gitsafehub
github.com/farm-fe/farm

farm-fe/farm

scanned 2026-06-16 · git 2000ef8
3 of 6 checks flagged a security issue
🔴 Needs attention
Only 5 of 6 checks finished — treat this as provisional.

Informational scan, not a security audit.

Leaked secrets: 8 · Vulnerable dependencies: 302 · Known OSS vulnerabilities: 494 · Risky code patterns: none · Malicious dependencies: not run · Project health: 7

Security checks

Leaked secrets — Gitleaks 8 found · 2 serious

API keys, passwords or tokens committed into the repo.

  • Serious jwt Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data.
    docs/crowdin.yml:5
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious jwt Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data.
    docs/scripts/translations.ts:10
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    crates/create-farm-rs/templates/nestjs/README.md:5
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    examples/arco-pro/src/routes.ts:122
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    examples/nestjs/README.md:5
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    examples/vite-adapter-vue2/src/App.vue:54
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    examples/vue3/src/pages/Home.vue:14
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    examples/vue3/src/pages/index.vue:14
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.

via Gitleaks v8.21.2 · MIT

Vulnerable dependencies — Trivy 302 found · 5 serious

Packages you depend on that have known security holes (CVEs).

  • Serious CVE-2025-7783 form-data: Unsafe random function in form-data
    pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2025-7783). Fix: Update that package to its patched version.
  • Serious CVE-2021-44906 minimist: prototype pollution
    pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2021-44906). Fix: Update that package to its patched version.
  • Serious CVE-2026-9277 shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators
    pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2026-9277). Fix: Update that package to its patched version.
  • Serious CVE-2025-24964 Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening
    pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2025-24964). Fix: Update that package to its patched version.
  • Serious CVE-2026-47429 When Vitest UI server is listening, arbitrary file can be read and executed
    pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2026-47429). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-25541 Bytes is a utility library for working with bytes. From version 1.2.1 ...
    crates/create-farm-rs/templates/tauri/vue/src-tauri/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-25541). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-4574 crossbeam-channel: crossbeam-channel Vulnerable to Double Free on Drop
    crates/create-farm-rs/templates/tauri/vue/src-tauri/Cargo.lock
    A package you depend on has a known security hole (CVE-2025-4574). Fix: Update that package to its patched version.
  • Worth fixing GHSA-wrw7-89jp-8q8g Unsoundness in `Iterator` and `DoubleEndedIterator` impls for `glib::VariantStrIter`
    crates/create-farm-rs/templates/tauri/vue/src-tauri/Cargo.lock
    A package you depend on has a known security hole (GHSA-wrw7-89jp-8q8g). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-12224 idna: idna accepts Punycode labels that do not produce any non-ASCII when decoded
    crates/create-farm-rs/templates/tauri/vue/src-tauri/Cargo.lock
    A package you depend on has a known security hole (CVE-2024-12224). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-33055 tar-rs is a tar archive reading/writing library for Rust. Versions 0.4 ...
    crates/create-farm-rs/templates/tauri/vue/src-tauri/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-33055). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-33056 tar-rs: tar-rs: Arbitrary directory permission modification via crafted tar archive
    crates/create-farm-rs/templates/tauri/vue/src-tauri/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-33056). Fix: Update that package to its patched version.
  • Worth fixing GHSA-3pv8-6f4r-ffg2 tar has a PAX header desynchronization issue
    crates/create-farm-rs/templates/tauri/vue/src-tauri/Cargo.lock
    A package you depend on has a known security hole (GHSA-3pv8-6f4r-ffg2). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-35222 iFrames Bypass Origin Checks for Tauri API Access Control
    crates/create-farm-rs/templates/tauri/vue/src-tauri/Cargo.lock
    A package you depend on has a known security hole (CVE-2024-35222). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-25727 time: time affected by a stack exhaustion denial of service attack
    crates/create-farm-rs/templates/tauri/vue/src-tauri/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-25727). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-25541 Bytes is a utility library for working with bytes. From version 1.2.1 ...
    packages/create-farm-plugin/templates/rust/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-25541). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-12224 idna: idna accepts Punycode labels that do not produce any non-ASCII when decoded
    packages/create-farm-plugin/templates/rust/Cargo.lock
    A package you depend on has a known security hole (CVE-2024-12224). Fix: Update that package to its patched version.
  • Worth fixing GHSA-36xm-35qq-795w Inventory exposes reference to non-Sync data to an arbitrary thread
    packages/create-farm-plugin/templates/rust/Cargo.lock
    A package you depend on has a known security hole (GHSA-36xm-35qq-795w). Fix: Update that package to its patched version.
  • Worth fixing GHSA-ghc8-5cgm-5rpf Inventory fails to prohibit standard library access prior to initialization of Rust standard library runtime
    packages/create-farm-plugin/templates/rust/Cargo.lock
    A package you depend on has a known security hole (GHSA-ghc8-5cgm-5rpf). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-44728 Babel is a compiler for writing next generation JavaScript. From 7.12. ...
    pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2026-44728). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-44728 Babel is a compiler for writing next generation JavaScript. From 7.12. ...
    pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2026-44728). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-27789 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
    pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2025-27789). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-27789 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
    pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2025-27789). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-27789 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
    pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2025-27789). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-29409 nest allows a remote attacker to execute arbitrary code via the Content-Type header
    pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2024-29409). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-35515 @nestjs/core: Nest: Server-Sent Events (SSE) injection and spoofing via unsanitized newline characters
    pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2026-35515). Fix: Update that package to its patched version.
… 277 more not shown

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 494 found · 11 serious

Your dependencies cross-checked against the OSV vulnerability database.

  • Serious MAL-2026-3849 Malicious code in @antv/adjust (npm)
    /workdirs/scan-49564053-fc82-4097-8fea-ff2e4b573f22/pnpm-lock.yaml
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Serious MAL-2026-3862 Malicious code in @antv/color-util (npm)
    /workdirs/scan-49564053-fc82-4097-8fea-ff2e4b573f22/pnpm-lock.yaml
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Serious GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary
    /workdirs/scan-49564053-fc82-4097-8fea-ff2e4b573f22/pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2025-7783). Fix: Update that package to its patched version.
  • Serious GHSA-wf6x-7x77-mvgw Immutable is vulnerable to Prototype Pollution
    /workdirs/scan-49564053-fc82-4097-8fea-ff2e4b573f22/pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2026-29063). Fix: Update that package to its patched version.
  • Serious GHSA-wf6x-7x77-mvgw Immutable is vulnerable to Prototype Pollution
    /workdirs/scan-49564053-fc82-4097-8fea-ff2e4b573f22/pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2026-29063). Fix: Update that package to its patched version.
  • Serious GHSA-xvch-5gv4-984h Prototype Pollution in minimist
    /workdirs/scan-49564053-fc82-4097-8fea-ff2e4b573f22/pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2021-44906). Fix: Update that package to its patched version.
  • Serious GHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op values
    /workdirs/scan-49564053-fc82-4097-8fea-ff2e4b573f22/pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2026-9277). Fix: Update that package to its patched version.
  • Serious GHSA-5xrq-8626-4rwp When Vitest UI server is listening, arbitrary file can be read and executed
    /workdirs/scan-49564053-fc82-4097-8fea-ff2e4b573f22/pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2026-47429). Fix: Update that package to its patched version.
  • Serious GHSA-9crc-q9x8-hgqq Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening
    /workdirs/scan-49564053-fc82-4097-8fea-ff2e4b573f22/pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2025-24964). Fix: Update that package to its patched version.
  • Serious GHSA-5xrq-8626-4rwp When Vitest UI server is listening, arbitrary file can be read and executed
    /workdirs/scan-49564053-fc82-4097-8fea-ff2e4b573f22/pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2026-47429). Fix: Update that package to its patched version.
  • Serious GHSA-9crc-q9x8-hgqq Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening
    /workdirs/scan-49564053-fc82-4097-8fea-ff2e4b573f22/pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2025-24964). Fix: Update that package to its patched version.
  • Worth fixing RUSTSEC-2025-0067 `libyml::string::yaml_string_extend` is unsound and unmaintained
    /workdirs/scan-49564053-fc82-4097-8fea-ff2e4b573f22/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing RUSTSEC-2025-0068 serde_yml crate is unsound and unmaintained
    /workdirs/scan-49564053-fc82-4097-8fea-ff2e4b573f22/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing RUSTSEC-2026-0007 Integer overflow in `BytesMut::reserve`
    /workdirs/scan-49564053-fc82-4097-8fea-ff2e4b573f22/crates/create-farm-rs/templates/tauri/vue/src-tauri/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-25541). Fix: Update that package to its patched version.
  • Worth fixing RUSTSEC-2025-0024 crossbeam-channel: double free on Drop
    /workdirs/scan-49564053-fc82-4097-8fea-ff2e4b573f22/crates/create-farm-rs/templates/tauri/vue/src-tauri/Cargo.lock
    A package you depend on has a known security hole (CVE-2025-4574). Fix: Update that package to its patched version.
  • Worth fixing RUSTSEC-2024-0429 Unsoundness in `Iterator` and `DoubleEndedIterator` impls for `glib::VariantStrIter`
    /workdirs/scan-49564053-fc82-4097-8fea-ff2e4b573f22/crates/create-farm-rs/templates/tauri/vue/src-tauri/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing RUSTSEC-2024-0421 `idna` accepts Punycode labels that do not produce any non-ASCII when decoded
    /workdirs/scan-49564053-fc82-4097-8fea-ff2e4b573f22/crates/create-farm-rs/templates/tauri/vue/src-tauri/Cargo.lock
    A package you depend on has a known security hole (CVE-2024-12224). Fix: Update that package to its patched version.
  • Worth fixing RUSTSEC-2026-0067 `unpack_in` can chmod arbitrary directories by following symlinks
    /workdirs/scan-49564053-fc82-4097-8fea-ff2e4b573f22/crates/create-farm-rs/templates/tauri/vue/src-tauri/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-33056). Fix: Update that package to its patched version.
  • Worth fixing RUSTSEC-2026-0068 tar-rs incorrectly ignores PAX size headers if header size is nonzero
    /workdirs/scan-49564053-fc82-4097-8fea-ff2e4b573f22/crates/create-farm-rs/templates/tauri/vue/src-tauri/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-33055). Fix: Update that package to its patched version.
  • Worth fixing GHSA-57fm-592m-34r7 iFrames Bypass Origin Checks for Tauri API Access Control
    /workdirs/scan-49564053-fc82-4097-8fea-ff2e4b573f22/crates/create-farm-rs/templates/tauri/vue/src-tauri/Cargo.lock
    A package you depend on has a known security hole (CVE-2024-35222). Fix: Update that package to its patched version.
  • Worth fixing RUSTSEC-2026-0009 Denial of Service via Stack Exhaustion
    /workdirs/scan-49564053-fc82-4097-8fea-ff2e4b573f22/crates/create-farm-rs/templates/tauri/vue/src-tauri/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-25727). Fix: Update that package to its patched version.
  • Worth fixing RUSTSEC-2026-0007 Integer overflow in `BytesMut::reserve`
    /workdirs/scan-49564053-fc82-4097-8fea-ff2e4b573f22/packages/create-farm-plugin/templates/rust/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-25541). Fix: Update that package to its patched version.
  • Worth fixing RUSTSEC-2024-0421 `idna` accepts Punycode labels that do not produce any non-ASCII when decoded
    /workdirs/scan-49564053-fc82-4097-8fea-ff2e4b573f22/packages/create-farm-plugin/templates/rust/Cargo.lock
    A package you depend on has a known security hole (CVE-2024-12224). Fix: Update that package to its patched version.
  • Worth fixing GHSA-fv7c-fp4j-7gwp @babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input
    /workdirs/scan-49564053-fc82-4097-8fea-ff2e4b573f22/pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2026-44728). Fix: Update that package to its patched version.
  • Worth fixing GHSA-968p-4wvh-cqc8 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
    /workdirs/scan-49564053-fc82-4097-8fea-ff2e4b573f22/pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2025-27789). Fix: Update that package to its patched version.
… 469 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog couldn’t run

Packages that look intentionally malicious — typosquats, sneaky install scripts.

This check didn’t finish — that’s not the same as “clean.”

via Guarddog v2.10.0 · Apache-2.0

error: npm:Traceback (most recent call last): File "/usr/local/bin/guarddog", line 5, in <module> from guarddog.cli import cl

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard 7 notes

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

  • Minor scorecard-overall OpenSSF Scorecard overall: 5.4/10
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Pinned-Dependencies Pinned-Dependencies scored 0: dependency not pinned by hash detected -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-SAST SAST scored 0: SAST tool is not run on all commits -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Security-Policy Security-Policy scored 0: security policy file not detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Token-Permissions Token-Permissions scored 0: detected GitHub workflow tokens with excessive permissions
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.

via OpenSSF Scorecard v5.5.0 · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.