gitsafehub
github.com/streetsidesoftware/vscode-spell-checker ↗

streetsidesoftware/vscode-spell-checker

scanned 2026-07-15 · git 16bcb34
2 of 6 checks flagged a security issue
🔴 Needs attention
Only 4 of 6 checks finished — treat this as provisional. Re-check ↻

Informational scan, not a security audit. How this is computed.

Leaked secretsVulnerable dependencies13Known OSS vulnerabilities28Risky code patternsMalicious dependenciesProject health7

Security checks

Leaked secrets — Gitleaks timed out

API keys, passwords or tokens committed into the repo.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via Gitleaks v8.21.2 · MIT

error: timeout after 400s

Vulnerable dependencies — Trivy 13 found · 1 serious

Packages you depend on that have known security holes (CVEs).

  • Serious CVE-2026-9277 shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-9277). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-55602 http-proxy-middleware: http-proxy-middleware: Unintended backend routing due to crafted Host header
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-55602). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-48038 joi has an uncaught RangeError on deeply nested input through recursive `link()` schemas
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-48038). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-53550 js-yaml: js-yaml: Denial of Service via crafted YAML merge keys
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-53550). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-53550 js-yaml: js-yaml: Denial of Service via crafted YAML merge keys
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-53550). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-53632 launch-editor: launch-editor: Credential compromise via NTLMv2 password hash leak through UNC path access
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-53632). Fix: Update that package to its patched version.
  • Worth fixing GHSA-5c6j-r48x-rmvq Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()
    package-lock.json
    A package you depend on has a known security hole (GHSA-5c6j-r48x-rmvq). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-34043 serialize-javascript: serialize-javascript: Denial of Service via specially crafted array-like object serialization
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-34043). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-41907 uuid: uuid: Out-of-bounds write vulnerability impacts data integrity and confidentiality
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-41907). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-9595 webpack-dev-server: webpack-dev-server: Information disclosure and denial of service via improper proxy configuration
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-9595). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-48779 ws: ws: Denial of Service via memory exhaustion from small WebSocket fragments
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-48779). Fix: Update that package to its patched version.
  • Minor CVE-2026-49356 @babel/core: @babel/core: Arbitrary file read via sourceMappingURL comment
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-49356). Fix: Update that package to its patched version.
  • Minor CVE-2026-24001 jsdiff: denial of service vulnerability in parsePatch and applyPatch
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-24001). Fix: Update that package to its patched version.

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 28 found · 2 serious

Your dependencies cross-checked against the OSV vulnerability database.

  • Serious GHSA-mp2f-45pm-3cg9 Decompress: Archive extraction can create files and links outside of the target directory
    /workdirs/scan-78ec6d9d-ea48-4310-9f29-2e93a376e02c/package-lock.json
    A package you depend on has a known security hole (CVE-2026-53486). Fix: Update that package to its patched version.
  • Serious GHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op values
    /workdirs/scan-78ec6d9d-ea48-4310-9f29-2e93a376e02c/package-lock.json
    A package you depend on has a known security hole (CVE-2026-9277). Fix: Update that package to its patched version.
  • Worth fixing GHSA-hmw2-7cc7-3qxx form-data: CRLF injection in form-data via unescaped multipart field names and filenames
    /workdirs/scan-78ec6d9d-ea48-4310-9f29-2e93a376e02c/package-lock.json
    A package you depend on has a known security hole (CVE-2026-12143). Fix: Update that package to its patched version.
  • Worth fixing GHSA-64mm-vxmg-q3vj http-proxy-middleware `router` host+path substring matching allows Host-header-driven backend routing bypass
    /workdirs/scan-78ec6d9d-ea48-4310-9f29-2e93a376e02c/package-lock.json
    A package you depend on has a known security hole (CVE-2026-55602). Fix: Update that package to its patched version.
  • Worth fixing GHSA-q7cg-457f-vx79 joi has an uncaught RangeError on deeply nested input through recursive `link()` schemas
    /workdirs/scan-78ec6d9d-ea48-4310-9f29-2e93a376e02c/package-lock.json
    A package you depend on has a known security hole (CVE-2026-48038). Fix: Update that package to its patched version.
  • Worth fixing GHSA-h67p-54hq-rp68 JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases
    /workdirs/scan-78ec6d9d-ea48-4310-9f29-2e93a376e02c/package-lock.json
    A package you depend on has a known security hole (CVE-2026-53550). Fix: Update that package to its patched version.
  • Worth fixing GHSA-h67p-54hq-rp68 JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases
    /workdirs/scan-78ec6d9d-ea48-4310-9f29-2e93a376e02c/package-lock.json
    A package you depend on has a known security hole (CVE-2026-53550). Fix: Update that package to its patched version.
  • Worth fixing GHSA-v6wh-96g9-6wx3 launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows
    /workdirs/scan-78ec6d9d-ea48-4310-9f29-2e93a376e02c/package-lock.json
    A package you depend on has a known security hole (CVE-2026-53632). Fix: Update that package to its patched version.
  • Worth fixing GHSA-22p9-wv53-3rq4 LinkifyIt#match scan loop has quadratic algorithmic complexity
    /workdirs/scan-78ec6d9d-ea48-4310-9f29-2e93a376e02c/package-lock.json
    A package you depend on has a known security hole (CVE-2026-48801). Fix: Update that package to its patched version.
  • Worth fixing GHSA-6v5v-wf23-fmfq markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operations
    /workdirs/scan-78ec6d9d-ea48-4310-9f29-2e93a376e02c/package-lock.json
    A package you depend on has a known security hole (CVE-2026-48988). Fix: Update that package to its patched version.
  • Worth fixing GHSA-5c6j-r48x-rmvq Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()
    /workdirs/scan-78ec6d9d-ea48-4310-9f29-2e93a376e02c/package-lock.json
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-qj8w-gfj5-8c6v Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects
    /workdirs/scan-78ec6d9d-ea48-4310-9f29-2e93a376e02c/package-lock.json
    A package you depend on has a known security hole (CVE-2026-34043). Fix: Update that package to its patched version.
  • Worth fixing GHSA-ph9p-34f9-6g65 tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape
    /workdirs/scan-78ec6d9d-ea48-4310-9f29-2e93a376e02c/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44705). Fix: Update that package to its patched version.
  • Worth fixing GHSA-hm92-r4w5-c3mj undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse
    /workdirs/scan-78ec6d9d-ea48-4310-9f29-2e93a376e02c/package-lock.json
    A package you depend on has a known security hole (CVE-2026-6734). Fix: Update that package to its patched version.
  • Worth fixing GHSA-p88m-4jfj-68fv undici vulnerable to HTTP header injection via Set-Cookie percent-decoding
    /workdirs/scan-78ec6d9d-ea48-4310-9f29-2e93a376e02c/package-lock.json
    A package you depend on has a known security hole (CVE-2026-9679). Fix: Update that package to its patched version.
  • Worth fixing GHSA-pr7r-676h-xcf6 undici vulnerable to cross-user information disclosure via shared cache whitespace bypass
    /workdirs/scan-78ec6d9d-ea48-4310-9f29-2e93a376e02c/package-lock.json
    A package you depend on has a known security hole (CVE-2026-9678). Fix: Update that package to its patched version.
  • Worth fixing GHSA-vmh5-mc38-953g undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent
    /workdirs/scan-78ec6d9d-ea48-4310-9f29-2e93a376e02c/package-lock.json
    A package you depend on has a known security hole (CVE-2026-9697). Fix: Update that package to its patched version.
  • Worth fixing GHSA-vxpw-j846-p89q undici WebSocket client vulnerable to denial of service via fragment count bypass
    /workdirs/scan-78ec6d9d-ea48-4310-9f29-2e93a376e02c/package-lock.json
    A package you depend on has a known security hole (CVE-2026-12151). Fix: Update that package to its patched version.
  • Worth fixing GHSA-w5hq-g745-h8pq uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
    /workdirs/scan-78ec6d9d-ea48-4310-9f29-2e93a376e02c/package-lock.json
    A package you depend on has a known security hole (CVE-2026-41907). Fix: Update that package to its patched version.
  • Worth fixing GHSA-fx2h-pf6j-xcff vite: `server.fs.deny` bypass on Windows alternate paths
    /workdirs/scan-78ec6d9d-ea48-4310-9f29-2e93a376e02c/package-lock.json
    A package you depend on has a known security hole (CVE-2026-53571). Fix: Update that package to its patched version.
  • Worth fixing GHSA-v6wh-96g9-6wx3 launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows
    /workdirs/scan-78ec6d9d-ea48-4310-9f29-2e93a376e02c/package-lock.json
    A package you depend on has a known security hole (CVE-2026-53632). Fix: Update that package to its patched version.
  • Worth fixing GHSA-mx8g-39q3-5c79 webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies
    /workdirs/scan-78ec6d9d-ea48-4310-9f29-2e93a376e02c/package-lock.json
    A package you depend on has a known security hole (CVE-2026-9595). Fix: Update that package to its patched version.
  • Worth fixing GHSA-96hv-2xvq-fx4p ws: Memory exhaustion DoS from tiny fragments and data chunks
    /workdirs/scan-78ec6d9d-ea48-4310-9f29-2e93a376e02c/package-lock.json
    A package you depend on has a known security hole (CVE-2026-48779). Fix: Update that package to its patched version.
  • Minor GHSA-4x5r-pxfx-6jf8 @babel/core: Arbitrary File Read via sourceMappingURL Comment
    /workdirs/scan-78ec6d9d-ea48-4310-9f29-2e93a376e02c/package-lock.json
    A package you depend on has a known security hole (CVE-2026-49356). Fix: Update that package to its patched version.
  • Minor GHSA-73rr-hh4g-fpgx jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch
    /workdirs/scan-78ec6d9d-ea48-4310-9f29-2e93a376e02c/package-lock.json
    A package you depend on has a known security hole (CVE-2026-24001). Fix: Update that package to its patched version.
… 3 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited: injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog timed out

Packages that look intentionally malicious: typosquats, sneaky install scripts.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via Guarddog v2.10.0 · Apache-2.0

error: npm:timeout

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard 7 notes

Maintenance & supply-chain hygiene. A signal about the project, not a vulnerability in your code.

  • Minor scorecard-overall OpenSSF Scorecard overall: 5.5/10
    A project-health signal (maintenance / supply-chain hygiene), not a vulnerability in your code.
  • Minor scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
    A project-health signal (maintenance / supply-chain hygiene), not a vulnerability in your code.
  • Minor scorecard-Code-Review Code-Review scored 0: Found 0/3 approved changesets -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene), not a vulnerability in your code.
  • Minor scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
    A project-health signal (maintenance / supply-chain hygiene), not a vulnerability in your code.
  • Minor scorecard-Pinned-Dependencies Pinned-Dependencies scored 0: dependency not pinned by hash detected -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene), not a vulnerability in your code.
  • Minor scorecard-Signed-Releases Signed-Releases scored 0: Project has not signed or included provenance with any releases.
    A project-health signal (maintenance / supply-chain hygiene), not a vulnerability in your code.
  • Minor scorecard-Token-Permissions Token-Permissions scored 0: detected GitHub workflow tokens with excessive permissions
    A project-health signal (maintenance / supply-chain hygiene), not a vulnerability in your code.

via OpenSSF Scorecard v5.5.0 · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.