gitsafehub
github.com/lispercat/sailpoint-iiq-dev-accelerator ↗

lispercat/sailpoint-iiq-dev-accelerator

scanned 2026-07-15 · git 89cef02
2 of 6 checks flagged a security issue
🟡 Worth a look
Only 5 of 6 checks finished — treat this as provisional. Re-check ↻

Informational scan, not a security audit. How this is computed.

Leaked secretsVulnerable dependencies38Known OSS vulnerabilities74Risky code patternsMalicious dependenciesProject health8

Security checks

Leaked secrets — Gitleaks none found ✓

API keys, passwords or tokens committed into the repo.

Nothing found by this check. ✓

via Gitleaks v8.21.2 · MIT

Vulnerable dependencies — Trivy 38 found

Packages you depend on that have known security holes (CVEs).

  • Worth fixing CVE-2026-34601 xmldom: xmldom: XML structure injection via CDATA terminator
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-34601). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-41672 xmldom: @xmldom/xmldom: xmldom: Arbitrary XML Node Injection
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-41672). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-41673 @xmldom/xmldom: xmldom: xmldom: Denial of Service via deeply nested XML documents
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-41673). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-41674 xmldom: xmldom: Arbitrary XML markup injection
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-41674). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-41675 xmldom: xmldom: Arbitrary XML node injection via crafted processing instructions
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-41675). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-58754 axios: Axios DoS via lack of data size check
    package-lock.json
    A package you depend on has a known security hole (CVE-2025-58754). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-25639 axios: Axios affected by Denial of Service via __proto__ Key in mergeConfig
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-25639). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42033 axios: Axios: HTTP Transport Hijacking via Prototype Pollution
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-42033). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42035 axios: Axios: Arbitrary HTTP header injection via prototype pollution
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-42035). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42043 axios: Axios: NO_PROXY bypass via crafted URL
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-42043). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42264 axios: Axios: Prototype pollution allows information disclosure and request manipulation
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-42264). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-44486 axios: Axios: Information disclosure of proxy credentials via HTTP redirects
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-44486). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-44487 axios: Axios: Information disclosure of proxy credentials via redirect flows
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-44487). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-44488 axios: Axios: Denial of Service due to unenforced request and response size limits
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-44488). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-44494 axios: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-44494). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-44495 axios: Axios: Information disclosure due to prototype pollution vulnerability
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-44495). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-44496 axios: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-44496). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-62718 axios: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization
    package-lock.json
    A package you depend on has a known security hole (CVE-2025-62718). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-40175 axios: Axios: Remote Code Execution via Prototype Pollution escalation
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-40175). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42034 axios: Axios: Denial of Service via oversized streamed uploads bypassing body limits
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-42034). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42036 axios: Axios: Denial of Service via unbounded stream consumption when 'responseType: 'stream'' is used
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-42036). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42037 axios: Node.js: Axios: Information disclosure via CRLF injection in multipart Content-Type header
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-42037). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42038 axios: Axios: Information disclosure due to `no_proxy` bypass
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-42038). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42039 axios: Node.js: Axios: Denial of Service via unbounded recursion in toFormData with deeply nested request data
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-42039). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42041 axios: Axios: Authentication bypass due to prototype pollution of HTTP error handling
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-42041). Fix: Update that package to its patched version.
… 13 more not shown

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 74 found

Your dependencies cross-checked against the OSV vulnerability database.

  • Worth fixing GHSA-f886-m6hf-6m8v brace-expansion: Zero-step sequence causes process hang and memory exhaustion
    /workdirs/scan-5632a7b6-1d39-4ec9-a410-8c2a59e755d6/client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-33750). Fix: Update that package to its patched version.
  • Worth fixing GHSA-f886-m6hf-6m8v brace-expansion: Zero-step sequence causes process hang and memory exhaustion
    /workdirs/scan-5632a7b6-1d39-4ec9-a410-8c2a59e755d6/client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-33750). Fix: Update that package to its patched version.
  • Worth fixing GHSA-h67p-54hq-rp68 JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases
    /workdirs/scan-5632a7b6-1d39-4ec9-a410-8c2a59e755d6/client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-53550). Fix: Update that package to its patched version.
  • Worth fixing GHSA-mh29-5h37-fv8m js-yaml has prototype pollution in merge (<<)
    /workdirs/scan-5632a7b6-1d39-4ec9-a410-8c2a59e755d6/client/package-lock.json
    A package you depend on has a known security hole (CVE-2025-64718). Fix: Update that package to its patched version.
  • Worth fixing GHSA-23c5-xmqv-rm74 minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
    /workdirs/scan-5632a7b6-1d39-4ec9-a410-8c2a59e755d6/client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-27904). Fix: Update that package to its patched version.
  • Worth fixing GHSA-3ppc-4f35-3m26 minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
    /workdirs/scan-5632a7b6-1d39-4ec9-a410-8c2a59e755d6/client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-26996). Fix: Update that package to its patched version.
  • Worth fixing GHSA-7r86-cg39-jmmj minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
    /workdirs/scan-5632a7b6-1d39-4ec9-a410-8c2a59e755d6/client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-27903). Fix: Update that package to its patched version.
  • Worth fixing GHSA-23c5-xmqv-rm74 minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
    /workdirs/scan-5632a7b6-1d39-4ec9-a410-8c2a59e755d6/client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-27904). Fix: Update that package to its patched version.
  • Worth fixing GHSA-3ppc-4f35-3m26 minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
    /workdirs/scan-5632a7b6-1d39-4ec9-a410-8c2a59e755d6/client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-26996). Fix: Update that package to its patched version.
  • Worth fixing GHSA-7r86-cg39-jmmj minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
    /workdirs/scan-5632a7b6-1d39-4ec9-a410-8c2a59e755d6/client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-27903). Fix: Update that package to its patched version.
  • Worth fixing GHSA-mwcw-c2x4-8c55 Predictable results in nanoid generation when given non-integer values
    /workdirs/scan-5632a7b6-1d39-4ec9-a410-8c2a59e755d6/client/package-lock.json
    A package you depend on has a known security hole (CVE-2024-55565). Fix: Update that package to its patched version.
  • Worth fixing GHSA-3v7f-55p6-f55p Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
    /workdirs/scan-5632a7b6-1d39-4ec9-a410-8c2a59e755d6/client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-33672). Fix: Update that package to its patched version.
  • Worth fixing GHSA-c2c7-rcm5-vvqj Picomatch has a ReDoS vulnerability via extglob quantifiers
    /workdirs/scan-5632a7b6-1d39-4ec9-a410-8c2a59e755d6/client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-33671). Fix: Update that package to its patched version.
  • Worth fixing GHSA-5c6j-r48x-rmvq Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()
    /workdirs/scan-5632a7b6-1d39-4ec9-a410-8c2a59e755d6/client/package-lock.json
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-76p7-773f-r4q5 Cross-site Scripting (XSS) in serialize-javascript
    /workdirs/scan-5632a7b6-1d39-4ec9-a410-8c2a59e755d6/client/package-lock.json
    A package you depend on has a known security hole (CVE-2024-11831). Fix: Update that package to its patched version.
  • Worth fixing GHSA-qj8w-gfj5-8c6v Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects
    /workdirs/scan-5632a7b6-1d39-4ec9-a410-8c2a59e755d6/client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-34043). Fix: Update that package to its patched version.
  • Worth fixing GHSA-2v35-w6hq-6mfw xmldom: Uncontrolled recursion in XML serialization leads to DoS
    /workdirs/scan-5632a7b6-1d39-4ec9-a410-8c2a59e755d6/package-lock.json
    A package you depend on has a known security hole (CVE-2026-41673). Fix: Update that package to its patched version.
  • Worth fixing GHSA-f6ww-3ggp-fr8h xmldom has XML injection through unvalidated DocumentType serialization
    /workdirs/scan-5632a7b6-1d39-4ec9-a410-8c2a59e755d6/package-lock.json
    A package you depend on has a known security hole (CVE-2026-41674). Fix: Update that package to its patched version.
  • Worth fixing GHSA-j759-j44w-7fr8 xmldom has XML node injection through unvalidated comment serialization
    /workdirs/scan-5632a7b6-1d39-4ec9-a410-8c2a59e755d6/package-lock.json
    A package you depend on has a known security hole (CVE-2026-41672). Fix: Update that package to its patched version.
  • Worth fixing GHSA-wh4c-j3r5-mjhp xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion
    /workdirs/scan-5632a7b6-1d39-4ec9-a410-8c2a59e755d6/package-lock.json
    A package you depend on has a known security hole (CVE-2026-34601). Fix: Update that package to its patched version.
  • Worth fixing GHSA-x6wf-f3px-wcqx xmldom has XML node injection through unvalidated processing instruction serialization
    /workdirs/scan-5632a7b6-1d39-4ec9-a410-8c2a59e755d6/package-lock.json
    A package you depend on has a known security hole (CVE-2026-41675). Fix: Update that package to its patched version.
  • Worth fixing GHSA-2g4f-4pwh-qvx6 ajv has ReDoS when using `$data` option
    /workdirs/scan-5632a7b6-1d39-4ec9-a410-8c2a59e755d6/package-lock.json
    A package you depend on has a known security hole (CVE-2025-69873). Fix: Update that package to its patched version.
  • Worth fixing GHSA-2g4f-4pwh-qvx6 ajv has ReDoS when using `$data` option
    /workdirs/scan-5632a7b6-1d39-4ec9-a410-8c2a59e755d6/package-lock.json
    A package you depend on has a known security hole (CVE-2025-69873). Fix: Update that package to its patched version.
  • Worth fixing GHSA-35jp-ww65-95wh axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`
    /workdirs/scan-5632a7b6-1d39-4ec9-a410-8c2a59e755d6/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44494). Fix: Update that package to its patched version.
  • Worth fixing GHSA-3g43-6gmg-66jw axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge
    /workdirs/scan-5632a7b6-1d39-4ec9-a410-8c2a59e755d6/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44495). Fix: Update that package to its patched version.
… 49 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited: injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog timed out

Packages that look intentionally malicious: typosquats, sneaky install scripts.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via Guarddog v2.10.0 · Apache-2.0

error: npm:timeout

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard 8 notes

Maintenance & supply-chain hygiene. A signal about the project, not a vulnerability in your code.

  • Worth fixing scorecard-overall OpenSSF Scorecard overall: 3.6/10
    A project-health signal (maintenance / supply-chain hygiene), not a vulnerability in your code.
  • Minor scorecard-CI-Tests CI-Tests scored 0: 0 out of 16 merged PRs checked by a CI test -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene), not a vulnerability in your code.
  • Minor scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
    A project-health signal (maintenance / supply-chain hygiene), not a vulnerability in your code.
  • Minor scorecard-Contributors Contributors scored 0: project has 0 contributing companies or organizations -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene), not a vulnerability in your code.
  • Minor scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
    A project-health signal (maintenance / supply-chain hygiene), not a vulnerability in your code.
  • Minor scorecard-Maintained Maintained scored 0: 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene), not a vulnerability in your code.
  • Minor scorecard-SAST SAST scored 0: SAST tool is not run on all commits -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene), not a vulnerability in your code.
  • Minor scorecard-Security-Policy Security-Policy scored 0: security policy file not detected
    A project-health signal (maintenance / supply-chain hygiene), not a vulnerability in your code.

via OpenSSF Scorecard v5.5.0 · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.