gitsafehub
github.com/orhun/git-cliff

orhun/git-cliff

scanned 2026-06-30 · git 03a9c80
2 of 6 checks flagged a security issue
🔴 Needs attention
Only 4 of 6 checks finished — treat this as provisional.

Informational scan, not a security audit.

Summary: Leaked secrets · Vulnerable dependencies (72) · Known OSS vulnerabilities (108) · Risky code patterns · Malicious dependencies · Project health

Security checks

Leaked secrets — Gitleaks timed out

API keys, passwords or tokens committed into the repo.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via Gitleaks v8.21.2 · MIT

error: timeout after 30s

Vulnerable dependencies — Trivy 72 found · 1 serious

Packages you depend on that have known security holes (CVEs).

  • Serious CVE-2026-9277 shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators
    website/yarn.lock
    A package you depend on has a known security hole (CVE-2026-9277). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-25541 Bytes is a utility library for working with bytes. From version 1.2.1 ...
    Cargo.lock
    A package you depend on has a known security hole (CVE-2026-25541). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-31812 quinn-proto: quinn-proto: Denial of Service via crafted QUIC Initial packet
    Cargo.lock
    A package you depend on has a known security hole (CVE-2026-31812). Fix: Update that package to its patched version.
  • Worth fixing GHSA-82j2-j2ch-gfr8 rustls-webpki: Denial of service via panic on malformed CRL BIT STRING
    Cargo.lock
    A package you depend on has a known security hole (GHSA-82j2-j2ch-gfr8). Fix: Update that package to its patched version.
  • Worth fixing GHSA-pwjx-qhcg-rvj4 webpki: CRLs not considered authoritative by Distribution Point due to faulty matching logic
    Cargo.lock
    A package you depend on has a known security hole (GHSA-pwjx-qhcg-rvj4). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-25727 time: time affected by a stack exhaustion denial of service attack
    Cargo.lock
    A package you depend on has a known security hole (CVE-2026-25727). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-27789 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
    website/yarn.lock
    A package you depend on has a known security hole (CVE-2025-27789). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-44728 Babel is a compiler for writing next generation JavaScript. From 7.12. ...
    website/yarn.lock
    A package you depend on has a known security hole (CVE-2026-44728). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-69873 ajv: ReDoS via $data reference
    website/yarn.lock
    A package you depend on has a known security hole (CVE-2025-69873). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-33750 brace-expansion: brace-expansion: Denial of Service via zero step value in brace pattern
    website/yarn.lock
    A package you depend on has a known security hole (CVE-2026-33750). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-21538 cross-spawn: regular expression denial of service
    website/yarn.lock
    A package you depend on has a known security hole (CVE-2024-21538). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-32014 estree-util-value-to-estree allows prototype pollution in generated ESTree
    website/yarn.lock
    A package you depend on has a known security hole (CVE-2025-32014). Fix: Update that package to its patched version.
  • Worth fixing GHSA-r4q5-vmmm-2653 follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets
    website/yarn.lock
    A package you depend on has a known security hole (GHSA-r4q5-vmmm-2653). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-55602 http-proxy-middleware: http-proxy-middleware: Unintended backend routing due to crafted Host header
    website/yarn.lock
    A package you depend on has a known security hole (CVE-2026-55602). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-48038 joi has an uncaught RangeError on deeply nested input through recursive `link()` schemas
    website/yarn.lock
    A package you depend on has a known security hole (CVE-2026-48038). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-64718 js-yaml: js-yaml prototype pollution in merge
    website/yarn.lock
    A package you depend on has a known security hole (CVE-2025-64718). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-53550 js-yaml: js-yaml: Denial of Service via crafted YAML merge keys
    website/yarn.lock
    A package you depend on has a known security hole (CVE-2026-53550). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-53632 launch-editor: launch-editor: Credential compromise via NTLMv2 password hash leak through UNC path access
    website/yarn.lock
    A package you depend on has a known security hole (CVE-2026-53632). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-4800 lodash: lodash: Arbitrary code execution via untrusted input in template imports
    website/yarn.lock
    A package you depend on has a known security hole (CVE-2026-4800). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-13465 lodash: prototype pollution in _.unset and _.omit functions
    website/yarn.lock
    A package you depend on has a known security hole (CVE-2025-13465). Fix: Update that package to its patched version.
… 47 more not shown

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 108 found · 1 serious

Your dependencies cross-checked against the OSV vulnerability database.

  • Serious GHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op values
    /workdirs/scan-d1c8b865-c3ff-47d5-af36-69aebc66306f/website/yarn.lock
    A package you depend on has a known security hole (CVE-2026-9277). Fix: Update that package to its patched version.
  • Worth fixing RUSTSEC-2026-0007 Integer overflow in `BytesMut::reserve`
    /workdirs/scan-d1c8b865-c3ff-47d5-af36-69aebc66306f/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-25541). Fix: Update that package to its patched version.
  • Worth fixing RUSTSEC-2026-0037 Denial of service in Quinn endpoints
    /workdirs/scan-d1c8b865-c3ff-47d5-af36-69aebc66306f/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-31812). Fix: Update that package to its patched version.
  • Worth fixing RUSTSEC-2026-0185 Remote memory exhaustion in quinn-proto from unbounded out-of-order stream reassembly
    /workdirs/scan-d1c8b865-c3ff-47d5-af36-69aebc66306f/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing RUSTSEC-2026-0049 CRLs not considered authoritative by Distribution Point due to faulty matching logic
    /workdirs/scan-d1c8b865-c3ff-47d5-af36-69aebc66306f/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing RUSTSEC-2026-0104 Reachable panic in certificate revocation list parsing
    /workdirs/scan-d1c8b865-c3ff-47d5-af36-69aebc66306f/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing RUSTSEC-2026-0009 Denial of Service via Stack Exhaustion
    /workdirs/scan-d1c8b865-c3ff-47d5-af36-69aebc66306f/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-25727). Fix: Update that package to its patched version.
  • Worth fixing GHSA-7h2j-956f-4vf2 @isaacs/brace-expansion has Uncontrolled Resource Consumption
    /workdirs/scan-d1c8b865-c3ff-47d5-af36-69aebc66306f/npm/git-cliff/yarn.lock
    A package you depend on has a known security hole (CVE-2026-25547). Fix: Update that package to its patched version.
  • Worth fixing GHSA-2g4f-4pwh-qvx6 ajv has ReDoS when using `$data` option
    /workdirs/scan-d1c8b865-c3ff-47d5-af36-69aebc66306f/npm/git-cliff/yarn.lock
    A package you depend on has a known security hole (CVE-2025-69873). Fix: Update that package to its patched version.
  • Worth fixing GHSA-f886-m6hf-6m8v brace-expansion: Zero-step sequence causes process hang and memory exhaustion
    /workdirs/scan-d1c8b865-c3ff-47d5-af36-69aebc66306f/npm/git-cliff/yarn.lock
    A package you depend on has a known security hole (CVE-2026-33750). Fix: Update that package to its patched version.
  • Worth fixing GHSA-jxxr-4gwj-5jf2 brace-expansion: Large numeric range defeats documented `max` DoS protection
    /workdirs/scan-d1c8b865-c3ff-47d5-af36-69aebc66306f/npm/git-cliff/yarn.lock
    A package you depend on has a known security hole (CVE-2026-45149). Fix: Update that package to its patched version.
  • Worth fixing GHSA-25h7-pfq9-p65f flatted vulnerable to unbounded recursion DoS in parse() revive phase
    /workdirs/scan-d1c8b865-c3ff-47d5-af36-69aebc66306f/npm/git-cliff/yarn.lock
    A package you depend on has a known security hole (CVE-2026-32141). Fix: Update that package to its patched version.
  • Worth fixing GHSA-rf6f-7fwh-wjgh Prototype Pollution via parse() in NodeJS flatted
    /workdirs/scan-d1c8b865-c3ff-47d5-af36-69aebc66306f/npm/git-cliff/yarn.lock
    A package you depend on has a known security hole (CVE-2026-33228). Fix: Update that package to its patched version.
  • Worth fixing GHSA-v2v4-37r5-5v8g ip-address has XSS in Address6 HTML-emitting methods
    /workdirs/scan-d1c8b865-c3ff-47d5-af36-69aebc66306f/npm/git-cliff/yarn.lock
    A package you depend on has a known security hole (CVE-2026-42338). Fix: Update that package to its patched version.
  • Worth fixing GHSA-h67p-54hq-rp68 JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases
    /workdirs/scan-d1c8b865-c3ff-47d5-af36-69aebc66306f/npm/git-cliff/yarn.lock
    A package you depend on has a known security hole (CVE-2026-53550). Fix: Update that package to its patched version.
  • Worth fixing GHSA-23c5-xmqv-rm74 minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
    /workdirs/scan-d1c8b865-c3ff-47d5-af36-69aebc66306f/npm/git-cliff/yarn.lock
    A package you depend on has a known security hole (CVE-2026-27904). Fix: Update that package to its patched version.
  • Worth fixing GHSA-3ppc-4f35-3m26 minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
    /workdirs/scan-d1c8b865-c3ff-47d5-af36-69aebc66306f/npm/git-cliff/yarn.lock
    A package you depend on has a known security hole (CVE-2026-26996). Fix: Update that package to its patched version.
  • Worth fixing GHSA-7r86-cg39-jmmj minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
    /workdirs/scan-d1c8b865-c3ff-47d5-af36-69aebc66306f/npm/git-cliff/yarn.lock
    A package you depend on has a known security hole (CVE-2026-27903). Fix: Update that package to its patched version.
  • Worth fixing GHSA-3v7f-55p6-f55p Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
    /workdirs/scan-d1c8b865-c3ff-47d5-af36-69aebc66306f/npm/git-cliff/yarn.lock
    A package you depend on has a known security hole (CVE-2026-33672). Fix: Update that package to its patched version.
  • Worth fixing GHSA-c2c7-rcm5-vvqj Picomatch has a ReDoS vulnerability via extglob quantifiers
    /workdirs/scan-d1c8b865-c3ff-47d5-af36-69aebc66306f/npm/git-cliff/yarn.lock
    A package you depend on has a known security hole (CVE-2026-33671). Fix: Update that package to its patched version.
  • Worth fixing GHSA-mw96-cpmx-2vgc Rollup 4 has Arbitrary File Write via Path Traversal
    /workdirs/scan-d1c8b865-c3ff-47d5-af36-69aebc66306f/npm/git-cliff/yarn.lock
    A package you depend on has a known security hole (CVE-2026-27606). Fix: Update that package to its patched version.
… 83 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog none found ✓

Packages that look intentionally malicious — typosquats, sneaky install scripts.

Nothing found by this check. ✓

via Guarddog v2.10.0 · Apache-2.0

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard didn’t run

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via OpenSSF Scorecard · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.