Informational scan, not a security audit. How this is computed.
API keys, passwords or tokens committed into the repo.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.
Packages you depend on that have known security holes (CVEs).
CVE-2026-9277 shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminatorsCVE-2026-55602 http-proxy-middleware: http-proxy-middleware: Unintended backend routing due to crafted Host headerCVE-2026-48038 joi has an uncaught RangeError on deeply nested input through recursive `link()` schemasCVE-2026-53550 js-yaml: js-yaml: Denial of Service via crafted YAML merge keysCVE-2026-53550 js-yaml: js-yaml: Denial of Service via crafted YAML merge keysCVE-2026-53632 launch-editor: launch-editor: Credential compromise via NTLMv2 password hash leak through UNC path accessGHSA-5c6j-r48x-rmvq Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()CVE-2026-34043 serialize-javascript: serialize-javascript: Denial of Service via specially crafted array-like object serializationCVE-2026-41907 uuid: uuid: Out-of-bounds write vulnerability impacts data integrity and confidentialityCVE-2026-9595 webpack-dev-server: webpack-dev-server: Information disclosure and denial of service via improper proxy configurationCVE-2026-48779 ws: ws: Denial of Service via memory exhaustion from small WebSocket fragmentsCVE-2026-49356 @babel/core: @babel/core: Arbitrary file read via sourceMappingURL commentCVE-2026-24001 jsdiff: denial of service vulnerability in parsePatch and applyPatchYour dependencies cross-checked against the OSV vulnerability database.
GHSA-mp2f-45pm-3cg9 Decompress: Archive extraction can create files and links outside of the target directoryGHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op valuesGHSA-hmw2-7cc7-3qxx form-data: CRLF injection in form-data via unescaped multipart field names and filenamesGHSA-64mm-vxmg-q3vj http-proxy-middleware `router` host+path substring matching allows Host-header-driven backend routing bypassGHSA-q7cg-457f-vx79 joi has an uncaught RangeError on deeply nested input through recursive `link()` schemasGHSA-h67p-54hq-rp68 JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliasesGHSA-h67p-54hq-rp68 JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliasesGHSA-v6wh-96g9-6wx3 launch-editor: NTLMv2 hash disclosure via UNC path handling on WindowsGHSA-22p9-wv53-3rq4 LinkifyIt#match scan loop has quadratic algorithmic complexityGHSA-6v5v-wf23-fmfq markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operationsGHSA-5c6j-r48x-rmvq Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()GHSA-qj8w-gfj5-8c6v Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objectsGHSA-ph9p-34f9-6g65 tmp has Path Traversal via unsanitized prefix/postfix that enables directory escapeGHSA-hm92-r4w5-c3mj undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuseGHSA-p88m-4jfj-68fv undici vulnerable to HTTP header injection via Set-Cookie percent-decodingGHSA-pr7r-676h-xcf6 undici vulnerable to cross-user information disclosure via shared cache whitespace bypassGHSA-vmh5-mc38-953g undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgentGHSA-vxpw-j846-p89q undici WebSocket client vulnerable to denial of service via fragment count bypassGHSA-w5hq-g745-h8pq uuid: Missing buffer bounds check in v3/v5/v6 when buf is providedGHSA-fx2h-pf6j-xcff vite: `server.fs.deny` bypass on Windows alternate pathsGHSA-v6wh-96g9-6wx3 launch-editor: NTLMv2 hash disclosure via UNC path handling on WindowsGHSA-mx8g-39q3-5c79 webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxiesGHSA-96hv-2xvq-fx4p ws: Memory exhaustion DoS from tiny fragments and data chunksGHSA-4x5r-pxfx-6jf8 @babel/core: Arbitrary File Read via sourceMappingURL CommentGHSA-73rr-hh4g-fpgx jsdiff has a Denial of Service vulnerability in parsePatch and applyPatchCode that can be exploited: injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious: typosquats, sneaky install scripts.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.
A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
Maintenance & supply-chain hygiene. A signal about the project, not a vulnerability in your code.
scorecard-overall OpenSSF Scorecard overall: 5.5/10scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detectedscorecard-Code-Review Code-Review scored 0: Found 0/3 approved changesets -- score normalized to 0scorecard-Fuzzing Fuzzing scored 0: project is not fuzzedscorecard-Pinned-Dependencies Pinned-Dependencies scored 0: dependency not pinned by hash detected -- score normalized to 0scorecard-Signed-Releases Signed-Releases scored 0: Project has not signed or included provenance with any releases.scorecard-Token-Permissions Token-Permissions scored 0: detected GitHub workflow tokens with excessive permissions