gitsafehub
github.com/selectize/selectize.js ↗

selectize/selectize.js

scanned 2026-06-30 · git e6ca6d3
3 of 6 checks flagged a security issue
🔴 Needs attention
Only 4 of 6 checks finished — treat this as provisional. Re-check ↻

Informational scan, not a security audit. How this is computed.

Leaked secrets4Vulnerable dependencies110Known OSS vulnerabilities182Risky code patternsMalicious dependenciesProject health

Security checks

Leaked secrets — Gitleaks 4 found · 1 serious

API keys, passwords or tokens committed into the repo.

  • Serious private-key Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.
    docs/.ssl/loopback_website.key:1
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    docs/docusaurus.config.js:110
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    docs/docusaurus.config.js:109
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    docs/docusaurus.config.js:109
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.

via Gitleaks v8.21.2 · MIT

Vulnerable dependencies — Trivy 110 found · 3 serious

Packages you depend on that have known security holes (CVEs).

  • Serious CVE-2023-45133 babel: arbitrary code execution
    docs/package-lock.json
    A package you depend on has a known security hole (CVE-2023-45133). Fix: Update that package to its patched version.
  • Serious CVE-2026-9277 shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators
    docs/package-lock.json
    A package you depend on has a known security hole (CVE-2026-9277). Fix: Update that package to its patched version.
  • Serious CVE-2023-28154 webpack: avoid cross-realm objects
    docs/package-lock.json
    A package you depend on has a known security hole (CVE-2023-28154). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-27789 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
    docs/package-lock.json
    A package you depend on has a known security hole (CVE-2025-27789). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-44728 Babel is a compiler for writing next generation JavaScript. From 7.12. ...
    docs/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44728). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-27789 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
    docs/package-lock.json
    A package you depend on has a known security hole (CVE-2025-27789). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-27789 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
    docs/package-lock.json
    A package you depend on has a known security hole (CVE-2025-27789). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-69873 ajv: ReDoS via $data reference
    docs/package-lock.json
    A package you depend on has a known security hole (CVE-2025-69873). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-69873 ajv: ReDoS via $data reference
    docs/package-lock.json
    A package you depend on has a known security hole (CVE-2025-69873). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-3193 algoliasearch-helper: algoliasearch-helper prototype pollution
    docs/package-lock.json
    A package you depend on has a known security hole (CVE-2025-3193). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-27152 axios: Possible SSRF and Credential Leakage via Absolute URL in axios Requests
    docs/package-lock.json
    A package you depend on has a known security hole (CVE-2025-27152). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-25639 axios: Axios affected by Denial of Service via __proto__ Key in mergeConfig
    docs/package-lock.json
    A package you depend on has a known security hole (CVE-2026-25639). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42033 axios: Axios: HTTP Transport Hijacking via Prototype Pollution
    docs/package-lock.json
    A package you depend on has a known security hole (CVE-2026-42033). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42035 axios: Axios: Arbitrary HTTP header injection via prototype pollution
    docs/package-lock.json
    A package you depend on has a known security hole (CVE-2026-42035). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42043 axios: Axios: NO_PROXY bypass via crafted URL
    docs/package-lock.json
    A package you depend on has a known security hole (CVE-2026-42043). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-44486 axios: Axios: Information disclosure of proxy credentials via HTTP redirects
    docs/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44486). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-44487 axios: Axios: Information disclosure of proxy credentials via redirect flows
    docs/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44487). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-44492 axios: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization
    docs/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44492). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-44495 axios: Axios: Information disclosure due to prototype pollution vulnerability
    docs/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44495). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-44496 axios: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name
    docs/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44496). Fix: Update that package to its patched version.
  • Worth fixing CVE-2023-45857 axios: exposure of confidential data stored in cookies
    docs/package-lock.json
    A package you depend on has a known security hole (CVE-2023-45857). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-62718 axios: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization
    docs/package-lock.json
    A package you depend on has a known security hole (CVE-2025-62718). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-40175 axios: Axios: Remote Code Execution via Prototype Pollution escalation
    docs/package-lock.json
    A package you depend on has a known security hole (CVE-2026-40175). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42034 axios: Axios: Denial of Service via oversized streamed uploads bypassing body limits
    docs/package-lock.json
    A package you depend on has a known security hole (CVE-2026-42034). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42036 axios: Axios: Denial of Service via unbounded stream consumption when 'responseType: 'stream'' is used
    docs/package-lock.json
    A package you depend on has a known security hole (CVE-2026-42036). Fix: Update that package to its patched version.
… 85 more not shown

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 182 found · 7 serious

Your dependencies cross-checked against the OSV vulnerability database.

  • Serious GHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
    /workdirs/scan-02de0947-e53b-4caa-b232-e2ea3181bdac/docs/package-lock.json
    A package you depend on has a known security hole (CVE-2023-45133). Fix: Update that package to its patched version.
  • Serious GHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op values
    /workdirs/scan-02de0947-e53b-4caa-b232-e2ea3181bdac/docs/package-lock.json
    A package you depend on has a known security hole (CVE-2026-9277). Fix: Update that package to its patched version.
  • Serious GHSA-hc6q-2mpp-qw7j Cross-realm object access in Webpack 5
    /workdirs/scan-02de0947-e53b-4caa-b232-e2ea3181bdac/docs/package-lock.json
    A package you depend on has a known security hole (CVE-2023-28154). Fix: Update that package to its patched version.
  • Serious GHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
    /workdirs/scan-02de0947-e53b-4caa-b232-e2ea3181bdac/package-lock.json
    A package you depend on has a known security hole (CVE-2023-45133). Fix: Update that package to its patched version.
  • Serious GHSA-2w6w-674q-4c4q Handlebars.js has JavaScript Injection via AST Type Confusion
    /workdirs/scan-02de0947-e53b-4caa-b232-e2ea3181bdac/package-lock.json
    A package you depend on has a known security hole (CVE-2026-33937). Fix: Update that package to its patched version.
  • Serious GHSA-wf6x-7x77-mvgw Immutable is vulnerable to Prototype Pollution
    /workdirs/scan-02de0947-e53b-4caa-b232-e2ea3181bdac/package-lock.json
    A package you depend on has a known security hole (CVE-2026-29063). Fix: Update that package to its patched version.
  • Serious GHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op values
    /workdirs/scan-02de0947-e53b-4caa-b232-e2ea3181bdac/package-lock.json
    A package you depend on has a known security hole (CVE-2026-9277). Fix: Update that package to its patched version.
  • Worth fixing GHSA-968p-4wvh-cqc8 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
    /workdirs/scan-02de0947-e53b-4caa-b232-e2ea3181bdac/docs/package-lock.json
    A package you depend on has a known security hole (CVE-2025-27789). Fix: Update that package to its patched version.
  • Worth fixing GHSA-fv7c-fp4j-7gwp @babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input
    /workdirs/scan-02de0947-e53b-4caa-b232-e2ea3181bdac/docs/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44728). Fix: Update that package to its patched version.
  • Worth fixing GHSA-968p-4wvh-cqc8 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
    /workdirs/scan-02de0947-e53b-4caa-b232-e2ea3181bdac/docs/package-lock.json
    A package you depend on has a known security hole (CVE-2025-27789). Fix: Update that package to its patched version.
  • Worth fixing GHSA-968p-4wvh-cqc8 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
    /workdirs/scan-02de0947-e53b-4caa-b232-e2ea3181bdac/docs/package-lock.json
    A package you depend on has a known security hole (CVE-2025-27789). Fix: Update that package to its patched version.
  • Worth fixing GHSA-2g4f-4pwh-qvx6 ajv has ReDoS when using `$data` option
    /workdirs/scan-02de0947-e53b-4caa-b232-e2ea3181bdac/docs/package-lock.json
    A package you depend on has a known security hole (CVE-2025-69873). Fix: Update that package to its patched version.
  • Worth fixing GHSA-2g4f-4pwh-qvx6 ajv has ReDoS when using `$data` option
    /workdirs/scan-02de0947-e53b-4caa-b232-e2ea3181bdac/docs/package-lock.json
    A package you depend on has a known security hole (CVE-2025-69873). Fix: Update that package to its patched version.
  • Worth fixing GHSA-529q-4j3p-7c5r algoliasearch-helper is vulnerable to Prototype Pollution in _merge()
    /workdirs/scan-02de0947-e53b-4caa-b232-e2ea3181bdac/docs/package-lock.json
    A package you depend on has a known security hole (CVE-2025-3193). Fix: Update that package to its patched version.
  • Worth fixing GHSA-3g43-6gmg-66jw axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge
    /workdirs/scan-02de0947-e53b-4caa-b232-e2ea3181bdac/docs/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44495). Fix: Update that package to its patched version.
  • Worth fixing GHSA-3p68-rc4w-qgx5 Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF
    /workdirs/scan-02de0947-e53b-4caa-b232-e2ea3181bdac/docs/package-lock.json
    A package you depend on has a known security hole (CVE-2025-62718). Fix: Update that package to its patched version.
  • Worth fixing GHSA-43fc-jf86-j433 Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig
    /workdirs/scan-02de0947-e53b-4caa-b232-e2ea3181bdac/docs/package-lock.json
    A package you depend on has a known security hole (CVE-2026-25639). Fix: Update that package to its patched version.
  • Worth fixing GHSA-5c9x-8gcm-mpgx Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0
    /workdirs/scan-02de0947-e53b-4caa-b232-e2ea3181bdac/docs/package-lock.json
    A package you depend on has a known security hole (CVE-2026-42034). Fix: Update that package to its patched version.
  • Worth fixing GHSA-62hf-57xw-28j9 Axios: unbounded recursion in toFormData causes DoS via deeply nested request data
    /workdirs/scan-02de0947-e53b-4caa-b232-e2ea3181bdac/docs/package-lock.json
    A package you depend on has a known security hole (CVE-2026-42039). Fix: Update that package to its patched version.
  • Worth fixing GHSA-6chq-wfr3-2hj9 Axios: Header Injection via Prototype Pollution
    /workdirs/scan-02de0947-e53b-4caa-b232-e2ea3181bdac/docs/package-lock.json
    A package you depend on has a known security hole (CVE-2026-42035). Fix: Update that package to its patched version.
  • Worth fixing GHSA-898c-q2cr-xwhg axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions
    /workdirs/scan-02de0947-e53b-4caa-b232-e2ea3181bdac/docs/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44490). Fix: Update that package to its patched version.
  • Worth fixing GHSA-fvcv-3m26-pcqx Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain
    /workdirs/scan-02de0947-e53b-4caa-b232-e2ea3181bdac/docs/package-lock.json
    A package you depend on has a known security hole (CVE-2026-40175). Fix: Update that package to its patched version.
  • Worth fixing GHSA-hfxv-24rg-xrqf Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection
    /workdirs/scan-02de0947-e53b-4caa-b232-e2ea3181bdac/docs/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44496). Fix: Update that package to its patched version.
  • Worth fixing GHSA-j5f8-grm9-p9fc Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection
    /workdirs/scan-02de0947-e53b-4caa-b232-e2ea3181bdac/docs/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44486). Fix: Update that package to its patched version.
  • Worth fixing GHSA-jr5f-v2jv-69x6 axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL
    /workdirs/scan-02de0947-e53b-4caa-b232-e2ea3181bdac/docs/package-lock.json
    A package you depend on has a known security hole (CVE-2025-27152). Fix: Update that package to its patched version.
… 157 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog timed out

Packages that look intentionally malicious — typosquats, sneaky install scripts.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via Guarddog v2.10.0 · Apache-2.0

error: npm:timeout

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard didn’t run

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via OpenSSF Scorecard · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.