Informational scan, not a security audit.
API keys, passwords or tokens committed into the repo.
generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations. (listed 25 times)

Packages you depend on that have known security holes (CVEs).
CVE-2026-53633 Vitest Browser: Exposed Browser Mode API Can Proxy CDP and Overwrite Config Files, Leading to RCE (listed 2 times)
CVE-2026-27699 basic-ftp: basic-ftp: File overwrite due to path traversal
CVE-2026-25896 fast-xml-parser: fast-xml-parser: Cross-Site Scripting (XSS) due to improper DOCTYPE entity handling
CVE-2025-7783 form-data: Unsafe random function in form-data
CVE-2026-33937 handlebars.js: Handlebars: Remote Code Execution via crafted Abstract Syntax Tree object in compile()
CVE-2025-55182 next: React Server Components: Pre-authentication remote code execution via unsafe deserialization
CVE-2025-9288 sha.js: Missing type checks leading to hash rewind and passing on crafted data
CVE-2026-9277 shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators
CVE-2026-47429 When Vitest UI server is listening, arbitrary file can be read and executed (listed 2 times)
CVE-2025-27789 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups (listed 2 times)
CVE-2026-44728 Babel is a compiler for writing next generation JavaScript. From 7.12. ... (listed 2 times)
GHSA-8rgj-285w-qcq4 Unknown vulnerability in Coinbase Wallet SDK
GHSA-qj3p-xc97-xw74 MetaMask SDK indirectly exposed via malicious [email protected] dependency (listed 3 times)
CVE-2025-27611 base-x: base-x homograph attack allows Unicode lookalike characters to bypass validation. (listed 2 times)
CVE-2026-41324 basic-ftp: basic-ftp: Denial of Service via unbounded memory growth from malicious directory listings
CVE-2026-44240 basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is v ...
GHSA-6v7q-wjvx-w8wg basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands
CVE-2026-2739 bn.js: bn.js: Denial of Service via calling maskn(0)

Your dependencies cross-checked against the OSV vulnerability database.
GHSA-g8mr-85jm-7xhm Vitest Browser: Exposed Browser Mode API Can Proxy CDP and Overwrite Config Files, Leading to RCE
GHSA-5rq4-664w-9x2c Basic FTP has Path Traversal Vulnerability in its downloadToDir() method
GHSA-cpq7-6gpm-g9rc cipher-base is missing type checks, leading to hash rewind and passing on crafted data
GHSA-m7jm-9gc2-mpf2 fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names
GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary (listed 3 times)
GHSA-2w6w-674q-4c4q Handlebars.js has JavaScript Injection via AST Type Confusion
GHSA-wf6x-7x77-mvgw Immutable is vulnerable to Prototype Pollution
GHSA-9qr9-h5gf-34mp Next.js is vulnerable to RCE in React flight protocol
GHSA-h7cp-r72f-jxh6 pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos
GHSA-v62p-rq8g-8h59 pbkdf2 silently disregards Uint8Array input, returning static keys
GHSA-95m3-7q98-8xr5 sha.js is missing type checks leading to hash rewind and passing on crafted data
GHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op values (listed 3 times)
GHSA-3qcw-2rhx-2726 Turbo: Unexpected local code execution during Yarn Berry detection
GHSA-5xrq-8626-4rwp When Vitest UI server is listening, arbitrary file can be read and executed
GHSA-968p-4wvh-cqc8 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups (listed 3 times)
GHSA-fv7c-fp4j-7gwp @babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input
GHSA-8rgj-285w-qcq4 Unknown vulnerability in Coinbase Wallet SDK
GHSA-h5c3-5r3r-rr8q @octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
GHSA-rmvr-2pp2-xj38 @octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking

Code that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
This check didn’t finish — that’s not the same as “clean.”
A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.
scorecard-overall OpenSSF Scorecard overall: 6.3/10
scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
scorecard-Maintained Maintained scored 0: 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
scorecard-Pinned-Dependencies Pinned-Dependencies scored 0: dependency not pinned by hash detected -- score normalized to 0
scorecard-Token-Permissions Token-Permissions scored 0: detected GitHub workflow tokens with excessive permissions