Informational scan, not a security audit. How this is computed.
API keys, passwords or tokens committed into the repo.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.
Packages you depend on that have known security holes (CVEs).
CVE-2026-9277 shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminatorsCVE-2026-46625 JavaScript Cookie is a JavaScript API for handling cookies, client-sid ...CVE-2026-46625 JavaScript Cookie is a JavaScript API for handling cookies, client-sid ...CVE-2026-53550 js-yaml: js-yaml: Denial of Service via crafted YAML merge keysCVE-2026-48801 LinkifyIt#match scan loop has quadratic algorithmic complexityCVE-2026-2327 markdown-it: markdown-it: Denial of Service via Regular Expression Denial of Service in linkify functionCVE-2026-48988 markdown-it is a Markdown parser. Versions 14.1.1 and below contain a ...CVE-2026-41305 postcss: PostCSS: Cross-Site Scripting (XSS) via improper escaping of style closing tagsCVE-2026-8723 ### Summary `qs.stringify` throws `TypeError` when called with `arr ...CVE-2026-33245 react-router: React Router: Cross-Site Scripting vulnerability via untrusted React Server Component redirectsCVE-2026-34077 react-router: React Router: Denial of Service via client-side Cross-Site Scripting in RSC redirect handlingCVE-2026-42211 React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCECVE-2026-42342 react-router: @remix-run/server-runtime: React Router / Remix: Denial of Service via unbounded path expansion in __manifest endpointCVE-2026-33244 react-router: React Router: Cross-Site Scripting (XSS) via improper HTTP Location header neutralizationCVE-2026-40181 react-router: React Router: Open redirect vulnerability via specially crafted URLsCVE-2026-12151 undici: undici: Denial of Service due to unbounded memory growth via WebSocket framesCVE-2026-6734 undici: undici: Information disclosure and data integrity issues due to incorrect Socks5ProxyAgent connection routingCVE-2026-9697 undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxyCVE-2026-9678 undici: Undici: Information disclosure due to improper cache-control header parsingCVE-2026-9679 undici: undici vulnerable to HTTP header injection via Set-Cookie percent-decodingCVE-2026-41907 uuid: uuid: Out-of-bounds write vulnerability impacts data integrity and confidentialityCVE-2026-53571 vite: `server.fs.deny` bypass on Windows alternate pathsCVE-2026-53632 launch-editor: launch-editor: Credential compromise via NTLMv2 password hash leak through UNC path accessCVE-2026-48779 ws: ws: Denial of Service via memory exhaustion from small WebSocket fragmentsCVE-2026-45736 ws: ws: Uninitialized memory disclosure via `websocket.close()` with `TypedArray`Your dependencies cross-checked against the OSV vulnerability database.
GHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op valuesGHSA-fv7c-fp4j-7gwp @babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious inputGHSA-f886-m6hf-6m8v brace-expansion: Zero-step sequence causes process hang and memory exhaustionGHSA-f886-m6hf-6m8v brace-expansion: Zero-step sequence causes process hang and memory exhaustionGHSA-f886-m6hf-6m8v brace-expansion: Zero-step sequence causes process hang and memory exhaustionGHSA-jxxr-4gwj-5jf2 brace-expansion: Large numeric range defeats documented `max` DoS protectionGHSA-848j-6mx2-7j84 Elliptic Uses a Cryptographic Primitive with a Risky ImplementationGHSA-qjx8-664m-686j JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injectionGHSA-qjx8-664m-686j JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injectionGHSA-h67p-54hq-rp68 JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliasesGHSA-h67p-54hq-rp68 JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliasesGHSA-22p9-wv53-3rq4 LinkifyIt#match scan loop has quadratic algorithmic complexityGHSA-38c4-r59v-3vqw markdown-it is has a Regular Expression Denial of Service (ReDoS)GHSA-6v5v-wf23-fmfq markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operationsGHSA-qx2v-qp2m-jg93 PostCSS has XSS via Unescaped </style> in its CSS Stringify OutputGHSA-q8mj-m7cp-5q26 qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is setGHSA-2j2x-hqr9-3h42 React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretationGHSA-49rj-9fvp-4h2h React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCEGHSA-8646-j5j9-6r62 React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targetsGHSA-8x6r-g9mw-2r78 React Router vulnerable to DoS via unbounded path expansion in __manifest endpointGHSA-f22v-gfqf-p8f3 React Router has stored XSS via unescaped Location header in prerendered redirect HTMLGHSA-rxv8-25v2-qmq8 React Router vulnerable to Denial of Service via reflected user input in single-fetchGHSA-hm92-r4w5-c3mj undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuseGHSA-p88m-4jfj-68fv undici vulnerable to HTTP header injection via Set-Cookie percent-decodingGHSA-pr7r-676h-xcf6 undici vulnerable to cross-user information disclosure via shared cache whitespace bypassCode that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.
A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.