gitsafehub
github.com/segmentio/evergreen ↗

segmentio/evergreen

scanned 2026-06-30 · git 9b774ae
2 of 6 checks flagged a security issue
🔴 Needs attention
Only 4 of 6 checks finished — treat this as provisional. Re-check ↻

Informational scan, not a security audit. How this is computed.

Leaked secretsVulnerable dependencies67Known OSS vulnerabilities295Risky code patternsMalicious dependenciesProject health

Security checks

Leaked secrets — Gitleaks none found ✓

API keys, passwords or tokens committed into the repo.

Nothing found by this check. ✓

via Gitleaks v8.21.2 · MIT

Vulnerable dependencies — Trivy 67 found · 2 serious

Packages you depend on that have known security holes (CVEs).

  • Serious CVE-2023-45133 babel: arbitrary code execution
    docs/yarn.lock
    A package you depend on has a known security hole (CVE-2023-45133). Fix: Update that package to its patched version.
  • Serious CVE-2025-29927 nextjs: Authorization Bypass in Next.js Middleware
    docs/yarn.lock
    A package you depend on has a known security hole (CVE-2025-29927). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-27789 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
    docs/yarn.lock
    A package you depend on has a known security hole (CVE-2025-27789). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-44728 Babel is a compiler for writing next generation JavaScript. From 7.12. ...
    docs/yarn.lock
    A package you depend on has a known security hole (CVE-2026-44728). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-27789 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
    docs/yarn.lock
    A package you depend on has a known security hole (CVE-2025-27789). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-27789 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
    docs/yarn.lock
    A package you depend on has a known security hole (CVE-2025-27789). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-33750 brace-expansion: brace-expansion: Denial of Service via zero step value in brace pattern
    docs/yarn.lock
    A package you depend on has a known security hole (CVE-2026-33750). Fix: Update that package to its patched version.
  • Worth fixing CVE-2017-20165 A vulnerability classified as problematic has been found in debug-js d ...
    docs/yarn.lock
    A package you depend on has a known security hole (CVE-2017-20165). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-21541 dom-iterator code execution vulnerability
    docs/yarn.lock
    A package you depend on has a known security hole (CVE-2024-21541). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-46625 JavaScript Cookie is a JavaScript API for handling cookies, client-sid ...
    docs/yarn.lock
    A package you depend on has a known security hole (CVE-2026-46625). Fix: Update that package to its patched version.
  • Worth fixing CVE-2022-46175 json5: Prototype Pollution in JSON5 via Parse Method
    docs/yarn.lock
    A package you depend on has a known security hole (CVE-2022-46175). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-4800 lodash: lodash: Arbitrary code execution via untrusted input in template imports
    docs/yarn.lock
    A package you depend on has a known security hole (CVE-2026-4800). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-13465 lodash: prototype pollution in _.unset and _.omit functions
    docs/yarn.lock
    A package you depend on has a known security hole (CVE-2025-13465). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-2950 lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypass
    docs/yarn.lock
    A package you depend on has a known security hole (CVE-2026-2950). Fix: Update that package to its patched version.
  • Worth fixing CVE-2022-3517 nodejs-minimatch: ReDoS via the braceExpand function
    docs/yarn.lock
    A package you depend on has a known security hole (CVE-2022-3517). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-26996 minimatch: minimatch: Denial of Service via specially crafted glob patterns
    docs/yarn.lock
    A package you depend on has a known security hole (CVE-2026-26996). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-27903 minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns
    docs/yarn.lock
    A package you depend on has a known security hole (CVE-2026-27903). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-27904 minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions
    docs/yarn.lock
    A package you depend on has a known security hole (CVE-2026-27904). Fix: Update that package to its patched version.
  • Worth fixing CVE-2017-20162 Vercel ms Inefficient Regular Expression Complexity vulnerability
    docs/yarn.lock
    A package you depend on has a known security hole (CVE-2017-20162). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-55565 nanoid: nanoid mishandles non-integer values
    docs/yarn.lock
    A package you depend on has a known security hole (CVE-2024-55565). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-55565 nanoid: nanoid mishandles non-integer values
    docs/yarn.lock
    A package you depend on has a known security hole (CVE-2024-55565). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-51479 next.js: next: authorization bypass in Next.js
    docs/yarn.lock
    A package you depend on has a known security hole (CVE-2024-51479). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-47831 next.js: Next.js image optimization has Denial of Service condition
    docs/yarn.lock
    A package you depend on has a known security hole (CVE-2024-47831). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-55173 nextjs: Next.js Content Injection Vulnerability for Image Optimization
    docs/yarn.lock
    A package you depend on has a known security hole (CVE-2025-55173). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-57752 nextjs: Next.js Affected by Cache Key Confusion for Image Optimization API Routes
    docs/yarn.lock
    A package you depend on has a known security hole (CVE-2025-57752). Fix: Update that package to its patched version.
… 42 more not shown

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 295 found · 20 serious

Your dependencies cross-checked against the OSV vulnerability database.

  • Serious GHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
    /workdirs/scan-f6532caa-c882-4120-be9f-b93b3573ddcd/codemods/yarn.lock
    A package you depend on has a known security hole (CVE-2023-45133). Fix: Update that package to its patched version.
  • Serious GHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
    /workdirs/scan-f6532caa-c882-4120-be9f-b93b3573ddcd/codemods/yarn.lock
    A package you depend on has a known security hole (CVE-2023-45133). Fix: Update that package to its patched version.
  • Serious GHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
    /workdirs/scan-f6532caa-c882-4120-be9f-b93b3573ddcd/docs/yarn.lock
    A package you depend on has a known security hole (CVE-2023-45133). Fix: Update that package to its patched version.
  • Serious GHSA-8mmm-9v2q-x3f9 tschaub gh-pages vulnerable to prototype pollution
    /workdirs/scan-f6532caa-c882-4120-be9f-b93b3573ddcd/docs/yarn.lock
    A package you depend on has a known security hole (CVE-2022-37611). Fix: Update that package to its patched version.
  • Serious GHSA-f82v-jwr5-mffw Authorization Bypass in Next.js Middleware
    /workdirs/scan-f6532caa-c882-4120-be9f-b93b3573ddcd/docs/yarn.lock
    A package you depend on has a known security hole (CVE-2025-29927). Fix: Update that package to its patched version.
  • Serious GHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
    /workdirs/scan-f6532caa-c882-4120-be9f-b93b3573ddcd/yarn.lock
    A package you depend on has a known security hole (CVE-2023-45133). Fix: Update that package to its patched version.
  • Serious GHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
    /workdirs/scan-f6532caa-c882-4120-be9f-b93b3573ddcd/yarn.lock
    A package you depend on has a known security hole (CVE-2023-45133). Fix: Update that package to its patched version.
  • Serious GHSA-cpq7-6gpm-g9rc cipher-base is missing type checks, leading to hash rewind and passing on crafted data
    /workdirs/scan-f6532caa-c882-4120-be9f-b93b3573ddcd/yarn.lock
    A package you depend on has a known security hole (CVE-2025-9287). Fix: Update that package to its patched version.
  • Serious GHSA-vjh7-7g9h-fjfh Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
    /workdirs/scan-f6532caa-c882-4120-be9f-b93b3573ddcd/yarn.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Serious GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary
    /workdirs/scan-f6532caa-c882-4120-be9f-b93b3573ddcd/yarn.lock
    A package you depend on has a known security hole (CVE-2025-7783). Fix: Update that package to its patched version.
  • Serious GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary
    /workdirs/scan-f6532caa-c882-4120-be9f-b93b3573ddcd/yarn.lock
    A package you depend on has a known security hole (CVE-2025-7783). Fix: Update that package to its patched version.
  • Serious GHSA-33f9-j839-rf8h Prototype Pollution in immer
    /workdirs/scan-f6532caa-c882-4120-be9f-b93b3573ddcd/yarn.lock
    A package you depend on has a known security hole (CVE-2021-23436). Fix: Update that package to its patched version.
  • Serious GHSA-896r-f27r-55mw json-schema is vulnerable to Prototype Pollution
    /workdirs/scan-f6532caa-c882-4120-be9f-b93b3573ddcd/yarn.lock
    A package you depend on has a known security hole (CVE-2021-3918). Fix: Update that package to its patched version.
  • Serious GHSA-76p3-8jx3-jpfq Prototype pollution in webpack loader-utils
    /workdirs/scan-f6532caa-c882-4120-be9f-b93b3573ddcd/yarn.lock
    A package you depend on has a known security hole (CVE-2022-37601). Fix: Update that package to its patched version.
  • Serious GHSA-76p3-8jx3-jpfq Prototype pollution in webpack loader-utils
    /workdirs/scan-f6532caa-c882-4120-be9f-b93b3573ddcd/yarn.lock
    A package you depend on has a known security hole (CVE-2022-37601). Fix: Update that package to its patched version.
  • Serious GHSA-h7cp-r72f-jxh6 pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos
    /workdirs/scan-f6532caa-c882-4120-be9f-b93b3573ddcd/yarn.lock
    A package you depend on has a known security hole (CVE-2025-6545). Fix: Update that package to its patched version.
  • Serious GHSA-v62p-rq8g-8h59 pbkdf2 silently disregards Uint8Array input, returning static keys
    /workdirs/scan-f6532caa-c882-4120-be9f-b93b3573ddcd/yarn.lock
    A package you depend on has a known security hole (CVE-2025-6547). Fix: Update that package to its patched version.
  • Serious GHSA-95m3-7q98-8xr5 sha.js is missing type checks leading to hash rewind and passing on crafted data
    /workdirs/scan-f6532caa-c882-4120-be9f-b93b3573ddcd/yarn.lock
    A package you depend on has a known security hole (CVE-2025-9288). Fix: Update that package to its patched version.
  • Serious GHSA-g4rg-993r-mgx7 Improper Neutralization of Special Elements used in a Command in Shell-quote
    /workdirs/scan-f6532caa-c882-4120-be9f-b93b3573ddcd/yarn.lock
    A package you depend on has a known security hole (CVE-2021-42740). Fix: Update that package to its patched version.
  • Serious GHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op values
    /workdirs/scan-f6532caa-c882-4120-be9f-b93b3573ddcd/yarn.lock
    A package you depend on has a known security hole (CVE-2026-9277). Fix: Update that package to its patched version.
  • Worth fixing GHSA-968p-4wvh-cqc8 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
    /workdirs/scan-f6532caa-c882-4120-be9f-b93b3573ddcd/codemods/yarn.lock
    A package you depend on has a known security hole (CVE-2025-27789). Fix: Update that package to its patched version.
  • Worth fixing GHSA-f886-m6hf-6m8v brace-expansion: Zero-step sequence causes process hang and memory exhaustion
    /workdirs/scan-f6532caa-c882-4120-be9f-b93b3573ddcd/codemods/yarn.lock
    A package you depend on has a known security hole (CVE-2026-33750). Fix: Update that package to its patched version.
  • Worth fixing GHSA-grv7-fg5c-xmjg Uncontrolled resource consumption in braces
    /workdirs/scan-f6532caa-c882-4120-be9f-b93b3573ddcd/codemods/yarn.lock
    A package you depend on has a known security hole (CVE-2024-4068). Fix: Update that package to its patched version.
  • Worth fixing GHSA-3xgq-45jj-v275 Regular Expression Denial of Service (ReDoS) in cross-spawn
    /workdirs/scan-f6532caa-c882-4120-be9f-b93b3573ddcd/codemods/yarn.lock
    A package you depend on has a known security hole (CVE-2024-21538). Fix: Update that package to its patched version.
  • Worth fixing GHSA-h67p-54hq-rp68 JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases
    /workdirs/scan-f6532caa-c882-4120-be9f-b93b3573ddcd/codemods/yarn.lock
    A package you depend on has a known security hole (CVE-2026-53550). Fix: Update that package to its patched version.
… 270 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog timed out

Packages that look intentionally malicious — typosquats, sneaky install scripts.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via Guarddog v2.10.0 · Apache-2.0

error: npm:timeout

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard didn’t run

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via OpenSSF Scorecard · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.