gitsafehub
github.com/fuellabs/fuels-ts ↗

fuellabs/fuels-ts

scanned 2026-06-27 · git b3f37c9
3 of 6 checks flagged a security issue
🔴 Needs attention
Only 5 of 6 checks finished — treat this as provisional. Re-check ↻

Informational scan, not a security audit. How this is computed.

Summary by check: Leaked secrets 62 · Vulnerable dependencies 147 · Known OSS vulnerabilities 254 · Risky code patterns none found · Malicious dependencies did not run · Project health 6 notes

Security checks

Leaked secrets — Gitleaks 62 found

API keys, passwords or tokens committed into the repo. The generic-api-key rule matches high-entropy strings sitting next to key-like identifiers, so hits inside test files, documentation snippets and chain-config fixtures (most of the list below) are usually deliberate example keys; confirm each is a throwaway value that has never held access or funds before dismissing it. The hits in .github/workflows/ are the ones to read first, since a literal token in CI would be published with the repository. Deleting a secret from the working tree does not remove it from git history, so anything that was ever a real credential must be rotated, not just removed.

  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    .github/workflows/release.yaml:14
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    .github/workflows/publish-preview.yaml:13
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    .github/workflows/release.yaml:14
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    .github/workflows/publish-preview.yaml:13
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    .fuel-core/configs/chainConfig.json:302
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    apps/demo-fuels/fuels.config.full.ts:29
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    apps/docs/scripts/launcher-snippet.ts:10
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    apps/docs/scripts/launcher-snippet.ts:13
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    apps/docs/scripts/launcher-snippet.ts:16
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    apps/docs/scripts/launcher-snippet.ts:19
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    apps/docs/scripts/launcher-snippet.ts:22
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    apps/docs/src/guide/contracts/snippets/storage-slots/override-storage-slots-inline.ts:13
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    apps/docs/src/guide/contracts/snippets/storage-slots/override-storage-slots-inline.ts:17
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    apps/docs/src/guide/contracts/snippets/storage-slots/override-storage-slots-inline.ts:21
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    apps/docs/src/guide/contracts/snippets/storage-slots/override-storage-slots-inline.ts:25
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    apps/docs/src/guide/contracts/snippets/storage-slots/override-storage-slots-inline.ts:29
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    apps/docs/src/guide/wallets/snippets/instantiating/from-private-key.ts:5
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    apps/docs/src/guide/wallets/snippets/instantiating/unlock-from-private-key.ts:7
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    apps/docs/src/guide/wallets/snippets/locking-and-unlocking-wallet-manager.ts:6
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    apps/docs/src/guide/wallets/snippets/locking-and-unlocking-wallet-manager.ts:13
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    packages/account/src/signer/signer.test.ts:11
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    packages/account/src/wallet/keystore-wallet.test.ts:14
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    packages/account/src/wallet/wallet-unlocked.test.ts:23
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    packages/account/src/wallet-manager/wallet-manager.test.ts:18
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    packages/account/src/wallet-manager/wallet-manager.test.ts:106
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
… 37 more not shown

via Gitleaks v8.21.2 · MIT
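Triaging a list like the one above, as an added example that is not part of this report or of the fuels-ts project: the snippet takes Gitleaks JSON output (a constructed sample using a few of the paths listed above plus one made-up path, dummy commit ids and placeholder secret values), folds repeated hits at the same file:line that differ only by commit, and sorts each location into "review-ci" (workflow files), "expected-example" (test files, docs snippets, chain-config fixtures) or "review" (everything else). The path rules are assumptions about this repository's layout, and the fingerprint lines follow Gitleaks' commit:file:rule:line format for a .gitleaksignore; a workflow hit still needs a human to confirm it is a secrets reference and not a literal.

```javascript
// Added example (not part of the report or of fuels-ts): triage a Gitleaks
// JSON report by collapsing repeated file:line hits and bucketing by path.

// Constructed sample in the shape of `gitleaks git --report-format json`.
// Paths are taken from the scan above except the last, which is made up;
// commits are dummies and every Secret is a placeholder, not a real key.
const sampleReport = [
  { RuleID: 'generic-api-key', File: '.github/workflows/release.yaml', StartLine: 14, Commit: 'aaaa111', Secret: 'PLACEHOLDER' },
  { RuleID: 'generic-api-key', File: '.github/workflows/release.yaml', StartLine: 14, Commit: 'bbbb222', Secret: 'PLACEHOLDER' },
  { RuleID: 'generic-api-key', File: '.fuel-core/configs/chainConfig.json', StartLine: 302, Commit: 'aaaa111', Secret: 'PLACEHOLDER' },
  { RuleID: 'generic-api-key', File: 'apps/docs/src/guide/wallets/snippets/instantiating/from-private-key.ts', StartLine: 5, Commit: 'aaaa111', Secret: 'PLACEHOLDER' },
  { RuleID: 'generic-api-key', File: 'packages/account/src/signer/signer.test.ts', StartLine: 11, Commit: 'aaaa111', Secret: 'PLACEHOLDER' },
  { RuleID: 'generic-api-key', File: 'packages/example/src/config.ts', StartLine: 40, Commit: 'cccc333', Secret: 'PLACEHOLDER' }, // made-up path
];

// Path rules are assumptions for this repo layout, not a general allowlist.
const EXPECTED_EXAMPLE = [
  /\.test\.ts$/,                              // unit-test fixtures
  /^apps\/docs\/src\/guide\/.*\/snippets\//,  // documentation snippets
  /^apps\/docs\/scripts\//,                   // docs tooling
  /^\.fuel-core\/configs\//,                  // local chain config fixtures
];
const CI_WORKFLOWS = /^\.github\/workflows\//;

function classify(file) {
  if (CI_WORKFLOWS.test(file)) return 'review-ci';
  if (EXPECTED_EXAMPLE.some((re) => re.test(file))) return 'expected-example';
  return 'review';
}

// Gitleaks reports the same location once per commit that touched it; fold
// those into one entry that remembers every commit.
function dedupe(findings) {
  const byLocation = new Map();
  for (const f of findings) {
    const key = `${f.File}:${f.StartLine}:${f.RuleID}`;
    const entry = byLocation.get(key) || { ...f, Commits: [] };
    entry.Commits.push(f.Commit);
    byLocation.set(key, entry);
  }
  return [...byLocation.values()];
}

function triage(findings) {
  const buckets = { 'review-ci': [], review: [], 'expected-example': [] };
  for (const f of dedupe(findings)) buckets[classify(f.File)].push(f);
  return buckets;
}

// .gitleaksignore takes one fingerprint per line, commit:file:rule:line,
// so a reviewed example key stays suppressed only for that exact location.
function ignoreLines(findings) {
  return findings.flatMap((f) =>
    f.Commits.map((c) => `${c}:${f.File}:${f.RuleID}:${f.StartLine}`));
}

const buckets = triage(sampleReport);
console.log(`review first: ${buckets['review-ci'].length} CI hit(s), ${buckets.review.length} other`);
console.log(ignoreLines(buckets['expected-example']).join('\n'));
```

Suppressing by fingerprint rather than by path keeps the rule armed: a new key pasted into the same test file on a different line is still reported.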

Vulnerable dependencies — Trivy 147 found · 11 serious

Packages you depend on that have known security holes (CVEs). Everything here was matched against pnpm-lock.yaml, so transitive and development-only dependencies are included, and an advisory listed more than once means the lockfile resolves several versions of that package. For a direct dependency the fix is a version bump; for a transitive one it is bumping whatever pulls it in, or a pnpm override until upstream updates. Advisories in tooling such as Vitest and Babel expose developer machines and CI rather than consumers of the published packages, which still matters for supply-chain reasons but changes the priority.

  • Serious CVE-2026-53633 Vitest Browser: Exposed Browser Mode API Can Proxy CDP and Overwrite Config Files, Leading to RCE
    pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2026-53633). Fix: Update that package to its patched version.
  • Serious CVE-2026-53633 Vitest Browser: Exposed Browser Mode API Can Proxy CDP and Overwrite Config Files, Leading to RCE
    pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2026-53633). Fix: Update that package to its patched version.
  • Serious CVE-2026-27699 basic-ftp: basic-ftp: File overwrite due to path traversal
    pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2026-27699). Fix: Update that package to its patched version.
  • Serious CVE-2026-25896 fast-xml-parser: fast-xml-parser: Cross-Site Scripting (XSS) due to improper DOCTYPE entity handling
    pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2026-25896). Fix: Update that package to its patched version.
  • Serious CVE-2025-7783 form-data: Unsafe random function in form-data
    pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2025-7783). Fix: Update that package to its patched version.
  • Serious CVE-2026-33937 handlebars.js: Handlebars: Remote Code Execution via crafted Abstract Syntax Tree object in compile()
    pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2026-33937). Fix: Update that package to its patched version.
  • Serious CVE-2025-55182 next: React Server Components: Pre-authentication remote code execution via unsafe deserialization
    pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2025-55182). Fix: Update that package to its patched version.
  • Serious CVE-2025-9288 sha.js: Missing type checks leading to hash rewind and passing on crafted data
    pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2025-9288). Fix: Update that package to its patched version.
  • Serious CVE-2026-9277 shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators
    pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2026-9277). Fix: Update that package to its patched version.
  • Serious CVE-2026-47429 When Vitest UI server is listening, arbitrary file can be read and executed
    pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2026-47429). Fix: Update that package to its patched version.
  • Serious CVE-2026-47429 When Vitest UI server is listening, arbitrary file can be read and executed
    pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2026-47429). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-27789 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
    pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2025-27789). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-44728 Babel is a compiler for writing next generation JavaScript. From 7.12. ...
    pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2026-44728). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-44728 Babel is a compiler for writing next generation JavaScript. From 7.12. ...
    pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2026-44728). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-27789 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
    pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2025-27789). Fix: Update that package to its patched version.
  • Worth fixing GHSA-8rgj-285w-qcq4 Unknown vulnerability in Coinbase Wallet SDK
    pnpm-lock.yaml
    A package you depend on has a known security hole (GHSA-8rgj-285w-qcq4). Fix: Update that package to its patched version.
  • Worth fixing GHSA-qj3p-xc97-xw74 MetaMask SDK indirectly exposed via malicious [email protected] dependency
    pnpm-lock.yaml
    A package you depend on has a known security hole (GHSA-qj3p-xc97-xw74). Fix: Update that package to its patched version.
  • Worth fixing GHSA-qj3p-xc97-xw74 MetaMask SDK indirectly exposed via malicious [email protected] dependency
    pnpm-lock.yaml
    A package you depend on has a known security hole (GHSA-qj3p-xc97-xw74). Fix: Update that package to its patched version.
  • Worth fixing GHSA-qj3p-xc97-xw74 MetaMask SDK indirectly exposed via malicious [email protected] dependency
    pnpm-lock.yaml
    A package you depend on has a known security hole (GHSA-qj3p-xc97-xw74). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-27611 base-x: base-x homograph attack allows Unicode lookalike characters to bypass validation.
    pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2025-27611). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-27611 base-x: base-x homograph attack allows Unicode lookalike characters to bypass validation.
    pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2025-27611). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-41324 basic-ftp: basic-ftp: Denial of Service via unbounded memory growth from malicious directory listings
    pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2026-41324). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-44240 basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is v ...
    pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2026-44240). Fix: Update that package to its patched version.
  • Worth fixing GHSA-6v7q-wjvx-w8wg basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands
    pnpm-lock.yaml
    A package you depend on has a known security hole (GHSA-6v7q-wjvx-w8wg). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-2739 bn.js: bn.js: Denial of Service via calling maskn(0)
    pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2026-2739). Fix: Update that package to its patched version.
… 122 more not shown

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 254 found · 18 serious

Your dependencies cross-checked against the OSV vulnerability database. This list overlaps the Trivy one above (the same advisories appear here under their GHSA ids rather than CVE ids), so the two counts should not be added together; entries here that do not appear in the Trivy excerpt (cipher-base, pbkdf2, Immutable, Turbo) are worth checking separately, since each scanner's database lags differently. For a wallet SDK the two pbkdf2 advisories deserve a check of whether the vulnerable version sits on the runtime dependency path (pnpm why pbkdf2 shows who pulls it in) rather than only in tooling.

  • Serious GHSA-g8mr-85jm-7xhm Vitest Browser: Exposed Browser Mode API Can Proxy CDP and Overwrite Config Files, Leading to RCE
    /workdirs/scan-c788ca7b-1037-4b7c-a52c-45c67b3da617/pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2026-53633). Fix: Update that package to its patched version.
  • Serious GHSA-5rq4-664w-9x2c Basic FTP has Path Traversal Vulnerability in its downloadToDir() method
    /workdirs/scan-c788ca7b-1037-4b7c-a52c-45c67b3da617/pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2026-27699). Fix: Update that package to its patched version.
  • Serious GHSA-cpq7-6gpm-g9rc cipher-base is missing type checks, leading to hash rewind and passing on crafted data
    /workdirs/scan-c788ca7b-1037-4b7c-a52c-45c67b3da617/pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2025-9287). Fix: Update that package to its patched version.
  • Serious GHSA-m7jm-9gc2-mpf2 fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names
    /workdirs/scan-c788ca7b-1037-4b7c-a52c-45c67b3da617/pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2026-25896). Fix: Update that package to its patched version.
  • Serious GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary
    /workdirs/scan-c788ca7b-1037-4b7c-a52c-45c67b3da617/pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2025-7783). Fix: Update that package to its patched version.
  • Serious GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary
    /workdirs/scan-c788ca7b-1037-4b7c-a52c-45c67b3da617/pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2025-7783). Fix: Update that package to its patched version.
  • Serious GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary
    /workdirs/scan-c788ca7b-1037-4b7c-a52c-45c67b3da617/pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2025-7783). Fix: Update that package to its patched version.
  • Serious GHSA-2w6w-674q-4c4q Handlebars.js has JavaScript Injection via AST Type Confusion
    /workdirs/scan-c788ca7b-1037-4b7c-a52c-45c67b3da617/pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2026-33937). Fix: Update that package to its patched version.
  • Serious GHSA-wf6x-7x77-mvgw Immutable is vulnerable to Prototype Pollution
    /workdirs/scan-c788ca7b-1037-4b7c-a52c-45c67b3da617/pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2026-29063). Fix: Update that package to its patched version.
  • Serious GHSA-9qr9-h5gf-34mp Next.js is vulnerable to RCE in React flight protocol
    /workdirs/scan-c788ca7b-1037-4b7c-a52c-45c67b3da617/pnpm-lock.yaml
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Serious GHSA-h7cp-r72f-jxh6 pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos
    /workdirs/scan-c788ca7b-1037-4b7c-a52c-45c67b3da617/pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2025-6545). Fix: Update that package to its patched version.
  • Serious GHSA-v62p-rq8g-8h59 pbkdf2 silently disregards Uint8Array input, returning static keys
    /workdirs/scan-c788ca7b-1037-4b7c-a52c-45c67b3da617/pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2025-6547). Fix: Update that package to its patched version.
  • Serious GHSA-95m3-7q98-8xr5 sha.js is missing type checks leading to hash rewind and passing on crafted data
    /workdirs/scan-c788ca7b-1037-4b7c-a52c-45c67b3da617/pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2025-9288). Fix: Update that package to its patched version.
  • Serious GHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op values
    /workdirs/scan-c788ca7b-1037-4b7c-a52c-45c67b3da617/pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2026-9277). Fix: Update that package to its patched version.
  • Serious GHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op values
    /workdirs/scan-c788ca7b-1037-4b7c-a52c-45c67b3da617/pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2026-9277). Fix: Update that package to its patched version.
  • Serious GHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op values
    /workdirs/scan-c788ca7b-1037-4b7c-a52c-45c67b3da617/pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2026-9277). Fix: Update that package to its patched version.
  • Serious GHSA-3qcw-2rhx-2726 Turbo: Unexpected local code execution during Yarn Berry detection
    /workdirs/scan-c788ca7b-1037-4b7c-a52c-45c67b3da617/pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2026-45772). Fix: Update that package to its patched version.
  • Serious GHSA-5xrq-8626-4rwp When Vitest UI server is listening, arbitrary file can be read and executed
    /workdirs/scan-c788ca7b-1037-4b7c-a52c-45c67b3da617/pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2026-47429). Fix: Update that package to its patched version.
  • Worth fixing GHSA-968p-4wvh-cqc8 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
    /workdirs/scan-c788ca7b-1037-4b7c-a52c-45c67b3da617/pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2025-27789). Fix: Update that package to its patched version.
  • Worth fixing GHSA-968p-4wvh-cqc8 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
    /workdirs/scan-c788ca7b-1037-4b7c-a52c-45c67b3da617/pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2025-27789). Fix: Update that package to its patched version.
  • Worth fixing GHSA-fv7c-fp4j-7gwp @babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input
    /workdirs/scan-c788ca7b-1037-4b7c-a52c-45c67b3da617/pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2026-44728). Fix: Update that package to its patched version.
  • Worth fixing GHSA-968p-4wvh-cqc8 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
    /workdirs/scan-c788ca7b-1037-4b7c-a52c-45c67b3da617/pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2025-27789). Fix: Update that package to its patched version.
  • Worth fixing GHSA-8rgj-285w-qcq4 Unknown vulnerability in Coinbase Wallet SDK
    /workdirs/scan-c788ca7b-1037-4b7c-a52c-45c67b3da617/pnpm-lock.yaml
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-h5c3-5r3r-rr8q @octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
    /workdirs/scan-c788ca7b-1037-4b7c-a52c-45c67b3da617/pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2025-25288). Fix: Update that package to its patched version.
  • Worth fixing GHSA-rmvr-2pp2-xj38 @octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
    /workdirs/scan-c788ca7b-1037-4b7c-a52c-45c67b3da617/pnpm-lock.yaml
    A package you depend on has a known security hole (CVE-2025-25290). Fix: Update that package to its patched version.
… 229 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0
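Both dependency lists above are flat views of pnpm-lock.yaml, which is why one advisory can appear three times. The following is an added example, not code from this report or from fuels-ts: it reads OSV-Scanner JSON (a constructed sample; the form-data ranges are built from that advisory's published fixed versions 2.5.4, 3.0.4 and 4.0.4, while EXAMPLE-0002 is an invented advisory with no fix and all lockfile versions are made up), groups hits by advisory id, derives the fixed release for each affected version, and emits pnpm overrides for those that have one. The override selector syntax (name@range) is an assumption to verify with pnpm why after install, and the generated overrides never jump a major version; that decision is left to a human.

```javascript
// Added example (not part of the report or of fuels-ts): group OSV-Scanner
// JSON output by advisory, derive the fixed version for each affected
// package version, and emit pnpm "overrides" for the ones that have a fix.

// Constructed sample in the shape of `osv-scanner --format json`. The
// form-data ranges are built from that advisory's published fixed versions
// (2.5.4, 3.0.4, 4.0.4); EXAMPLE-0002 is an invented advisory with no fix,
// and every lockfile version below is made up.
const FORM_DATA_ADVISORY = {
  id: 'GHSA-fjxv-7rqg-78g4',
  aliases: ['CVE-2025-7783'],
  summary: 'form-data uses unsafe random function in form-data for choosing boundary',
  affected: [{
    package: { ecosystem: 'npm', name: 'form-data' },
    ranges: [
      { type: 'SEMVER', events: [{ introduced: '0' }, { fixed: '2.5.4' }] },
      { type: 'SEMVER', events: [{ introduced: '3.0.0' }, { fixed: '3.0.4' }] },
      { type: 'SEMVER', events: [{ introduced: '4.0.0' }, { fixed: '4.0.4' }] },
    ],
  }],
};
const NO_FIX_ADVISORY = {
  id: 'EXAMPLE-0002',
  aliases: [],
  summary: 'constructed advisory with no fixed release',
  affected: [{
    package: { ecosystem: 'npm', name: 'example-pkg' },
    ranges: [{ type: 'SEMVER', events: [{ introduced: '1.0.0' }] }],
  }],
};
const sampleOsv = {
  results: [{
    source: { path: 'pnpm-lock.yaml', type: 'lockfile' },
    packages: [
      { package: { name: 'form-data', version: '2.5.1', ecosystem: 'npm' }, vulnerabilities: [FORM_DATA_ADVISORY] },
      { package: { name: 'form-data', version: '3.0.1', ecosystem: 'npm' }, vulnerabilities: [FORM_DATA_ADVISORY] },
      { package: { name: 'form-data', version: '4.0.0', ecosystem: 'npm' }, vulnerabilities: [FORM_DATA_ADVISORY] },
      { package: { name: 'example-pkg', version: '1.2.0', ecosystem: 'npm' }, vulnerabilities: [NO_FIX_ADVISORY] },
    ],
  }],
};

// Numeric dotted-version compare; prerelease tags are ignored, which is
// enough for lockfile versions but is not a full semver implementation.
function cmpVersion(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i += 1) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Walk the advisory's introduced/fixed events and return the range that
// contains pkg.version: { introduced, fixed } with fixed === null when the
// range has no fix, or undefined when the version is outside every range.
function affectedRange(vuln, pkg) {
  for (const aff of vuln.affected || []) {
    if (aff.package.name !== pkg.name || aff.package.ecosystem !== pkg.ecosystem) continue;
    for (const range of aff.ranges || []) {
      if (range.type !== 'SEMVER' && range.type !== 'ECOSYSTEM') continue;
      let introduced = null;
      for (const ev of range.events) {
        if (ev.introduced !== undefined) introduced = ev.introduced;
        if (ev.fixed !== undefined) {
          if (introduced !== null && cmpVersion(pkg.version, introduced) >= 0
              && cmpVersion(pkg.version, ev.fixed) < 0) {
            return { introduced, fixed: ev.fixed };
          }
          introduced = null;
        }
      }
      if (introduced !== null && cmpVersion(pkg.version, introduced) >= 0) return { introduced, fixed: null };
    }
  }
  return undefined;
}

// One entry per advisory listing every lockfile version it matched: this is
// why the same id shows up several times in a flat report.
function groupByAdvisory(report) {
  const groups = new Map();
  for (const result of report.results) {
    for (const entry of result.packages) {
      const pkg = entry.package;
      for (const vuln of entry.vulnerabilities) {
        const g = groups.get(vuln.id) || { id: vuln.id, aliases: vuln.aliases || [], summary: vuln.summary, hits: [] };
        const range = affectedRange(vuln, pkg) || { introduced: null, fixed: null };
        g.hits.push({ name: pkg.name, version: pkg.version, ...range });
        groups.set(vuln.id, g);
      }
    }
  }
  return groups;
}

// pnpm overrides keyed by a version selector, so each vulnerable line is
// lifted to its own fixed release and never across a major version. The
// selector syntax is an assumption; confirm with `pnpm why <pkg>` after install.
function pnpmOverrides(groups) {
  const overrides = {};
  for (const g of groups.values()) {
    for (const hit of g.hits) {
      if (!hit.fixed) continue; // no fix published: escalate, do not override
      const selector = hit.introduced === '0' ? `<${hit.fixed}` : `>=${hit.introduced} <${hit.fixed}`;
      overrides[`${hit.name}@${selector}`] = hit.fixed;
    }
  }
  return overrides;
}

const groups = groupByAdvisory(sampleOsv);
for (const g of groups.values()) {
  console.log(`${g.id} ${g.aliases.join(',')}: ${g.hits.map((h) => `${h.name}@${h.version} -> ${h.fixed || 'no fix'}`).join(', ')}`);
}
console.log(JSON.stringify({ pnpm: { overrides: pnpmOverrides(groups) } }, null, 2));
```

The generated object drops into the root package.json under "pnpm"; an advisory with no fixed release produces no override and has to be handled by removing or replacing the dependency.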

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog couldn’t run

Packages that look intentionally malicious — typosquats, sneaky install scripts.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via Guarddog v2.10.0 · Apache-2.0

error: npm:Traceback (most recent call last): File "/usr/local/bin/guarddog", line 5, in <module> from guarddog.cli import cl

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard 6 notes

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code. Two of the notes below are directly fixable in the workflow files: pin actions and other fetched dependencies to a commit hash rather than a tag, and set a least-privilege permissions: block so the GITHUB_TOKEN gets only what each job needs. A Maintained score of 0 means Scorecard saw no commits or issue activity in the 90 days before the scan; verify that against the repository's history before acting on it.

  • Minor scorecard-overall OpenSSF Scorecard overall: 6.3/10
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Maintained Maintained scored 0: 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Pinned-Dependencies Pinned-Dependencies scored 0: dependency not pinned by hash detected -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Token-Permissions Token-Permissions scored 0: detected GitHub workflow tokens with excessive permissions
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.

via OpenSSF Scorecard v5.5.0 · Apache-2.0
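The Pinned-Dependencies and Token-Permissions notes above are the two that a workflow edit fixes directly. The following is an added example, not code from this report or from fuels-ts: two constructed workflow snippets, the weak shape Scorecard flags and a hardened version with a read-only top-level permissions block, write access granted only to the job that needs it, and actions pinned to commit hashes, plus a line-based check that reports both conditions. The workflow contents and the 40-hex digests are placeholders (take real digests from each action's release tag), and the check is deliberately not a YAML parser.

```javascript
// Added example (not part of the report or of fuels-ts): a line-based check
// for the two Scorecard findings, run over two constructed workflow snippets.

// Constructed "before": the shape Scorecard flags. No top-level permissions
// (the token gets the repository default) and actions pinned to moving tags.
const weakWorkflow = `
name: release
on:
  push:
    branches: [master]
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
      - run: pnpm install --frozen-lockfile
`;

// Constructed "after": read-only token by default, write access only on the
// job that releases, and commit-hash pins. The digests are placeholders,
// not the real action commits; take real ones from each action's release tag.
const hardenedWorkflow = `
name: release
on:
  push:
    branches: [master]
permissions:
  contents: read
jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: pnpm/action-setup@fedcba9876543210fedcba9876543210fedcba98 # v4
      - run: pnpm install --frozen-lockfile
`;

const SHA1_HEX = /^[0-9a-f]{40}$/;

function checkWorkflow(text) {
  const lines = text.split('\n');
  // A top-level `permissions:` block is one that starts in column 0;
  // job-level blocks are indented and only narrow what the top level grants.
  const topLevelPermissions = lines.some((l) => /^permissions:/.test(l));
  const pinned = [];
  const unpinned = [];
  for (const line of lines) {
    const m = line.match(/^\s*-?\s*uses:\s*(\S+)/);
    if (!m) continue;
    const ref = m[1];
    // Local (./path) and docker:// actions are not pinned by git ref.
    if (ref.startsWith('./') || ref.startsWith('docker://')) continue;
    const at = ref.lastIndexOf('@');
    const version = at === -1 ? '' : ref.slice(at + 1);
    (SHA1_HEX.test(version) ? pinned : unpinned).push(ref);
  }
  return { topLevelPermissions, pinned, unpinned };
}

// Human-readable summary; returns the problem list so callers can gate on it.
function report(name, text) {
  const r = checkWorkflow(text);
  const problems = [];
  if (!r.topLevelPermissions) problems.push('no top-level permissions: block (token gets the repository default)');
  for (const u of r.unpinned) problems.push(`not pinned by commit hash: ${u}`);
  console.log(`${name}: ${problems.length ? problems.join('; ') : 'ok'}`);
  return problems;
}

report('weak', weakWorkflow);
report('hardened', hardenedWorkflow);
```

A hash pin only helps if someone keeps it current, so pair it with Dependabot or Renovate for github-actions so the pins move with reviewed updates instead of silently aging.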

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.