Informational scan, not a security audit. How this is computed.
API keys, passwords or tokens committed into the repo.
Nothing found by this check. ✓
Packages you depend on that have known security holes (CVEs).
CVE-2018-3750 nodejs-deep-extend: Prototype pollution can allow attackers to modify object propertiesCVE-2023-45311 Code injection in fseventsCVE-2019-10744 nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying propertiesCVE-2019-10744 nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying propertiesCVE-2020-7788 nodejs-ini: Prototype pollution via malicious INI fileCVE-2018-16487 lodash: Prototype pollution in utilities functionCVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep functionCVE-2021-23337 nodejs-lodash: command injection via templateCVE-2026-4800 lodash: lodash: Arbitrary code execution via untrusted input in template importsCVE-2019-1010266 lodash: uncontrolled resource consumption in Data handler causing denial of serviceCVE-2020-28500 nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functionsCVE-2025-13465 lodash: prototype pollution in _.unset and _.omit functionsCVE-2026-2950 lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypassCVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep functionCVE-2021-23337 nodejs-lodash: command injection via templateCVE-2026-4800 lodash: lodash: Arbitrary code execution via untrusted input in template importsCVE-2019-1010266 lodash: uncontrolled resource consumption in Data handler causing denial of serviceCVE-2020-28500 nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functionsCVE-2025-13465 lodash: prototype pollution in _.unset and _.omit functionsCVE-2026-2950 lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypassCVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actorCVE-2024-45296 path-to-regexp: Backtracking regular expressions cause ReDoSCVE-2020-7733 nodejs-ua-parser-js: Regular expression denial of service via the regexCVE-2020-7793 nodejs-ua-parser-js: ReDoS in multiple regexesNSWG-ECO-408 deep-extend prototype pollutionYour dependencies cross-checked against the OSV vulnerability database.
GHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious codeGHSA-cpq7-6gpm-g9rc cipher-base is missing type checks, leading to hash rewind and passing on crafted dataGHSA-hr2v-3952-633q Prototype Pollution in deep-extendGHSA-vjh7-7g9h-fjfh Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)GHSA-6h5x-7c5m-7cr7 Exposure of Sensitive Information in eventsourceGHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundaryMAL-2023-462 Malicious code in fsevents (npm)GHSA-8r6j-v8pm-fqw3 Code injection in fseventsGHSA-2w6w-674q-4c4q Handlebars.js has JavaScript Injection via AST Type ConfusionGHSA-765h-qjxv-5f44 Prototype Pollution in handlebarsGHSA-f2jv-r9rf-7988 Remote code execution in handlebars when compiling templatesGHSA-w457-6q6x-cgp9 Prototype Pollution in handlebarsGHSA-896r-f27r-55mw json-schema is vulnerable to Prototype PollutionGHSA-76p3-8jx3-jpfq Prototype pollution in webpack loader-utilsGHSA-76p3-8jx3-jpfq Prototype pollution in webpack loader-utilsGHSA-jf85-cpcp-j695 Prototype Pollution in lodashGHSA-jf85-cpcp-j695 Prototype Pollution in lodashGHSA-pp57-mqmh-44h7 Command Injection in macaddressGHSA-xvch-5gv4-984h Prototype Pollution in minimistGHSA-xvch-5gv4-984h Prototype Pollution in minimistGHSA-h7cp-r72f-jxh6 pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algosGHSA-v62p-rq8g-8h59 pbkdf2 silently disregards Uint8Array input, returning static keysGHSA-95m3-7q98-8xr5 sha.js is missing type checks leading to hash rewind and passing on crafted dataGHSA-hgjh-723h-mx2j Authorization Bypass Through User-Controlled Key in url-parseGHSA-pv4c-p2j5-38j4 Open Redirect in url-parseCode that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.
A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.