Informational scan, not a security audit.
API keys, passwords or tokens committed into the repo.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.
Packages you depend on that have known security holes (CVEs).
CVE-2025-7783 form-data: Unsafe random function in form-data
CVE-2025-27789 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
CVE-2025-27152 axios: Possible SSRF and Credential Leakage via Absolute URL in axios Requests
CVE-2026-25639 axios: Axios affected by Denial of Service via __proto__ Key in mergeConfig
CVE-2026-42033 axios: Axios: HTTP Transport Hijacking via Prototype Pollution
CVE-2026-42035 axios: Axios: Arbitrary HTTP header injection via prototype pollution
CVE-2026-42043 axios: Axios: NO_PROXY bypass via crafted URL
CVE-2026-44486 axios: Axios: Information disclosure of proxy credentials via HTTP redirects
CVE-2026-44487 axios: Axios: Information disclosure of proxy credentials via redirect flows
CVE-2026-44492 axios: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization
CVE-2026-44495 axios: Axios: Information disclosure due to prototype pollution vulnerability
CVE-2026-44496 axios: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name
CVE-2023-45857 axios: exposure of confidential data stored in cookies
CVE-2025-62718 axios: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization
CVE-2026-40175 axios: Axios: Remote Code Execution via Prototype Pollution escalation
CVE-2026-42034 axios: Axios: Denial of Service via oversized streamed uploads bypassing body limits
CVE-2026-42036 axios: Axios: Denial of Service via unbounded stream consumption when 'responseType: 'stream'' is used
CVE-2026-42038 axios: Axios: Information disclosure due to `no_proxy` bypass
CVE-2026-42039 axios: Node.js: Axios: Denial of Service via unbounded recursion in toFormData with deeply nested request data
CVE-2026-42041 axios: Axios: Authentication bypass due to prototype pollution of HTTP error handling
CVE-2026-42042 axios: Axios: XSRF token bypass leading to information disclosure
CVE-2026-44490 axios: Axios: Information disclosure and denial of service due to prototype pollution
CVE-2023-26159 follow-redirects: Improper Input Validation due to the improper handling of URLs by the url.parse()
CVE-2024-28849 follow-redirects: Possible credential leak
GHSA-r4q5-vmmm-2653 follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets
Your dependencies cross-checked against the OSV vulnerability database.
GHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
GHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
GHSA-cpq7-6gpm-g9rc cipher-base is missing type checks, leading to hash rewind and passing on crafted data
GHSA-phwq-j96m-2c2q ejs template injection vulnerability
GHSA-vjh7-7g9h-fjfh Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary
GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary
GHSA-wf6x-7x77-mvgw Immutable is vulnerable to Prototype Pollution
GHSA-76p3-8jx3-jpfq Prototype pollution in webpack loader-utils
GHSA-h7cp-r72f-jxh6 pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos
GHSA-v62p-rq8g-8h59 pbkdf2 silently disregards Uint8Array input, returning static keys
GHSA-95m3-7q98-8xr5 sha.js is missing type checks leading to hash rewind and passing on crafted data
GHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op values
GHSA-968p-4wvh-cqc8 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
GHSA-fv7c-fp4j-7gwp @babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input
GHSA-968p-4wvh-cqc8 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
GHSA-2g4f-4pwh-qvx6 ajv has ReDoS when using `$data` option
GHSA-2g4f-4pwh-qvx6 ajv has ReDoS when using `$data` option
GHSA-3g43-6gmg-66jw axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge
GHSA-3p68-rc4w-qgx5 Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF
GHSA-43fc-jf86-j433 Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig
GHSA-5c9x-8gcm-mpgx Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0
GHSA-62hf-57xw-28j9 Axios: unbounded recursion in toFormData causes DoS via deeply nested request data
GHSA-6chq-wfr3-2hj9 Axios: Header Injection via Prototype Pollution
GHSA-898c-q2cr-xwhg axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions
Code that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.
A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.