diff --git a/src/users.js b/src/users.js
index a78d00b2d..45ff0efcc 100644
--- a/src/users.js
+++ b/src/users.js
@@ -231,7 +231,7 @@ async function add(email, data, auditSource) {
 
     fallbackEmail = fallbackEmail.toLowerCase();
     if (fallbackEmail) {
-        let error = validateEmail(fallbackEmail);
+        error = validateEmail(fallbackEmail);
         if (error) throw error;
     }
 
@@ -343,7 +343,7 @@ async function verifyAppPassword(userId, password, identifier) {
     const results = await appPasswords.list(userId);
 
     const hashedPasswords = results.filter(r => r.identifier === identifier).map(r => r.hashedPassword);
-    let hash = crypto.createHash('sha256').update(password).digest('base64');
+    const hash = crypto.createHash('sha256').update(password).digest('base64');
 
     if (hashedPasswords.includes(hash)) return;
 
@@ -550,7 +550,7 @@ async function getByRole(role) {
 async function getByResetToken(resetToken) {
     assert.strictEqual(typeof resetToken, 'string');
 
-    let error = validateToken(resetToken);
+    const error = validateToken(resetToken);
     if (error) throw error;
 
     const result = await database.query(`SELECT ${USERS_FIELDS} FROM users WHERE resetToken=?`, [ resetToken ]);
@@ -562,7 +562,7 @@ async function getByResetToken(resetToken) {
 async function getByInviteToken(inviteToken) {
     assert.strictEqual(typeof inviteToken, 'string');
 
-    let error = validateToken(inviteToken);
+    const error = validateToken(inviteToken);
     if (error) throw error;
 
     const result = await database.query(`SELECT ${USERS_FIELDS} FROM users WHERE inviteToken=?`, [ inviteToken ]);
@@ -770,7 +770,7 @@ async function notifyLoginLocation(user, ip, userAgent, auditSource) {
     // purge potentially old locations where ts > now() - 6 months
     const sixMonthsBack = Date.now() - 6 * 30 * 24 * 60 * 60 * 1000;
     const newLoginLocation = { ts: Date.now(), ip, userAgent: simplifiedUserAgent, country, city };
-    let loginLocations = user.loginLocations.filter(function (l) { return l.ts > sixMonthsBack; });
+    const loginLocations = user.loginLocations.filter(function (l) { return l.ts > sixMonthsBack; });
 
     // only stash if we have a real useragent, otherwise warn the user every time
     if (simplifiedUserAgent) loginLocations.push(newLoginLocation);
@@ -937,8 +937,8 @@ function compareRoles(role1, role2) {
     assert.strictEqual(typeof role1, 'string');
     assert.strictEqual(typeof role2, 'string');
 
-    let roleInt1 = ORDERED_ROLES.indexOf(role1);
-    let roleInt2 = ORDERED_ROLES.indexOf(role2);
+    const roleInt1 = ORDERED_ROLES.indexOf(role1);
+    const roleInt2 = ORDERED_ROLES.indexOf(role2);
 
     return roleInt1 - roleInt2;
 }