gitsafehub
github.com/donnemartin/interactive-coding-challenges

donnemartin/interactive-coding-challenges

scanned 2026-05-28 · git 358f2cc
1 of 6 checks flagged a security issue
🟡 Worth a look
6 checks ran. Start with Known OSS vulnerabilities below.

Informational scan, not a security audit.


Security checks

Leaked secrets — Gitleaks none found ✓

API keys, passwords or tokens committed into the repo.

Nothing found by this check. ✓

via Gitleaks v8.21.2 · MIT

Vulnerable dependencies — Trivy none found ✓

Packages you depend on that have known security holes (CVEs).

Nothing found by this check. ✓

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 15 found

Your dependencies cross-checked against the OSV vulnerability database.

  • Worth fixing GHSA-24qx-w28j-9m6p Jupyter Server has a CORS Origin Validation Bypass via `re.match()` in `allow_origin_pat` (from huntr)
    /workdirs/scan-750a59f3-18b4-4ff9-a1df-725d7533deae/requirements.txt
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-5789-5fc7-67v3 Jupyter Server: Path Traversal via incorrect startswith() root directory check allows access to sibling directories
    /workdirs/scan-750a59f3-18b4-4ff9-a1df-725d7533deae/requirements.txt
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-5mrq-x3x5-8v8f Jupyter Server's Authentication Cookies Remain Valid After Password Reset and Server Restart
    /workdirs/scan-750a59f3-18b4-4ff9-a1df-725d7533deae/requirements.txt
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-hrw6-wg82-cm62 Jupyter server on Windows discloses Windows user password hash
    /workdirs/scan-750a59f3-18b4-4ff9-a1df-725d7533deae/requirements.txt
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-xm59-rqc7-hhvf nbconvert has an uncontrolled search path that leads to unauthorized code execution on Windows
    /workdirs/scan-750a59f3-18b4-4ff9-a1df-725d7533deae/requirements.txt
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI GHSA-65pc-fj4g-8rjx Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix
    /workdirs/scan-750a59f3-18b4-4ff9-a1df-725d7533deae/requirements.txt
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI PYSEC-2023-272 The Jupyter Server provides the backend (i.e. the core services, APIs, and REST endpoints) for Jupyter web applications like Jupyter notebook, JupyterLab, and Voila. Unhandled errors in API requests c
    /workdirs/scan-750a59f3-18b4-4ff9-a1df-725d7533deae/requirements.txt
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI PYSEC-2024-165 The Jupyter Server provides the backend for Jupyter web applications. Jupyter Server on Windows has a vulnerability that lets unauthenticated attackers leak the NTLMv2 password hash of the Windows use
    /workdirs/scan-750a59f3-18b4-4ff9-a1df-725d7533deae/requirements.txt
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI PYSEC-2026-67 Jupyter Server is the backend for Jupyter web applications. In jupyter_server versions through 2.17.0, the next query parameter in the login flow is insufficiently validated in `LoginFormHandler._redi
    /workdirs/scan-750a59f3-18b4-4ff9-a1df-725d7533deae/requirements.txt
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI PYSEC-2026-68 Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, a path traversal vulnerability in the REST API allows an authenticated user to escape the configured root_di
    /workdirs/scan-750a59f3-18b4-4ff9-a1df-725d7533deae/requirements.txt
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI PYSEC-2026-69 Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at ~/.local/share/jupyter/runti
    /workdirs/scan-750a59f3-18b4-4ff9-a1df-725d7533deae/requirements.txt
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI GHSA-h56g-gq9v-vc8r jupyter-server errors include tracebacks with path information
    /workdirs/scan-750a59f3-18b4-4ff9-a1df-725d7533deae/requirements.txt
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI GHSA-qh7q-6qm3-653w Jupyter Server has an open redirection vulnerability in `next` query parameter
    /workdirs/scan-750a59f3-18b4-4ff9-a1df-725d7533deae/requirements.txt
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI GHSA-4c99-qj7h-p3vg nbconvert has an Arbitrary File Write via Path Traversal in Cell Attachment Filenames
    /workdirs/scan-750a59f3-18b4-4ff9-a1df-725d7533deae/requirements.txt
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI GHSA-7jqv-fw35-gmx9 nbconvert has an Arbitrary File Read via Path Traversal in HTMLExporter Image Embedding
    /workdirs/scan-750a59f3-18b4-4ff9-a1df-725d7533deae/requirements.txt
    A package you depend on has a known security hole. Fix: Update that package to its patched version.

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog none found ✓

Packages that look intentionally malicious — typosquats, sneaky install scripts.

Nothing found by this check. ✓

via Guarddog v2.10.0 · Apache-2.0

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard 8 notes

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

  • Worth fixing scorecard-overall OpenSSF Scorecard overall: 3.5/10
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-CI-Tests CI-Tests scored 0: 0 out of 30 merged PRs checked by a CI test -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Dependency-Update-Tool Dependency-Update-Tool scored 0: no update tool detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Maintained Maintained scored 0: 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-SAST SAST scored 0: SAST tool is not run on all commits -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Security-Policy Security-Policy scored 0: security policy file not detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.

via OpenSSF Scorecard v5.5.0 · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.