gitsafehub
github.com/styleguidist/react-styleguidist ↗

styleguidist/react-styleguidist

scanned 2026-06-30 · git c223f9a
3 of 6 checks flagged a security issue
🔴 Needs attention
Only 4 of 6 checks finished — treat this as provisional. Re-check ↻

Informational scan, not a security audit. How this is computed.

Leaked secrets1Vulnerable dependencies837Known OSS vulnerabilities1830Risky code patternsMalicious dependenciesProject health

Security checks

Leaked secrets — Gitleaks 1 found

API keys, passwords or tokens committed into the repo.

  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    site/docusaurus.config.js:92
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.

via Gitleaks v8.21.2 · MIT

Vulnerable dependencies — Trivy 837 found · 69 serious

Packages you depend on that have known security holes (CVEs).

  • Serious CVE-2023-45133 babel: arbitrary code execution
    examples/basic/package-lock.json
    A package you depend on has a known security hole (CVE-2023-45133). Fix: Update that package to its patched version.
  • Serious CVE-2022-1650 eventsource: Exposure of Sensitive Information
    examples/basic/package-lock.json
    A package you depend on has a known security hole (CVE-2022-1650). Fix: Update that package to its patched version.
  • Serious CVE-2023-45311 Code injection in fsevents
    examples/basic/package-lock.json
    A package you depend on has a known security hole (CVE-2023-45311). Fix: Update that package to its patched version.
  • Serious CVE-2022-37601 loader-utils: prototype pollution in function parseQuery in parseQuery.js
    examples/basic/package-lock.json
    A package you depend on has a known security hole (CVE-2022-37601). Fix: Update that package to its patched version.
  • Serious CVE-2021-44906 minimist: prototype pollution
    examples/basic/package-lock.json
    A package you depend on has a known security hole (CVE-2021-44906). Fix: Update that package to its patched version.
  • Serious CVE-2021-44906 minimist: prototype pollution
    examples/basic/package-lock.json
    A package you depend on has a known security hole (CVE-2021-44906). Fix: Update that package to its patched version.
  • Serious CVE-2021-42740 The shell-quote package before 1.7.3 for Node.js allows command inject ...
    examples/basic/package-lock.json
    A package you depend on has a known security hole (CVE-2021-42740). Fix: Update that package to its patched version.
  • Serious CVE-2026-9277 shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators
    examples/basic/package-lock.json
    A package you depend on has a known security hole (CVE-2026-9277). Fix: Update that package to its patched version.
  • Serious CVE-2022-0686 npm-url-parse: Authorization bypass through user-controlled key
    examples/basic/package-lock.json
    A package you depend on has a known security hole (CVE-2022-0686). Fix: Update that package to its patched version.
  • Serious CVE-2023-45133 babel: arbitrary code execution
    examples/react-native/package-lock.json
    A package you depend on has a known security hole (CVE-2023-45133). Fix: Update that package to its patched version.
  • Serious CVE-2023-45133 babel: arbitrary code execution
    examples/react-native/package-lock.json
    A package you depend on has a known security hole (CVE-2023-45133). Fix: Update that package to its patched version.
  • Serious CVE-2023-45133 babel: arbitrary code execution
    examples/react-native/package-lock.json
    A package you depend on has a known security hole (CVE-2023-45133). Fix: Update that package to its patched version.
  • Serious CVE-2023-28131 Expo SDK has an OAuth vulnerability
    examples/react-native/package-lock.json
    A package you depend on has a known security hole (CVE-2023-28131). Fix: Update that package to its patched version.
  • Serious CVE-2023-45311 Code injection in fsevents
    examples/react-native/package-lock.json
    A package you depend on has a known security hole (CVE-2023-45311). Fix: Update that package to its patched version.
  • Serious CVE-2019-10744 nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties
    examples/react-native/package-lock.json
    A package you depend on has a known security hole (CVE-2019-10744). Fix: Update that package to its patched version.
  • Serious CVE-2021-44906 minimist: prototype pollution
    examples/react-native/package-lock.json
    A package you depend on has a known security hole (CVE-2021-44906). Fix: Update that package to its patched version.
  • Serious CVE-2021-44906 minimist: prototype pollution
    examples/react-native/package-lock.json
    A package you depend on has a known security hole (CVE-2021-44906). Fix: Update that package to its patched version.
  • Serious CVE-2021-44906 minimist: prototype pollution
    examples/react-native/package-lock.json
    A package you depend on has a known security hole (CVE-2021-44906). Fix: Update that package to its patched version.
  • Serious CVE-2019-10746 nodejs-mixin-deep: prototype pollution in function mixin-deep
    examples/react-native/package-lock.json
    A package you depend on has a known security hole (CVE-2019-10746). Fix: Update that package to its patched version.
  • Serious CVE-2022-22912 Prototype pollution in Plist before 3.0.5 can cause denial of service
    examples/react-native/package-lock.json
    A package you depend on has a known security hole (CVE-2022-22912). Fix: Update that package to its patched version.
  • Serious CVE-2022-22912 Prototype pollution in Plist before 3.0.5 can cause denial of service
    examples/react-native/package-lock.json
    A package you depend on has a known security hole (CVE-2022-22912). Fix: Update that package to its patched version.
  • Serious CVE-2019-10747 nodejs-set-value: prototype pollution in function set-value
    examples/react-native/package-lock.json
    A package you depend on has a known security hole (CVE-2019-10747). Fix: Update that package to its patched version.
  • Serious CVE-2019-10747 nodejs-set-value: prototype pollution in function set-value
    examples/react-native/package-lock.json
    A package you depend on has a known security hole (CVE-2019-10747). Fix: Update that package to its patched version.
  • Serious CVE-2026-9277 shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators
    examples/react-native/package-lock.json
    A package you depend on has a known security hole (CVE-2026-9277). Fix: Update that package to its patched version.
  • Serious CVE-2022-26260 Prototype Pollution in simple-plist
    examples/react-native/package-lock.json
    A package you depend on has a known security hole (CVE-2022-26260). Fix: Update that package to its patched version.
… 812 more not shown

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 1830 found · 202 serious

Your dependencies cross-checked against the OSV vulnerability database.

  • Serious GHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
    /workdirs/scan-6c4fdf9b-3134-441a-bd83-79676ae87e6e/examples/basic/package-lock.json
    A package you depend on has a known security hole (CVE-2023-45133). Fix: Update that package to its patched version.
  • Serious GHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
    /workdirs/scan-6c4fdf9b-3134-441a-bd83-79676ae87e6e/examples/basic/package-lock.json
    A package you depend on has a known security hole (CVE-2023-45133). Fix: Update that package to its patched version.
  • Serious GHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
    /workdirs/scan-6c4fdf9b-3134-441a-bd83-79676ae87e6e/examples/basic/package-lock.json
    A package you depend on has a known security hole (CVE-2023-45133). Fix: Update that package to its patched version.
  • Serious GHSA-cpq7-6gpm-g9rc cipher-base is missing type checks, leading to hash rewind and passing on crafted data
    /workdirs/scan-6c4fdf9b-3134-441a-bd83-79676ae87e6e/examples/basic/package-lock.json
    A package you depend on has a known security hole (CVE-2025-9287). Fix: Update that package to its patched version.
  • Serious GHSA-vjh7-7g9h-fjfh Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
    /workdirs/scan-6c4fdf9b-3134-441a-bd83-79676ae87e6e/examples/basic/package-lock.json
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Serious GHSA-6h5x-7c5m-7cr7 Exposure of Sensitive Information in eventsource
    /workdirs/scan-6c4fdf9b-3134-441a-bd83-79676ae87e6e/examples/basic/package-lock.json
    A package you depend on has a known security hole (CVE-2022-1650). Fix: Update that package to its patched version.
  • Serious MAL-2023-462 Malicious code in fsevents (npm)
    /workdirs/scan-6c4fdf9b-3134-441a-bd83-79676ae87e6e/examples/basic/package-lock.json
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Serious GHSA-8r6j-v8pm-fqw3 Code injection in fsevents
    /workdirs/scan-6c4fdf9b-3134-441a-bd83-79676ae87e6e/examples/basic/package-lock.json
    A package you depend on has a known security hole (CVE-2023-45311). Fix: Update that package to its patched version.
  • Serious GHSA-76p3-8jx3-jpfq Prototype pollution in webpack loader-utils
    /workdirs/scan-6c4fdf9b-3134-441a-bd83-79676ae87e6e/examples/basic/package-lock.json
    A package you depend on has a known security hole (CVE-2022-37601). Fix: Update that package to its patched version.
  • Serious GHSA-xvch-5gv4-984h Prototype Pollution in minimist
    /workdirs/scan-6c4fdf9b-3134-441a-bd83-79676ae87e6e/examples/basic/package-lock.json
    A package you depend on has a known security hole (CVE-2021-44906). Fix: Update that package to its patched version.
  • Serious GHSA-xvch-5gv4-984h Prototype Pollution in minimist
    /workdirs/scan-6c4fdf9b-3134-441a-bd83-79676ae87e6e/examples/basic/package-lock.json
    A package you depend on has a known security hole (CVE-2021-44906). Fix: Update that package to its patched version.
  • Serious GHSA-92xj-mqp7-vmcj Prototype Pollution in node-forge
    /workdirs/scan-6c4fdf9b-3134-441a-bd83-79676ae87e6e/examples/basic/package-lock.json
    A package you depend on has a known security hole (CVE-2020-7720). Fix: Update that package to its patched version.
  • Serious GHSA-h7cp-r72f-jxh6 pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos
    /workdirs/scan-6c4fdf9b-3134-441a-bd83-79676ae87e6e/examples/basic/package-lock.json
    A package you depend on has a known security hole (CVE-2025-6545). Fix: Update that package to its patched version.
  • Serious GHSA-v62p-rq8g-8h59 pbkdf2 silently disregards Uint8Array input, returning static keys
    /workdirs/scan-6c4fdf9b-3134-441a-bd83-79676ae87e6e/examples/basic/package-lock.json
    A package you depend on has a known security hole (CVE-2025-6547). Fix: Update that package to its patched version.
  • Serious GHSA-95m3-7q98-8xr5 sha.js is missing type checks leading to hash rewind and passing on crafted data
    /workdirs/scan-6c4fdf9b-3134-441a-bd83-79676ae87e6e/examples/basic/package-lock.json
    A package you depend on has a known security hole (CVE-2025-9288). Fix: Update that package to its patched version.
  • Serious GHSA-g4rg-993r-mgx7 Improper Neutralization of Special Elements used in a Command in Shell-quote
    /workdirs/scan-6c4fdf9b-3134-441a-bd83-79676ae87e6e/examples/basic/package-lock.json
    A package you depend on has a known security hole (CVE-2021-42740). Fix: Update that package to its patched version.
  • Serious GHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op values
    /workdirs/scan-6c4fdf9b-3134-441a-bd83-79676ae87e6e/examples/basic/package-lock.json
    A package you depend on has a known security hole (CVE-2026-9277). Fix: Update that package to its patched version.
  • Serious GHSA-hgjh-723h-mx2j Authorization Bypass Through User-Controlled Key in url-parse
    /workdirs/scan-6c4fdf9b-3134-441a-bd83-79676ae87e6e/examples/basic/package-lock.json
    A package you depend on has a known security hole (CVE-2022-0686). Fix: Update that package to its patched version.
  • Serious GHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
    /workdirs/scan-6c4fdf9b-3134-441a-bd83-79676ae87e6e/examples/cra/package-lock.json
    A package you depend on has a known security hole (CVE-2023-45133). Fix: Update that package to its patched version.
  • Serious GHSA-cpq7-6gpm-g9rc cipher-base is missing type checks, leading to hash rewind and passing on crafted data
    /workdirs/scan-6c4fdf9b-3134-441a-bd83-79676ae87e6e/examples/cra/package-lock.json
    A package you depend on has a known security hole (CVE-2025-9287). Fix: Update that package to its patched version.
  • Serious GHSA-vjh7-7g9h-fjfh Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
    /workdirs/scan-6c4fdf9b-3134-441a-bd83-79676ae87e6e/examples/cra/package-lock.json
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Serious GHSA-6h5x-7c5m-7cr7 Exposure of Sensitive Information in eventsource
    /workdirs/scan-6c4fdf9b-3134-441a-bd83-79676ae87e6e/examples/cra/package-lock.json
    A package you depend on has a known security hole (CVE-2022-1650). Fix: Update that package to its patched version.
  • Serious GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary
    /workdirs/scan-6c4fdf9b-3134-441a-bd83-79676ae87e6e/examples/cra/package-lock.json
    A package you depend on has a known security hole (CVE-2025-7783). Fix: Update that package to its patched version.
  • Serious MAL-2023-462 Malicious code in fsevents (npm)
    /workdirs/scan-6c4fdf9b-3134-441a-bd83-79676ae87e6e/examples/cra/package-lock.json
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Serious GHSA-8r6j-v8pm-fqw3 Code injection in fsevents
    /workdirs/scan-6c4fdf9b-3134-441a-bd83-79676ae87e6e/examples/cra/package-lock.json
    A package you depend on has a known security hole (CVE-2023-45311). Fix: Update that package to its patched version.
… 1805 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog timed out

Packages that look intentionally malicious — typosquats, sneaky install scripts.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via Guarddog v2.10.0 · Apache-2.0

error: npm:timeout

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard didn’t run

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via OpenSSF Scorecard · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.