Informational scan, not a security audit. How this is computed.
API keys, passwords or tokens committed into the repo.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.
Packages you depend on that have known security holes (CVEs).
CVE-2025-66035 angular: Angular HTTP Client Has XSRF Token Leakage via Protocol-Relative URLsCVE-2026-50170 @angular/common: Information Leak via Default Caching of Credentialed Requests in HttpTransferCacheCVE-2026-50171 @angular/common: Denial of Service (DoS) via OOM in Number Formatting (digitsInfo)CVE-2026-54266 @angular/common: Weak 32-Bit Cache Key Hashing in `HttpTransferCache` Leading to Cross-Request Data Leakage and State PoisoningCVE-2026-54268 @angular/common: Denial of Service (DoS) via OOM in Date Formatting (formatDate)CVE-2025-66412 angular: Angular Stored XSS Vulnerability via SVG Animation, SVG URL and MathML AttributesCVE-2026-22610 angular: Angular: Cross-site scripting vulnerability in Template CompilerCVE-2026-50557 Angular: Template and Attribute Namespace Sanitization Bypass (XSS)CVE-2026-54265 @angular/compiler: Two-Way Property Binding Sanitization Bypass (XSS)CVE-2026-22610 angular: Angular: Cross-site scripting vulnerability in Template CompilerCVE-2026-27970 @angular/core: Angular: Cross-site scripting via compromised translation filesCVE-2026-54267 Angular Client Hydration DOM Clobbering & Response-Cache PoisoningCVE-2026-50557 Angular: Template and Attribute Namespace Sanitization Bypass (XSS)CVE-2026-52725 @angular/core: Angular Template and Dynamic Component Namespace Bypass leading to Cross-Site Scripting (XSS)CVE-2025-27789 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groupsCVE-2024-45801 dompurify: XSS vulnerability via prototype pollutionCVE-2024-47875 dompurify: nesting-based mutation XSS vulnerabilityCVE-2025-26791 dompurify: Mutation XSS in DOMPurify Due to Improper Template Literal HandlingCVE-2026-41239 DOMPurify: Vue 2: DOMPurify: Cross-site scripting due to incomplete sanitization of template expressionsCVE-2026-41240 DOMPurify: DOMPurify: Cross-Site Scripting (XSS) via inconsistent tag sanitizationCVE-2026-49458 DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checksCVE-2026-49459 DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOMCVE-2026-49978 DOMPurify IN_PLACE Sanitization Bypass via Attached Shadow Root Inside <template>.contentGHSA-39q2-94rc-95cp DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluationGHSA-76mc-f452-cxcm DOMPurify: Hook mutation of `data.allowedTags` / `data.allowedAttributes` permanently pollutes `DEFAULT_ALLOWED_TAGS` / `DEFAULT_ALLOWED_ATTR`Your dependencies cross-checked against the OSV vulnerability database.
GHSA-gx9m-whjm-85jf DOMpurify has a nesting-based mXSSGHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundaryGHSA-39pv-4j6c-2g6v @angular/common: Weak 32-Bit Cache Key Hashing in `HttpTransferCache` Leading to Cross-Request Data Leakage and State PoisoningGHSA-48r7-hpm6-gfxm @angular/common: Denial of Service (DoS) via OOM in Date Formatting (formatDate)GHSA-58c5-g7wp-6w37 Angular is Vulnerable to XSRF Token Leakage via Protocol-Relative URLs in Angular HTTP ClientGHSA-p3vc-36g9-x9gr @angular/common: Denial of Service (DoS) via OOM in Number Formatting (digitsInfo)GHSA-q6f4-qqrg-jv6x @angular/common: Information Leak via Default Caching of Credentialed Requests in HttpTransferCacheGHSA-58w9-8g37-x9v5 @angular/compiler: Two-Way Property Binding Sanitization Bypass (XSS)GHSA-f3m7-gqxr-g87x Angular: Template and Attribute Namespace Sanitization Bypass (XSS)GHSA-jrmj-c5cx-3cw6 Angular has XSS Vulnerability via Unsanitized SVG Script AttributesGHSA-v4hv-rgfq-gp49 Angular Stored XSS Vulnerability via SVG Animation, SVG URL and MathML AttributesGHSA-692r-grfm-v8x7 @angular/core: Angular Template and Dynamic Component Namespace Bypass leading to Cross-Site Scripting (XSS)GHSA-f3m7-gqxr-g87x Angular: Template and Attribute Namespace Sanitization Bypass (XSS)GHSA-jrmj-c5cx-3cw6 Angular has XSS Vulnerability via Unsanitized SVG Script AttributesGHSA-prjf-86w9-mfqv Angular i18n vulnerable to Cross-Site ScriptingGHSA-rgjc-h3x7-9mwg Angular Client Hydration DOM Clobbering & Response-Cache PoisoningGHSA-968p-4wvh-cqc8 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groupsGHSA-2g4f-4pwh-qvx6 ajv has ReDoS when using `$data` optionGHSA-39q2-94rc-95cp DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluationGHSA-76mc-f452-cxcm DOMPurify: Hook mutation of `data.allowedTags` / `data.allowedAttributes` permanently pollutes `DEFAULT_ALLOWED_TAGS` / `DEFAULT_ALLOWED_ATTR`GHSA-cj63-jhhr-wcxv DOMPurify USE_PROFILES prototype pollution allows event handlersGHSA-cjmm-f4jc-qw8r DOMPurify ADD_ATTR predicate skips URI validationGHSA-cmwh-pvxp-8882 DOMPurify: Permanent `ALLOWED_ATTR` pollution via `setConfig()` bypassing the hook clone-guard (incomplete fix of the 3.4.7 hook-pollution patch)GHSA-crv5-9vww-q3g8 DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM modeGHSA-h7mw-gpvr-xq4m DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)Code that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.
A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.