gitsafehub
github.com/cucumber/vscode ↗

cucumber/vscode

scanned 2026-07-17 · git df851d4
2 of 6 checks flagged a security issue
🟡 Worth a look
Only 4 of 6 checks finished — treat this as provisional. Re-check ↻

Informational scan, not a security audit. How this is computed.

Leaked secretsVulnerable dependencies2Known OSS vulnerabilities25Risky code patternsMalicious dependenciesProject health

Security checks

Leaked secrets — Gitleaks none found ✓

API keys, passwords or tokens committed into the repo.

Nothing found by this check. ✓

via Gitleaks v8.21.2 · MIT

Vulnerable dependencies — Trivy 2 found

Packages you depend on that have known security holes (CVEs).

  • Worth fixing CVE-2026-41907 uuid: uuid: Out-of-bounds write vulnerability impacts data integrity and confidentiality
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-41907). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-41907 uuid: uuid: Out-of-bounds write vulnerability impacts data integrity and confidentiality
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-41907). Fix: Update that package to its patched version.

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 25 found

Your dependencies cross-checked against the OSV vulnerability database.

  • Worth fixing GHSA-2g4f-4pwh-qvx6 ajv has ReDoS when using `$data` option
    /workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
    A package you depend on has a known security hole (CVE-2025-69873). Fix: Update that package to its patched version.
  • Worth fixing GHSA-2g4f-4pwh-qvx6 ajv has ReDoS when using `$data` option
    /workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
    A package you depend on has a known security hole (CVE-2025-69873). Fix: Update that package to its patched version.
  • Worth fixing GHSA-hmw2-7cc7-3qxx form-data: CRLF injection in form-data via unescaped multipart field names and filenames
    /workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
    A package you depend on has a known security hole (CVE-2026-12143). Fix: Update that package to its patched version.
  • Worth fixing GHSA-h67p-54hq-rp68 JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases
    /workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
    A package you depend on has a known security hole (CVE-2026-53550). Fix: Update that package to its patched version.
  • Worth fixing GHSA-mh29-5h37-fv8m js-yaml has prototype pollution in merge (<<)
    /workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
    A package you depend on has a known security hole (CVE-2025-64718). Fix: Update that package to its patched version.
  • Worth fixing GHSA-h67p-54hq-rp68 JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases
    /workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
    A package you depend on has a known security hole (CVE-2026-53550). Fix: Update that package to its patched version.
  • Worth fixing GHSA-mh29-5h37-fv8m js-yaml has prototype pollution in merge (<<)
    /workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
    A package you depend on has a known security hole (CVE-2025-64718). Fix: Update that package to its patched version.
  • Worth fixing GHSA-869p-cjfg-cm3x auth0/node-jws Improperly Verifies HMAC Signature
    /workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
    A package you depend on has a known security hole (CVE-2025-65945). Fix: Update that package to its patched version.
  • Worth fixing GHSA-22p9-wv53-3rq4 LinkifyIt#match scan loop has quadratic algorithmic complexity
    /workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
    A package you depend on has a known security hole (CVE-2026-48801). Fix: Update that package to its patched version.
  • Worth fixing GHSA-38c4-r59v-3vqw markdown-it is has a Regular Expression Denial of Service (ReDoS)
    /workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
    A package you depend on has a known security hole (CVE-2026-2327). Fix: Update that package to its patched version.
  • Worth fixing GHSA-6v5v-wf23-fmfq markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operations
    /workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
    A package you depend on has a known security hole (CVE-2026-48988). Fix: Update that package to its patched version.
  • Worth fixing GHSA-6rw7-vpxm-498p qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion
    /workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
    A package you depend on has a known security hole (CVE-2025-15284). Fix: Update that package to its patched version.
  • Worth fixing GHSA-q8mj-m7cp-5q26 qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set
    /workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
    A package you depend on has a known security hole (CVE-2026-8723). Fix: Update that package to its patched version.
  • Worth fixing GHSA-5c6j-r48x-rmvq Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()
    /workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-qj8w-gfj5-8c6v Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects
    /workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
    A package you depend on has a known security hole (CVE-2026-34043). Fix: Update that package to its patched version.
  • Worth fixing GHSA-8cj5-5rvv-wf4v tar-fs can extract outside the specified dir with a specific tarball
    /workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
    A package you depend on has a known security hole (CVE-2025-48387). Fix: Update that package to its patched version.
  • Worth fixing GHSA-vj76-c3g6-qr5v tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball
    /workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
    A package you depend on has a known security hole (CVE-2025-59343). Fix: Update that package to its patched version.
  • Worth fixing GHSA-ph9p-34f9-6g65 tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape
    /workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44705). Fix: Update that package to its patched version.
  • Worth fixing GHSA-qpx9-hpmf-5gmw Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack
    /workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
    A package you depend on has a known security hole (CVE-2026-27601). Fix: Update that package to its patched version.
  • Worth fixing GHSA-w5hq-g745-h8pq uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
    /workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
    A package you depend on has a known security hole (CVE-2026-41907). Fix: Update that package to its patched version.
  • Worth fixing GHSA-w5hq-g745-h8pq uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
    /workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
    A package you depend on has a known security hole (CVE-2026-41907). Fix: Update that package to its patched version.
  • Worth fixing GHSA-w5hq-g745-h8pq uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
    /workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
    A package you depend on has a known security hole (CVE-2026-41907). Fix: Update that package to its patched version.
  • Minor GHSA-73rr-hh4g-fpgx jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch
    /workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
    A package you depend on has a known security hole (CVE-2026-24001). Fix: Update that package to its patched version.
  • Minor GHSA-w7fw-mjwx-w883 qs's arrayLimit bypass in comma parsing allows denial of service
    /workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
    A package you depend on has a known security hole (CVE-2026-2391). Fix: Update that package to its patched version.
  • Minor GHSA-52f5-9888-hmc6 tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
    /workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
    A package you depend on has a known security hole (CVE-2025-54798). Fix: Update that package to its patched version.

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited: injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog timed out

Packages that look intentionally malicious: typosquats, sneaky install scripts.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via Guarddog v2.10.0 · Apache-2.0

error: npm:timeout

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard timed out

Maintenance & supply-chain hygiene. A signal about the project, not a vulnerability in your code.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via OpenSSF Scorecard v5.5.0 · Apache-2.0

error: timeout after 400s

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.