Informational scan, not a security audit.
API keys, passwords or tokens committed into the repo.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.
Packages you depend on that have known security holes (CVEs).
CVE-2023-45133 babel: arbitrary code execution
CVE-2025-9287 cipher-base: Cipher-base hash manipulation
CVE-2022-29078 ejs: server-side template injection in outputFunctionName
GHSA-vjh7-7g9h-fjfh Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
CVE-2025-7783 form-data: Unsafe random function in form-data
CVE-2021-23436 immer: type confusion vulnerability can lead to a bypass of CVE-2020-28477
CVE-2022-37601 loader-utils: prototype pollution in function parseQuery in parseQuery.js
CVE-2025-6545 pbkdf2: pbkdf2 silently returns predictable key material
CVE-2025-6547 pbkdf2: pbkdf2 silently returns static keys
CVE-2025-9288 sha.js: Missing type checks leading to hash rewind and passing on crafted data
CVE-2021-42740 The shell-quote package before 1.7.3 for Node.js allows command inject ...
CVE-2026-9277 shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators
CVE-2023-45133 babel: arbitrary code execution
CVE-2025-7783 form-data: Unsafe random function in form-data
CVE-2026-9277 shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators
CVE-2026-9277 shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators
CVE-2025-29927 nextjs: Authorization Bypass in Next.js Middleware
CVE-2026-9277 shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators
CVE-2026-9277 shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators
CVE-2025-27789 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
CVE-2026-44728 Babel is a compiler for writing next generation JavaScript. From 7.12. ...
CVE-2025-27789 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
CVE-2026-34601 xmldom: xmldom: XML structure injection via CDATA terminator
CVE-2026-41672 xmldom: @xmldom/xmldom: xmldom: Arbitrary XML Node Injection
CVE-2026-41673 @xmldom/xmldom: xmldom: xmldom: Denial of Service via deeply nested XML documents

Your dependencies cross-checked against the OSV vulnerability database.
GHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
GHSA-cpq7-6gpm-g9rc cipher-base is missing type checks, leading to hash rewind and passing on crafted data
GHSA-phwq-j96m-2c2q ejs template injection vulnerability
GHSA-vjh7-7g9h-fjfh Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary
GHSA-33f9-j839-rf8h Prototype Pollution in immer
GHSA-76p3-8jx3-jpfq Prototype pollution in webpack loader-utils
GHSA-h7cp-r72f-jxh6 pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos
GHSA-v62p-rq8g-8h59 pbkdf2 silently disregards Uint8Array input, returning static keys
GHSA-95m3-7q98-8xr5 sha.js is missing type checks leading to hash rewind and passing on crafted data
GHSA-g4rg-993r-mgx7 Improper Neutralization of Special Elements used in a Command in Shell-quote
GHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op values
GHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary
GHSA-87r5-mp6g-5w5j jsonpath has Arbitrary Code Injection via Unsafe Evaluation of JSON Path Expressions
GHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op values
GHSA-399j-vxmf-hjvr @react-native-community/cli has arbitrary OS command injection
GHSA-399j-vxmf-hjvr @react-native-community/cli has arbitrary OS command injection
GHSA-m7jm-9gc2-mpf2 fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names
GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary
GHSA-fv66-9v8q-g76r React Server Components are Vulnerable to RCE
GHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op values
GHSA-f82v-jwr5-mffw Authorization Bypass in Next.js Middleware
GHSA-399j-vxmf-hjvr @react-native-community/cli has arbitrary OS command injection
GHSA-399j-vxmf-hjvr @react-native-community/cli has arbitrary OS command injection

Code that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.
A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.