gitsafehub
github.com/alshedivat/al-folio

alshedivat/al-folio

scanned 2026-06-29 · git 2b5eaca
2 of 6 checks flagged a security issue
🔴 Needs attention
Only 3 of 6 checks finished — treat this as provisional.

Informational scan, not a security audit.


Security checks

Leaked secrets — Gitleaks timed out

API keys, passwords or tokens committed into the repo.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via Gitleaks v8.21.2 · MIT

error: timeout after 30s

Vulnerable dependencies — Trivy 16 found · 1 serious

Packages you depend on that have known security holes (CVEs).

  • Serious CVE-2026-54906 concurrent-ruby: rubygem-concurrent-ruby: concurrent-ruby: Synchronization flaw in ReadWriteLock allows unauthorized lock release and denial of service
    Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-54906). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-54904 concurrent-ruby: rubygem-concurrent-ruby: concurrent-ruby: Denial of Service due to infinite loop in AtomicReference#update
    Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-54904). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-54905 concurrent-ruby: Concurrent-ruby: Incorrect write lock granting leading to broken mutual exclusion
    Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-54905). Fix: Update that package to its patched version.
  • Worth fixing GHSA-5prr-v3j2-97mh Nokogiri: Possible Out-of-Bounds Read in `Nokogiri::XML::NodeSet#[]`
    Gemfile.lock
    A package you depend on has a known security hole (GHSA-5prr-v3j2-97mh). Fix: Update that package to its patched version.
  • Minor GHSA-5v8h-3h3q-446p Nokogiri: Possible Use-After-Free when `Nokogiri::XML::Document#encoding=` raises an exception
    Gemfile.lock
    A package you depend on has a known security hole (GHSA-5v8h-3h3q-446p). Fix: Update that package to its patched version.
  • Minor GHSA-8678-w3jw-xfc2 Nokogiri: XML::Schema on JRuby allows network requests when NONET is set, bypassing CVE-2020-26247
    Gemfile.lock
    A package you depend on has a known security hole (GHSA-8678-w3jw-xfc2). Fix: Update that package to its patched version.
  • Minor GHSA-9cv2-cfxc-v4v2 Nokogiri: Null Pointer Dereference calling methods on uninitialized wrapper classes
    Gemfile.lock
    A package you depend on has a known security hole (GHSA-9cv2-cfxc-v4v2). Fix: Update that package to its patched version.
  • Minor GHSA-p67v-3w7g-wjg7 Nokogiri: Possible Use-After-Free when directly using `NokogirI::XML::XPathContext` beyond document lifetime
    Gemfile.lock
    A package you depend on has a known security hole (GHSA-p67v-3w7g-wjg7). Fix: Update that package to its patched version.
  • Minor GHSA-phwj-rprq-35pp Nokogiri: Possible Use-After-Free when setting an attribute value via `Nokogiri::XML::Attr#value=` or `#content=`
    Gemfile.lock
    A package you depend on has a known security hole (GHSA-phwj-rprq-35pp). Fix: Update that package to its patched version.
  • Minor GHSA-wfpw-mmfh-qq69 Nokogiri: Possible Use-After-Free in XInclude Processing
    Gemfile.lock
    A package you depend on has a known security hole (GHSA-wfpw-mmfh-qq69). Fix: Update that package to its patched version.
  • Minor GHSA-wjv4-x9w8-wm3h Nokogiri: Possible Use-After-Free when setting `Document#root=` to an invalid node type
    Gemfile.lock
    A package you depend on has a known security hole (GHSA-wjv4-x9w8-wm3h). Fix: Update that package to its patched version.
  • FYI GHSA-6jxj-px6v-747w Deeply nested CSS blocks and functions can trigger a SystemStackError or excessive memory usage
    Gemfile.lock
    A package you depend on has a known security hole (GHSA-6jxj-px6v-747w). Fix: Update that package to its patched version.
  • FYI GHSA-6wmf-3r64-vcwv Large numeric exponents cause CPU and memory denial of service
    Gemfile.lock
    A package you depend on has a known security hole (GHSA-6wmf-3r64-vcwv). Fix: Update that package to its patched version.
  • FYI GHSA-8vfg-2r28-hvhj Non-ASCII characters cause superlinear CPU consumption
    Gemfile.lock
    A package you depend on has a known security hole (GHSA-8vfg-2r28-hvhj). Fix: Update that package to its patched version.
  • FYI GHSA-wwpr-jff3-395c A large number of adjacent CSS comments can trigger a SystemStackError
    Gemfile.lock
    A package you depend on has a known security hole (GHSA-wwpr-jff3-395c). Fix: Update that package to its patched version.
  • FYI GHSA-g9g8-vgvw-g3vf Possible invalid memory read when calling `Nokogiri::XML::Node#initialize_copy_with_args` with incorrect argument type
    Gemfile.lock
    A package you depend on has a known security hole (GHSA-g9g8-vgvw-g3vf). Fix: Update that package to its patched version.

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 20 found · 2 serious

Your dependencies cross-checked against the OSV vulnerability database.

  • Serious PYSEC-2026-348 h11 accepts some malformed Chunked-Encoding bodies
    /workdirs/scan-6bcb1b61-164e-40e6-83e2-02faef801ac7/requirements.txt
    A package you depend on has a known security hole (CVE-2025-43859). Fix: Update that package to its patched version.
  • Serious PYSEC-2022-183 Encode OSS httpx <=1.0.0.beta0 is affected by improper input validation in `httpx.URL`, `httpx.Client` and some functions using `httpx.URL.copy_with`.
    /workdirs/scan-6bcb1b61-164e-40e6-83e2-02faef801ac7/requirements.txt
    A package you depend on has a known security hole (CVE-2021-41945). Fix: Update that package to its patched version.
  • Worth fixing GHSA-h8w8-99g7-qmvj Concurrent Ruby : `AtomicReference#update` livelocks when the stored value is `Float::NAN`
    /workdirs/scan-6bcb1b61-164e-40e6-83e2-02faef801ac7/Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-54904). Fix: Update that package to its patched version.
  • Worth fixing GHSA-5prr-v3j2-97mh Nokogiri: Possible Out-of-Bounds Read in `Nokogiri::XML::NodeSet#[]`
    /workdirs/scan-6bcb1b61-164e-40e6-83e2-02faef801ac7/Gemfile.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-4c99-qj7h-p3vg nbconvert has an Arbitrary File Write via Path Traversal in Cell Attachment Filenames
    /workdirs/scan-6bcb1b61-164e-40e6-83e2-02faef801ac7/requirements.txt
    A package you depend on has a known security hole (CVE-2026-39377). Fix: Update that package to its patched version.
  • Worth fixing GHSA-7jqv-fw35-gmx9 nbconvert has an Arbitrary File Read via Path Traversal in HTMLExporter Image Embedding
    /workdirs/scan-6bcb1b61-164e-40e6-83e2-02faef801ac7/requirements.txt
    A package you depend on has a known security hole (CVE-2026-39378). Fix: Update that package to its patched version.
  • Worth fixing GHSA-xm59-rqc7-hhvf nbconvert has an uncontrolled search path that leads to unauthorized code execution on Windows
    /workdirs/scan-6bcb1b61-164e-40e6-83e2-02faef801ac7/requirements.txt
    A package you depend on has a known security hole (CVE-2025-53000). Fix: Update that package to its patched version.
  • Worth fixing GHSA-847f-9342-265h h2 allows HTTP Request Smuggling due to illegal characters in headers
    /workdirs/scan-6bcb1b61-164e-40e6-83e2-02faef801ac7/requirements.txt
    A package you depend on has a known security hole (CVE-2025-57804). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2024-60 A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings,
    /workdirs/scan-6bcb1b61-164e-40e6-83e2-02faef801ac7/requirements.txt
    A package you depend on has a known security hole (CVE-2024-3651). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2026-215 Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing. In versions prior
    /workdirs/scan-6bcb1b61-164e-40e6-83e2-02faef801ac7/requirements.txt
    A package you depend on has a known security hole (CVE-2026-45409). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2023-206 NULL Pointer Dereference in GitHub repository seleniumhq/selenium prior to 4.14.0.
    /workdirs/scan-6bcb1b61-164e-40e6-83e2-02faef801ac7/requirements.txt
    A package you depend on has a known security hole (CVE-2023-5590). Fix: Update that package to its patched version.
  • Minor GHSA-6wx8-w4f5-wwcr Concurrent Ruby: ReadWriteLock allows wrong-thread write release and stray read-release counter corruption
    /workdirs/scan-6bcb1b61-164e-40e6-83e2-02faef801ac7/Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-54906). Fix: Update that package to its patched version.
  • Minor GHSA-wv3x-4vxv-whpp Concurrent Ruby: `ReentrantReadWriteLock` read-count overflow grants a write lock without exclusivity
    /workdirs/scan-6bcb1b61-164e-40e6-83e2-02faef801ac7/Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-54905). Fix: Update that package to its patched version.
  • Minor GHSA-5v8h-3h3q-446p Nokogiri: Possible Use-After-Free when `Nokogiri::XML::Document#encoding=` raises an exception
    /workdirs/scan-6bcb1b61-164e-40e6-83e2-02faef801ac7/Gemfile.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Minor GHSA-8678-w3jw-xfc2 Nokogiri: XML::Schema on JRuby allows network requests when NONET is set, bypassing CVE-2020-26247
    /workdirs/scan-6bcb1b61-164e-40e6-83e2-02faef801ac7/Gemfile.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Minor GHSA-9cv2-cfxc-v4v2 Nokogiri: Null Pointer Dereference calling methods on uninitialized wrapper classes
    /workdirs/scan-6bcb1b61-164e-40e6-83e2-02faef801ac7/Gemfile.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Minor GHSA-p67v-3w7g-wjg7 Nokogiri: Possible Use-After-Free when directly using `NokogirI::XML::XPathContext` beyond document lifetime
    /workdirs/scan-6bcb1b61-164e-40e6-83e2-02faef801ac7/Gemfile.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Minor GHSA-phwj-rprq-35pp Nokogiri: Possible Use-After-Free when setting an attribute value via `Nokogiri::XML::Attr#value=` or `#content=`
    /workdirs/scan-6bcb1b61-164e-40e6-83e2-02faef801ac7/Gemfile.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Minor GHSA-wfpw-mmfh-qq69 Nokogiri: Possible Use-After-Free in XInclude Processing
    /workdirs/scan-6bcb1b61-164e-40e6-83e2-02faef801ac7/Gemfile.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Minor GHSA-wjv4-x9w8-wm3h Nokogiri: Possible Use-After-Free when setting `Document#root=` to an invalid node type
    /workdirs/scan-6bcb1b61-164e-40e6-83e2-02faef801ac7/Gemfile.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog timed out

Packages that look intentionally malicious — typosquats, sneaky install scripts.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via Guarddog v2.10.0 · Apache-2.0

error: npm:timeout

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard didn’t run

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via OpenSSF Scorecard · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.