gitsafehub
github.com/oai/openapi-specification ↗

oai/openapi-specification

scanned 2026-06-27 · git 2fe12cb
3 of 6 checks flagged a security issue
🟡 Worth a look
Only 5 of 6 checks finished — treat this as provisional.

Informational scan, not a security audit.

Leaked secrets 1 · Vulnerable dependencies 12 · Known OSS vulnerabilities 21 · Risky code patterns 0 · Malicious dependencies (not run) · Project health 7

Security checks

Leaked secrets — Gitleaks 1 found

API keys, passwords or tokens committed into the repo.

  • Worth fixing · generic-api-key · Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    .github/templates/agenda.md:7
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.

via Gitleaks v8.21.2 · MIT

Vulnerable dependencies — Trivy 12 found

Packages you depend on that have known security holes (CVEs).

  • Worth fixing · CVE-2026-53550 · js-yaml: Denial of Service via crafted YAML merge keys
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-53550). Fix: Update that package to its patched version.
  • Worth fixing · CVE-2026-12151 · undici: Denial of Service due to unbounded memory growth via WebSocket frames
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-12151). Fix: Update that package to its patched version.
  • Worth fixing · CVE-2026-1526 · undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-1526). Fix: Update that package to its patched version.
  • Worth fixing · CVE-2026-1528 · undici: Denial of Service via crafted WebSocket frame with large length
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-1528). Fix: Update that package to its patched version.
  • Worth fixing · CVE-2026-2229 · undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-2229). Fix: Update that package to its patched version.
  • Worth fixing · CVE-2026-1525 · undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-1525). Fix: Update that package to its patched version.
  • Worth fixing · CVE-2026-1527 · undici: HTTP header injection and request smuggling vulnerability
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-1527). Fix: Update that package to its patched version.
  • Worth fixing · CVE-2026-2581 · undici: Denial of Service due to uncontrolled resource consumption
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-2581). Fix: Update that package to its patched version.
  • Worth fixing · CVE-2026-9678 · undici: Information disclosure due to improper cache-control header parsing
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-9678). Fix: Update that package to its patched version.
  • Worth fixing · CVE-2026-9679 · undici: HTTP header injection via Set-Cookie percent-decoding
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-9679). Fix: Update that package to its patched version.
  • Minor · CVE-2026-11525 · undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-11525). Fix: Update that package to its patched version.
  • Minor · CVE-2026-6733 · undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-6733). Fix: Update that package to its patched version.

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 21 found

Your dependencies cross-checked against the OSV vulnerability database.

  • Worth fixing · GHSA-f886-m6hf-6m8v · brace-expansion: Zero-step sequence causes process hang and memory exhaustion
    /workdirs/scan-e371c3c6-0a7b-4b90-babc-e4a108748aa9/package-lock.json
    A package you depend on has a known security hole (CVE-2026-33750). Fix: Update that package to its patched version.
  • Worth fixing · GHSA-jxxr-4gwj-5jf2 · brace-expansion: Large numeric range defeats documented `max` DoS protection
    /workdirs/scan-e371c3c6-0a7b-4b90-babc-e4a108748aa9/package-lock.json
    A package you depend on has a known security hole (CVE-2026-45149). Fix: Update that package to its patched version.
  • Worth fixing · GHSA-h67p-54hq-rp68 · js-yaml: Quadratic-complexity DoS in merge key handling via repeated aliases
    /workdirs/scan-e371c3c6-0a7b-4b90-babc-e4a108748aa9/package-lock.json
    A package you depend on has a known security hole (CVE-2026-53550). Fix: Update that package to its patched version.
  • Worth fixing · GHSA-6v5v-wf23-fmfq · markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operations
    /workdirs/scan-e371c3c6-0a7b-4b90-babc-e4a108748aa9/package-lock.json
    A package you depend on has a known security hole (CVE-2026-48988). Fix: Update that package to its patched version.
  • Worth fixing · GHSA-3v7f-55p6-f55p · picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
    /workdirs/scan-e371c3c6-0a7b-4b90-babc-e4a108748aa9/package-lock.json
    A package you depend on has a known security hole (CVE-2026-33672). Fix: Update that package to its patched version.
  • Worth fixing · GHSA-c2c7-rcm5-vvqj · picomatch: ReDoS vulnerability via extglob quantifiers
    /workdirs/scan-e371c3c6-0a7b-4b90-babc-e4a108748aa9/package-lock.json
    A package you depend on has a known security hole (CVE-2026-33671). Fix: Update that package to its patched version.
  • Worth fixing · GHSA-3v7f-55p6-f55p · picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
    /workdirs/scan-e371c3c6-0a7b-4b90-babc-e4a108748aa9/package-lock.json
    A package you depend on has a known security hole (CVE-2026-33672). Fix: Update that package to its patched version.
  • Worth fixing · GHSA-c2c7-rcm5-vvqj · picomatch: ReDoS vulnerability via extglob quantifiers
    /workdirs/scan-e371c3c6-0a7b-4b90-babc-e4a108748aa9/package-lock.json
    A package you depend on has a known security hole (CVE-2026-33671). Fix: Update that package to its patched version.
  • Worth fixing · GHSA-2mjp-6q6p-2qxm · undici: HTTP Request/Response Smuggling issue
    /workdirs/scan-e371c3c6-0a7b-4b90-babc-e4a108748aa9/package-lock.json
    A package you depend on has a known security hole (CVE-2026-1525). Fix: Update that package to its patched version.
  • Worth fixing · GHSA-4992-7rv2-5pvq · undici: CRLF Injection via `upgrade` option
    /workdirs/scan-e371c3c6-0a7b-4b90-babc-e4a108748aa9/package-lock.json
    A package you depend on has a known security hole (CVE-2026-1527). Fix: Update that package to its patched version.
  • Worth fixing · GHSA-f269-vfmq-vjvj · undici: Malicious WebSocket 64-bit length overflows parser and crashes the client
    /workdirs/scan-e371c3c6-0a7b-4b90-babc-e4a108748aa9/package-lock.json
    A package you depend on has a known security hole (CVE-2026-1528). Fix: Update that package to its patched version.
  • Worth fixing · GHSA-p88m-4jfj-68fv · undici: HTTP header injection via Set-Cookie percent-decoding
    /workdirs/scan-e371c3c6-0a7b-4b90-babc-e4a108748aa9/package-lock.json
    A package you depend on has a known security hole (CVE-2026-9679). Fix: Update that package to its patched version.
  • Worth fixing · GHSA-phc3-fgpg-7m6h · undici: Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS
    /workdirs/scan-e371c3c6-0a7b-4b90-babc-e4a108748aa9/package-lock.json
    A package you depend on has a known security hole (CVE-2026-2581). Fix: Update that package to its patched version.
  • Worth fixing · GHSA-pr7r-676h-xcf6 · undici: Cross-user information disclosure via shared cache whitespace bypass
    /workdirs/scan-e371c3c6-0a7b-4b90-babc-e4a108748aa9/package-lock.json
    A package you depend on has a known security hole (CVE-2026-9678). Fix: Update that package to its patched version.
  • Worth fixing · GHSA-v9p9-hfj2-hcw8 · undici: Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation
    /workdirs/scan-e371c3c6-0a7b-4b90-babc-e4a108748aa9/package-lock.json
    A package you depend on has a known security hole (CVE-2026-2229). Fix: Update that package to its patched version.
  • Worth fixing · GHSA-vrm6-8vpv-qv8q · undici: Unbounded Memory Consumption in WebSocket permessage-deflate Decompression
    /workdirs/scan-e371c3c6-0a7b-4b90-babc-e4a108748aa9/package-lock.json
    A package you depend on has a known security hole (CVE-2026-1526). Fix: Update that package to its patched version.
  • Worth fixing · GHSA-vxpw-j846-p89q · undici: WebSocket client denial of service via fragment count bypass
    /workdirs/scan-e371c3c6-0a7b-4b90-babc-e4a108748aa9/package-lock.json
    A package you depend on has a known security hole (CVE-2026-12151). Fix: Update that package to its patched version.
  • Worth fixing · GHSA-w5hq-g745-h8pq · uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
    /workdirs/scan-e371c3c6-0a7b-4b90-babc-e4a108748aa9/package-lock.json
    A package you depend on has a known security hole (CVE-2026-41907). Fix: Update that package to its patched version.
  • Worth fixing · GHSA-48c2-rrv3-qjmp · yaml: Stack Overflow via deeply nested YAML collections
    /workdirs/scan-e371c3c6-0a7b-4b90-babc-e4a108748aa9/package-lock.json
    A package you depend on has a known security hole (CVE-2026-33532). Fix: Update that package to its patched version.
  • Minor · GHSA-35p6-xmwp-9g52 · undici: HTTP response queue poisoning via keep-alive socket reuse
    /workdirs/scan-e371c3c6-0a7b-4b90-babc-e4a108748aa9/package-lock.json
    A package you depend on has a known security hole (CVE-2026-6733). Fix: Update that package to its patched version.
  • Minor · GHSA-g8m3-5g58-fq7m · undici: Set-Cookie SameSite attribute downgrade via permissive substring matching
    /workdirs/scan-e371c3c6-0a7b-4b90-babc-e4a108748aa9/package-lock.json
    A package you depend on has a known security hole (CVE-2026-11525). Fix: Update that package to its patched version.

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog couldn’t run

Packages that look intentionally malicious — typosquats, sneaky install scripts.

This check didn’t finish — that’s not the same as “clean.”

via Guarddog v2.10.0 · Apache-2.0

error: npm:Traceback (most recent call last): File "/usr/local/bin/guarddog", line 5, in <module> from guarddog.cli import cl

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard 7 notes

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

  • Minor · scorecard-overall · OpenSSF Scorecard overall: 5.0/10
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor · scorecard-CII-Best-Practices · CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor · scorecard-Dangerous-Workflow · Dangerous-Workflow scored 0: dangerous workflow patterns detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor · scorecard-Fuzzing · Fuzzing scored 0: project is not fuzzed
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor · scorecard-SAST · SAST scored 0: SAST tool is not run on all commits (score normalized to 0)
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor · scorecard-Security-Policy · Security-Policy scored 0: security policy file not detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor · scorecard-Token-Permissions · Token-Permissions scored 0: detected GitHub workflow tokens with excessive permissions
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.

via OpenSSF Scorecard v5.5.0 · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.