Informational scan, not a security audit.
API keys, passwords or tokens committed into the repo.
This check didn’t finish — that’s not the same as “clean.”
Packages you depend on that have known security holes (CVEs).
GHSA-v78c-4p63-2j6c Cleartext Transmission of Sensitive Information in moment-timezone
CVE-2024-55565 nanoid: nanoid mishandles non-integer values
CVE-2026-41305 postcss: PostCSS: Cross-Site Scripting (XSS) via improper escaping of style closing tags
CVE-2026-47759 TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes
CVE-2026-47760 TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs
CVE-2026-47761 TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection
CVE-2026-47762 TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments
CVE-2024-29881 TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements
GHSA-56x4-j7p9-fcf9 Command Injection in moment-timezone
CVE-2024-9506 vue: Regular Expression Denial of Service (ReDoS)

Your dependencies cross-checked against the OSV vulnerability database.
GHSA-cpq7-6gpm-g9rc cipher-base is missing type checks, leading to hash rewind and passing on crafted data
GHSA-vjh7-7g9h-fjfh Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
GHSA-wf6x-7x77-mvgw Immutable is vulnerable to Prototype Pollution
GHSA-h7cp-r72f-jxh6 pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos
GHSA-v62p-rq8g-8h59 pbkdf2 silently disregards Uint8Array input, returning static keys
GHSA-95m3-7q98-8xr5 sha.js is missing type checks leading to hash rewind and passing on crafted data
GHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op values
GHSA-968p-4wvh-cqc8 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
GHSA-fv7c-fp4j-7gwp @babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input
GHSA-968p-4wvh-cqc8 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
GHSA-2g4f-4pwh-qvx6 ajv has ReDoS when using `$data` option
GHSA-2g4f-4pwh-qvx6 ajv has ReDoS when using `$data` option
GHSA-378v-28hj-76wf bn.js affected by an infinite loop
GHSA-378v-28hj-76wf bn.js affected by an infinite loop
GHSA-q58r-hwc8-rm9j Bootstrap Vulnerable to Cross-Site Scripting in its Popover and Tooltip Components
GHSA-vxmc-5x29-h64v Bootstrap Cross-Site Scripting (XSS) vulnerability for data-* attributes
GHSA-f886-m6hf-6m8v brace-expansion: Zero-step sequence causes process hang and memory exhaustion
GHSA-3xgq-45jj-v275 Regular Expression Denial of Service (ReDoS) in cross-spawn
GHSA-848j-6mx2-7j84 Elliptic Uses a Cryptographic Primitive with a Risky Implementation
GHSA-fc9h-whq2-v747 Valid ECDSA signatures erroneously rejected in Elliptic
GHSA-q3j6-qgpj-74h6 fast-uri vulnerable to path traversal via percent-encoded dot segments
GHSA-v39h-62p7-jpjc fast-uri vulnerable to host confusion via percent-encoded authority delimiters
GHSA-r4q5-vmmm-2653 follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets
GHSA-4www-5p9h-95mh http-proxy-middleware can call writeBody twice because "else if" is not used
GHSA-64mm-vxmg-q3vj http-proxy-middleware `router` host+path substring matching allows Host-header-driven backend routing bypass

Code that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
This check didn’t finish — that’s not the same as “clean.”
A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.
This check didn’t finish — that’s not the same as “clean.”