gitsafehub
github.com/sql-js/sql.js ↗

sql-js/sql.js

scanned 2026-06-30 · git 8088a68
1 of 6 checks flagged a security issue
🟡 Worth a look
Only 5 of 6 checks finished — treat this as provisional. Re-check ↻

Informational scan, not a security audit. How this is computed.

Leaked secretsVulnerable dependenciesKnown OSS vulnerabilities9Risky code patternsMalicious dependenciesProject health

Security checks

Leaked secrets — Gitleaks none found ✓

API keys, passwords or tokens committed into the repo.

Nothing found by this check. ✓

via Gitleaks v8.21.2 · MIT

Vulnerable dependencies — Trivy none found ✓

Packages you depend on that have known security holes (CVEs).

Nothing found by this check. ✓

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 9 found

Your dependencies cross-checked against the OSV vulnerability database.

  • Worth fixing GHSA-f886-m6hf-6m8v brace-expansion: Zero-step sequence causes process hang and memory exhaustion
    /workdirs/scan-487d8d5f-eca2-459e-a5d2-2f917fff9a45/package-lock.json
    A package you depend on has a known security hole (CVE-2026-33750). Fix: Update that package to its patched version.
  • Worth fixing GHSA-jxxr-4gwj-5jf2 brace-expansion: Large numeric range defeats documented `max` DoS protection
    /workdirs/scan-487d8d5f-eca2-459e-a5d2-2f917fff9a45/package-lock.json
    A package you depend on has a known security hole (CVE-2026-45149). Fix: Update that package to its patched version.
  • Worth fixing GHSA-25h7-pfq9-p65f flatted vulnerable to unbounded recursion DoS in parse() revive phase
    /workdirs/scan-487d8d5f-eca2-459e-a5d2-2f917fff9a45/package-lock.json
    A package you depend on has a known security hole (CVE-2026-32141). Fix: Update that package to its patched version.
  • Worth fixing GHSA-rf6f-7fwh-wjgh Prototype Pollution via parse() in NodeJS flatted
    /workdirs/scan-487d8d5f-eca2-459e-a5d2-2f917fff9a45/package-lock.json
    A package you depend on has a known security hole (CVE-2026-33228). Fix: Update that package to its patched version.
  • Worth fixing GHSA-22p9-wv53-3rq4 LinkifyIt#match scan loop has quadratic algorithmic complexity
    /workdirs/scan-487d8d5f-eca2-459e-a5d2-2f917fff9a45/package-lock.json
    A package you depend on has a known security hole (CVE-2026-48801). Fix: Update that package to its patched version.
  • Worth fixing GHSA-f23m-r3pf-42rh lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
    /workdirs/scan-487d8d5f-eca2-459e-a5d2-2f917fff9a45/package-lock.json
    A package you depend on has a known security hole (CVE-2026-2950). Fix: Update that package to its patched version.
  • Worth fixing GHSA-r5fr-rjxr-66jc lodash vulnerable to Code Injection via `_.template` imports key names
    /workdirs/scan-487d8d5f-eca2-459e-a5d2-2f917fff9a45/package-lock.json
    A package you depend on has a known security hole (CVE-2026-4800). Fix: Update that package to its patched version.
  • Worth fixing GHSA-6v5v-wf23-fmfq markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operations
    /workdirs/scan-487d8d5f-eca2-459e-a5d2-2f917fff9a45/package-lock.json
    A package you depend on has a known security hole (CVE-2026-48988). Fix: Update that package to its patched version.
  • Worth fixing GHSA-rmmh-p597-ppvv Showdown vulnerable to Regular Expression Denial of Service (ReDoS) in link/anchor parsing
    /workdirs/scan-487d8d5f-eca2-459e-a5d2-2f917fff9a45/package-lock.json
    A package you depend on has a known security hole (CVE-2024-1899). Fix: Update that package to its patched version.

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog none found ✓

Packages that look intentionally malicious — typosquats, sneaky install scripts.

Nothing found by this check. ✓

via Guarddog v2.10.0 · Apache-2.0

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard didn’t run

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via OpenSSF Scorecard · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.