Informational scan, not a security audit. How this is computed.
API keys, passwords or tokens committed into the repo.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.
Packages you depend on that have known security holes (CVEs).
CVE-2023-45133 babel: arbitrary code executionCVE-2023-45133 babel: arbitrary code executionCVE-2023-45133 babel: arbitrary code executionCVE-2023-45133 babel: arbitrary code executionCVE-2023-45133 babel: arbitrary code executionCVE-2023-45133 babel: arbitrary code executionCVE-2025-9287 cipher-base: Cipher-base hash manipulationCVE-2022-29078 ejs: server-side template injection in outputFunctionNameCVE-2022-29078 ejs: server-side template injection in outputFunctionNameGHSA-vjh7-7g9h-fjfh Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)CVE-2022-1650 eventsource: Exposure of Sensitive InformationCVE-2025-7783 form-data: Unsafe random function in form-dataCVE-2025-7783 form-data: Unsafe random function in form-dataCVE-2026-33937 handlebars.js: Handlebars: Remote Code Execution via crafted Abstract Syntax Tree object in compile()CVE-2026-33937 handlebars.js: Handlebars: Remote Code Execution via crafted Abstract Syntax Tree object in compile()CVE-2021-23436 immer: type confusion vulnerability can lead to a bypass of CVE-2020-28477CVE-2021-3918 nodejs-json-schema: Prototype pollution vulnerabilityCVE-2022-37601 loader-utils: prototype pollution in function parseQuery in parseQuery.jsCVE-2022-37601 loader-utils: prototype pollution in function parseQuery in parseQuery.jsCVE-2022-37601 loader-utils: prototype pollution in function parseQuery in parseQuery.jsCVE-2025-29927 nextjs: Authorization Bypass in Next.js MiddlewareCVE-2025-6545 pbkdf2: pbkdf2 silently returns predictable key materialCVE-2025-6547 pbkdf2: pbkdf2 silently returns static keysCVE-2025-9288 sha.js: Missing type checks leading to hash rewind and passing on crafted dataCVE-2021-42740 The shell-quote package before 1.7.3 for Node.js allows command inject ...Your dependencies cross-checked against the OSV vulnerability database.
GHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious codeGHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious codeGHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious codeGHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious codeGHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious codeGHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious codeGHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious codeGHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious codeGHSA-cpq7-6gpm-g9rc cipher-base is missing type checks, leading to hash rewind and passing on crafted dataGHSA-phwq-j96m-2c2q ejs template injection vulnerabilityGHSA-phwq-j96m-2c2q ejs template injection vulnerabilityGHSA-vjh7-7g9h-fjfh Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)GHSA-6h5x-7c5m-7cr7 Exposure of Sensitive Information in eventsourceGHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundaryGHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundaryGHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundaryGHSA-2w6w-674q-4c4q Handlebars.js has JavaScript Injection via AST Type ConfusionGHSA-2w6w-674q-4c4q Handlebars.js has JavaScript Injection via AST Type ConfusionGHSA-33f9-j839-rf8h Prototype Pollution in immerGHSA-896r-f27r-55mw json-schema is vulnerable to Prototype PollutionGHSA-76p3-8jx3-jpfq Prototype pollution in webpack loader-utilsGHSA-76p3-8jx3-jpfq Prototype pollution in webpack loader-utilsGHSA-76p3-8jx3-jpfq Prototype pollution in webpack loader-utilsGHSA-f82v-jwr5-mffw Authorization Bypass in Next.js MiddlewareGHSA-h7cp-r72f-jxh6 pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algosCode that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.
A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.