Informational scan, not a security audit. How this is computed.
API keys, passwords or tokens committed into the repo.
Nothing found by this check. ✓
Packages you depend on that have known security holes (CVEs).
CVE-2023-45133 babel: arbitrary code executionCVE-2025-9287 cipher-base: Cipher-base hash manipulationGHSA-vjh7-7g9h-fjfh Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)CVE-2022-1650 eventsource: Exposure of Sensitive InformationCVE-2025-7783 form-data: Unsafe random function in form-dataCVE-2021-3918 nodejs-json-schema: Prototype pollution vulnerabilityCVE-2022-37601 loader-utils: prototype pollution in function parseQuery in parseQuery.jsCVE-2022-37601 loader-utils: prototype pollution in function parseQuery in parseQuery.jsCVE-2021-26707 nodejs-merge-deep: Prototype pollution of Object.prototype via a constructor payloadCVE-2021-44906 minimist: prototype pollutionCVE-2025-6545 pbkdf2: pbkdf2 silently returns predictable key materialCVE-2025-6547 pbkdf2: pbkdf2 silently returns static keysCVE-2025-9288 sha.js: Missing type checks leading to hash rewind and passing on crafted dataCVE-2021-42740 The shell-quote package before 1.7.3 for Node.js allows command inject ...CVE-2026-9277 shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminatorsCVE-2022-0686 npm-url-parse: Authorization bypass through user-controlled keyCVE-2025-27789 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groupsCVE-2025-27789 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groupsCVE-2025-27789 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groupsCVE-2025-27789 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groupsCVE-2025-69873 ajv: ReDoS via $data referenceCVE-2021-23424 nodejs-ansi-html: ReDoS via crafted stringCVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codesCVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codesCVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codesYour dependencies cross-checked against the OSV vulnerability database.
GHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious codeGHSA-cpq7-6gpm-g9rc cipher-base is missing type checks, leading to hash rewind and passing on crafted dataGHSA-vjh7-7g9h-fjfh Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)GHSA-6h5x-7c5m-7cr7 Exposure of Sensitive Information in eventsourceGHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundaryGHSA-896r-f27r-55mw json-schema is vulnerable to Prototype PollutionGHSA-76p3-8jx3-jpfq Prototype pollution in webpack loader-utilsGHSA-76p3-8jx3-jpfq Prototype pollution in webpack loader-utilsGHSA-r6rj-9ch6-g264 Prototype pollution in Merge-deepGHSA-xvch-5gv4-984h Prototype Pollution in minimistGHSA-92xj-mqp7-vmcj Prototype Pollution in node-forgeGHSA-h7cp-r72f-jxh6 pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algosGHSA-v62p-rq8g-8h59 pbkdf2 silently disregards Uint8Array input, returning static keysGHSA-95m3-7q98-8xr5 sha.js is missing type checks leading to hash rewind and passing on crafted dataGHSA-g4rg-993r-mgx7 Improper Neutralization of Special Elements used in a Command in Shell-quoteGHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op valuesGHSA-hgjh-723h-mx2j Authorization Bypass Through User-Controlled Key in url-parseGHSA-968p-4wvh-cqc8 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groupsGHSA-968p-4wvh-cqc8 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groupsGHSA-968p-4wvh-cqc8 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groupsGHSA-968p-4wvh-cqc8 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groupsGHSA-2g4f-4pwh-qvx6 ajv has ReDoS when using `$data` optionGHSA-whgm-jr23-g3j9 Uncontrolled Resource Consumption in ansi-htmlGHSA-93q8-gq69-wqmw Inefficient Regular Expression Complexity in chalk/ansi-regexGHSA-93q8-gq69-wqmw Inefficient Regular Expression Complexity in chalk/ansi-regexCode that can be exploited: injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious: typosquats, sneaky install scripts.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.
A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
Maintenance & supply-chain hygiene. A signal about the project, not a vulnerability in your code.
scorecard-overall OpenSSF Scorecard overall: 1.4/10scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detectedscorecard-Code-Review Code-Review scored 0: Found 0/2 approved changesets -- score normalized to 0scorecard-Contributors Contributors scored 0: project has 0 contributing companies or organizations -- score normalized to 0scorecard-Dependency-Update-Tool Dependency-Update-Tool scored 0: no update tool detectedscorecard-Fuzzing Fuzzing scored 0: project is not fuzzedscorecard-License License scored 0: license file not detectedscorecard-Maintained Maintained scored 0: 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0scorecard-SAST SAST scored 0: no SAST tool detectedscorecard-Security-Policy Security-Policy scored 0: security policy file not detected