Informational scan, not a security audit.
API keys, passwords or tokens committed into the repo.
Nothing found by this check. ✓
Packages you depend on that have known security holes (CVEs).
CVE-2026-9277 shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators
CVE-2026-2739 bn.js: bn.js: Denial of Service via calling maskn(0)
CVE-2026-2739 bn.js: bn.js: Denial of Service via calling maskn(0)
CVE-2026-8723 ### Summary `qs.stringify` throws `TypeError` when called with `arr ...
CVE-2026-48779 ws: ws: Denial of Service via memory exhaustion from small WebSocket fragments
CVE-2026-45736 ws: ws: Uninitialized memory disclosure via `websocket.close()` with `TypedArray`
CVE-2025-69873 ajv: ReDoS via $data reference
CVE-2026-2739 bn.js: bn.js: Denial of Service via calling maskn(0)
CVE-2026-2739 bn.js: bn.js: Denial of Service via calling maskn(0)
CVE-2024-45590 body-parser: Denial of Service Vulnerability in body-parser
CVE-2026-33750 brace-expansion: brace-expansion: Denial of Service via zero step value in brace pattern
CVE-2026-33750 brace-expansion: brace-expansion: Denial of Service via zero step value in brace pattern
CVE-2024-4068 braces: fails to limit the number of characters it can handle
CVE-2024-21538 cross-spawn: regular expression denial of service
CVE-2026-32141 flatted: flatted: Unbounded recursion DoS in parse() revive phase
CVE-2026-33228 flatted: Flatted: Prototype pollution vulnerability allows arbitrary code execution via crafted JSON.
CVE-2023-26159 follow-redirects: Improper Input Validation due to the improper handling of URLs by the url.parse()
CVE-2024-28849 follow-redirects: Possible credential leak
GHSA-r4q5-vmmm-2653 follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets
CVE-2025-64756 glob: glob: Command Injection Vulnerability via Malicious Filenames
CVE-2026-55602 http-proxy-middleware: http-proxy-middleware: Unintended backend routing due to crafted Host header
CVE-2025-64718 js-yaml: js-yaml prototype pollution in merge
CVE-2026-53550 js-yaml: js-yaml: Denial of Service via crafted YAML merge keys
CVE-2026-53632 launch-editor: launch-editor: Credential compromise via NTLMv2 password hash leak through UNC path access
CVE-2026-4800 lodash: lodash: Arbitrary code execution via untrusted input in template imports
Your dependencies cross-checked against the OSV vulnerability database.
GHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op values
GHSA-378v-28hj-76wf bn.js affected by an infinite loop
GHSA-378v-28hj-76wf bn.js affected by an infinite loop
GHSA-848j-6mx2-7j84 Elliptic Uses a Cryptographic Primitive with a Risky Implementation
GHSA-q8mj-m7cp-5q26 qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set
GHSA-58qx-3vcg-4xpx ws: Uninitialized memory disclosure
GHSA-96hv-2xvq-fx4p ws: Memory exhaustion DoS from tiny fragments and data chunks
GHSA-2g4f-4pwh-qvx6 ajv has ReDoS when using `$data` option
GHSA-378v-28hj-76wf bn.js affected by an infinite loop
GHSA-378v-28hj-76wf bn.js affected by an infinite loop
GHSA-qwcr-r2fm-qrc7 body-parser vulnerable to denial of service when url encoding is enabled
GHSA-f886-m6hf-6m8v brace-expansion: Zero-step sequence causes process hang and memory exhaustion
GHSA-f886-m6hf-6m8v brace-expansion: Zero-step sequence causes process hang and memory exhaustion
GHSA-grv7-fg5c-xmjg Uncontrolled resource consumption in braces
GHSA-3xgq-45jj-v275 Regular Expression Denial of Service (ReDoS) in cross-spawn
GHSA-848j-6mx2-7j84 Elliptic Uses a Cryptographic Primitive with a Risky Implementation
GHSA-25h7-pfq9-p65f flatted vulnerable to unbounded recursion DoS in parse() revive phase
GHSA-rf6f-7fwh-wjgh Prototype Pollution via parse() in NodeJS flatted
GHSA-cxjh-pqwp-8mfp follow-redirects' Proxy-Authorization header kept across hosts
GHSA-jchw-25xp-jwwc Follow Redirects improperly handles URLs in the url.parse() function
GHSA-r4q5-vmmm-2653 follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets
GHSA-5j98-mcp5-4vw2 glob CLI: Command injection via -c/--cmd executes matches with shell:true
GHSA-64mm-vxmg-q3vj http-proxy-middleware `router` host+path substring matching allows Host-header-driven backend routing bypass
GHSA-h67p-54hq-rp68 JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases
GHSA-mh29-5h37-fv8m js-yaml has prototype pollution in merge (<<)
Code that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
Nothing found by this check. ✓
A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.