Informational scan, not a security audit.
API keys, passwords or tokens committed into the repo.
generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

Packages you depend on that have known security holes (CVEs).
CVE-2026-53550 js-yaml: js-yaml: Denial of Service via crafted YAML merge keys
CVE-2026-12151 undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames
CVE-2026-1526 undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression
CVE-2026-1528 undici: undici: Denial of Service via crafted WebSocket frame with large length
CVE-2026-2229 undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter
CVE-2026-1525 undici: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers
CVE-2026-1527 undici: Undici: HTTP header injection and request smuggling vulnerability
CVE-2026-2581 undici: Undici: Denial of Service due to uncontrolled resource consumption
CVE-2026-9678 undici: Undici: Information disclosure due to improper cache-control header parsing
CVE-2026-9679 undici: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding
CVE-2026-11525 undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header
CVE-2026-6733 undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery.

Your dependencies cross-checked against the OSV vulnerability database.
GHSA-f886-m6hf-6m8v brace-expansion: Zero-step sequence causes process hang and memory exhaustion
GHSA-jxxr-4gwj-5jf2 brace-expansion: Large numeric range defeats documented `max` DoS protection
GHSA-h67p-54hq-rp68 JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases
GHSA-6v5v-wf23-fmfq markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operations
GHSA-3v7f-55p6-f55p Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
GHSA-c2c7-rcm5-vvqj Picomatch has a ReDoS vulnerability via extglob quantifiers
GHSA-2mjp-6q6p-2qxm Undici has an HTTP Request/Response Smuggling issue
GHSA-4992-7rv2-5pvq Undici has CRLF Injection in undici via `upgrade` option
GHSA-f269-vfmq-vjvj Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client
GHSA-p88m-4jfj-68fv undici vulnerable to HTTP header injection via Set-Cookie percent-decoding
GHSA-phc3-fgpg-7m6h Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS
GHSA-pr7r-676h-xcf6 undici vulnerable to cross-user information disclosure via shared cache whitespace bypass
GHSA-v9p9-hfj2-hcw8 Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation
GHSA-vrm6-8vpv-qv8q Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression
GHSA-vxpw-j846-p89q undici WebSocket client vulnerable to denial of service via fragment count bypass
GHSA-w5hq-g745-h8pq uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
GHSA-48c2-rrv3-qjmp yaml is vulnerable to Stack Overflow via deeply nested YAML collections
GHSA-35p6-xmwp-9g52 undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse
GHSA-g8m3-5g58-fq7m undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching

Code that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
This check didn’t finish — that’s not the same as “clean.”
A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.
scorecard-overall OpenSSF Scorecard overall: 5.0/10
scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
scorecard-Dangerous-Workflow Dangerous-Workflow scored 0: dangerous workflow patterns detected
scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
scorecard-SAST SAST scored 0: SAST tool is not run on all commits -- score normalized to 0
scorecard-Security-Policy Security-Policy scored 0: security policy file not detected
scorecard-Token-Permissions Token-Permissions scored 0: detected GitHub workflow tokens with excessive permissions