gitsafehub
github.com/svgdotjs/svg.js ↗

svgdotjs/svg.js

scanned 2026-06-30 · git a73d82c
1 of 6 checks flagged a security issue
🔴 Needs attention
Only 4 of 6 checks finished — treat this as provisional. Re-check ↻

Informational scan, not a security audit. How this is computed.

Leaked secretsVulnerable dependenciesKnown OSS vulnerabilities129Risky code patternsMalicious dependenciesProject health

Security checks

Leaked secrets — Gitleaks none found ✓

API keys, passwords or tokens committed into the repo.

Nothing found by this check. ✓

via Gitleaks v8.21.2 · MIT

Vulnerable dependencies — Trivy none found ✓

Packages you depend on that have known security holes (CVEs).

Nothing found by this check. ✓

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 129 found · 23 serious

Your dependencies cross-checked against the OSV vulnerability database.

  • Serious GHSA-5rq4-664w-9x2c Basic FTP has Path Traversal Vulnerability in its downloadToDir() method
    /workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
    A package you depend on has a known security hole (CVE-2026-27699). Fix: Update that package to its patched version.
  • Serious GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary
    /workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
    A package you depend on has a known security hole (CVE-2025-7783). Fix: Update that package to its patched version.
  • Serious GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary
    /workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
    A package you depend on has a known security hole (CVE-2025-7783). Fix: Update that package to its patched version.
  • Serious GHSA-248r-7h7q-cr24 vm2 Has a Sandbox Breakout Using Async Generator
    /workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
    A package you depend on has a known security hole (CVE-2026-45411). Fix: Update that package to its patched version.
  • Serious GHSA-47x8-96vw-5wg6 vm2 Access to Host Object Enables Sandbox Escape
    /workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
    A package you depend on has a known security hole (CVE-2026-43997). Fix: Update that package to its patched version.
  • Serious GHSA-55hx-c926-fr95 VM2 Has a Sandbox Escape Issue via SuppressedError
    /workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
    A package you depend on has a known security hole (CVE-2026-26332). Fix: Update that package to its patched version.
  • Serious GHSA-6j2x-vhqr-qr7q vm2 sandbox escape via JSPI-backed Promise `.finally()` species bypass
    /workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
    A package you depend on has a known security hole (CVE-2026-47210). Fix: Update that package to its patched version.
  • Serious GHSA-76w7-j9cq-rx2j vm2 is Vulnerable to Sandbox Breakout Through Promise Species
    /workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
    A package you depend on has a known security hole (CVE-2026-47208). Fix: Update that package to its patched version.
  • Serious GHSA-8hg8-63c5-gwmx vm2 NodeVM `nesting: true` bypasses `require: false` allowing sandbox escape and arbitrary OS command execution
    /workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44007). Fix: Update that package to its patched version.
  • Serious GHSA-99p7-6v5w-7xg8 vm2 has a Sandbox Escape
    /workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
    A package you depend on has a known security hole (CVE-2026-22709). Fix: Update that package to its patched version.
  • Serious GHSA-9qj6-qjgg-37qq vm2 has sandbox breakout via `neutralizeArraySpeciesBatch`
    /workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44008). Fix: Update that package to its patched version.
  • Serious GHSA-9vg3-4rfj-wgcm vm2 has Sandbox Breakout Through Null Proto Exception
    /workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44009). Fix: Update that package to its patched version.
  • Serious GHSA-cchq-frgv-rjh5 vm2 Sandbox Escape vulnerability
    /workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
    A package you depend on has a known security hole (CVE-2023-37466). Fix: Update that package to its patched version.
  • Serious GHSA-ffh4-j6h5-pg66 VM2 Has a WASM Sandbox Escape
    /workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
    A package you depend on has a known security hole (CVE-2026-26956). Fix: Update that package to its patched version.
  • Serious GHSA-g644-9gfx-q4q4 vm2 Sandbox Escape vulnerability
    /workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
    A package you depend on has a known security hole (CVE-2023-37903). Fix: Update that package to its patched version.
  • Serious GHSA-grj5-jjm8-h35p VM2 Sandbox Breakout Through __lookupGetter__
    /workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
    A package you depend on has a known security hole (CVE-2026-24118). Fix: Update that package to its patched version.
  • Serious GHSA-m4wx-m65x-ghrr vm2 has a CVE-2023-37903 patch bypass: nesting:true without explicit require still allows full RCE
    /workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
    A package you depend on has a known security hole (CVE-2026-47137). Fix: Update that package to its patched version.
  • Serious GHSA-qcp4-v2jj-fjx8 vm2 has a Sandbox Escape Vulnerability
    /workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44006). Fix: Update that package to its patched version.
  • Serious GHSA-qvjj-29qf-hp7p VM2 Has Sandbox Breakout Through Promise Species
    /workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
    A package you depend on has a known security hole (CVE-2026-24120). Fix: Update that package to its patched version.
  • Serious GHSA-rp36-8xq3-r6c4 NodeVM builtin denylist bypass via process and inspector/promises allows host code execution
    /workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
    A package you depend on has a known security hole (CVE-2026-47140). Fix: Update that package to its patched version.
  • Serious GHSA-v37h-5mfm-c47c VM2 Has Sandbox Breakout Through Inspect Function
    /workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
    A package you depend on has a known security hole (CVE-2026-24781). Fix: Update that package to its patched version.
  • Serious GHSA-v6mx-mf47-r5wg vm2 has a Sandbox Escape issue
    /workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
    A package you depend on has a known security hole (CVE-2026-47131). Fix: Update that package to its patched version.
  • Serious GHSA-vwrp-x96c-mhwq vm2: Mutable Proxies for Host Intrinsic Prototypes Allows Sandbox Escape
    /workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44005). Fix: Update that package to its patched version.
  • Worth fixing GHSA-968p-4wvh-cqc8 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
    /workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
    A package you depend on has a known security hole (CVE-2025-27789). Fix: Update that package to its patched version.
  • Worth fixing GHSA-fv7c-fp4j-7gwp @babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input
    /workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44728). Fix: Update that package to its patched version.
… 104 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog timed out

Packages that look intentionally malicious — typosquats, sneaky install scripts.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via Guarddog v2.10.0 · Apache-2.0

error: npm:timeout

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard didn’t run

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via OpenSSF Scorecard · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.