Close Open Privacy Scan

bolt Snapshot: commit 90dd9ea
science engine v2
schedule 2026-07-02T11:08:38.383767+00:00

verified_user No application data leak found

No high-confidence exfiltration was found in application code.

App Privacy Score

87 /100
Low privacy risk

Low risk · 181 finding(s)

Dependency score: 87 (Low risk)

bar_chart Score Breakdown

egress −10
env_fs −3

list Scan Summary

0 high 0 medium 181 low
First-party packages: 1
Dependency packages: 14
Ecosystem: npm

swap_horiz External domains

opencollective.com

</> First-Party Code

first-party (npm)

npm first-party
expand_more 40 low-confidence finding(s)
low env_fs test-only #82ce439407f4ed4e Environment-variable access.
repo/benchmarks/createDeepNestedDocArray.js:23
  if (!process.env.MONGOOSE_BENCHMARK_SKIP_SETUP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6882477cdaa25084 Environment-variable access.
repo/benchmarks/findOneAndUpdateSimple.js:34
  if (!process.env.MONGOOSE_BENCHMARK_SKIP_SETUP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e2f2a3953d48219a Environment-variable access.
repo/benchmarks/findOneWithCast.js:38
  if (!process.env.MONGOOSE_BENCHMARK_SKIP_SETUP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6d547947b5d9253c Environment-variable access.
repo/benchmarks/insertManySimple.js:15
  if (!process.env.MONGOOSE_BENCHMARK_SKIP_SETUP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5ae71237a926bbee Environment-variable access.
repo/benchmarks/nestedArrayLarge.js:28
    if (!process.env.MONGOOSE_BENCHMARK_SKIP_SETUP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7c226f06a6fbdb51 Environment-variable access.
repo/benchmarks/recursiveToObject.js:28
  if (!process.env.MONGOOSE_BENCHMARK_SKIP_SETUP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #dcf1064548c12d3e Environment-variable access.
repo/benchmarks/saveSimple.js:34
  if (!process.env.MONGOOSE_BENCHMARK_SKIP_SETUP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #e9fc6c1ecca2cf6b Hardcoded external endpoint. Review what data is sent to this destination.
repo/docs/js/ask-ai.js:85
      const response = await fetch(endpoint, {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({
          model: 'mongodb-chat-latest',
          stream: true,
          store: true,
          input: question
        })
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #1a409fb6fd86231d Filesystem access.
repo/docs/source/api.js:8
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ccf0c7c9d114bd7e Filesystem access.
repo/docs/source/api.js:361
    const comments = dox.parseComments(fs.readFileSync(file, 'utf8'), { raw: true });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6124a87d233ddf79 Filesystem access.
repo/docs/source/utils.js:2
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f3b3978150cda1eb Filesystem access.
repo/docs/source/utils.js:20
    const content = fs.readFileSync(`${dirName}/${filename}`, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ec1df2167cf1afdf Environment-variable access.
repo/lib/helpers/printJestWarning.js:5
if (typeof jest !== 'undefined' && !process.env.SUPPRESS_JEST_WARNINGS) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #de58902e4b90064f Filesystem access.
repo/scripts/generateLLMsTXT.js:3
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e8b2cf848dec64af Filesystem access.
repo/scripts/generateLLMsTXT.js:153
  await fs.promises.writeFile(llmsTxtPath, `${lines.join('\n').trim()}\n`);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9d3e6084a75a83c4 Filesystem access.
repo/scripts/generateSearch.js:7
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ce07d3859d2432c9 Filesystem access.
repo/scripts/generateSearch.js:54
      let text = fs.readFileSync(filename, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7ef1b41d4ea9450f Filesystem access.
repo/scripts/generateSearch.js:90
      let text = fs.readFileSync(filename, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #963dc17145ead573 Filesystem access.
repo/scripts/loadSponsorData.js:13
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b93aa1e17c93ed10 Filesystem access.
repo/scripts/loadSponsorData.js:77
  fs.writeFileSync(`${docsDir}/data/sponsors.json`, JSON.stringify(subscribers, null, '  '));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #42d389482a65890f Filesystem access.
repo/scripts/loadSponsorData.js:80
  fs.writeFileSync(`${docsDir}/data/jobs.json`, JSON.stringify(jobs, null, '  '));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #41db194941068b4f Hardcoded external endpoint. Review what data is sent to this destination.
repo/scripts/loadSponsorData.js:82
  const opencollectiveSponsors = await fetch('https://opencollective.com/mongoose/members.json')

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #856b6b1594c2967f Filesystem access.
repo/scripts/loadSponsorData.js:106
    fs.writeFileSync(`${docsDir}/data/opencollective.json`, JSON.stringify(opencollectiveSponsors, null, '  '));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9ff04750dfe14d18 Filesystem access.
repo/scripts/setup-encryption-tests.js:14
  await writeFile('fle-cluster-config.json', JSON.stringify(configuration, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6f99a5eeeedfa120 Environment-variable access.
repo/scripts/static.js:8
const port = process.env.PORT

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0058f4aa8f07aeb3 Environment-variable access.
repo/scripts/static.js:9
  ? parseInt(process.env.PORT, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e6f2a3ea8cbb1aa4 Filesystem access.
repo/scripts/tsc-diagnostics-check.js:3
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9a0cfb335d7949f4 Filesystem access.
repo/scripts/tsc-diagnostics-check.js:5
const stdin = fs.readFileSync(0).toString('utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #24ae65129b1bb93e Filesystem access.
repo/scripts/update-mongodb-links.js:77
    const promise = fs.readFile(fullPath, { encoding: 'utf8' }).then(text => fs.writeFile(fullPath, mapURLsMongoDb(text)));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c59c05081c766694 Filesystem access.
repo/scripts/website.js:6
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4afff082e9e4c3b1 Filesystem access.
repo/scripts/website.js:116
      retArray.push(acquit.parse(fs.readFileSync(file).toString()));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #294c3a46e39516af Environment-variable access.
repo/scripts/website.js:333
  const versionedDeploy = process.env.DOCS_DEPLOY ? !(base.currentVersion.listed === base.latestVersion.listed) : false;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #73e26b0b5dd39877 Filesystem access.
repo/scripts/website.js:503
      await fs.promises.writeFile(versionedMarkdownPath, str);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #27d1fc4367383f92 Filesystem access.
repo/scripts/website.js:508
    await fs.promises.writeFile(newfile, str).catch((err) => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ab6c2edbd5d542f7 Filesystem access.
repo/scripts/website.js:517
  let contents = fs.readFileSync(path.resolve(cwd, inputFile)).toString();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9475b6e0b1cb5339 Filesystem access.
repo/scripts/website.js:530
      fs.writeFileSync(path.resolve(cwd, inputFile), contents);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d47bf23269557bb8 Filesystem access.
repo/scripts/website.js:587
  await fs.promises.writeFile(newfile, str).catch((err) => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e51460a3f220e663 Filesystem access.
repo/scripts/website.js:596
    await fs.promises.writeFile(versionedMarkdownPath, markdownSource);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e29132d8b8ba2112 Environment-variable access.
repo/scripts/website.js:700
    if (process.env.GENERATE_SEARCH) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c64d1f2478bfc567 Environment-variable access.
repo/scripts/website.js:715
    if (!!process.env.DOCS_DEPLOY && !!versionObj.versionedPath) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

</> Dependencies

@ark/attest

npm dependency
expand_more 9 low-confidence finding(s)
low env_fs dependency Excluded from app score #4ef9a702e5c10b3d Filesystem access.
pkgs/npm/@[email protected]/out/cache/snapshots.js:131
    let fileText = readFile(path);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c33e21ebf1079600 Filesystem access.
pkgs/npm/@[email protected]/out/cache/snapshots.js:142
    writeFile(path, fileText);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #547bbe31d2f56b8c Filesystem access.
pkgs/npm/@[email protected]/out/cache/ts.js:29
            const contents = readFile(path).trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7dcbb9e6d36fbdf7 Filesystem access.
pkgs/npm/@[email protected]/out/cache/ts.js:45
        const contents = this.virtualEnv.sys.readFile(tsPath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #50786104fbcb5ede Filesystem access.
pkgs/npm/@[email protected]/out/cache/ts.js:107
    const configFileText = readFileSync(path).toString();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0088bd15f4752144 Filesystem access.
pkgs/npm/@[email protected]/out/cli/trace.js:133
        writeFile(summaryPath, outputCapture.getBuffer());

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9fc16dac0ad53c8f Filesystem access.
pkgs/npm/@[email protected]/out/cli/trace.js:151
    writeFile(summaryPath, summaryContent);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8eecdd4209bd4b82 Filesystem access.
pkgs/npm/@[email protected]/out/cli/trace.js:552
    writeFile(filePath, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3ebe92b59ebf4322 Environment-variable access.
pkgs/npm/@[email protected]/out/fixtures.js:12
    process.env.ATTEST_CONFIG = JSON.stringify(config);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

acquit-ignore

npm dependency
expand_more 4 low-confidence finding(s)
low env_fs dependency Excluded from app score #b9b7da66561df00d Filesystem access.
pkgs/npm/[email protected]/docs.js:4
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1c56d8c01310c2d6 Filesystem access.
pkgs/npm/[email protected]/docs.js:6
let md = fs.readFileSync('./HEADER.md');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #43fda6652624dea3 Filesystem access.
pkgs/npm/[email protected]/docs.js:9
const blocks = acquit.parse(fs.readFileSync('./test/examples.test.js').toString());

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #762f4b569cec35ff Filesystem access.
pkgs/npm/[email protected]/docs.js:26
require('fs').writeFileSync('./README.md', md);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

acquit-require

npm dependency
expand_more 8 low-confidence finding(s)
low env_fs dependency Excluded from app score #457b100e98387593 Filesystem access.
pkgs/npm/[email protected]/bin/acquit-require.js:8
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #588a304f276567fa Filesystem access.
pkgs/npm/[email protected]/bin/acquit-require.js:20
const text = fs.readFileSync(commander.path).toString();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cf36b07436ce1fe4 Filesystem access.
pkgs/npm/[email protected]/bin/acquit-require.js:21
const tests = fs.readFileSync(commander.test).toString();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4027b14ad8224e49 Filesystem access.
pkgs/npm/[email protected]/docs.js:1
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b6cd913caa952599 Filesystem access.
pkgs/npm/[email protected]/docs.js:3
let readme = fs.readFileSync('./README.md', 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dbedc87e7258c25d Filesystem access.
pkgs/npm/[email protected]/docs.js:5
const md = fs.readFileSync('./test/data/article.md').

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b0a30e72eb2530d5 Filesystem access.
pkgs/npm/[email protected]/docs.js:11
readme = readme.replace('[code]', fs.readFileSync('./test/data/simple.js'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bf5ca11c1f043c6a Filesystem access.
pkgs/npm/[email protected]/docs.js:13
fs.writeFileSync('./README.md', readme);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

c8

npm dependency
expand_more 11 low-confidence finding(s)
low env_fs dependency Excluded from app score #f3fd297af86dba6a Environment-variable access.
pkgs/npm/[email protected]/bin/c8.js:27
    process.env.NODE_V8_COVERAGE = argv.tempDirectory

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5ca56f5164ad6bd9 Environment-variable access.
pkgs/npm/[email protected]/lib/commands/report.js:40
    monocartArgv: (argv.experimentalMonocart || process.env.EXPERIMENTAL_MONOCART) ? argv : null

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6937b31ee8b6db46 Filesystem access.
pkgs/npm/[email protected]/lib/parse-args.js:4
const { readFileSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aafdc08cba1a2be3 Filesystem access.
pkgs/npm/[email protected]/lib/parse-args.js:18
        const config = JSON.parse(readFileSync(path))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2ee620ea39987b70 Environment-variable access.
pkgs/npm/[email protected]/lib/parse-args.js:129
      default: process.env.NODE_V8_COVERAGE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a780a0b11c20ed11 Filesystem access.
pkgs/npm/[email protected]/lib/report.js:9
  ;({ readFile } = require('fs').promises)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4eba9027d996c87a Filesystem access.
pkgs/npm/[email protected]/lib/report.js:11
const { readdirSync, readFileSync, statSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #151ca735186f6d6f Filesystem access.
pkgs/npm/[email protected]/lib/report.js:452
        reports.push(JSON.parse(readFileSync(
          resolve(this.tempDirectory, file),
          'utf8'
        )))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #db59e74f03ef8a5f Filesystem access.
pkgs/npm/[email protected]/lib/source-map-from-file.js:27
const { readFileSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dc7f8197b2df66ee Filesystem access.
pkgs/npm/[email protected]/lib/source-map-from-file.js:40
  const fileBody = readFileSync(filename).toString()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0b8ec86c3e016b89 Filesystem access.
pkgs/npm/[email protected]/lib/source-map-from-file.js:71
    const content = readFileSync(fileURLToPath(mapURL), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

eslint

npm dependency
expand_more 13 low-confidence finding(s)
low env_fs dependency Excluded from app score #897567f9e9d5e634 Filesystem access.
pkgs/npm/[email protected]/lib/cli-engine/lint-result-cache.js:129
			results.source = fs.readFileSync(filePath, "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #23662146e8b244a3 Filesystem access.
pkgs/npm/[email protected]/lib/cli.js:133
			await writeFile(filePath, output);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b0f623c421e2fe2b Filesystem access.
pkgs/npm/[email protected]/lib/eslint/eslint-helpers.js:1281
		const text = await fsp.readFile(filePath, {
			encoding: "utf8",
			signal: controller?.signal,
		});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5177ee423e13ccaf Environment-variable access.
pkgs/npm/[email protected]/lib/eslint/eslint-helpers.js:1326
	if (!process.env.ESLINT_FLAGS) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #81829cb2c1148b54 Environment-variable access.
pkgs/npm/[email protected]/lib/eslint/eslint-helpers.js:1330
	const envFlags = process.env.ESLINT_FLAGS.trim().split(/\s*,\s*/gu);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4ace035a7f0e62f7 Filesystem access.
pkgs/npm/[email protected]/lib/eslint/eslint.js:825
					retrier.retry(() => fs.writeFile(r.filePath, r.output)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d27c48c15bf5a501 Environment-variable access.
pkgs/npm/[email protected]/lib/linter/timing.js:44
const enabled = !!process.env.TIMING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ffb57f7e062dbaa9 Environment-variable access.
pkgs/npm/[email protected]/lib/linter/timing.js:56
	if (typeof process.env.TIMING !== "string") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c96c9430c9ebbdb0 Environment-variable access.
pkgs/npm/[email protected]/lib/linter/timing.js:60
	if (process.env.TIMING.toLowerCase() === "all") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d26e3bee3f5d2e86 Environment-variable access.
pkgs/npm/[email protected]/lib/linter/timing.js:64
	const TIMING_ENV_VAR_AS_INTEGER = Number.parseInt(process.env.TIMING, 10);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aec6e62c0bd64b6b Filesystem access.
pkgs/npm/[email protected]/lib/rule-tester/rule-tester.js:697
				let content = readFileSync(sourceFile, "utf8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #866fee1ab78d5f41 Filesystem access.
pkgs/npm/[email protected]/lib/services/suppressions-service.js:217
			const data = await fs.promises.readFile(this.filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d796fa7b6dfd6742 Filesystem access.
pkgs/npm/[email protected]/lib/services/suppressions-service.js:240
		return fs.promises.writeFile(
			this.filePath,
			stringify(suppressions, { space: 2 }),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

express

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #829c4793aa09f49d Environment-variable access.
pkgs/npm/[email protected]/lib/application.js:91
  var env = process.env.NODE_ENV || 'development';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

fs-extra

npm dependency
expand_more 5 low-confidence finding(s)
low env_fs dependency Excluded from app score #bd04c039492cbc18 Filesystem access.
pkgs/npm/[email protected]/lib/ensure/file.js:24
      await fs.writeFile(file, '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0b8febdef054f041 Filesystem access.
pkgs/npm/[email protected]/lib/ensure/file.js:32
    await fs.writeFile(file, '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fcd8edb9aa41ba05 Filesystem access.
pkgs/npm/[email protected]/lib/ensure/file.js:60
  fs.writeFileSync(file, '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #48a7ce3ce34816a3 Filesystem access.
pkgs/npm/[email protected]/lib/output-file/index.js:16
  return fs.writeFile(file, data, encoding)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bb2fbe4ede078136 Filesystem access.
pkgs/npm/[email protected]/lib/output-file/index.js:25
  fs.writeFileSync(file, ...args)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

markdownlint-cli2

npm dependency
expand_more 5 low-confidence finding(s)
low env_fs dependency Excluded from app score #b8509b357af2f980 Filesystem access.
pkgs/npm/[email protected]/markdownlint-cli2.mjs:38
const readJsonc = (/** @type {string} */ file, /** @type {FsLike} */ fs) => fs.promises.readFile(file, utf8).then(jsoncParse);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #77d0ff1a3b058aff Filesystem access.
pkgs/npm/[email protected]/markdownlint-cli2.mjs:41
const readToml = (/** @type {string} */ file, /** @type {FsLike} */ fs) => fs.promises.readFile(file, utf8).then(tomlParse);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cefa3e34410750a5 Filesystem access.
pkgs/npm/[email protected]/markdownlint-cli2.mjs:44
const readYaml = (/** @type {string} */ file, /** @type {FsLike} */ fs) => fs.promises.readFile(file, utf8).then(yamlParse);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #58c710864694255e Filesystem access.
pkgs/npm/[email protected]/markdownlint-cli2.mjs:762
            subTasks.push(fs.promises.readFile(fileName, utf8).

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #690efdd34c2c59ec Filesystem access.
pkgs/npm/[email protected]/markdownlint-cli2.mjs:765
                return fs.promises.writeFile(fileName, fixed, utf8);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

mocha

npm dependency
expand_more 14 low-confidence finding(s)
low env_fs dependency Excluded from app score #e3a1b3f50caca428 Filesystem access.
pkgs/npm/[email protected]/lib/cli/config.js:40
    require("js-yaml").load(fs.readFileSync(filepath, "utf8")),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #57fcf877f5305821 Filesystem access.
pkgs/npm/[email protected]/lib/cli/config.js:56
      require("strip-json-comments").default(fs.readFileSync(filepath, "utf8")),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #72e01c39ada1857b Filesystem access.
pkgs/npm/[email protected]/lib/cli/init.js:27
  const css = fs.readFileSync(path.join(srcdir, "mocha.css"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #57da629821ab5f1a Filesystem access.
pkgs/npm/[email protected]/lib/cli/init.js:28
  const js = fs.readFileSync(path.join(srcdir, "mocha.js"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4766f314d7e02e04 Filesystem access.
pkgs/npm/[email protected]/lib/cli/init.js:29
  const tmpl = fs.readFileSync(
    path.join(srcdir, "lib", "browser", "template.html"),
  );

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3f4489456161774f Filesystem access.
pkgs/npm/[email protected]/lib/cli/init.js:32
  fs.writeFileSync(path.join(destdir, "mocha.css"), css);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bfdfa7d589ca6028 Filesystem access.
pkgs/npm/[email protected]/lib/cli/init.js:33
  fs.writeFileSync(path.join(destdir, "mocha.js"), js);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5861e5d91377e449 Filesystem access.
pkgs/npm/[email protected]/lib/cli/init.js:34
  fs.writeFileSync(path.join(destdir, "tests.spec.js"), "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #88aae9adef38e854 Filesystem access.
pkgs/npm/[email protected]/lib/cli/init.js:35
  fs.writeFileSync(path.join(destdir, "index.html"), tmpl);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #67979f76a4542eb7 Filesystem access.
pkgs/npm/[email protected]/lib/cli/options.js:240
      configData = fs.readFileSync(filepath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #12fc8c5554a74a98 Environment-variable access.
pkgs/npm/[email protected]/lib/cli/options.js:302
  const envConfig = parse(process.env.MOCHA_OPTIONS || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a29ea00ab33983a9 Environment-variable access.
pkgs/npm/[email protected]/lib/reporters/base.js:57
  (supportsColor.stdout || process.env.MOCHA_COLORS !== undefined);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #679340bd54397e34 Filesystem access.
pkgs/npm/[email protected]/lib/reporters/json.js:90
        fs.writeFileSync(output, json);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a535125d254481cc Environment-variable access.
pkgs/npm/[email protected]/lib/utils.js:714
  return !!process.env.CI;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

mongodb

npm dependency
expand_more 52 low-confidence finding(s)
low env_fs dependency Excluded from app score #fe08146c5441987c Filesystem access.
pkgs/npm/[email protected]/etc/prepare.js:3
var fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #454699acfc5b2956 Environment-variable access.
pkgs/npm/[email protected]/lib/client-side-encryption/state_machine.js:57
    if (process.env.MONGODB_CRYPT_DEBUG) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fa93fa6562fe54b1 Filesystem access.
pkgs/npm/[email protected]/lib/client-side-encryption/state_machine.js:339
            const cert = await fs.readFile(tlsOptions.tlsCertificateKeyFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d9ff55917b2f662c Filesystem access.
pkgs/npm/[email protected]/lib/client-side-encryption/state_machine.js:343
            options.ca = await fs.readFile(tlsOptions.tlsCAFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #ca03c6768f5f3ba5 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/[email protected]/lib/cmap/auth/mongodb_oidc/gcp_machine_workflow.js:29
    const url = new URL(GCP_BASE_URL);

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #49df7038fbd32d72 Environment-variable access.
pkgs/npm/[email protected]/lib/cmap/auth/mongodb_oidc/k8s_machine_workflow.js:19
    if (process.env[AZURE_FILENAME]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7de85f9e50795d7b Environment-variable access.
pkgs/npm/[email protected]/lib/cmap/auth/mongodb_oidc/k8s_machine_workflow.js:20
        filename = process.env[AZURE_FILENAME];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #74622b53ee829696 Environment-variable access.
pkgs/npm/[email protected]/lib/cmap/auth/mongodb_oidc/k8s_machine_workflow.js:22
    else if (process.env[AWS_FILENAME]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d233121dbb4eb89d Environment-variable access.
pkgs/npm/[email protected]/lib/cmap/auth/mongodb_oidc/k8s_machine_workflow.js:23
        filename = process.env[AWS_FILENAME];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #303d0008aaf7cb03 Filesystem access.
pkgs/npm/[email protected]/lib/cmap/auth/mongodb_oidc/token_machine_workflow.js:4
const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d61a3a4edfb2c2b3 Environment-variable access.
pkgs/npm/[email protected]/lib/cmap/auth/mongodb_oidc/token_machine_workflow.js:15
    const tokenFile = process.env.OIDC_TOKEN_FILE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b55d3d8d41be0d9c Filesystem access.
pkgs/npm/[email protected]/lib/cmap/auth/mongodb_oidc/token_machine_workflow.js:19
    const token = await fs.promises.readFile(tokenFile, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6305bddcd2f532df Environment-variable access.
pkgs/npm/[email protected]/lib/connection_string.js:390
        MONGODB_LOG_COMMAND: process.env.MONGODB_LOG_COMMAND,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e90a26c2deea5e71 Environment-variable access.
pkgs/npm/[email protected]/lib/connection_string.js:391
        MONGODB_LOG_TOPOLOGY: process.env.MONGODB_LOG_TOPOLOGY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fd7423ac53d10cc3 Environment-variable access.
pkgs/npm/[email protected]/lib/connection_string.js:392
        MONGODB_LOG_SERVER_SELECTION: process.env.MONGODB_LOG_SERVER_SELECTION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0ed9dfc99fa90e97 Environment-variable access.
pkgs/npm/[email protected]/lib/connection_string.js:393
        MONGODB_LOG_CONNECTION: process.env.MONGODB_LOG_CONNECTION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #729ca947757ca7bc Environment-variable access.
pkgs/npm/[email protected]/lib/connection_string.js:394
        MONGODB_LOG_CLIENT: process.env.MONGODB_LOG_CLIENT,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7d57e10ef5219198 Environment-variable access.
pkgs/npm/[email protected]/lib/connection_string.js:395
        MONGODB_LOG_ALL: process.env.MONGODB_LOG_ALL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e31d595c21d4530f Environment-variable access.
pkgs/npm/[email protected]/lib/connection_string.js:396
        MONGODB_LOG_MAX_DOCUMENT_LENGTH: process.env.MONGODB_LOG_MAX_DOCUMENT_LENGTH,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6356962387087c0c Environment-variable access.
pkgs/npm/[email protected]/lib/connection_string.js:397
        MONGODB_LOG_PATH: process.env.MONGODB_LOG_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a53ec71fa741489c Filesystem access.
pkgs/npm/[email protected]/lib/mongo_client.js:4
const fs_1 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #41054e35f87f82aa Filesystem access.
pkgs/npm/[email protected]/lib/mongo_client.js:216
                options.ca ??= await fs_1.promises.readFile(options.tlsCAFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #08a31b469d822b1b Filesystem access.
pkgs/npm/[email protected]/lib/mongo_client.js:219
                options.crl ??= await fs_1.promises.readFile(options.tlsCRLFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d7e96579b9a832ae Filesystem access.
pkgs/npm/[email protected]/lib/mongo_client.js:223
                    const contents = await fs_1.promises.readFile(options.tlsCertificateKeyFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #06d6e3ea1efbe342 Filesystem access.
pkgs/npm/[email protected]/lib/utils.js:53
const fs_1 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #43e58aceb579f147 Filesystem access.
pkgs/npm/[email protected]/src/client-side-encryption/state_machine.ts:1
import * as fs from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cf841c3627d70c14 Environment-variable access.
pkgs/npm/[email protected]/src/client-side-encryption/state_machine.ts:80
  if (process.env.MONGODB_CRYPT_DEBUG) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #181f49c0b2516ceb Filesystem access.
pkgs/npm/[email protected]/src/client-side-encryption/state_machine.ts:530
      const cert = await fs.readFile(tlsOptions.tlsCertificateKeyFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #db40a210ba3dc482 Filesystem access.
pkgs/npm/[email protected]/src/client-side-encryption/state_machine.ts:534
      options.ca = await fs.readFile(tlsOptions.tlsCAFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #b09e617670f5dbb4 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/[email protected]/src/cmap/auth/mongodb_oidc/gcp_machine_workflow.ts:35
  const url = new URL(GCP_BASE_URL);

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #d0f636d3e8267a55 Filesystem access.
pkgs/npm/[email protected]/src/cmap/auth/mongodb_oidc/k8s_machine_workflow.ts:1
import { readFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aec16c5996f0d6c9 Environment-variable access.
pkgs/npm/[email protected]/src/cmap/auth/mongodb_oidc/k8s_machine_workflow.ts:22
  if (process.env[AZURE_FILENAME]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #84b1594e47d01593 Environment-variable access.
pkgs/npm/[email protected]/src/cmap/auth/mongodb_oidc/k8s_machine_workflow.ts:23
    filename = process.env[AZURE_FILENAME];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #87209a15ce5e2f32 Environment-variable access.
pkgs/npm/[email protected]/src/cmap/auth/mongodb_oidc/k8s_machine_workflow.ts:24
  } else if (process.env[AWS_FILENAME]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f236feb5dc8dc080 Environment-variable access.
pkgs/npm/[email protected]/src/cmap/auth/mongodb_oidc/k8s_machine_workflow.ts:25
    filename = process.env[AWS_FILENAME];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5f3d90cde986ab9d Filesystem access.
pkgs/npm/[email protected]/src/cmap/auth/mongodb_oidc/k8s_machine_workflow.ts:29
  const token = await readFile(filename, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6909b8f4af1caad5 Filesystem access.
pkgs/npm/[email protected]/src/cmap/auth/mongodb_oidc/token_machine_workflow.ts:1
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e43d914746ed4017 Environment-variable access.
pkgs/npm/[email protected]/src/cmap/auth/mongodb_oidc/token_machine_workflow.ts:16
  const tokenFile = process.env.OIDC_TOKEN_FILE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #052b6e1f49835c50 Filesystem access.
pkgs/npm/[email protected]/src/cmap/auth/mongodb_oidc/token_machine_workflow.ts:20
  const token = await fs.promises.readFile(tokenFile, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9800621a00ecb2b7 Environment-variable access.
pkgs/npm/[email protected]/src/connection_string.ts:530
      MONGODB_LOG_COMMAND: process.env.MONGODB_LOG_COMMAND,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a1307f74b2296f58 Environment-variable access.
pkgs/npm/[email protected]/src/connection_string.ts:531
      MONGODB_LOG_TOPOLOGY: process.env.MONGODB_LOG_TOPOLOGY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e4f9725edc1d05cb Environment-variable access.
pkgs/npm/[email protected]/src/connection_string.ts:532
      MONGODB_LOG_SERVER_SELECTION: process.env.MONGODB_LOG_SERVER_SELECTION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ec0945653c690dd8 Environment-variable access.
pkgs/npm/[email protected]/src/connection_string.ts:533
      MONGODB_LOG_CONNECTION: process.env.MONGODB_LOG_CONNECTION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f39bf66e79902d24 Environment-variable access.
pkgs/npm/[email protected]/src/connection_string.ts:534
      MONGODB_LOG_CLIENT: process.env.MONGODB_LOG_CLIENT,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fec2805f8cff8520 Environment-variable access.
pkgs/npm/[email protected]/src/connection_string.ts:535
      MONGODB_LOG_ALL: process.env.MONGODB_LOG_ALL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1a33c766b3c41152 Environment-variable access.
pkgs/npm/[email protected]/src/connection_string.ts:536
      MONGODB_LOG_MAX_DOCUMENT_LENGTH: process.env.MONGODB_LOG_MAX_DOCUMENT_LENGTH,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5e1b515851d3ca5f Environment-variable access.
pkgs/npm/[email protected]/src/connection_string.ts:537
      MONGODB_LOG_PATH: process.env.MONGODB_LOG_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d9ad787329f618db Filesystem access.
pkgs/npm/[email protected]/src/mongo_client.ts:1
import { promises as fs } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a222fc500ff38993 Filesystem access.
pkgs/npm/[email protected]/src/mongo_client.ts:628
        options.ca ??= await fs.readFile(options.tlsCAFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d174121236382862 Filesystem access.
pkgs/npm/[email protected]/src/mongo_client.ts:631
        options.crl ??= await fs.readFile(options.tlsCRLFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ae307f1d27b09039 Filesystem access.
pkgs/npm/[email protected]/src/mongo_client.ts:635
          const contents = await fs.readFile(options.tlsCertificateKeyFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1d4b65b6cfffe727 Filesystem access.
pkgs/npm/[email protected]/src/utils.ts:3
import { promises as fs } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

ncp

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #e5afd44fdbc8e735 Filesystem access.
pkgs/npm/[email protected]/lib/ncp.js:1
var fs = require('fs'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

pug

npm dependency
expand_more 4 low-confidence finding(s)
low env_fs dependency Excluded from app score #9d43441f394b57c0 Filesystem access.
pkgs/npm/[email protected]/lib/index.js:13
var fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c995923afe8b6d34 Filesystem access.
pkgs/npm/[email protected]/lib/index.js:241
    if (str === undefined) str = fs.readFileSync(options.filename, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e38b6eb2ad1459d4 Filesystem access.
pkgs/npm/[email protected]/lib/index.js:476
  var str = fs.readFileSync(options.filename, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a3e843ad0869e7c2 Environment-variable access.
pkgs/npm/[email protected]/lib/index.js:489
    process.env.NODE_ENV === 'production'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

sift

npm dependency
expand_more 4 low-confidence finding(s)
low env_fs dependency Excluded from app score #238adfb64337bae6 Environment-variable access.
pkgs/npm/[email protected]/es/index.js:585
    else if (!process.env.CSP_ENABLED) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1fb1c2d3542ceb7a Environment-variable access.
pkgs/npm/[email protected]/es5m/index.js:694
    else if (!process.env.CSP_ENABLED) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #39de8f372697f360 Environment-variable access.
pkgs/npm/[email protected]/lib/index.js:700
        else if (!process.env.CSP_ENABLED) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4f5c95d66b9e81b1 Environment-variable access.
pkgs/npm/[email protected]/src/operations.ts:413
  } else if (!process.env.CSP_ENABLED) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

typescript

npm dependency
expand_more 10 low-confidence finding(s)
low env_fs dependency Excluded from app score #5f54cbe1919c4c7d Filesystem access.
pkgs/npm/[email protected]/lib/_tsserver.js:51
var import_fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f0364ed099be85d0 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:309
    const envLogOptions = parseLoggingEnvironmentString(process.env.TSS_LOG);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0967800b81cd59fc Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:535
  const traceDir = commandLineTraceDir ? (0, typescript_exports.stripQuotes)(commandLineTraceDir) : process.env.TSS_TRACE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0caafb917894ed67 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:548
        const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #70676ab8a36b67d8 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:565
    if (process.env.XDG_CACHE_HOME) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #126e91cb1bde3bbc Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:566
      return process.env.XDG_CACHE_HOME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #26a13a0af0f8a461 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:569
    const homePath = import_os.default.homedir && import_os.default.homedir() || process.env.HOME || (process.env.LOGNAME || process.env.USER) && `/${usersDir}/${process.env.LOGNAME || process.env.USER}` || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e47f85d3f11e336c Filesystem access.
pkgs/npm/[email protected]/lib/_typingsInstaller.js:44
var fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a2c33699a6c12e5c Filesystem access.
pkgs/npm/[email protected]/lib/_typingsInstaller.js:88
    const content = JSON.parse(host.readFile(typesRegistryFilePath));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4f4b7888d3a3acac Filesystem access.
pkgs/npm/[email protected]/lib/watchGuard.js:42
var fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

Skipped dependencies

Production

  • @standard-schema/spec prod — dist-only: no readable source

Development

  • @mongodb-js/mongodb-downloader dev — dist-only: no readable source
  • glob dev — dist-only: no readable source
  • mkdirp dev — dist-only: no readable source
  • tstyche dev — dist-only: no readable source
  • typescript-eslint dev — dist-only: no readable source