Informational scan, not a security audit.
API keys, passwords or tokens committed into the repo.
Nothing found by this check. ✓
Packages you depend on that have known security holes (CVEs).
CVE-2026-45409 Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix
CVE-2024-47081 requests: Requests vulnerable to .netrc credentials leak via malicious URLs
CVE-2026-25645 requests: Requests: Security bypass due to predictable temporary file creation
CVE-2025-66418 urllib3: urllib3: Unbounded decompression chain leads to resource exhaustion
CVE-2025-66471 urllib3: urllib3 Streaming API improperly handles highly compressed data
CVE-2026-21441 urllib3: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API)
CVE-2026-44431 urllib3: urllib3: Information disclosure via cross-origin redirects forwarding sensitive headers
CVE-2025-50181 urllib3: urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation
CVE-2025-50182 urllib3: urllib3 does not control redirects in browsers and Node.js
CVE-2025-13466 body-parser: body-parser denial of service
CVE-2026-4926 path-to-regexp: path-to-regexp: Denial of Service via crafted regular expressions
CVE-2026-4923 path-to-regexp: path-to-regexp: Denial of Service via specially crafted paths with multiple wildcards
CVE-2025-15284 qs: qs: Denial of Service via improper input validation in array parsing
CVE-2026-8723 ### Summary `qs.stringify` throws `TypeError` when called with `arr ...
CVE-2025-64718 js-yaml: js-yaml prototype pollution in merge
Your dependencies cross-checked against the OSV vulnerability database.
GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary
GHSA-2xpw-w6gg-jr37 urllib3 streaming API improperly handles highly compressed data
GHSA-38jv-5279-wg99 Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API)
GHSA-gm62-xv2j-4w53 urllib3 allows an unbounded number of links in the decompression chain
GHSA-qccp-gfcp-xxvc urllib3: Sensitive headers forwarded across origins in proxied low-level redirects
GHSA-25h7-pfq9-p65f flatted vulnerable to unbounded recursion DoS in parse() revive phase
GHSA-rf6f-7fwh-wjgh Prototype Pollution via parse() in NodeJS flatted
GHSA-23c5-xmqv-rm74 minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
GHSA-3ppc-4f35-3m26 minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
GHSA-7r86-cg39-jmmj minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
GHSA-j3q9-mxjg-w52f path-to-regexp vulnerable to Denial of Service via sequential optional groups
GHSA-c2c7-rcm5-vvqj Picomatch has a ReDoS vulnerability via extglob quantifiers
Code that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
Nothing found by this check. ✓
A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.
scorecard-overall OpenSSF Scorecard overall: 1.6/10
scorecard-CI-Tests CI-Tests scored 0: 0 out of 3 merged PRs checked by a CI test -- score normalized to 0
scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
scorecard-Code-Review Code-Review scored 0: Found 2/27 approved changesets -- score normalized to 0
scorecard-Dependency-Update-Tool Dependency-Update-Tool scored 0: no update tool detected
scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
scorecard-Maintained Maintained scored 0: 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
scorecard-Pinned-Dependencies Pinned-Dependencies scored 0: dependency not pinned by hash detected -- score normalized to 0
scorecard-SAST SAST scored 0: SAST tool is not run on all commits -- score normalized to 0
scorecard-Security-Policy Security-Policy scored 0: security policy file not detected
scorecard-Vulnerabilities Vulnerabilities scored 0: 69 existing vulnerabilities detected