Informational scan, not a security audit. How this is computed.
API keys, passwords or tokens committed into the repo.
Nothing found by this check. ✓
Packages you depend on that have known security holes (CVEs).
Nothing found by this check. ✓
Your dependencies cross-checked against the OSV vulnerability database.
GHSA-f886-m6hf-6m8v brace-expansion: Zero-step sequence causes process hang and memory exhaustionGHSA-jxxr-4gwj-5jf2 brace-expansion: Large numeric range defeats documented `max` DoS protectionGHSA-25h7-pfq9-p65f flatted vulnerable to unbounded recursion DoS in parse() revive phaseGHSA-rf6f-7fwh-wjgh Prototype Pollution via parse() in NodeJS flattedGHSA-22p9-wv53-3rq4 LinkifyIt#match scan loop has quadratic algorithmic complexityGHSA-f23m-r3pf-42rh lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`GHSA-r5fr-rjxr-66jc lodash vulnerable to Code Injection via `_.template` imports key namesGHSA-6v5v-wf23-fmfq markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operationsGHSA-rmmh-p597-ppvv Showdown vulnerable to Regular Expression Denial of Service (ReDoS) in link/anchor parsingCode that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
Nothing found by this check. ✓
A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.