Informational scan, not a security audit.
API keys, passwords or tokens committed into the repo.
Nothing found by this check. ✓
Packages you depend on that have known security holes (CVEs).
CVE-2024-56201 jinja2: Jinja has a sandbox breakout through malicious filenames
CVE-2024-56326 jinja2: Jinja has a sandbox breakout through indirect reference to format method
CVE-2025-27516 jinja2: Jinja sandbox breakout through attr filter selecting format method
Your dependencies cross-checked against the OSV vulnerability database.
GHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary
GHSA-33f9-j839-rf8h Prototype Pollution in immer
GHSA-76p3-8jx3-jpfq Prototype pollution in webpack loader-utils
GHSA-jv35-xqg7-f92r set-getter Prototype Pollution Vulnerability
GHSA-g4rg-993r-mgx7 Improper Neutralization of Special Elements used in a Command in Shell-quote
GHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op values
GHSA-3936-cmfr-pm3m Black: Arbitrary file writes from unsanitized user input in cache file name
GHSA-qmgc-5h2g-mvrw filelock Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock
GHSA-w853-jp5j-5j7f filelock has a TOCTOU race condition which allows symlink attacks during lock file creation
GHSA-cpwx-vrp4-4pq7 Jinja2 vulnerable to sandbox breakout through attr filter selecting format method
GHSA-gmj6-6f8f-6699 Jinja has a sandbox breakout through malicious filenames
GHSA-q2x7-8rv6-6q7h Jinja has a sandbox breakout through indirect reference to format method
GHSA-6w46-j5rx-g56g pytest has vulnerable tmpdir handling
GHSA-968p-4wvh-cqc8 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
GHSA-fv7c-fp4j-7gwp @babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input
GHSA-2g4f-4pwh-qvx6 ajv has ReDoS when using `$data` option
GHSA-93q8-gq69-wqmw Inefficient Regular Expression Complexity in chalk/ansi-regex
GHSA-fwr7-v2mv-hh25 Prototype Pollution in async
GHSA-qwcr-r2fm-qrc7 body-parser vulnerable to denial of service when url encoding is enabled
GHSA-f886-m6hf-6m8v brace-expansion: Zero-step sequence causes process hang and memory exhaustion
GHSA-grv7-fg5c-xmjg Uncontrolled resource consumption in braces
GHSA-w8qv-6jwh-64r5 Regular Expression Denial of Service in browserslist
Code that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
This check didn’t finish — that’s not the same as “clean.”
A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.
scorecard-overall OpenSSF Scorecard overall: 6.0/10
scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
scorecard-Pinned-Dependencies Pinned-Dependencies scored 0: dependency not pinned by hash detected -- score normalized to 0
scorecard-Security-Policy Security-Policy scored 0: security policy file not detected
scorecard-Token-Permissions Token-Permissions scored 0: detected GitHub workflow tokens with excessive permissions