gitsafehub
github.com/safing/portmaster ↗

safing/portmaster

scanned 2026-06-30 · git af0c601
2 of 6 checks flagged a security issue
🔴 Needs attention
Only 3 of 6 checks finished — treat this as provisional. Re-check ↻

Informational scan, not a security audit. How this is computed.

Leaked secretsVulnerable dependencies104Known OSS vulnerabilities239Risky code patternsMalicious dependenciesProject health

Security checks

Leaked secrets — Gitleaks timed out

API keys, passwords or tokens committed into the repo.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via Gitleaks v8.21.2 · MIT

error: timeout after 30s

Vulnerable dependencies — Trivy 104 found

Packages you depend on that have known security holes (CVEs).

  • Worth fixing CVE-2025-66035 angular: Angular HTTP Client Has XSRF Token Leakage via Protocol-Relative URLs
    desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2025-66035). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-50170 @angular/common: Information Leak via Default Caching of Credentialed Requests in HttpTransferCache
    desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2026-50170). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-50171 @angular/common: Denial of Service (DoS) via OOM in Number Formatting (digitsInfo)
    desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2026-50171). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-54266 @angular/common: Weak 32-Bit Cache Key Hashing in `HttpTransferCache` Leading to Cross-Request Data Leakage and State Poisoning
    desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2026-54266). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-54268 @angular/common: Denial of Service (DoS) via OOM in Date Formatting (formatDate)
    desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2026-54268). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-66412 angular: Angular Stored XSS Vulnerability via SVG Animation, SVG URL and MathML Attributes
    desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2025-66412). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-22610 angular: Angular: Cross-site scripting vulnerability in Template Compiler
    desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2026-22610). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-50557 Angular: Template and Attribute Namespace Sanitization Bypass (XSS)
    desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2026-50557). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-54265 @angular/compiler: Two-Way Property Binding Sanitization Bypass (XSS)
    desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2026-54265). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-22610 angular: Angular: Cross-site scripting vulnerability in Template Compiler
    desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2026-22610). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-27970 @angular/core: Angular: Cross-site scripting via compromised translation files
    desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2026-27970). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-54267 Angular Client Hydration DOM Clobbering & Response-Cache Poisoning
    desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2026-54267). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-50557 Angular: Template and Attribute Namespace Sanitization Bypass (XSS)
    desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2026-50557). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-52725 @angular/core: Angular Template and Dynamic Component Namespace Bypass leading to Cross-Site Scripting (XSS)
    desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2026-52725). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-27789 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
    desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2025-27789). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-45801 dompurify: XSS vulnerability via prototype pollution
    desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2024-45801). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-47875 dompurify: nesting-based mutation XSS vulnerability
    desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2024-47875). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-26791 dompurify: Mutation XSS in DOMPurify Due to Improper Template Literal Handling
    desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2025-26791). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-41239 DOMPurify: Vue 2: DOMPurify: Cross-site scripting due to incomplete sanitization of template expressions
    desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2026-41239). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-41240 DOMPurify: DOMPurify: Cross-Site Scripting (XSS) via inconsistent tag sanitization
    desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2026-41240). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-49458 DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks
    desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2026-49458). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-49459 DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM
    desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2026-49459). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-49978 DOMPurify IN_PLACE Sanitization Bypass via Attached Shadow Root Inside <template>.content
    desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2026-49978). Fix: Update that package to its patched version.
  • Worth fixing GHSA-39q2-94rc-95cp DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation
    desktop/angular/package-lock.json
    A package you depend on has a known security hole (GHSA-39q2-94rc-95cp). Fix: Update that package to its patched version.
  • Worth fixing GHSA-76mc-f452-cxcm DOMPurify: Hook mutation of `data.allowedTags` / `data.allowedAttributes` permanently pollutes `DEFAULT_ALLOWED_TAGS` / `DEFAULT_ALLOWED_ATTR`
    desktop/angular/package-lock.json
    A package you depend on has a known security hole (GHSA-76mc-f452-cxcm). Fix: Update that package to its patched version.
… 79 more not shown

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 239 found · 2 serious

Your dependencies cross-checked against the OSV vulnerability database.

  • Serious GHSA-gx9m-whjm-85jf DOMpurify has a nesting-based mXSS
    /workdirs/scan-67d1bf4e-928a-4383-a632-64cfb880df36/desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2024-47875). Fix: Update that package to its patched version.
  • Serious GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary
    /workdirs/scan-67d1bf4e-928a-4383-a632-64cfb880df36/desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2025-7783). Fix: Update that package to its patched version.
  • Worth fixing GHSA-39pv-4j6c-2g6v @angular/common: Weak 32-Bit Cache Key Hashing in `HttpTransferCache` Leading to Cross-Request Data Leakage and State Poisoning
    /workdirs/scan-67d1bf4e-928a-4383-a632-64cfb880df36/desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2026-54266). Fix: Update that package to its patched version.
  • Worth fixing GHSA-48r7-hpm6-gfxm @angular/common: Denial of Service (DoS) via OOM in Date Formatting (formatDate)
    /workdirs/scan-67d1bf4e-928a-4383-a632-64cfb880df36/desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2026-54268). Fix: Update that package to its patched version.
  • Worth fixing GHSA-58c5-g7wp-6w37 Angular is Vulnerable to XSRF Token Leakage via Protocol-Relative URLs in Angular HTTP Client
    /workdirs/scan-67d1bf4e-928a-4383-a632-64cfb880df36/desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2025-66035). Fix: Update that package to its patched version.
  • Worth fixing GHSA-p3vc-36g9-x9gr @angular/common: Denial of Service (DoS) via OOM in Number Formatting (digitsInfo)
    /workdirs/scan-67d1bf4e-928a-4383-a632-64cfb880df36/desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2026-50171). Fix: Update that package to its patched version.
  • Worth fixing GHSA-q6f4-qqrg-jv6x @angular/common: Information Leak via Default Caching of Credentialed Requests in HttpTransferCache
    /workdirs/scan-67d1bf4e-928a-4383-a632-64cfb880df36/desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2026-50170). Fix: Update that package to its patched version.
  • Worth fixing GHSA-58w9-8g37-x9v5 @angular/compiler: Two-Way Property Binding Sanitization Bypass (XSS)
    /workdirs/scan-67d1bf4e-928a-4383-a632-64cfb880df36/desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2026-54265). Fix: Update that package to its patched version.
  • Worth fixing GHSA-f3m7-gqxr-g87x Angular: Template and Attribute Namespace Sanitization Bypass (XSS)
    /workdirs/scan-67d1bf4e-928a-4383-a632-64cfb880df36/desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2026-50557). Fix: Update that package to its patched version.
  • Worth fixing GHSA-jrmj-c5cx-3cw6 Angular has XSS Vulnerability via Unsanitized SVG Script Attributes
    /workdirs/scan-67d1bf4e-928a-4383-a632-64cfb880df36/desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2026-22610). Fix: Update that package to its patched version.
  • Worth fixing GHSA-v4hv-rgfq-gp49 Angular Stored XSS Vulnerability via SVG Animation, SVG URL and MathML Attributes
    /workdirs/scan-67d1bf4e-928a-4383-a632-64cfb880df36/desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2025-66412). Fix: Update that package to its patched version.
  • Worth fixing GHSA-692r-grfm-v8x7 @angular/core: Angular Template and Dynamic Component Namespace Bypass leading to Cross-Site Scripting (XSS)
    /workdirs/scan-67d1bf4e-928a-4383-a632-64cfb880df36/desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2026-52725). Fix: Update that package to its patched version.
  • Worth fixing GHSA-f3m7-gqxr-g87x Angular: Template and Attribute Namespace Sanitization Bypass (XSS)
    /workdirs/scan-67d1bf4e-928a-4383-a632-64cfb880df36/desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2026-50557). Fix: Update that package to its patched version.
  • Worth fixing GHSA-jrmj-c5cx-3cw6 Angular has XSS Vulnerability via Unsanitized SVG Script Attributes
    /workdirs/scan-67d1bf4e-928a-4383-a632-64cfb880df36/desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2026-22610). Fix: Update that package to its patched version.
  • Worth fixing GHSA-prjf-86w9-mfqv Angular i18n vulnerable to Cross-Site Scripting
    /workdirs/scan-67d1bf4e-928a-4383-a632-64cfb880df36/desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2026-27970). Fix: Update that package to its patched version.
  • Worth fixing GHSA-rgjc-h3x7-9mwg Angular Client Hydration DOM Clobbering & Response-Cache Poisoning
    /workdirs/scan-67d1bf4e-928a-4383-a632-64cfb880df36/desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2026-54267). Fix: Update that package to its patched version.
  • Worth fixing GHSA-968p-4wvh-cqc8 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
    /workdirs/scan-67d1bf4e-928a-4383-a632-64cfb880df36/desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2025-27789). Fix: Update that package to its patched version.
  • Worth fixing GHSA-2g4f-4pwh-qvx6 ajv has ReDoS when using `$data` option
    /workdirs/scan-67d1bf4e-928a-4383-a632-64cfb880df36/desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2025-69873). Fix: Update that package to its patched version.
  • Worth fixing GHSA-39q2-94rc-95cp DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation
    /workdirs/scan-67d1bf4e-928a-4383-a632-64cfb880df36/desktop/angular/package-lock.json
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-76mc-f452-cxcm DOMPurify: Hook mutation of `data.allowedTags` / `data.allowedAttributes` permanently pollutes `DEFAULT_ALLOWED_TAGS` / `DEFAULT_ALLOWED_ATTR`
    /workdirs/scan-67d1bf4e-928a-4383-a632-64cfb880df36/desktop/angular/package-lock.json
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-cj63-jhhr-wcxv DOMPurify USE_PROFILES prototype pollution allows event handlers
    /workdirs/scan-67d1bf4e-928a-4383-a632-64cfb880df36/desktop/angular/package-lock.json
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-cjmm-f4jc-qw8r DOMPurify ADD_ATTR predicate skips URI validation
    /workdirs/scan-67d1bf4e-928a-4383-a632-64cfb880df36/desktop/angular/package-lock.json
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-cmwh-pvxp-8882 DOMPurify: Permanent `ALLOWED_ATTR` pollution via `setConfig()` bypassing the hook clone-guard (incomplete fix of the 3.4.7 hook-pollution patch)
    /workdirs/scan-67d1bf4e-928a-4383-a632-64cfb880df36/desktop/angular/package-lock.json
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-crv5-9vww-q3g8 DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode
    /workdirs/scan-67d1bf4e-928a-4383-a632-64cfb880df36/desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2026-41239). Fix: Update that package to its patched version.
  • Worth fixing GHSA-h7mw-gpvr-xq4m DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)
    /workdirs/scan-67d1bf4e-928a-4383-a632-64cfb880df36/desktop/angular/package-lock.json
    A package you depend on has a known security hole (CVE-2026-41240). Fix: Update that package to its patched version.
… 214 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog timed out

Packages that look intentionally malicious — typosquats, sneaky install scripts.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via Guarddog v2.10.0 · Apache-2.0

error: go:timeout

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard didn’t run

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via OpenSSF Scorecard · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.