gitsafehub
github.com/uxsolutions/bootstrap-datepicker

uxsolutions/bootstrap-datepicker

scanned 2026-06-27 · git 722dc29
2 of 6 checks flagged a security issue
🔴 Needs attention
Only 5 of 6 checks finished — treat this as provisional.

Informational scan, not a security audit.

Summary
  • Leaked secrets: none found
  • Vulnerable dependencies: 24
  • Known OSS vulnerabilities: 95
  • Risky code patterns: none found
  • Malicious dependencies: did not run
  • Project health: 10 notes

Security checks

Leaked secrets — Gitleaks none found ✓

API keys, passwords or tokens committed into the repo.

Nothing found by this check. ✓

via Gitleaks v8.21.2 · MIT

Vulnerable dependencies — Trivy 24 found · 1 serious

Packages you depend on that have known security holes (CVEs). Every hit below is located in yarn.lock, which pins the project's build and test tooling as well as anything it ships, so before treating a hit as exposure for users of the plugin, check whether the package is reachable from dependencies or only from devDependencies in package.json.

  • Serious CVE-2025-7783 form-data: Unsafe random function in form-data
    yarn.lock
    A package you depend on has a known security hole (CVE-2025-7783). Fix: Update that package to its patched version.
  • Worth fixing CVE-2020-15366 nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function
    yarn.lock
    A package you depend on has a known security hole (CVE-2020-15366). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-69873 ajv: ReDoS via $data reference
    yarn.lock
    A package you depend on has a known security hole (CVE-2025-69873). Fix: Update that package to its patched version.
  • Worth fixing CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes
    yarn.lock
    A package you depend on has a known security hole (CVE-2021-3807). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-12143 form-data is a library for creating readable multipart/form-data strea ...
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-12143). Fix: Update that package to its patched version.
  • Worth fixing CVE-2022-29167 hawk: REDoS in hawk.utils.parseHost() when parsing Host header
    yarn.lock
    A package you depend on has a known security hole (CVE-2022-29167). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-15284 qs: Denial of Service via improper input validation in array parsing
    yarn.lock
    A package you depend on has a known security hole (CVE-2025-15284). Fix: Update that package to its patched version.
  • Worth fixing CVE-2022-25883 nodejs-semver: Regular expression denial of service
    yarn.lock
    A package you depend on has a known security hole (CVE-2022-25883). Fix: Update that package to its patched version.
  • Worth fixing CVE-2022-0355 simple-get: exposure of sensitive information to an unauthorized actor
    yarn.lock
    A package you depend on has a known security hole (CVE-2022-0355). Fix: Update that package to its patched version.
  • Worth fixing CVE-2021-32804 nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite
    yarn.lock
    A package you depend on has a known security hole (CVE-2021-32804). Fix: Update that package to its patched version.
  • Worth fixing CVE-2021-37713 nodejs-tar: Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization
    yarn.lock
    A package you depend on has a known security hole (CVE-2021-37713). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-23745 node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-23745). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-23950 node-tar: Arbitrary file overwrite via Unicode path collision race condition
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-23950). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-24842 node-tar: Arbitrary file creation via path traversal bypass in hardlink security check
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-24842). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-26960 node-tar: Arbitrary file read/write via malicious archive hardlink creation
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-26960). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-29786 node-tar: hardlink path traversal via drive-relative linkpath
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-29786). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-31802 tar: File overwrite via drive-relative symlink traversal
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-31802). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-28863 node-tar: denial of service while parsing a tar file due to lack of folders depth validation
    yarn.lock
    A package you depend on has a known security hole (CVE-2024-28863). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-53655 node-tar is a full-featured Tar for Node.js. Prior to 7.5.16, tar (nod ...
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-53655). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-12905 tar-fs: link following and path traversal via maliciously crafted tar file
    yarn.lock
    A package you depend on has a known security hole (CVE-2024-12905). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-48387 tar-fs: extract can write outside the specified directory when given a crafted tarball
    yarn.lock
    A package you depend on has a known security hole (CVE-2025-48387). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-59343 tar-fs: symlink validation bypass
    yarn.lock
    A package you depend on has a known security hole (CVE-2025-59343). Fix: Update that package to its patched version.
  • Worth fixing CVE-2023-26136 tough-cookie: prototype pollution in cookie memstore
    yarn.lock
    A package you depend on has a known security hole (CVE-2023-26136). Fix: Update that package to its patched version.
  • Minor CVE-2018-3728 hoek: Prototype pollution in utilities function
    yarn.lock
    A package you depend on has a known security hole (CVE-2018-3728). Fix: Update that package to its patched version.

via Trivy v0.70.0 · Apache-2.0
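Every Trivy hit above sits in yarn.lock, so the first triage question is whether the flagged package is reachable from the plugin's runtime dependencies or only from its build tooling. The script below is an added example, not part of this report or of bootstrap-datepicker: it parses a yarn v1 lockfile, walks the dependency graph from package.json, and labels each flagged package runtime, dev-only or unreachable, together with the path that pulls it in. The package.json and yarn.lock it reads are constructed and simplified for illustration, not the project's real manifests; only the flagged package names are taken from the list above.

```python
"""Classify packages flagged in yarn.lock as runtime or dev-only (added example)."""
from collections import deque


def parse_yarn_lock(text):
    """Parse a yarn v1 lockfile into {(name, range): {"version": str, "deps": {name: range}}}.

    Each block starts with one or more 'name@range' keys (possibly quoted, comma-separated)
    followed by indented fields; only 'version' and the dependency maps are kept.
    """
    entries, block = {}, []
    for line in text.splitlines() + [""]:      # trailing "" flushes the last block
        if not line.strip():
            if block:
                _parse_block(block, entries)
                block = []
        elif not line.startswith("#"):
            block.append(line)
    return entries


def _split_key(key):
    # "form-data@~2.3.1" -> ("form-data", "~2.3.1"); "@scope/pkg@^1.0.0" -> ("@scope/pkg", "^1.0.0")
    name, _, rng = key.rpartition("@")
    return name, rng


def _parse_block(lines, entries):
    keys = [k.strip().strip('"') for k in lines[0].rstrip(":").split(",")]
    version, deps, in_deps = None, {}, False
    for line in lines[1:]:
        field = line.strip()
        if in_deps and line.startswith("    "):          # 4-space indent: one dependency row
            dep_name, _, dep_range = field.partition(" ")
            deps[dep_name.strip('"')] = dep_range.strip('"')
        elif field.startswith("version "):
            version, in_deps = field.split(" ", 1)[1].strip('"'), False
        else:                                            # resolved/integrity/etc. end a deps map
            in_deps = field in ("dependencies:", "optionalDependencies:")
    for key in keys:
        entries[_split_key(key)] = {"version": version, "deps": deps}


def reachable_from(entries, roots):
    """Breadth-first walk from {name: range} roots; return {name: [path of names]} for every package reached.

    The first path found per name is enough to decide reachability, so later versions of a
    name are not revisited.
    """
    seen, queue = {}, deque(((name, rng), [name]) for name, rng in roots.items())
    while queue:
        key, path = queue.popleft()
        entry = entries.get(key)
        if entry is None or key[0] in seen:      # absent from the lock (e.g. peer dep) or already visited
            continue
        seen[key[0]] = path
        for dep_name, dep_range in entry["deps"].items():
            queue.append(((dep_name, dep_range), path + [dep_name]))
    return seen


def classify(flagged, package_json, lock_text):
    """Map each flagged package name to (verdict, path) using the manifest's two dependency sections."""
    entries = parse_yarn_lock(lock_text)
    runtime = reachable_from(entries, package_json.get("dependencies", {}))
    dev = reachable_from(entries, package_json.get("devDependencies", {}))
    verdicts = {}
    for pkg in flagged:
        if pkg in runtime:
            verdicts[pkg] = ("runtime", runtime[pkg])
        elif pkg in dev:
            verdicts[pkg] = ("dev-only", dev[pkg])
        else:
            verdicts[pkg] = ("unreachable", [])
    return verdicts


# Constructed, simplified manifests for illustration; not bootstrap-datepicker's real files.
PACKAGE_JSON = {
    "dependencies": {"jquery": "^3.7.1"},
    "devDependencies": {"request": "^2.87.0"},
}

YARN_LOCK = """\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


asynckit@^0.4.0:
  version "0.4.0"
  resolved "https://registry.yarnpkg.com/asynckit/-/asynckit-0.4.0.tgz"

form-data@~2.3.1:
  version "2.3.3"
  resolved "https://registry.yarnpkg.com/form-data/-/form-data-2.3.3.tgz"
  dependencies:
    asynckit "^0.4.0"

hawk@~6.0.2:
  version "6.0.2"
  dependencies:
    hoek "4.x.x"

hoek@4.x.x:
  version "4.2.1"

jquery@^3.7.1:
  version "3.7.1"

request@^2.87.0:
  version "2.87.0"
  dependencies:
    form-data "~2.3.1"
    hawk "~6.0.2"
    tough-cookie "~2.3.3"

tough-cookie@~2.3.3:
  version "2.3.4"
"""

# Package names from the Trivy list above; the verdicts depend on the constructed manifests.
FLAGGED = ["form-data", "hawk", "hoek", "tough-cookie"]

if __name__ == "__main__":
    for pkg, (verdict, path) in classify(FLAGGED, PACKAGE_JSON, YARN_LOCK).items():
        print(f"{pkg:14} {verdict:12} {' > '.join(path)}")
```

Against a real checkout, load package.json with `json.load` and pass the text of yarn.lock; `yarn why <package>` answers the same question for a single package. A dev-only verdict does not make a CVE irrelevant (the build machine still runs that code), but it does change who is exposed and how urgent the upgrade is.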

Known OSS vulnerabilities — OSV-Scanner 95 found · 11 serious

Your dependencies cross-checked against the OSV vulnerability database. Expect overlap with the Trivy list above: the same advisory appears here under its GHSA identifier (the matching CVE is given on each row), and several rows are repeated verbatim, so the raw count of 95 overstates the number of distinct issues.

  • Serious GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary
    yarn.lock (listed twice)
    A package you depend on has a known security hole (CVE-2025-7783). Fix: Update that package to its patched version.
  • Serious GHSA-957j-59c2-j692 Prototype pollution in getobject
    yarn.lock
    A package you depend on has a known security hole (CVE-2020-28282). Fix: Update that package to its patched version.
  • Serious GHSA-896r-f27r-55mw json-schema is vulnerable to Prototype Pollution
    yarn.lock
    A package you depend on has a known security hole (CVE-2021-3918). Fix: Update that package to its patched version.
  • Serious GHSA-jf85-cpcp-j695 Prototype Pollution in lodash
    yarn.lock (listed three times)
    A package you depend on has a known security hole (CVE-2019-10744). Fix: Update that package to its patched version.
  • Serious GHSA-xvch-5gv4-984h Prototype Pollution in minimist
    yarn.lock (listed three times)
    A package you depend on has a known security hole (CVE-2021-44906). Fix: Update that package to its patched version.
  • Serious GHSA-cf4h-3jhx-xvhq Arbitrary Code Execution in underscore
    yarn.lock
    A package you depend on has a known security hole (CVE-2021-23358). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2026-215 Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing. In versions prior
    docs/requirements.txt
    A package you depend on has a known security hole (CVE-2026-45409). Fix: Update that package to its patched version.
  • Worth fixing GHSA-2g4f-4pwh-qvx6 ajv has ReDoS when using `$data` option
    yarn.lock (listed twice)
    A package you depend on has a known security hole (CVE-2025-69873). Fix: Update that package to its patched version.
  • Worth fixing GHSA-v88g-cgmw-v5xw Prototype Pollution in Ajv
    yarn.lock (listed twice)
    A package you depend on has a known security hole (CVE-2020-15366). Fix: Update that package to its patched version.
  • Worth fixing GHSA-93q8-gq69-wqmw Inefficient Regular Expression Complexity in chalk/ansi-regex
    yarn.lock
    A package you depend on has a known security hole (CVE-2021-3807). Fix: Update that package to its patched version.
  • Worth fixing GHSA-fwr7-v2mv-hh25 Prototype Pollution in async
    yarn.lock
    A package you depend on has a known security hole (CVE-2021-43138). Fix: Update that package to its patched version.
  • Worth fixing GHSA-f886-m6hf-6m8v brace-expansion: Zero-step sequence causes process hang and memory exhaustion
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-33750). Fix: Update that package to its patched version.
  • Worth fixing GHSA-hmw2-7cc7-3qxx form-data: CRLF injection in form-data via unescaped multipart field names and filenames
    yarn.lock (listed twice)
    A package you depend on has a known security hole (CVE-2026-12143). Fix: Update that package to its patched version.
  • Worth fixing GHSA-j383-35pm-c5h4 Path Traversal in Grunt
    yarn.lock
    A package you depend on has a known security hole (CVE-2022-0436). Fix: Update that package to its patched version.
  • Worth fixing GHSA-m5pj-vjjf-4m3h Arbitrary Code Execution in grunt
    yarn.lock
    A package you depend on has a known security hole (CVE-2020-7729). Fix: Update that package to its patched version.
  • Worth fixing GHSA-rm36-94g8-835r Race Condition in Grunt
    yarn.lock
    A package you depend on has a known security hole (CVE-2022-1537). Fix: Update that package to its patched version.
  • Worth fixing GHSA-44pw-h2cw-w3vq Uncontrolled Resource Consumption in Hawk
    yarn.lock
    A package you depend on has a known security hole (CVE-2022-29167). Fix: Update that package to its patched version.
… 70 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0
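The two dependency checks overlap: Trivy keys its rows by CVE, OSV-Scanner by GHSA (or PYSEC) identifier, the same advisory shows up under both, and a row is repeated when a package matches more than once. The function below is an added example, not part of this report or of either scanner: it folds both lists into one set keyed by package and canonical CVE, keeps the highest severity seen, and records which tools and identifiers contributed, so the headline count reflects distinct issues. The sample rows are constructed from identifiers visible on this page, and the GHSA-to-CVE aliases are the ones the rows above state.

```python
"""Fold Trivy and OSV-Scanner rows into one deduplicated finding set (added example)."""

# Severity labels as this report prints them, weakest first.
SEVERITY_ORDER = ["Minor", "Worth fixing", "Serious"]


def canonical_id(finding):
    """Prefer a CVE over GHSA/PYSEC so rows from both scanners key to the same advisory."""
    ids = [finding["id"], *finding.get("aliases", [])]
    cves = sorted(i for i in ids if i.startswith("CVE-"))
    return cves[0] if cves else finding["id"]


def merge_findings(*reports):
    """reports: (tool_name, [finding, ...]) pairs; a finding has id, package, severity and optional aliases.

    Returns {(package, canonical_id): {"severity", "tools", "ids", "rows"}} where rows counts
    how many raw scanner rows collapsed into the entry.
    """
    merged = {}
    for tool, findings in reports:
        for f in findings:
            key = (f["package"], canonical_id(f))
            entry = merged.setdefault(key, {"severity": "Minor", "tools": set(), "ids": set(), "rows": 0})
            entry["tools"].add(tool)
            entry["ids"].update([f["id"], *f.get("aliases", [])])
            entry["rows"] += 1
            if SEVERITY_ORDER.index(f["severity"]) > SEVERITY_ORDER.index(entry["severity"]):
                entry["severity"] = f["severity"]          # keep the worst rating any tool gave
    return merged


def summarize(merged):
    """Return (distinct_findings, raw_rows, serious_count) for a headline that does not double count."""
    return (len(merged),
            sum(e["rows"] for e in merged.values()),
            sum(1 for e in merged.values() if e["severity"] == "Serious"))


# Constructed sample rows using identifiers from this report; OSV repeats a row for each match it finds.
TRIVY = [
    {"id": "CVE-2025-7783", "package": "form-data", "severity": "Serious"},
    {"id": "CVE-2020-15366", "package": "ajv", "severity": "Worth fixing"},
    {"id": "CVE-2018-3728", "package": "hoek", "severity": "Minor"},
]
OSV = [
    {"id": "GHSA-fjxv-7rqg-78g4", "aliases": ["CVE-2025-7783"], "package": "form-data", "severity": "Serious"},
    {"id": "GHSA-fjxv-7rqg-78g4", "aliases": ["CVE-2025-7783"], "package": "form-data", "severity": "Serious"},
    {"id": "GHSA-v88g-cgmw-v5xw", "aliases": ["CVE-2020-15366"], "package": "ajv", "severity": "Worth fixing"},
    {"id": "GHSA-v88g-cgmw-v5xw", "aliases": ["CVE-2020-15366"], "package": "ajv", "severity": "Worth fixing"},
    {"id": "GHSA-957j-59c2-j692", "aliases": ["CVE-2020-28282"], "package": "getobject", "severity": "Serious"},
]

if __name__ == "__main__":
    merged = merge_findings(("Trivy", TRIVY), ("OSV-Scanner", OSV))
    for (pkg, cve), e in sorted(merged.items()):
        print(f"{e['severity']:13} {pkg:10} {cve:15} rows={e['rows']} tools={sorted(e['tools'])}")
    print("distinct=%d raw=%d serious=%d" % summarize(merged))
```

Eight raw rows collapse to four distinct findings here. In practice feed it the JSON output of both tools (Trivy's `--format json`, OSV-Scanner's `--format json`), mapping each tool's field names onto id, aliases, package and severity; the aliases list is what makes the cross-tool match work, so keep it when you flatten the reports.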

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog couldn’t run

Packages that look intentionally malicious — typosquats, sneaky install scripts.

This check didn’t finish, which is not the same as “clean.” The traceback below shows Guarddog failing at import time, before it examined the repository, so the malicious-dependency question is simply unanswered here.

via Guarddog v2.10.0 · Apache-2.0

error: npm:Traceback (most recent call last): File "/usr/local/bin/guarddog", line 5, in <module> from guarddog.cli import cl

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard 10 notes

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

  • Minor scorecard-overall OpenSSF Scorecard overall: 4.2/10
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-CI-Tests CI-Tests scored 0: 0 out of 21 merged PRs checked by a CI test -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Maintained Maintained scored 0: 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Pinned-Dependencies Pinned-Dependencies scored 0: dependency not pinned by hash detected -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-SAST SAST scored 0: SAST tool is not run on all commits -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Security-Policy Security-Policy scored 0: security policy file not detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Signed-Releases Signed-Releases scored 0: Project has not signed or included provenance with any releases.
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Token-Permissions Token-Permissions scored 0: detected GitHub workflow tokens with excessive permissions
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.

via OpenSSF Scorecard v5.5.0 · Apache-2.0
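Two of the Scorecard notes above, Token-Permissions and Pinned-Dependencies, concern the repository's GitHub Actions workflows and are cheap to fix: declare a read-only `permissions:` block at the top of each workflow and pin every third-party action to a full commit SHA instead of a mutable tag. The script below is an added example, not part of this report, of Scorecard or of the project: it runs those two checks over workflow text with plain regular expressions (no YAML library) and is shown against a constructed weak workflow and its corrected form. The commit hashes in the corrected workflow are placeholders, not real commits, and `actions/checkout` and `actions/setup-node` are named only as familiar examples.

```python
"""Flag missing workflow-level permissions and unpinned actions in GitHub Actions YAML (added example)."""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)""")
TOP_PERMISSIONS_RE = re.compile(r"^permissions:", re.MULTILINE)   # column 0 = workflow level


def audit_workflow(text):
    """Return human-readable findings; an empty list means both checks pass.

    Only a workflow-level permissions block is recognised; Scorecard also accepts per-job
    blocks, which this deliberately narrow check does not look for.
    """
    findings = []
    if not TOP_PERMISSIONS_RE.search(text):
        findings.append("Token-Permissions: no workflow-level 'permissions:' block, so GITHUB_TOKEN "
                        "falls back to the repository default, which may be read/write")
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):        # local or container actions: nothing to pin here
            continue
        _, _, version = ref.rpartition("@")
        if not SHA_RE.match(version):
            findings.append(f"Pinned-Dependencies: line {lineno}: {ref} is pinned to a tag or branch, "
                            "not a commit SHA")
    return findings


# Constructed weak workflow: default token permissions, actions referenced by mutable tags.
WEAK = """\
name: ci
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci && npm test
"""

# Corrected form: least-privilege token, actions pinned to full SHAs (placeholder hashes, not real commits).
FIXED = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - uses: actions/setup-node@fedcba9876543210fedcba9876543210fedcba98 # v4 (placeholder SHA)
        with:
          node-version: 20
      - run: npm ci && npm test
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("fixed", FIXED)):
        print(label, audit_workflow(text) or ["ok"])
```

Keep the version tag as a trailing comment next to the SHA, as in the corrected form, so Dependabot or Renovate can still propose bumps. Scorecard's Pinned-Dependencies check is broader than this script: it also flags unpinned downloads and package installs inside workflow steps and Dockerfiles.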

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.