Informational scan, not a security audit. How this is computed.
API keys, passwords or tokens committed into the repo.
generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.Packages you depend on that have known security holes (CVEs).
CVE-2023-45133 babel: arbitrary code executionCVE-2025-7783 form-data: Unsafe random function in form-dataCVE-2023-45311 Code injection in fseventsCVE-2021-3918 nodejs-json-schema: Prototype pollution vulnerabilityCVE-2019-10744 nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying propertiesCVE-2021-44906 minimist: prototype pollutionCVE-2021-44906 minimist: prototype pollutionCVE-2021-44906 minimist: prototype pollutionCVE-2022-22912 Prototype pollution in Plist before 3.0.5 can cause denial of serviceCVE-2022-22912 Prototype pollution in Plist before 3.0.5 can cause denial of serviceCVE-2026-9277 shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminatorsCVE-2021-42740 The shell-quote package before 1.7.3 for Node.js allows command inject ...CVE-2026-9277 shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminatorsCVE-2022-26260 Prototype Pollution in simple-plistCVE-2020-15366 nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate functionCVE-2025-69873 ajv: ReDoS via $data referenceCVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codesCVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codesCVE-2021-43138 async: Prototype Pollution in asyncCVE-2026-33750 brace-expansion: brace-expansion: Denial of Service via zero step value in brace patternCVE-2024-4068 braces: fails to limit the number of characters it can handleCVE-2024-4068 braces: fails to limit the number of characters it can handleCVE-2024-21538 cross-spawn: regular expression denial of serviceCVE-2022-38900 decode-uri-component: improper input validation resulting in DoSCVE-2026-12143 form-data is a library for creating readable multipart/form-data strea ...Your dependencies cross-checked against the OSV vulnerability database.
GHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious codeGHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundaryMAL-2023-462 Malicious code in fsevents (npm)GHSA-8r6j-v8pm-fqw3 Code injection in fseventsGHSA-2w6w-674q-4c4q Handlebars.js has JavaScript Injection via AST Type ConfusionGHSA-765h-qjxv-5f44 Prototype Pollution in handlebarsGHSA-f2jv-r9rf-7988 Remote code execution in handlebars when compiling templatesGHSA-896r-f27r-55mw json-schema is vulnerable to Prototype PollutionGHSA-jf85-cpcp-j695 Prototype Pollution in lodashGHSA-xvch-5gv4-984h Prototype Pollution in minimistGHSA-xvch-5gv4-984h Prototype Pollution in minimistGHSA-xvch-5gv4-984h Prototype Pollution in minimistGHSA-4cpg-3vgw-4877 Prototype pollution in Plist before 3.0.5 can cause denial of serviceGHSA-4cpg-3vgw-4877 Prototype pollution in Plist before 3.0.5 can cause denial of serviceGHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op valuesGHSA-g4rg-993r-mgx7 Improper Neutralization of Special Elements used in a Command in Shell-quoteGHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op valuesGHSA-gff7-g5r8-mg8m Prototype Pollution in simple-plistGHSA-crh6-fp67-6883 xmldom allows multiple root nodes in a DOMGHSA-6chw-6frg-f759 Regular Expression Denial of Service in AcornGHSA-6chw-6frg-f759 Regular Expression Denial of Service in AcornGHSA-2g4f-4pwh-qvx6 ajv has ReDoS when using `$data` optionGHSA-v88g-cgmw-v5xw Prototype Pollution in AjvGHSA-2g4f-4pwh-qvx6 ajv has ReDoS when using `$data` optionGHSA-v88g-cgmw-v5xw Prototype Pollution in AjvCode that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.
A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.