Informational scan, not a security audit.
API keys, passwords or tokens committed into the repo.
Nothing found by this check. ✓
Packages you depend on that have known security holes (CVEs).
- CVE-2025-7783 form-data: Unsafe random function in form-data
- CVE-2020-15366 nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function
- CVE-2025-69873 ajv: ReDoS via $data reference
- CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes
- CVE-2026-12143 form-data is a library for creating readable multipart/form-data strea ...
- CVE-2022-29167 hawk: ReDoS in hawk.utils.parseHost() when parsing Host header
- CVE-2025-15284 qs: Denial of Service via improper input validation in array parsing
- CVE-2022-25883 nodejs-semver: Regular expression denial of service
- CVE-2022-0355 simple-get: exposure of sensitive information to an unauthorized actor
- CVE-2021-32804 nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite
- CVE-2021-37713 nodejs-tar: Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization
- CVE-2026-23745 node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives
- CVE-2026-23950 node-tar: Arbitrary file overwrite via Unicode path collision race condition
- CVE-2026-24842 node-tar: Arbitrary file creation via path traversal bypass in hardlink security check
- CVE-2026-26960 node-tar: Arbitrary file read/write via malicious archive hardlink creation
- CVE-2026-29786 node-tar: hardlink path traversal via drive-relative linkpath
- CVE-2026-31802 tar: File overwrite via drive-relative symlink traversal
- CVE-2024-28863 node-tar: denial of service while parsing a tar file due to lack of folders depth validation
- CVE-2026-53655 node-tar is a full-featured Tar for Node.js. Prior to 7.5.16, tar (nod ...
- CVE-2024-12905 tar-fs: link following and path traversal via maliciously crafted tar file
- CVE-2025-48387 tar-fs: extract can write outside the specified dir with a specific tarball
- CVE-2025-59343 tar-fs: symlink validation bypass
- CVE-2023-26136 tough-cookie: prototype pollution in cookie memstore
- CVE-2018-3728 hoek: Prototype pollution in utilities function

Your dependencies cross-checked against the OSV vulnerability database.
- GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary (listed twice in the raw output)
- GHSA-957j-59c2-j692 Prototype pollution in getobject
- GHSA-896r-f27r-55mw json-schema is vulnerable to Prototype Pollution
- GHSA-jf85-cpcp-j695 Prototype Pollution in lodash (listed three times in the raw output)
- GHSA-xvch-5gv4-984h Prototype Pollution in minimist (listed three times in the raw output)
- GHSA-cf4h-3jhx-xvhq Arbitrary Code Execution in underscore
- PYSEC-2026-215 Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing. In versions prior
- GHSA-2g4f-4pwh-qvx6 ajv has ReDoS when using `$data` option (listed twice in the raw output)
- GHSA-v88g-cgmw-v5xw Prototype Pollution in Ajv (listed twice in the raw output)
- GHSA-93q8-gq69-wqmw Inefficient Regular Expression Complexity in chalk/ansi-regex
- GHSA-fwr7-v2mv-hh25 Prototype Pollution in async
- GHSA-f886-m6hf-6m8v brace-expansion: Zero-step sequence causes process hang and memory exhaustion
- GHSA-hmw2-7cc7-3qxx form-data: CRLF injection in form-data via unescaped multipart field names and filenames (listed twice in the raw output)
- GHSA-j383-35pm-c5h4 Path Traversal in Grunt
- GHSA-m5pj-vjjf-4m3h Arbitrary Code Execution in grunt
- GHSA-rm36-94g8-835r Race Condition in Grunt
- GHSA-44pw-h2cw-w3vq Uncontrolled Resource Consumption in Hawk

Code that can be exploited: injection, hardcoded credentials and similar.
Nothing found by this check. ✓
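The OSV cross-check above reports the same advisory more than once (GHSA-jf85-cpcp-j695 three times, for instance) because one package version is reached along several dependency paths. The following is an added example, not the scanner's code, of how such a cross-check is assembled and how those repeats are folded into one finding per advisory. The request shape is OSV's documented /v1/querybatch format; the package pins, dependency paths and the response are constructed sample data, and which versions the advisories affect is illustrative, not looked up.

```python
import json
import urllib.request
from collections import defaultdict

# Real OSV endpoint; not contacted by the sample run below, which uses a
# constructed response instead.
OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch"

# Constructed sample input, not the scanned project's lockfile: one record per
# dependency path, so a package pinned once can appear under several parents.
SAMPLE_PINS = [
    {"ecosystem": "npm", "name": "lodash", "version": "4.17.11", "path": "grunt>lodash"},
    {"ecosystem": "npm", "name": "lodash", "version": "4.17.11", "path": "grunt-legacy-util>lodash"},
    {"ecosystem": "npm", "name": "lodash", "version": "4.17.11", "path": "grunt-contrib-copy>lodash"},
    {"ecosystem": "npm", "name": "minimist", "version": "0.0.8", "path": "mkdirp>minimist"},
    {"ecosystem": "npm", "name": "form-data", "version": "2.3.3", "path": "request>form-data"},
]

# Constructed sample response in the querybatch shape: results[i] answers
# queries[i], and each vuln carries only id and modified (details come from
# GET /v1/vulns/{id}). The ids are the ones reported on this page; the
# version mapping is illustrative.
SAMPLE_RESPONSE = {
    "results": [
        {"vulns": [{"id": "GHSA-jf85-cpcp-j695", "modified": "2024-01-01T00:00:00Z"}]},
        {"vulns": [{"id": "GHSA-xvch-5gv4-984h", "modified": "2024-01-01T00:00:00Z"}]},
        {"vulns": [
            {"id": "GHSA-fjxv-7rqg-78g4", "modified": "2025-01-01T00:00:00Z"},
            {"id": "GHSA-hmw2-7cc7-3qxx", "modified": "2026-01-01T00:00:00Z"},
        ]},
    ]
}


def pin_key(pin):
    return (pin["ecosystem"], pin["name"], pin["version"])


def build_querybatch(pins):
    """One OSV query per distinct (ecosystem, name, version). Returns the JSON
    payload and the parallel key list needed to join results back to paths."""
    keys, queries = [], []
    for pin in pins:
        key = pin_key(pin)
        if key in keys:
            continue
        keys.append(key)
        queries.append({"package": {"ecosystem": key[0], "name": key[1]}, "version": key[2]})
    return {"queries": queries}, keys


def post_querybatch(payload):
    """Submit the payload to OSV and return the parsed response (needs network)."""
    req = urllib.request.Request(
        OSV_QUERYBATCH_URL,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def dedupe_findings(pins, keys, response):
    """Group results by advisory id. Each advisory lists every affected package
    version and all dependency paths pulling it in, so one bug appears once."""
    paths = defaultdict(list)
    for pin in pins:
        paths[pin_key(pin)].append(pin["path"])
    findings = defaultdict(list)
    for key, result in zip(keys, response["results"]):
        for vuln in result.get("vulns", []):
            findings[vuln["id"]].append(
                {"package": key[1], "version": key[2], "paths": paths[key]}
            )
    return dict(findings)


if __name__ == "__main__":
    payload, keys = build_querybatch(SAMPLE_PINS)
    # Replace SAMPLE_RESPONSE with post_querybatch(payload) to query the live service.
    for advisory, hits in dedupe_findings(SAMPLE_PINS, keys, SAMPLE_RESPONSE).items():
        for hit in hits:
            print(advisory, hit["package"], hit["version"], "via", ", ".join(hit["paths"]))
```

Five pins collapse to three queries, and the three lodash paths come back as a single GHSA-jf85-cpcp-j695 finding with all paths attached, which is the view you want when deciding whether one upgrade closes every path.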
Packages that look intentionally malicious — typosquats, sneaky install scripts.
This check did not finish. An unfinished check is not the same as a clean result.
Maintenance & supply-chain hygiene. A signal about how the project is maintained, not a vulnerability in your code; it does not change the verdict above.
OpenSSF Scorecard overall: 4.2/10. Only the checks that scored 0 are listed here; the overall score includes checks not shown.
- CI-Tests: 0 (0 out of 21 merged PRs checked by a CI test)
- CII-Best-Practices: 0 (no effort to earn an OpenSSF best practices badge detected)
- Fuzzing: 0 (project is not fuzzed)
- Maintained: 0 (0 commits and 0 issue activity found in the last 90 days)
- Pinned-Dependencies: 0 (dependency not pinned by hash detected)
- SAST: 0 (SAST tool is not run on all commits)
- Security-Policy: 0 (security policy file not detected)
- Signed-Releases: 0 (project has not signed or included provenance with any releases)
- Token-Permissions: 0 (detected GitHub workflow tokens with excessive permissions)
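The Pinned-Dependencies and Token-Permissions results above are what Scorecard reports when a workflow references actions by tag and leaves GITHUB_TOKEN at the repository default. The checker below is an added example (not Scorecard's code and not the scanned project's workflow) that reproduces the two checks on a constructed weak workflow and its hardened form. The all-zero SHAs are placeholders, not real commits, and the checker looks only at `uses:` lines and the workflow-level `permissions` block, a subset of what Scorecard inspects.

```python
import re

# A full 40-hex commit SHA is the only ref Scorecard's Pinned-Dependencies
# check treats as pinned; tags and branches can be moved.
SHA_PIN = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")

# Constructed sample (not the scanned project's workflow): tags instead of
# hashes, and no permissions block, so GITHUB_TOKEN falls back to the
# repository default.
WEAK_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: npm ci && npm test
"""

# Hardened form. The all-zero SHAs are placeholders, not real commits: replace
# each with the commit the audited tag resolves to and keep the tag as a comment.
HARDENED_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # v4, placeholder SHA
      - uses: actions/setup-node@0000000000000000000000000000000000000000  # v4, placeholder SHA
      - run: npm ci && npm test
"""


def unpinned_actions(workflow):
    """Return every `uses:` reference not pinned to a full commit SHA.
    Local actions (./path) and docker:// images carry no git ref and are skipped."""
    findings = []
    for line in workflow.splitlines():
        m = USES_LINE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://") or "@" not in ref:
            continue
        _, _, version = ref.rpartition("@")
        if not SHA_PIN.match(version):
            findings.append(ref)
    return findings


def top_level_permissions(workflow):
    """Return the workflow-level `permissions` value: a dict of scope -> level,
    an inline string such as read-all or write-all, or None if absent.
    Only a column-0 key counts; job-level blocks are indented and ignored here."""
    lines = workflow.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^permissions:\s*(.*?)\s*$", line)
        if not m:
            continue
        if m.group(1):
            return m.group(1)
        block = {}
        for nxt in lines[i + 1:]:
            if not nxt.startswith((" ", "\t")) or not nxt.strip():
                break
            scope, _, level = nxt.strip().partition(":")
            block[scope.strip()] = level.strip()
        return block
    return None


def token_findings(workflow):
    """Flag a missing top-level permissions block or any write grant in it."""
    perms = top_level_permissions(workflow)
    if perms is None:
        return ["no top-level permissions block; GITHUB_TOKEN uses the repository default, which may be read-write"]
    if perms == "write-all":
        return ["top-level permissions: write-all"]
    if isinstance(perms, dict):
        return [f"top-level permissions grants {scope}: write" for scope, level in perms.items() if level == "write"]
    return []


def audit_workflow(workflow):
    """Both checks as one list of findings; an empty list means the workflow passes."""
    return [f"unpinned action: {ref}" for ref in unpinned_actions(workflow)] + token_findings(workflow)


if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit_workflow(wf) or "no findings")
```

Pinning by hash only stops a moved tag from changing what runs; it does not verify that the commit you pinned is the one you reviewed, so record the tag beside the SHA and re-check it when you bump. A `permissions: {}` block or `read-all` at the top level passes this checker, and jobs that genuinely need write access should request it at job level rather than workflow-wide.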