Informational scan, not a security audit.
API keys, passwords or tokens committed into the repo.
generic-api-key: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

Packages you depend on that have known security holes (CVEs).
CVE-2026-6410 (@fastify/static): Information disclosure via path traversal when directory listing is enabled.
CVE-2026-6414 (@fastify/static): Security bypass via percent-encoded path separators.
CVE-2026-53571 (vite): `server.fs.deny` bypass on Windows alternate paths.
CVE-2026-53632 (launch-editor): NTLMv2 hash disclosure via UNC path handling on Windows.
GHSA-g7r4-m6w7-qqqr (esbuild): esbuild allows arbitrary file read when running the development server on Windows.

Your dependencies cross-checked against the OSV vulnerability database.
GHSA-pr96-94w5-mx2h (@fastify/static): @fastify/static vulnerable to path traversal in directory listing.
GHSA-x428-ghpx-8j92 (@fastify/static): @fastify/static vulnerable to route guard bypass via encoded path separators.
GHSA-fx2h-pf6j-xcff (vite): `server.fs.deny` bypass on Windows alternate paths.
GHSA-v6wh-96g9-6wx3 (launch-editor): NTLMv2 hash disclosure via UNC path handling on Windows.
GHSA-g7r4-m6w7-qqqr (esbuild): esbuild allows arbitrary file read when running the development server on Windows.

Code that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.
A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.
scorecard-overall: OpenSSF Scorecard overall: 1.5/10
scorecard-CII-Best-Practices: CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
scorecard-Code-Review: Code-Review scored 0: Found 0/30 approved changesets -- score normalized to 0
scorecard-Contributors: Contributors scored 0: project has 0 contributing companies or organizations -- score normalized to 0
scorecard-Dependency-Update-Tool: Dependency-Update-Tool scored 0: no update tool detected
scorecard-Fuzzing: Fuzzing scored 0: project is not fuzzed
scorecard-Maintained: Maintained scored 0: project was created within the last 90 days. Please review its contents carefully
scorecard-SAST: SAST scored 0: no SAST tool detected
scorecard-Security-Policy: Security-Policy scored 0: security policy file not detected
scorecard-Signed-Releases: Signed-Releases scored 0: Project has not signed or included provenance with any releases.