gitsafehub
github.com/smol-ai/developer ↗

smol-ai/developer

scanned 2026-06-30 · git a6747d1
2 of 6 checks flagged a security issue
🔴 Needs attention
Only 5 of 6 checks finished — treat this as provisional. Re-check ↻

Informational scan, not a security audit. How this is computed.

Leaked secretsVulnerable dependencies74Known OSS vulnerabilities75Risky code patternsMalicious dependenciesProject health

Security checks

Leaked secrets — Gitleaks none found ✓

API keys, passwords or tokens committed into the repo.

Nothing found by this check. ✓

via Gitleaks v8.21.2 · MIT

Vulnerable dependencies — Trivy 74 found · 1 serious

Packages you depend on that have known security holes (CVEs).

  • Serious CVE-2025-43859 h11: h11 accepts some malformed Chunked-Encoding bodies
    poetry.lock
    A package you depend on has a known security hole (CVE-2025-43859). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-23334 aiohttp: follow_symlinks directory traversal vulnerability
    poetry.lock
    A package you depend on has a known security hole (CVE-2024-23334). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-30251 aiohttp: DoS when trying to parse malformed POST requests
    poetry.lock
    A package you depend on has a known security hole (CVE-2024-30251). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-69223 aiohttp: AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
    poetry.lock
    A package you depend on has a known security hole (CVE-2025-69223). Fix: Update that package to its patched version.
  • Worth fixing CVE-2023-47627 python-aiohttp: numerous issues in HTTP parser with header parsing
    poetry.lock
    A package you depend on has a known security hole (CVE-2023-47627). Fix: Update that package to its patched version.
  • Worth fixing CVE-2023-49081 aiohttp: HTTP request modification
    poetry.lock
    A package you depend on has a known security hole (CVE-2023-49081). Fix: Update that package to its patched version.
  • Worth fixing CVE-2023-49082 aiohttp: CRLF injection if user controls the HTTP method using aiohttp client
    poetry.lock
    A package you depend on has a known security hole (CVE-2023-49082). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-23829 python-aiohttp: http request smuggling
    poetry.lock
    A package you depend on has a known security hole (CVE-2024-23829). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-27306 aiohttp: XSS on index pages for static file handling
    poetry.lock
    A package you depend on has a known security hole (CVE-2024-27306). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-52304 aiohttp: aiohttp vulnerable to request smuggling due to incorrect parsing of chunk extensions
    poetry.lock
    A package you depend on has a known security hole (CVE-2024-52304). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-69227 aiohttp: aiohttp: Denial of Service via specially crafted POST request
    poetry.lock
    A package you depend on has a known security hole (CVE-2025-69227). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-69228 aiohttp: aiohttp: Denial of Service via memory exhaustion from crafted POST request
    poetry.lock
    A package you depend on has a known security hole (CVE-2025-69228). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-69229 aiohttp: AIOHTTP: Denial of Service via excessive CPU usage in chunked message handling
    poetry.lock
    A package you depend on has a known security hole (CVE-2025-69229). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-22815 aiohttp: AIOHTTP: Denial of Service via insufficient header/trailer handling
    poetry.lock
    A package you depend on has a known security hole (CVE-2026-22815). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-34515 aiohttp: AIOHTTP: Information disclosure via static resource handler on Windows
    poetry.lock
    A package you depend on has a known security hole (CVE-2026-34515). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-34516 aiohttp: AIOHTTP: Denial of Service via excessive multipart headers
    poetry.lock
    A package you depend on has a known security hole (CVE-2026-34516). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-34525 aiohttp: aiohttp: Security bypass via multiple Host headers
    poetry.lock
    A package you depend on has a known security hole (CVE-2026-34525). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-34993 aiohttp: AIOHTTP: Arbitrary code execution via untrusted input to CookieJar.load()
    poetry.lock
    A package you depend on has a known security hole (CVE-2026-34993). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-47265 python-aiohttp: AIOHTTP: Information disclosure via improper handling of cookies during cross-origin redirects
    poetry.lock
    A package you depend on has a known security hole (CVE-2026-47265). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-54273 aiohttp: AIOHTTP: Denial of Service via excessive pipelined requests
    poetry.lock
    A package you depend on has a known security hole (CVE-2026-54273). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-54274 aiohttp: aiohttp: Denial of Service via incomplete websocket frame payloads
    poetry.lock
    A package you depend on has a known security hole (CVE-2026-54274). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-54276 aiohttp: aiohttp: Information disclosure via DigestAuthMiddleware after cross-origin redirect
    poetry.lock
    A package you depend on has a known security hole (CVE-2026-54276). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-54277 aiohttp: aiohttp: Denial of Service via oversized HTTP request lines bypassing max_line_size check
    poetry.lock
    A package you depend on has a known security hole (CVE-2026-54277). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-54278 aiohttp: aiohttp: Denial of Service due to excessive memory consumption from compressed request body
    poetry.lock
    A package you depend on has a known security hole (CVE-2026-54278). Fix: Update that package to its patched version.
  • Worth fixing GHSA-pjjw-qhg8-p2p9 aiohttp has vulnerable dependency that is vulnerable to request smuggling
    poetry.lock
    A package you depend on has a known security hole (GHSA-pjjw-qhg8-p2p9). Fix: Update that package to its patched version.
… 49 more not shown

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 75 found · 2 serious

Your dependencies cross-checked against the OSV vulnerability database.

  • Serious GHSA-63hf-3vf5-4wqf AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypass
    /workdirs/scan-9c20e87e-f33d-4346-b124-9630c53e3002/poetry.lock
    A package you depend on has a known security hole (CVE-2026-34520). Fix: Update that package to its patched version.
  • Serious PYSEC-2026-348 h11 accepts some malformed Chunked-Encoding bodies
    /workdirs/scan-9c20e87e-f33d-4346-b124-9630c53e3002/poetry.lock
    A package you depend on has a known security hole (CVE-2025-43859). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2023-246 aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser
    /workdirs/scan-9c20e87e-f33d-4346-b124-9630c53e3002/poetry.lock
    A package you depend on has a known security hole (CVE-2023-47627). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2023-250 aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create
    /workdirs/scan-9c20e87e-f33d-4346-b124-9630c53e3002/poetry.lock
    A package you depend on has a known security hole (CVE-2023-49081). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2023-251 aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even crea
    /workdirs/scan-9c20e87e-f33d-4346-b124-9630c53e3002/poetry.lock
    A package you depend on has a known security hole (CVE-2023-49082). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2024-24 aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static fi
    /workdirs/scan-9c20e87e-f33d-4346-b124-9630c53e3002/poetry.lock
    A package you depend on has a known security hole (CVE-2024-23334). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2024-26 aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must tri
    /workdirs/scan-9c20e87e-f33d-4346-b124-9630c53e3002/poetry.lock
    A package you depend on has a known security hole (CVE-2024-23829). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2026-237 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, the server_hostname TLS SNI check can be bypassed when an existing connection is reused. If an applicat
    /workdirs/scan-9c20e87e-f33d-4346-b124-9630c53e3002/poetry.lock
    A package you depend on has a known security hole (CVE-2026-54275). Fix: Update that package to its patched version.
  • Worth fixing GHSA-4fvr-rgm6-gqmc aiohttp: HTTP/1 Pipelined Requests Queue Without Limit
    /workdirs/scan-9c20e87e-f33d-4346-b124-9630c53e3002/poetry.lock
    A package you depend on has a known security hole (CVE-2026-54273). Fix: Update that package to its patched version.
  • Worth fixing GHSA-5m98-qgg9-wh84 aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests
    /workdirs/scan-9c20e87e-f33d-4346-b124-9630c53e3002/poetry.lock
    A package you depend on has a known security hole (CVE-2024-30251). Fix: Update that package to its patched version.
  • Worth fixing GHSA-63hw-fmq6-xxg2 aiohttp: C HTTP Parser Bypasses max_line_size for Fragmented Lines
    /workdirs/scan-9c20e87e-f33d-4346-b124-9630c53e3002/poetry.lock
    A package you depend on has a known security hole (CVE-2026-54277). Fix: Update that package to its patched version.
  • Worth fixing GHSA-6jhg-hg63-jvvf AIOHTTP vulnerable to denial of service through large payloads
    /workdirs/scan-9c20e87e-f33d-4346-b124-9630c53e3002/poetry.lock
    A package you depend on has a known security hole (CVE-2025-69228). Fix: Update that package to its patched version.
  • Worth fixing GHSA-6mq8-rvhq-8wgg AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
    /workdirs/scan-9c20e87e-f33d-4346-b124-9630c53e3002/poetry.lock
    A package you depend on has a known security hole (CVE-2025-69223). Fix: Update that package to its patched version.
  • Worth fixing GHSA-7gpw-8wmc-pm8g aiohttp Cross-site Scripting vulnerability on index pages for static file handling
    /workdirs/scan-9c20e87e-f33d-4346-b124-9630c53e3002/poetry.lock
    A package you depend on has a known security hole (CVE-2024-27306). Fix: Update that package to its patched version.
  • Worth fixing GHSA-8495-4g3g-x7pr aiohttp allows request smuggling due to incorrect parsing of chunk extensions
    /workdirs/scan-9c20e87e-f33d-4346-b124-9630c53e3002/poetry.lock
    A package you depend on has a known security hole (CVE-2024-52304). Fix: Update that package to its patched version.
  • Worth fixing GHSA-966j-vmvw-g2g9 AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect
    /workdirs/scan-9c20e87e-f33d-4346-b124-9630c53e3002/poetry.lock
    A package you depend on has a known security hole (CVE-2026-34518). Fix: Update that package to its patched version.
  • Worth fixing GHSA-c427-h43c-vf67 AIOHTTP accepts duplicate Host headers
    /workdirs/scan-9c20e87e-f33d-4346-b124-9630c53e3002/poetry.lock
    A package you depend on has a known security hole (CVE-2026-34525). Fix: Update that package to its patched version.
  • Worth fixing GHSA-g3cq-j2xw-wf74 aiohttp: Unread Compressed Request Bodies Bypass client_max_size During Cleanup
    /workdirs/scan-9c20e87e-f33d-4346-b124-9630c53e3002/poetry.lock
    A package you depend on has a known security hole (CVE-2026-54278). Fix: Update that package to its patched version.
  • Worth fixing GHSA-g84x-mcqj-x9qq AIOHTTP vulnerable to DoS through chunked messages
    /workdirs/scan-9c20e87e-f33d-4346-b124-9630c53e3002/poetry.lock
    A package you depend on has a known security hole (CVE-2025-69229). Fix: Update that package to its patched version.
  • Worth fixing GHSA-hg6j-4rv6-33pg AIOHTTP is vulnerable to cross-origin redirect with per-request cookies
    /workdirs/scan-9c20e87e-f33d-4346-b124-9630c53e3002/poetry.lock
    A package you depend on has a known security hole (CVE-2026-47265). Fix: Update that package to its patched version.
  • Worth fixing GHSA-hpj7-wq8m-9hgp aiohttp: DigestAuthMiddleware Applies Credentials to Cross-Origin Redirect Challenges
    /workdirs/scan-9c20e87e-f33d-4346-b124-9630c53e3002/poetry.lock
    A package you depend on has a known security hole (CVE-2026-54276). Fix: Update that package to its patched version.
  • Worth fixing GHSA-jg22-mg44-37j8 AIOHTTP is Vulnerable to Deserialization of Untrusted Data
    /workdirs/scan-9c20e87e-f33d-4346-b124-9630c53e3002/poetry.lock
    A package you depend on has a known security hole (CVE-2026-34993). Fix: Update that package to its patched version.
  • Worth fixing GHSA-jj3x-wxrx-4x23 AIOHTTP vulnerable to DoS when bypassing asserts
    /workdirs/scan-9c20e87e-f33d-4346-b124-9630c53e3002/poetry.lock
    A package you depend on has a known security hole (CVE-2025-69227). Fix: Update that package to its patched version.
  • Worth fixing GHSA-m5qp-6w8w-w647 AIOHTTP has a Multipart Header Size Bypass
    /workdirs/scan-9c20e87e-f33d-4346-b124-9630c53e3002/poetry.lock
    A package you depend on has a known security hole (CVE-2026-34516). Fix: Update that package to its patched version.
  • Worth fixing GHSA-p998-jp59-783m AIOHTTP affected by UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows
    /workdirs/scan-9c20e87e-f33d-4346-b124-9630c53e3002/poetry.lock
    A package you depend on has a known security hole (CVE-2026-34515). Fix: Update that package to its patched version.
… 50 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog none found ✓

Packages that look intentionally malicious — typosquats, sneaky install scripts.

Nothing found by this check. ✓

via Guarddog v2.10.0 · Apache-2.0

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard didn’t run

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via OpenSSF Scorecard · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.