gitsafehub
github.com/ptmt/react-native-macos ↗

ptmt/react-native-macos

scanned 2026-06-30 · git 1bb1d25
3 of 6 checks flagged a security issue
🔴 Needs attention
Only 4 of 6 checks finished — treat this as provisional. Re-check ↻

Informational scan, not a security audit. How this is computed.

Leaked secrets1Vulnerable dependencies96Known OSS vulnerabilities133Risky code patternsMalicious dependenciesProject health

Security checks

Leaked secrets — Gitleaks 1 found

API keys, passwords or tokens committed into the repo.

  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    bots/code-analysis-bot.js:20
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.

via Gitleaks v8.21.2 · MIT

Vulnerable dependencies — Trivy 96 found · 14 serious

Packages you depend on that have known security holes (CVEs).

  • Serious CVE-2023-45133 babel: arbitrary code execution
    yarn.lock
    A package you depend on has a known security hole (CVE-2023-45133). Fix: Update that package to its patched version.
  • Serious CVE-2025-7783 form-data: Unsafe random function in form-data
    yarn.lock
    A package you depend on has a known security hole (CVE-2025-7783). Fix: Update that package to its patched version.
  • Serious CVE-2023-45311 Code injection in fsevents
    yarn.lock
    A package you depend on has a known security hole (CVE-2023-45311). Fix: Update that package to its patched version.
  • Serious CVE-2021-3918 nodejs-json-schema: Prototype pollution vulnerability
    yarn.lock
    A package you depend on has a known security hole (CVE-2021-3918). Fix: Update that package to its patched version.
  • Serious CVE-2019-10744 nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties
    yarn.lock
    A package you depend on has a known security hole (CVE-2019-10744). Fix: Update that package to its patched version.
  • Serious CVE-2021-44906 minimist: prototype pollution
    yarn.lock
    A package you depend on has a known security hole (CVE-2021-44906). Fix: Update that package to its patched version.
  • Serious CVE-2021-44906 minimist: prototype pollution
    yarn.lock
    A package you depend on has a known security hole (CVE-2021-44906). Fix: Update that package to its patched version.
  • Serious CVE-2021-44906 minimist: prototype pollution
    yarn.lock
    A package you depend on has a known security hole (CVE-2021-44906). Fix: Update that package to its patched version.
  • Serious CVE-2022-22912 Prototype pollution in Plist before 3.0.5 can cause denial of service
    yarn.lock
    A package you depend on has a known security hole (CVE-2022-22912). Fix: Update that package to its patched version.
  • Serious CVE-2022-22912 Prototype pollution in Plist before 3.0.5 can cause denial of service
    yarn.lock
    A package you depend on has a known security hole (CVE-2022-22912). Fix: Update that package to its patched version.
  • Serious CVE-2026-9277 shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-9277). Fix: Update that package to its patched version.
  • Serious CVE-2021-42740 The shell-quote package before 1.7.3 for Node.js allows command inject ...
    yarn.lock
    A package you depend on has a known security hole (CVE-2021-42740). Fix: Update that package to its patched version.
  • Serious CVE-2026-9277 shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-9277). Fix: Update that package to its patched version.
  • Serious CVE-2022-26260 Prototype Pollution in simple-plist
    yarn.lock
    A package you depend on has a known security hole (CVE-2022-26260). Fix: Update that package to its patched version.
  • Worth fixing CVE-2020-15366 nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function
    yarn.lock
    A package you depend on has a known security hole (CVE-2020-15366). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-69873 ajv: ReDoS via $data reference
    yarn.lock
    A package you depend on has a known security hole (CVE-2025-69873). Fix: Update that package to its patched version.
  • Worth fixing CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes
    yarn.lock
    A package you depend on has a known security hole (CVE-2021-3807). Fix: Update that package to its patched version.
  • Worth fixing CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes
    yarn.lock
    A package you depend on has a known security hole (CVE-2021-3807). Fix: Update that package to its patched version.
  • Worth fixing CVE-2021-43138 async: Prototype Pollution in async
    yarn.lock
    A package you depend on has a known security hole (CVE-2021-43138). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-33750 brace-expansion: brace-expansion: Denial of Service via zero step value in brace pattern
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-33750). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-4068 braces: fails to limit the number of characters it can handle
    yarn.lock
    A package you depend on has a known security hole (CVE-2024-4068). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-4068 braces: fails to limit the number of characters it can handle
    yarn.lock
    A package you depend on has a known security hole (CVE-2024-4068). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-21538 cross-spawn: regular expression denial of service
    yarn.lock
    A package you depend on has a known security hole (CVE-2024-21538). Fix: Update that package to its patched version.
  • Worth fixing CVE-2022-38900 decode-uri-component: improper input validation resulting in DoS
    yarn.lock
    A package you depend on has a known security hole (CVE-2022-38900). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-12143 form-data is a library for creating readable multipart/form-data strea ...
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-12143). Fix: Update that package to its patched version.
… 71 more not shown

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 133 found · 19 serious

Your dependencies cross-checked against the OSV vulnerability database.

  • Serious GHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
    /workdirs/scan-ffa15100-970b-43b7-bead-5367abf7d132/yarn.lock
    A package you depend on has a known security hole (CVE-2023-45133). Fix: Update that package to its patched version.
  • Serious GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary
    /workdirs/scan-ffa15100-970b-43b7-bead-5367abf7d132/yarn.lock
    A package you depend on has a known security hole (CVE-2025-7783). Fix: Update that package to its patched version.
  • Serious MAL-2023-462 Malicious code in fsevents (npm)
    /workdirs/scan-ffa15100-970b-43b7-bead-5367abf7d132/yarn.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Serious GHSA-8r6j-v8pm-fqw3 Code injection in fsevents
    /workdirs/scan-ffa15100-970b-43b7-bead-5367abf7d132/yarn.lock
    A package you depend on has a known security hole (CVE-2023-45311). Fix: Update that package to its patched version.
  • Serious GHSA-2w6w-674q-4c4q Handlebars.js has JavaScript Injection via AST Type Confusion
    /workdirs/scan-ffa15100-970b-43b7-bead-5367abf7d132/yarn.lock
    A package you depend on has a known security hole (CVE-2026-33937). Fix: Update that package to its patched version.
  • Serious GHSA-765h-qjxv-5f44 Prototype Pollution in handlebars
    /workdirs/scan-ffa15100-970b-43b7-bead-5367abf7d132/yarn.lock
    A package you depend on has a known security hole (CVE-2021-23383). Fix: Update that package to its patched version.
  • Serious GHSA-f2jv-r9rf-7988 Remote code execution in handlebars when compiling templates
    /workdirs/scan-ffa15100-970b-43b7-bead-5367abf7d132/yarn.lock
    A package you depend on has a known security hole (CVE-2021-23369). Fix: Update that package to its patched version.
  • Serious GHSA-896r-f27r-55mw json-schema is vulnerable to Prototype Pollution
    /workdirs/scan-ffa15100-970b-43b7-bead-5367abf7d132/yarn.lock
    A package you depend on has a known security hole (CVE-2021-3918). Fix: Update that package to its patched version.
  • Serious GHSA-jf85-cpcp-j695 Prototype Pollution in lodash
    /workdirs/scan-ffa15100-970b-43b7-bead-5367abf7d132/yarn.lock
    A package you depend on has a known security hole (CVE-2019-10744). Fix: Update that package to its patched version.
  • Serious GHSA-xvch-5gv4-984h Prototype Pollution in minimist
    /workdirs/scan-ffa15100-970b-43b7-bead-5367abf7d132/yarn.lock
    A package you depend on has a known security hole (CVE-2021-44906). Fix: Update that package to its patched version.
  • Serious GHSA-xvch-5gv4-984h Prototype Pollution in minimist
    /workdirs/scan-ffa15100-970b-43b7-bead-5367abf7d132/yarn.lock
    A package you depend on has a known security hole (CVE-2021-44906). Fix: Update that package to its patched version.
  • Serious GHSA-xvch-5gv4-984h Prototype Pollution in minimist
    /workdirs/scan-ffa15100-970b-43b7-bead-5367abf7d132/yarn.lock
    A package you depend on has a known security hole (CVE-2021-44906). Fix: Update that package to its patched version.
  • Serious GHSA-4cpg-3vgw-4877 Prototype pollution in Plist before 3.0.5 can cause denial of service
    /workdirs/scan-ffa15100-970b-43b7-bead-5367abf7d132/yarn.lock
    A package you depend on has a known security hole (CVE-2022-22912). Fix: Update that package to its patched version.
  • Serious GHSA-4cpg-3vgw-4877 Prototype pollution in Plist before 3.0.5 can cause denial of service
    /workdirs/scan-ffa15100-970b-43b7-bead-5367abf7d132/yarn.lock
    A package you depend on has a known security hole (CVE-2022-22912). Fix: Update that package to its patched version.
  • Serious GHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op values
    /workdirs/scan-ffa15100-970b-43b7-bead-5367abf7d132/yarn.lock
    A package you depend on has a known security hole (CVE-2026-9277). Fix: Update that package to its patched version.
  • Serious GHSA-g4rg-993r-mgx7 Improper Neutralization of Special Elements used in a Command in Shell-quote
    /workdirs/scan-ffa15100-970b-43b7-bead-5367abf7d132/yarn.lock
    A package you depend on has a known security hole (CVE-2021-42740). Fix: Update that package to its patched version.
  • Serious GHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op values
    /workdirs/scan-ffa15100-970b-43b7-bead-5367abf7d132/yarn.lock
    A package you depend on has a known security hole (CVE-2026-9277). Fix: Update that package to its patched version.
  • Serious GHSA-gff7-g5r8-mg8m Prototype Pollution in simple-plist
    /workdirs/scan-ffa15100-970b-43b7-bead-5367abf7d132/yarn.lock
    A package you depend on has a known security hole (CVE-2022-26260). Fix: Update that package to its patched version.
  • Serious GHSA-crh6-fp67-6883 xmldom allows multiple root nodes in a DOM
    /workdirs/scan-ffa15100-970b-43b7-bead-5367abf7d132/yarn.lock
    A package you depend on has a known security hole (CVE-2022-39353). Fix: Update that package to its patched version.
  • Worth fixing GHSA-6chw-6frg-f759 Regular Expression Denial of Service in Acorn
    /workdirs/scan-ffa15100-970b-43b7-bead-5367abf7d132/yarn.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-6chw-6frg-f759 Regular Expression Denial of Service in Acorn
    /workdirs/scan-ffa15100-970b-43b7-bead-5367abf7d132/yarn.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-2g4f-4pwh-qvx6 ajv has ReDoS when using `$data` option
    /workdirs/scan-ffa15100-970b-43b7-bead-5367abf7d132/yarn.lock
    A package you depend on has a known security hole (CVE-2025-69873). Fix: Update that package to its patched version.
  • Worth fixing GHSA-v88g-cgmw-v5xw Prototype Pollution in Ajv
    /workdirs/scan-ffa15100-970b-43b7-bead-5367abf7d132/yarn.lock
    A package you depend on has a known security hole (CVE-2020-15366). Fix: Update that package to its patched version.
  • Worth fixing GHSA-2g4f-4pwh-qvx6 ajv has ReDoS when using `$data` option
    /workdirs/scan-ffa15100-970b-43b7-bead-5367abf7d132/yarn.lock
    A package you depend on has a known security hole (CVE-2025-69873). Fix: Update that package to its patched version.
  • Worth fixing GHSA-v88g-cgmw-v5xw Prototype Pollution in Ajv
    /workdirs/scan-ffa15100-970b-43b7-bead-5367abf7d132/yarn.lock
    A package you depend on has a known security hole (CVE-2020-15366). Fix: Update that package to its patched version.
… 108 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog timed out

Packages that look intentionally malicious — typosquats, sneaky install scripts.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via Guarddog v2.10.0 · Apache-2.0

error: npm:timeout

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard didn’t run

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via OpenSSF Scorecard · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.