */
									(parseJson(/** @type {Buffer} */ (result).toString("utf8")))
								);
						} catch (parseErr) {
							// Store the error in the params so that it can
							// be added as a compilation error later on.
							const manifestPath = makePathsRelative(
								compiler.context,
								manifest,
								compiler.root
							);
							data.error = new DllManifestError(
								manifestPath,
								/** @type {Error} */ (parseErr).message
							);
						}
						compilationData.set(params, data);
						return callback();
					});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #56e91304f70177a9 Filesystem access.
pkgs/npm/[email protected]/lib/dll/LibManifestPlugin.js:137
								intermediateFileSystem.writeFile(targetPath, buffer, callback);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6e388885fa3cbede Filesystem access.
pkgs/npm/[email protected]/lib/ids/SyncModuleIdsPlugin.js:63
				fs.readFile(this.options.path, (err, buffer) => {
					if (err) {
						if (err.code !== "ENOENT") {
							return callback(err);
						}
						return callback();
					}
					/** @type {JSONContent} */
					const json = JSON.parse(/** @type {Buffer} */ (buffer).toString());
					/** @type {Map<string, string | number | null>} */
					data = new Map();
					for (const key of Object.keys(json)) {
						data.set(key, json[key]);
					}
					dataChanged = false;
					return callback();
				});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2824a1ff7f8c5d8d Filesystem access.
pkgs/npm/[email protected]/lib/ids/SyncModuleIdsPlugin.js:94
				fs.writeFile(this.options.path, JSON.stringify(json), callback);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #649cc39f8a38249c Filesystem access.
pkgs/npm/[email protected]/lib/schemes/FileUriPlugin.js:43
						loaderContext.fs.readFile(resourcePath, (err, result) => {
							if (err) return callback(err);
							loaderContext.addDependency(resourcePath);
							callback(null, result);
						});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #43fef5b6fafc400d Environment-variable access.
pkgs/npm/[email protected]/lib/schemes/HttpUriPlugin.js:496
			this.options.proxy || process.env.http_proxy || process.env.HTTP_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b64ea176078fef73 Filesystem access.
pkgs/npm/[email protected]/lib/schemes/HttpUriPlugin.js:589
							intermediateFs.readFile(lockfileLocation, (err, buffer) => {
								if (err && err.code !== "ENOENT") {
									compilation.missingDependencies.add(lockfileLocation);
									return callback(err);
								}
								compilation.fileDependencies.add(lockfileLocation);
								compilation.fileSystemInfo.createSnapshot(
									compiler.fsStartTime,
									buffer ? [lockfileLocation] : [],
									[],
									buffer ? [] : [lockfileLocation],
									{ timestamp: true },
									(err, s) => {
										if (err) return callback(err);
										const lockfile = buffer
											? Lockfile.parse(buffer.toString("utf8"))
											: new Lockfile();
										lockfileCache = {
											lockfile,
											snapshot: /** @type {Snapshot} */ (s)
										};
										callback(null, lockfile);
									}
								);
							});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #808b6caf76e4f298 Filesystem access.
pkgs/npm/[email protected]/lib/schemes/HttpUriPlugin.js:693
							intermediateFs.writeFile(filePath, result.content, (err) => {
								if (err) return callback(err);
								callback(null, result);
							});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b316a1c36efeb7f7 Filesystem access.
pkgs/npm/[email protected]/lib/schemes/HttpUriPlugin.js:1202
									fs.readFile(filePath, (err, result) => {
										if (err) {
											if (err.code === "ENOENT") return doFetch();
											return callback(err);
										}
										const content = /** @type {Buffer} */ (result);
										/**
										 * Continue with cached content.
										 * @param {Buffer | undefined} _result result
										 * @returns {void}
										 */
										const continueWithCachedContent = (_result) => {
											if (!upgrade) {
												// When not in upgrade mode, we accept the result from the lockfile cache
												return callback(null, { entry, content });
											}
											return doFetch(content);
										};
										if (!verifyIntegrity(content, entry.integrity)) {
											/** @type {Buffer | undefined} */
											let contentWithChangedEol;
											let isEolChanged = false;
											try {
												contentWithChangedEol = Buffer.from(
													content.toString("utf8").replace(/\r\n/g, "\n")
												);
												isEolChanged = verifyIntegrity(
													contentWithChangedEol,
													entry.integrity
												);
											} catch (_err) {
												// ignore
											}
											if (isEolChanged) {
												if (!warnedAboutEol) {
													const explainer = `Incorrect end of line sequence was detected in the lockfile cache.
The lockfile cache is protected by integrity checks, so any external modification will lead to a corrupted lockfile cache.
When using git make sure to configure .gitattributes correctly for the lockfile cache:
  **/*webpack.lock.data/** -text
This will avoid that the end of line sequence is changed by git on Windows.`;
													if (frozen) {
														logger.error(explainer);
													} else {
														logger.warn(explainer);
														logger.info(
															"Lockfile cache will be automatically fixed now, but when lockfile is frozen this would result in an error."
														);
													}
													warnedAboutEol = true;
												}
												if (!frozen) {
													// "fix" the end of line sequence of the lockfile content
													logger.log(
														`${filePath} fixed end of line sequence (\\r\\n instead of \\n).`
													);
													intermediateFs.writeFile(
														filePath,
														/** @type {Buffer} */
														(contentWithChangedEol),
														(err) => {
															if (err) return callback(err);
															continueWithCachedContent(
																/** @type {Buffer} */
																(contentWithChangedEol)
															);
														}
													);
													return;
												}
											}
											if (frozen) {
												return callback(
													new Error(
														`${
															entry.resolved
														} integrity mismatch, expected content with integrity ${
															entry.integrity
														} but got ${computeIntegrity(content)}.
Lockfile corrupted (${
															isEolChanged
																? "end of line sequence was unexpectedly changed"
																: "incorrectly merged? changed by other tools?"
														}).
Run build with un-frozen lockfile to automatically fix lockfile.`
													)
												);
											}
											// "fix" the lockfile entry to the correct integrity
											// the content has priority over the integrity value
											entry = {
												...entry,
												integrity: computeIntegrity(content)
											};
											storeLockEntry(lockfile, url, entry);
										}
										continueWithCachedContent(result);
									});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b7de2d247a72c776 Filesystem access.
pkgs/npm/[email protected]/lib/schemes/HttpUriPlugin.js:1257
													intermediateFs.writeFile(
														filePath,
														/** @type {Buffer} */
														(contentWithChangedEol),
														(err) => {
															if (err) return callback(err);
															continueWithCachedContent(
																/** @type {Buffer} */
																(contentWithChangedEol)
															);
														}
													);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5ea14f7744857376 Filesystem access.
pkgs/npm/[email protected]/lib/schemes/HttpUriPlugin.js:1410
							intermediateFs.readFile(lockfileLocation, (err, buffer) => {
								if (err && err.code !== "ENOENT") {
									writeDone();
									return callback(err);
								}
								const lockfile = buffer
									? Lockfile.parse(buffer.toString("utf8"))
									: new Lockfile();
								for (const [key, value] of /** @type {LockfileUpdates} */ (
									lockfileUpdates
								)) {
									lockfile.entries.set(key, value);
								}
								intermediateFs.writeFile(
									tempFile,
									lockfile.toString(),
									(err) => {
										if (err) {
											writeDone();
											return (
												/** @type {NonNullable<IntermediateFileSystem["unlink"]>} */
												(intermediateFs.unlink)(tempFile, () => callback(err))
											);
										}
										intermediateFs.rename(tempFile, lockfileLocation, (err) => {
											if (err) {
												writeDone();
												return (
													/** @type {NonNullable<IntermediateFileSystem["unlink"]>} */
													(intermediateFs.unlink)(tempFile, () => callback(err))
												);
											}
											writeDone();
											callback();
										});
									}
								);
							});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ead39e2a8fbf1aa8 Filesystem access.
pkgs/npm/[email protected]/lib/schemes/HttpUriPlugin.js:1423
								intermediateFs.writeFile(
									tempFile,
									lockfile.toString(),
									(err) => {
										if (err) {
											writeDone();
											return (
												/** @type {NonNullable<IntermediateFileSystem["unlink"]>} */
												(intermediateFs.unlink)(tempFile, () => callback(err))
											);
										}
										intermediateFs.rename(tempFile, lockfileLocation, (err) => {
											if (err) {
												writeDone();
												return (
													/** @type {NonNullable<IntermediateFileSystem["unlink"]>} */
													(intermediateFs.unlink)(tempFile, () => callback(err))
												);
											}
											writeDone();
											callback();
										});
									}
								);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aa368625bf497426 Filesystem access.
pkgs/npm/[email protected]/lib/util/fs.js:681
	fs.readFile(p, (err, buf) => {
		if (err) return callback(err);
		/** @type {JsonObject} */
		let data;
		try {
			data = JSON.parse(/** @type {Buffer} */ (buf).toString("utf8"));
		} catch (err1) {
			return callback(/** @type {Error} */ (err1));
		}
		return callback(null, data);
	});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

webpack-bundle-analyzer

npm dependency
expand_more 5 low-confidence finding(s)
low env_fs dependency Excluded from app score #fb9cafbbb378e889 Filesystem access.
pkgs/npm/[email protected]/lib/parseUtils.js:253
  const content = fs.readFileSync(bundlePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #63349dd4100f8a59 Filesystem access.
pkgs/npm/[email protected]/lib/template.js:36
  return fs.readFileSync(assetPath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d24af4ab620967c2 Environment-variable access.
pkgs/npm/[email protected]/lib/utils.js:71
  return `${process.env.npm_package_name || "Webpack Bundle Analyzer"} [${currentTime}]`;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b19cbcf2fe1c6f5 Filesystem access.
pkgs/npm/[email protected]/lib/viewer.js:266
  fs.writeFileSync(reportFilepath, reportHtml);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7dd340d5881feb62 Filesystem access.
pkgs/npm/[email protected]/lib/viewer.js:304
  await fs.promises.writeFile(reportFilename, JSON.stringify(chartData));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

Skipped dependencies

Production

  • @vue/compiler-sfc prod — dist-only: no readable source
  • css-loader prod — dist-only: no readable source
  • esbuild-loader prod — dist-only: no readable source
  • exsolve prod — dist-only: no readable source
  • file-loader prod — dist-only: no readable source
  • knitwork prod — dist-only: no readable source
  • mlly prod — dist-only: no readable source
  • ohash prod — dist-only: no readable source
  • postcss-loader prod — dist-only: no readable source
  • unplugin prod — dist-only: no readable source
  • url-loader prod — dist-only: no readable source
  • vue-loader prod — dist-only: no readable source
  • webpackbar prod — dist-only: no readable source
  • @vitejs/plugin-vue prod — dist-only: no readable source
  • pkg-types prod — dist-only: no readable source
  • vite-node prod — dist-only: no readable source
  • vite-plugin-checker prod — dist-only: no readable source
  • @dxup/nuxt prod — dist-only: no readable source
  • @nuxt/nitro-server prod — dist-only: no readable source
  • @nuxt/vite-builder prod — dist-only: no readable source
  • cookie-es prod — dist-only: no readable source
  • errx prod — dist-only: no readable source
  • impound prod — dist-only: no readable source
  • nanotar prod — dist-only: no readable source
  • oxc-walker prod — dist-only: no readable source
  • perfect-debounce prod — dist-only: no readable source
  • uncrypto prod — dist-only: no readable source
  • unrouting prod — dist-only: no readable source
  • lru-cache prod — dist-only: no readable source
  • vue-devtools-stub prod — dist-only: no readable source
  • nypm prod — dist-only: no readable source
  • rc9 prod — dist-only: no readable source
  • hook-augmenting-module prod — no javascript source

Development

  • @arethetypeswrong/cli dev — dist-only: no readable source
  • @codspeed/core dev — dist-only: no readable source
  • @eslint/markdown dev — dist-only: no readable source
  • @codspeed/vitest-plugin dev — dist-only: no readable source
  • @nuxt/eslint-config dev — dist-only: no readable source
  • @nuxt/kit dev — dist-only: no readable source
  • @typescript-eslint/parser dev — dist-only: no readable source
  • @vitest/coverage-v8 dev — dist-only: no readable source
  • @vue/test-utils dev — dist-only: no readable source
  • acorn dev — dist-only: no readable source
  • changelogen dev — dist-only: no readable source
  • eslint-plugin-perfectionist dev — dist-only: no readable source
  • eslint-typegen dev — dist-only: no readable source
  • get-port-please dev — dist-only: no readable source
  • magic-string dev — dist-only: no readable source
  • ofetch dev — dist-only: no readable source
  • rolldown-string dev — dist-only: no readable source
  • rollup dev — dist-only: no readable source
  • std-env dev — dist-only: no readable source
  • tinyexec dev — dist-only: no readable source
  • tinyglobby dev — dist-only: no readable source
  • ufo dev — dist-only: no readable source
  • h3-next dev — no resolvable version
  • @vitejs/plugin-vue-jsx dev — dist-only: no readable source
  • rollup-plugin-visualizer dev — dist-only: no readable source
  • @nuxt/ui-templates dev — dist-only: no readable source
  • c12 dev — dist-only: no readable source
  • compatx dev — dist-only: no readable source
  • hookable dev — dist-only: no readable source
  • scule dev — dist-only: no readable source
  • unctx dev — dist-only: no readable source
  • unimport dev — dist-only: no readable source
  • untyped dev — dist-only: no readable source
  • vue-sfc-transformer dev — dist-only: no readable source
  • @unocss/reset dev — no javascript source
  • beasties dev — dist-only: no readable source
  • htmlnano dev — dist-only: no readable source
  • unocss dev — dist-only: no readable source
  • @vue/devtools-api dev — dist-only: no readable source