Informational scan, not a security audit.
API keys, passwords or tokens committed into the repo.
Nothing found by this check. ✓
Packages you depend on that have known security holes (CVEs).
CVE-2025-69873 ajv: ReDoS via $data reference
CVE-2026-33750 brace-expansion: Denial of Service via zero step value in brace pattern
CVE-2025-64756 glob: Command Injection Vulnerability via Malicious Filenames
CVE-2026-29063 immutable-js: Immutable.js: Arbitrary code execution via Prototype Pollution
CVE-2026-42338 ip-address: Cross-site scripting via improper HTML escaping of untrusted input
CVE-2026-4800 lodash: Arbitrary code execution via untrusted input in template imports
CVE-2025-13465 lodash: prototype pollution in _.unset and _.omit functions
CVE-2026-2950 lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypass
CVE-2025-66400 mdast-util-to-hast: Markdown code elements can appear as regular page content
CVE-2026-26996 minimatch: Denial of Service via specially crafted glob patterns
CVE-2026-27903 minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns
CVE-2026-27904 minimatch: Denial of Service via catastrophic backtracking in glob expressions
CVE-2026-33671 picomatch: Regular Expression Denial of Service via crafted extglob patterns
CVE-2026-33672 picomatch: Data integrity compromised via method injection with crafted POSIX bracket expressions
CVE-2026-41305 postcss: Cross-Site Scripting (XSS) via improper escaping of style closing tags
CVE-2026-23745 node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives
CVE-2026-23950 node-tar: Arbitrary file overwrite via Unicode path collision race condition
CVE-2026-24842 node-tar: Arbitrary file creation via path traversal bypass in hardlink security check
CVE-2026-26960 node-tar: Arbitrary file read/write via malicious archive hardlink creation
Your dependencies cross-checked against the OSV vulnerability database.
GHSA-2w6w-674q-4c4q Handlebars.js has JavaScript Injection via AST Type Confusion
GHSA-wf6x-7x77-mvgw Immutable is vulnerable to Prototype Pollution
GHSA-fv7c-fp4j-7gwp @babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input
GHSA-2g4f-4pwh-qvx6 ajv has ReDoS when using `$data` option
GHSA-f886-m6hf-6m8v brace-expansion: Zero-step sequence causes process hang and memory exhaustion
GHSA-737v-mqg7-c878 defu: Prototype pollution via `__proto__` key in defaults argument
GHSA-67mh-4wv8-2f99 esbuild enables any website to send any requests to the development server and read the response
GHSA-25h7-pfq9-p65f flatted vulnerable to unbounded recursion DoS in parse() revive phase
GHSA-rf6f-7fwh-wjgh Prototype Pollution via parse() in NodeJS flatted
GHSA-hmw2-7cc7-3qxx form-data: CRLF injection in form-data via unescaped multipart field names and filenames
GHSA-5j98-mcp5-4vw2 glob CLI: Command injection via -c/--cmd executes matches with shell:true
GHSA-2qvq-rjwj-gvw9 Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection
GHSA-3mfm-83xf-c92r Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block
GHSA-7rx3-28cr-v5wh Handlebars.js has a Prototype Method Access Control Gap via Missing __lookupSetter__ Blocklist Entry
GHSA-9cx6-37pm-9jff Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation
GHSA-xhpv-hc6g-r9c6 Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial
GHSA-xjpj-3mr7-gcpf Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options
GHSA-v2v4-37r5-5v8g ip-address has XSS in Address6 HTML-emitting methods
GHSA-h67p-54hq-rp68 JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases
GHSA-mh29-5h37-fv8m js-yaml has prototype pollution in merge (<<)
Code that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
This check didn’t finish — that’s not the same as “clean.”
A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.
This check didn’t finish — that’s not the same as “clean.”