gitsafehub
github.com/plotly/plotly.py

plotly/plotly.py

scanned 2026-06-28 · git 5cdb606
1 of 6 checks flagged a security issue
🔴 Needs attention
Only 3 of 6 checks finished — treat this as provisional.

Informational scan, not a security audit.

Summary: Leaked secrets · Vulnerable dependencies: 107 · Known OSS vulnerabilities · Risky code patterns · Malicious dependencies · Project health: 6 notes

Security checks

Leaked secrets — Gitleaks timed out

API keys, passwords or tokens committed into the repo.

This check didn’t finish — that’s not the same as “clean.”

via Gitleaks v8.21.2 · MIT

error: timeout after 1800s

Vulnerable dependencies — Trivy 107 found · 3 serious

Packages you depend on that have known security holes (CVEs).

  Each entry below is a package you depend on with a known security hole (severity · advisory · title · manifest it was found in). Fix in every case: update that package to its patched version.

  • Serious · GHSA-q5fm-55c2-v6j9 · Fiona affected by CVE-2023-45853 related to MiniZip madler-zlib · uv.lock
  • Serious · CVE-2026-44727 · Jupyter Server is the backend for Jupyter web applications. Prior to 2 ... · uv.lock
  • Serious · CVE-2026-44727 · Jupyter Server is the backend for Jupyter web applications. Prior to 2 ... · uv.lock
  • Worth fixing · CVE-2025-69662 · SQL injection vulnerability in geopandas before v.1.1.2 allows an atta ... · doc/requirements.txt
  • Worth fixing · CVE-2025-53000 · nbconvert: nbconvert: Arbitrary code execution via malicious SVG to PDF conversion on Windows · doc/requirements.txt
  • Worth fixing · CVE-2021-32862 · The GitHub Security Lab discovered sixteen ways to exploit a cross-sit ... · doc/requirements.txt
  • Worth fixing · CVE-2026-4800 · lodash: lodash: Arbitrary code execution via untrusted input in template imports · js/package-lock.json
  • Worth fixing · CVE-2025-13465 · lodash: prototype pollution in _.unset and _.omit functions · js/package-lock.json
  • Worth fixing · CVE-2026-2950 · lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypass · js/package-lock.json
  • Worth fixing · CVE-2026-5758 · protocol-buffers-schema: protocol-buffers-schema: Remote code execution via prototype pollution · js/package-lock.json
  • Worth fixing · CVE-2023-41334 · Astropy is a project for astronomy in Python that fosters interoperabi ... · uv.lock
  • Worth fixing · CVE-2023-41334 · Astropy is a project for astronomy in Python that fosters interoperabi ... · uv.lock
  • Worth fixing · GHSA-gj48-438w-jh9v · Bleach clean() / Cleaner() fails to sanitize dangerous URI schemes in allowed formaction attributes · uv.lock
  • Worth fixing · GHSA-gj48-438w-jh9v · Bleach clean() / Cleaner() fails to sanitize dangerous URI schemes in allowed formaction attributes · uv.lock
  • Worth fixing · GHSA-gj48-438w-jh9v · Bleach clean() / Cleaner() fails to sanitize dangerous URI schemes in allowed formaction attributes · uv.lock
  • Worth fixing · CVE-2025-68146 · filelock: filelock: Time-of-Check-Time-of-Use (TOCTOU) race condition and symlink attack allows arbitrary file corruption or truncation · uv.lock
  • Worth fixing · CVE-2026-22701 · filelock: filelock Time-of-Check-Time-of-Use (TOCTOU) in SoftFileLock · uv.lock
  • Worth fixing · CVE-2025-68146 · filelock: filelock: Time-of-Check-Time-of-Use (TOCTOU) race condition and symlink attack allows arbitrary file corruption or truncation · uv.lock
  • Worth fixing · CVE-2026-22701 · filelock: filelock Time-of-Check-Time-of-Use (TOCTOU) in SoftFileLock · uv.lock
  • Worth fixing · GHSA-g4m4-9q4c-mfw6 · Fiona affected by CVE-2020-14152 related to madler-zlib · uv.lock
  • Worth fixing · CVE-2025-66034 · fonttools: fontTools: Arbitrary file write leading to remote code execution via malicious .designspace file · uv.lock
  • Worth fixing · CVE-2025-69662 · SQL injection vulnerability in geopandas before v.1.1.2 allows an atta ... · uv.lock
  • Worth fixing · CVE-2025-69662 · SQL injection vulnerability in geopandas before v.1.1.2 allows an atta ... · uv.lock
  • Worth fixing · CVE-2026-45409 · Internationalized Domain Names in Applications (IDNA) for Python provi ... · uv.lock
  • Worth fixing · CVE-2026-35397 · jupyter-server: Jupyter Server: Unauthorized File Access via Path Traversal Vulnerability · uv.lock
… 82 more not shown

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner timed out

Your dependencies cross-checked against the OSV vulnerability database.

This check didn’t finish — that’s not the same as “clean.”

via OSV-Scanner v1.9.2 · Apache-2.0

error: timeout after 1800s

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog couldn’t run

Packages that look intentionally malicious — typosquats, sneaky install scripts.

This check didn’t finish — that’s not the same as “clean.”

via Guarddog v2.10.0 · Apache-2.0

error: pypi:Traceback (most recent call last): File "/usr/local/bin/guarddog", line 5, in <module> from guarddog.cli import cl

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard 6 notes

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

  Each note is a project-health signal (maintenance / supply-chain hygiene), not a vulnerability in your code.

  • Minor · scorecard-overall · OpenSSF Scorecard overall: 6.8/10
  • Minor · scorecard-CII-Best-Practices · CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
  • Minor · scorecard-Fuzzing · Fuzzing scored 0: project is not fuzzed
  • Minor · scorecard-SAST · SAST scored 0: SAST tool is not run on all commits -- score normalized to 0
  • Minor · scorecard-Signed-Releases · Signed-Releases scored 0: Project has not signed or included provenance with any releases.
  • Minor · scorecard-Token-Permissions · Token-Permissions scored 0: detected GitHub workflow tokens with excessive permissions

via OpenSSF Scorecard v5.5.0 · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.