gitsafehub
github.com/webdevsimplified/react-photoshop-clone ↗

webdevsimplified/react-photoshop-clone

scanned 2026-07-08 · git 8abdc59
2 of 6 checks flagged a security issue
🔴 Needs attention
Only 5 of 6 checks finished — treat this as provisional. Re-check ↻

Informational scan, not a security audit. How this is computed.

Leaked secretsVulnerable dependencies168Known OSS vulnerabilities172Risky code patternsMalicious dependenciesProject health10

Security checks

Leaked secrets — Gitleaks none found ✓

API keys, passwords or tokens committed into the repo.

Nothing found by this check. ✓

via Gitleaks v8.21.2 · MIT

Vulnerable dependencies — Trivy 168 found · 16 serious

Packages you depend on that have known security holes (CVEs).

  • Serious CVE-2023-45133 babel: arbitrary code execution
    package-lock.json
    A package you depend on has a known security hole (CVE-2023-45133). Fix: Update that package to its patched version.
  • Serious CVE-2025-9287 cipher-base: Cipher-base hash manipulation
    package-lock.json
    A package you depend on has a known security hole (CVE-2025-9287). Fix: Update that package to its patched version.
  • Serious GHSA-vjh7-7g9h-fjfh Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
    package-lock.json
    A package you depend on has a known security hole (GHSA-vjh7-7g9h-fjfh). Fix: Update that package to its patched version.
  • Serious CVE-2022-1650 eventsource: Exposure of Sensitive Information
    package-lock.json
    A package you depend on has a known security hole (CVE-2022-1650). Fix: Update that package to its patched version.
  • Serious CVE-2025-7783 form-data: Unsafe random function in form-data
    package-lock.json
    A package you depend on has a known security hole (CVE-2025-7783). Fix: Update that package to its patched version.
  • Serious CVE-2021-3918 nodejs-json-schema: Prototype pollution vulnerability
    package-lock.json
    A package you depend on has a known security hole (CVE-2021-3918). Fix: Update that package to its patched version.
  • Serious CVE-2022-37601 loader-utils: prototype pollution in function parseQuery in parseQuery.js
    package-lock.json
    A package you depend on has a known security hole (CVE-2022-37601). Fix: Update that package to its patched version.
  • Serious CVE-2022-37601 loader-utils: prototype pollution in function parseQuery in parseQuery.js
    package-lock.json
    A package you depend on has a known security hole (CVE-2022-37601). Fix: Update that package to its patched version.
  • Serious CVE-2021-26707 nodejs-merge-deep: Prototype pollution of Object.prototype via a constructor payload
    package-lock.json
    A package you depend on has a known security hole (CVE-2021-26707). Fix: Update that package to its patched version.
  • Serious CVE-2021-44906 minimist: prototype pollution
    package-lock.json
    A package you depend on has a known security hole (CVE-2021-44906). Fix: Update that package to its patched version.
  • Serious CVE-2025-6545 pbkdf2: pbkdf2 silently returns predictable key material
    package-lock.json
    A package you depend on has a known security hole (CVE-2025-6545). Fix: Update that package to its patched version.
  • Serious CVE-2025-6547 pbkdf2: pbkdf2 silently returns static keys
    package-lock.json
    A package you depend on has a known security hole (CVE-2025-6547). Fix: Update that package to its patched version.
  • Serious CVE-2025-9288 sha.js: Missing type checks leading to hash rewind and passing on crafted data
    package-lock.json
    A package you depend on has a known security hole (CVE-2025-9288). Fix: Update that package to its patched version.
  • Serious CVE-2021-42740 The shell-quote package before 1.7.3 for Node.js allows command inject ...
    package-lock.json
    A package you depend on has a known security hole (CVE-2021-42740). Fix: Update that package to its patched version.
  • Serious CVE-2026-9277 shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-9277). Fix: Update that package to its patched version.
  • Serious CVE-2022-0686 npm-url-parse: Authorization bypass through user-controlled key
    package-lock.json
    A package you depend on has a known security hole (CVE-2022-0686). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-27789 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
    package-lock.json
    A package you depend on has a known security hole (CVE-2025-27789). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-27789 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
    package-lock.json
    A package you depend on has a known security hole (CVE-2025-27789). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-27789 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
    package-lock.json
    A package you depend on has a known security hole (CVE-2025-27789). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-27789 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
    package-lock.json
    A package you depend on has a known security hole (CVE-2025-27789). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-69873 ajv: ReDoS via $data reference
    package-lock.json
    A package you depend on has a known security hole (CVE-2025-69873). Fix: Update that package to its patched version.
  • Worth fixing CVE-2021-23424 nodejs-ansi-html: ReDoS via crafted string
    package-lock.json
    A package you depend on has a known security hole (CVE-2021-23424). Fix: Update that package to its patched version.
  • Worth fixing CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes
    package-lock.json
    A package you depend on has a known security hole (CVE-2021-3807). Fix: Update that package to its patched version.
  • Worth fixing CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes
    package-lock.json
    A package you depend on has a known security hole (CVE-2021-3807). Fix: Update that package to its patched version.
  • Worth fixing CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes
    package-lock.json
    A package you depend on has a known security hole (CVE-2021-3807). Fix: Update that package to its patched version.
… 143 more not shown

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 172 found · 17 serious

Your dependencies cross-checked against the OSV vulnerability database.

  • Serious GHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
    /workdirs/scan-a39d77f8-21f8-41c4-a29d-ac8b24db9b76/package-lock.json
    A package you depend on has a known security hole (CVE-2023-45133). Fix: Update that package to its patched version.
  • Serious GHSA-cpq7-6gpm-g9rc cipher-base is missing type checks, leading to hash rewind and passing on crafted data
    /workdirs/scan-a39d77f8-21f8-41c4-a29d-ac8b24db9b76/package-lock.json
    A package you depend on has a known security hole (CVE-2025-9287). Fix: Update that package to its patched version.
  • Serious GHSA-vjh7-7g9h-fjfh Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
    /workdirs/scan-a39d77f8-21f8-41c4-a29d-ac8b24db9b76/package-lock.json
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Serious GHSA-6h5x-7c5m-7cr7 Exposure of Sensitive Information in eventsource
    /workdirs/scan-a39d77f8-21f8-41c4-a29d-ac8b24db9b76/package-lock.json
    A package you depend on has a known security hole (CVE-2022-1650). Fix: Update that package to its patched version.
  • Serious GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary
    /workdirs/scan-a39d77f8-21f8-41c4-a29d-ac8b24db9b76/package-lock.json
    A package you depend on has a known security hole (CVE-2025-7783). Fix: Update that package to its patched version.
  • Serious GHSA-896r-f27r-55mw json-schema is vulnerable to Prototype Pollution
    /workdirs/scan-a39d77f8-21f8-41c4-a29d-ac8b24db9b76/package-lock.json
    A package you depend on has a known security hole (CVE-2021-3918). Fix: Update that package to its patched version.
  • Serious GHSA-76p3-8jx3-jpfq Prototype pollution in webpack loader-utils
    /workdirs/scan-a39d77f8-21f8-41c4-a29d-ac8b24db9b76/package-lock.json
    A package you depend on has a known security hole (CVE-2022-37601). Fix: Update that package to its patched version.
  • Serious GHSA-76p3-8jx3-jpfq Prototype pollution in webpack loader-utils
    /workdirs/scan-a39d77f8-21f8-41c4-a29d-ac8b24db9b76/package-lock.json
    A package you depend on has a known security hole (CVE-2022-37601). Fix: Update that package to its patched version.
  • Serious GHSA-r6rj-9ch6-g264 Prototype pollution in Merge-deep
    /workdirs/scan-a39d77f8-21f8-41c4-a29d-ac8b24db9b76/package-lock.json
    A package you depend on has a known security hole (CVE-2021-26707). Fix: Update that package to its patched version.
  • Serious GHSA-xvch-5gv4-984h Prototype Pollution in minimist
    /workdirs/scan-a39d77f8-21f8-41c4-a29d-ac8b24db9b76/package-lock.json
    A package you depend on has a known security hole (CVE-2021-44906). Fix: Update that package to its patched version.
  • Serious GHSA-92xj-mqp7-vmcj Prototype Pollution in node-forge
    /workdirs/scan-a39d77f8-21f8-41c4-a29d-ac8b24db9b76/package-lock.json
    A package you depend on has a known security hole (CVE-2020-7720). Fix: Update that package to its patched version.
  • Serious GHSA-h7cp-r72f-jxh6 pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos
    /workdirs/scan-a39d77f8-21f8-41c4-a29d-ac8b24db9b76/package-lock.json
    A package you depend on has a known security hole (CVE-2025-6545). Fix: Update that package to its patched version.
  • Serious GHSA-v62p-rq8g-8h59 pbkdf2 silently disregards Uint8Array input, returning static keys
    /workdirs/scan-a39d77f8-21f8-41c4-a29d-ac8b24db9b76/package-lock.json
    A package you depend on has a known security hole (CVE-2025-6547). Fix: Update that package to its patched version.
  • Serious GHSA-95m3-7q98-8xr5 sha.js is missing type checks leading to hash rewind and passing on crafted data
    /workdirs/scan-a39d77f8-21f8-41c4-a29d-ac8b24db9b76/package-lock.json
    A package you depend on has a known security hole (CVE-2025-9288). Fix: Update that package to its patched version.
  • Serious GHSA-g4rg-993r-mgx7 Improper Neutralization of Special Elements used in a Command in Shell-quote
    /workdirs/scan-a39d77f8-21f8-41c4-a29d-ac8b24db9b76/package-lock.json
    A package you depend on has a known security hole (CVE-2021-42740). Fix: Update that package to its patched version.
  • Serious GHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op values
    /workdirs/scan-a39d77f8-21f8-41c4-a29d-ac8b24db9b76/package-lock.json
    A package you depend on has a known security hole (CVE-2026-9277). Fix: Update that package to its patched version.
  • Serious GHSA-hgjh-723h-mx2j Authorization Bypass Through User-Controlled Key in url-parse
    /workdirs/scan-a39d77f8-21f8-41c4-a29d-ac8b24db9b76/package-lock.json
    A package you depend on has a known security hole (CVE-2022-0686). Fix: Update that package to its patched version.
  • Worth fixing GHSA-968p-4wvh-cqc8 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
    /workdirs/scan-a39d77f8-21f8-41c4-a29d-ac8b24db9b76/package-lock.json
    A package you depend on has a known security hole (CVE-2025-27789). Fix: Update that package to its patched version.
  • Worth fixing GHSA-968p-4wvh-cqc8 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
    /workdirs/scan-a39d77f8-21f8-41c4-a29d-ac8b24db9b76/package-lock.json
    A package you depend on has a known security hole (CVE-2025-27789). Fix: Update that package to its patched version.
  • Worth fixing GHSA-968p-4wvh-cqc8 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
    /workdirs/scan-a39d77f8-21f8-41c4-a29d-ac8b24db9b76/package-lock.json
    A package you depend on has a known security hole (CVE-2025-27789). Fix: Update that package to its patched version.
  • Worth fixing GHSA-968p-4wvh-cqc8 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
    /workdirs/scan-a39d77f8-21f8-41c4-a29d-ac8b24db9b76/package-lock.json
    A package you depend on has a known security hole (CVE-2025-27789). Fix: Update that package to its patched version.
  • Worth fixing GHSA-2g4f-4pwh-qvx6 ajv has ReDoS when using `$data` option
    /workdirs/scan-a39d77f8-21f8-41c4-a29d-ac8b24db9b76/package-lock.json
    A package you depend on has a known security hole (CVE-2025-69873). Fix: Update that package to its patched version.
  • Worth fixing GHSA-whgm-jr23-g3j9 Uncontrolled Resource Consumption in ansi-html
    /workdirs/scan-a39d77f8-21f8-41c4-a29d-ac8b24db9b76/package-lock.json
    A package you depend on has a known security hole (CVE-2021-23424). Fix: Update that package to its patched version.
  • Worth fixing GHSA-93q8-gq69-wqmw Inefficient Regular Expression Complexity in chalk/ansi-regex
    /workdirs/scan-a39d77f8-21f8-41c4-a29d-ac8b24db9b76/package-lock.json
    A package you depend on has a known security hole (CVE-2021-3807). Fix: Update that package to its patched version.
  • Worth fixing GHSA-93q8-gq69-wqmw Inefficient Regular Expression Complexity in chalk/ansi-regex
    /workdirs/scan-a39d77f8-21f8-41c4-a29d-ac8b24db9b76/package-lock.json
    A package you depend on has a known security hole (CVE-2021-3807). Fix: Update that package to its patched version.
… 147 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited: injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog timed out

Packages that look intentionally malicious: typosquats, sneaky install scripts.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via Guarddog v2.10.0 · Apache-2.0

error: npm:timeout

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard 10 notes

Maintenance & supply-chain hygiene. A signal about the project, not a vulnerability in your code.

  • Worth fixing scorecard-overall OpenSSF Scorecard overall: 1.4/10
    A project-health signal (maintenance / supply-chain hygiene), not a vulnerability in your code.
  • Minor scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
    A project-health signal (maintenance / supply-chain hygiene), not a vulnerability in your code.
  • Minor scorecard-Code-Review Code-Review scored 0: Found 0/2 approved changesets -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene), not a vulnerability in your code.
  • Minor scorecard-Contributors Contributors scored 0: project has 0 contributing companies or organizations -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene), not a vulnerability in your code.
  • Minor scorecard-Dependency-Update-Tool Dependency-Update-Tool scored 0: no update tool detected
    A project-health signal (maintenance / supply-chain hygiene), not a vulnerability in your code.
  • Minor scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
    A project-health signal (maintenance / supply-chain hygiene), not a vulnerability in your code.
  • Minor scorecard-License License scored 0: license file not detected
    A project-health signal (maintenance / supply-chain hygiene), not a vulnerability in your code.
  • Minor scorecard-Maintained Maintained scored 0: 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene), not a vulnerability in your code.
  • Minor scorecard-SAST SAST scored 0: no SAST tool detected
    A project-health signal (maintenance / supply-chain hygiene), not a vulnerability in your code.
  • Minor scorecard-Security-Policy Security-Policy scored 0: security policy file not detected
    A project-health signal (maintenance / supply-chain hygiene), not a vulnerability in your code.

via OpenSSF Scorecard v5.5.0 · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.