Informational scan, not a security audit. How this is computed.
API keys, passwords or tokens committed into the repo.
generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.Packages you depend on that have known security holes (CVEs).
CVE-2023-45133 babel: arbitrary code executionCVE-2022-1650 eventsource: Exposure of Sensitive InformationCVE-2023-45311 Code injection in fseventsCVE-2022-37601 loader-utils: prototype pollution in function parseQuery in parseQuery.jsCVE-2021-44906 minimist: prototype pollutionCVE-2021-44906 minimist: prototype pollutionCVE-2021-42740 The shell-quote package before 1.7.3 for Node.js allows command inject ...CVE-2026-9277 shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminatorsCVE-2022-0686 npm-url-parse: Authorization bypass through user-controlled keyCVE-2023-45133 babel: arbitrary code executionCVE-2023-45133 babel: arbitrary code executionCVE-2023-45133 babel: arbitrary code executionCVE-2023-28131 Expo SDK has an OAuth vulnerabilityCVE-2023-45311 Code injection in fseventsCVE-2019-10744 nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying propertiesCVE-2021-44906 minimist: prototype pollutionCVE-2021-44906 minimist: prototype pollutionCVE-2021-44906 minimist: prototype pollutionCVE-2019-10746 nodejs-mixin-deep: prototype pollution in function mixin-deepCVE-2022-22912 Prototype pollution in Plist before 3.0.5 can cause denial of serviceCVE-2022-22912 Prototype pollution in Plist before 3.0.5 can cause denial of serviceCVE-2019-10747 nodejs-set-value: prototype pollution in function set-valueCVE-2019-10747 nodejs-set-value: prototype pollution in function set-valueCVE-2026-9277 shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminatorsCVE-2022-26260 Prototype Pollution in simple-plistYour dependencies cross-checked against the OSV vulnerability database.
GHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious codeGHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious codeGHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious codeGHSA-cpq7-6gpm-g9rc cipher-base is missing type checks, leading to hash rewind and passing on crafted dataGHSA-vjh7-7g9h-fjfh Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)GHSA-6h5x-7c5m-7cr7 Exposure of Sensitive Information in eventsourceMAL-2023-462 Malicious code in fsevents (npm)GHSA-8r6j-v8pm-fqw3 Code injection in fseventsGHSA-76p3-8jx3-jpfq Prototype pollution in webpack loader-utilsGHSA-xvch-5gv4-984h Prototype Pollution in minimistGHSA-xvch-5gv4-984h Prototype Pollution in minimistGHSA-92xj-mqp7-vmcj Prototype Pollution in node-forgeGHSA-h7cp-r72f-jxh6 pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algosGHSA-v62p-rq8g-8h59 pbkdf2 silently disregards Uint8Array input, returning static keysGHSA-95m3-7q98-8xr5 sha.js is missing type checks leading to hash rewind and passing on crafted dataGHSA-g4rg-993r-mgx7 Improper Neutralization of Special Elements used in a Command in Shell-quoteGHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op valuesGHSA-hgjh-723h-mx2j Authorization Bypass Through User-Controlled Key in url-parseGHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious codeGHSA-cpq7-6gpm-g9rc cipher-base is missing type checks, leading to hash rewind and passing on crafted dataGHSA-vjh7-7g9h-fjfh Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)GHSA-6h5x-7c5m-7cr7 Exposure of Sensitive Information in eventsourceGHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundaryMAL-2023-462 Malicious code in fsevents (npm)GHSA-8r6j-v8pm-fqw3 Code injection in fseventsCode that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.
A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.