gitsafehub
github.com/autodarkmode/windows-auto-night-mode

autodarkmode/windows-auto-night-mode

scanned 2026-07-01 · git 9b1d1db
2 of 6 checks flagged a security issue
🟡 Worth a look
Only 5 of 6 checks finished — treat this as provisional.

Informational scan, not a security audit.


Security checks

Leaked secrets — Gitleaks timed out

API keys, passwords or tokens committed into the repo.

This check didn’t finish — that’s not the same as “clean.”

via Gitleaks v8.21.2 · MIT

error: timeout after 120s

Vulnerable dependencies — Trivy 14 found

Packages you depend on that have known security holes (CVEs).

  • Worth fixing CVE-2026-25541 Bytes is a utility library for working with bytes. From version 1.2.1 ...
    adm-downloader-rs/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-25541). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-41676 rust-openssl provides OpenSSL bindings for the Rust programming langua ...
    adm-downloader-rs/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-41676). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-41678 rust-openssl provides OpenSSL bindings for the Rust programming langua ...
    adm-downloader-rs/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-41678). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-41681 rust-openssl provides OpenSSL bindings for the Rust programming langua ...
    adm-downloader-rs/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-41681). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-41898 rust-openssl provides OpenSSL bindings for the Rust programming langua ...
    adm-downloader-rs/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-41898). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42327 rust-openssl: rust-openssl: Arbitrary code execution via specially crafted certificate
    adm-downloader-rs/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-42327). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-44662 rust-openssl provides OpenSSL bindings for the Rust programming langua ...
    adm-downloader-rs/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-44662). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-45784 rust-openssl: Potential out-of-bounds write in `CipherCtxRef::cipher_update_inplace` for AES-KW-PAD ciphers
    adm-downloader-rs/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-45784). Fix: Update that package to its patched version.
  • Worth fixing GHSA-82j2-j2ch-gfr8 rustls-webpki: Denial of service via panic on malformed CRL BIT STRING
    adm-downloader-rs/Cargo.lock
    A package you depend on has a known security hole (GHSA-82j2-j2ch-gfr8). Fix: Update that package to its patched version.
  • Worth fixing GHSA-pwjx-qhcg-rvj4 webpki: CRLs not considered authoritative by Distribution Point due to faulty matching logic
    adm-downloader-rs/Cargo.lock
    A package you depend on has a known security hole (GHSA-pwjx-qhcg-rvj4). Fix: Update that package to its patched version.
  • Minor CVE-2026-41677 rust-openssl provides OpenSSL bindings for the Rust programming langua ...
    adm-downloader-rs/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-41677). Fix: Update that package to its patched version.
  • Minor GHSA-965h-392x-2mh5 webpki: Name constraints for URI names were incorrectly accepted
    adm-downloader-rs/Cargo.lock
    A package you depend on has a known security hole (GHSA-965h-392x-2mh5). Fix: Update that package to its patched version.
  • Minor GHSA-xgp8-3hg3-c2mh webpki: Name constraints were accepted for certificates asserting a wildcard name
    adm-downloader-rs/Cargo.lock
    A package you depend on has a known security hole (GHSA-xgp8-3hg3-c2mh). Fix: Update that package to its patched version.
  • Minor GHSA-cq8v-f236-94qc Rand is unsound with a custom logger using rand::rng()
    adm-updater-rs/Cargo.lock
    A package you depend on has a known security hole (GHSA-cq8v-f236-94qc). Fix: Update that package to its patched version.

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 15 found

Your dependencies cross-checked against the OSV vulnerability database.

  • Worth fixing RUSTSEC-2026-0007 Integer overflow in `BytesMut::reserve`
    /workdirs/scan-8b8cd623-d0d2-4da0-b28c-02cdaa094ca8/adm-downloader-rs/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-25541). Fix: Update that package to its patched version.
  • Worth fixing GHSA-8c75-8mhr-p7r9 rust-openssl has incorrect bounds assertion in aes key wrap
    /workdirs/scan-8b8cd623-d0d2-4da0-b28c-02cdaa094ca8/adm-downloader-rs/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-41678). Fix: Update that package to its patched version.
  • Worth fixing GHSA-ghm9-cr32-g9qj rust-openssl: rustMdCtxRef::digest_final() writes past caller buffer with no length check
    /workdirs/scan-8b8cd623-d0d2-4da0-b28c-02cdaa094ca8/adm-downloader-rs/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-41681). Fix: Update that package to its patched version.
  • Worth fixing GHSA-hppc-g8h3-xhp3 rust-openssl: Unchecked callback length in PSK/cookie trampolines leaks adjacent memory to peer
    /workdirs/scan-8b8cd623-d0d2-4da0-b28c-02cdaa094ca8/adm-downloader-rs/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-41898). Fix: Update that package to its patched version.
  • Worth fixing GHSA-phqj-4mhp-q6mq rust-openssl: Potential out-of-bounds write in `CipherCtxRef::cipher_update_inplace` for AES-KW-PAD ciphers
    /workdirs/scan-8b8cd623-d0d2-4da0-b28c-02cdaa094ca8/adm-downloader-rs/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-45784). Fix: Update that package to its patched version.
  • Worth fixing GHSA-pqf5-4pqq-29f5 rust-openssl: Deriver::derive and PkeyCtxRef::derive can overflow short buffers on OpenSSL 1.1.1
    /workdirs/scan-8b8cd623-d0d2-4da0-b28c-02cdaa094ca8/adm-downloader-rs/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-41676). Fix: Update that package to its patched version.
  • Worth fixing GHSA-xp3w-r5p5-63rr rust-openssl has undefined behavior in X509Ref::ocsp_responders for certificates with non-UTF-8 OCSP URLs
    /workdirs/scan-8b8cd623-d0d2-4da0-b28c-02cdaa094ca8/adm-downloader-rs/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-42327). Fix: Update that package to its patched version.
  • Worth fixing GHSA-xv59-967r-8726 rust-openssl vulnerable to heap buffer overflow when encrypting with AES key-wrap-with-padding
    /workdirs/scan-8b8cd623-d0d2-4da0-b28c-02cdaa094ca8/adm-downloader-rs/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-44662). Fix: Update that package to its patched version.
  • Worth fixing RUSTSEC-2026-0049 CRLs not considered authoritative by Distribution Point due to faulty matching logic
    /workdirs/scan-8b8cd623-d0d2-4da0-b28c-02cdaa094ca8/adm-downloader-rs/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing RUSTSEC-2026-0104 Reachable panic in certificate revocation list parsing
    /workdirs/scan-8b8cd623-d0d2-4da0-b28c-02cdaa094ca8/adm-downloader-rs/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Minor GHSA-xmgf-hq76-4vx2 rust-opennssl has an Out-of-bounds read in PEM password callback when returning an oversized length
    /workdirs/scan-8b8cd623-d0d2-4da0-b28c-02cdaa094ca8/adm-downloader-rs/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-41677). Fix: Update that package to its patched version.
  • Minor RUSTSEC-2026-0098 Name constraints for URI names were incorrectly accepted
    /workdirs/scan-8b8cd623-d0d2-4da0-b28c-02cdaa094ca8/adm-downloader-rs/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Minor RUSTSEC-2026-0099 Name constraints were accepted for certificates asserting a wildcard name
    /workdirs/scan-8b8cd623-d0d2-4da0-b28c-02cdaa094ca8/adm-downloader-rs/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI RUSTSEC-2026-0190 Unsoundness in `Error::downcast_mut()`
    /workdirs/scan-8b8cd623-d0d2-4da0-b28c-02cdaa094ca8/adm-downloader-rs/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI RUSTSEC-2026-0097 Rand is unsound with a custom logger using `rand::rng()`
    /workdirs/scan-8b8cd623-d0d2-4da0-b28c-02cdaa094ca8/adm-updater-rs/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog none found ✓

Packages that look intentionally malicious — typosquats, sneaky install scripts.

Nothing found by this check. ✓

via Guarddog v2.10.0 · Apache-2.0

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard 7 notes

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

  • Minor scorecard-overall OpenSSF Scorecard overall: 5.1/10
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-CI-Tests CI-Tests scored 0: 0 out of 6 merged PRs checked by a CI test -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-SAST SAST scored 0: SAST tool is not run on all commits -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Security-Policy Security-Policy scored 0: security policy file not detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Signed-Releases Signed-Releases scored 0: Project has not signed or included provenance with any releases.
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.

via OpenSSF Scorecard v5.5.0 · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.