Informational scan, not a security audit.
API keys, passwords or tokens committed into the repo.
This check didn’t finish — that’s not the same as “clean.”
Packages you depend on that have known security holes (CVEs).
CVE-2026-9277 shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators
CVE-2026-28292 simple-git: simple-git: Remote Code Execution via bypass of prior security fixes
CVE-2026-47200 Nuxt's route middleware is not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`
CVE-2026-54285 OpenTelemetry Core: Unbounded memory allocation in W3C Baggage propagation
CVE-2026-41324 basic-ftp: basic-ftp: Denial of Service via unbounded memory growth from malicious directory listings
CVE-2026-44240 basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is v ...
CVE-2026-33750 brace-expansion: brace-expansion: Denial of Service via zero step value in brace pattern
CVE-2026-35209 defu: Prototype pollution via `__proto__` key in defaults argument
CVE-2026-22774 devalue: devalue: Denial of Service due to excessive resource consumption from untrusted input
CVE-2026-22775 devalue: devalue: Denial of Service due to improper input validation
CVE-2026-30226 devalue: Devalue: Denial of Service or type confusion via prototype pollution
CVE-2025-15599 DOMPurify: DOMPurify: Cross-site scripting
CVE-2025-26791 dompurify: Mutation XSS in DOMPurify Due to Improper Template Literal Handling
CVE-2026-0540 DOMPurify: DOMPurify: Cross-site scripting vulnerability
CVE-2026-41238 DOMPurify: DOMPurify: Cross-Site Scripting bypass via prototype pollution
CVE-2026-41239 DOMPurify: Vue 2: DOMPurify: Cross-site scripting due to incomplete sanitization of template expressions
CVE-2026-41240 DOMPurify: DOMPurify: Cross-Site Scripting (XSS) via inconsistent tag sanitization
CVE-2026-49458 DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks
CVE-2026-49459 DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM
CVE-2026-49978 DOMPurify IN_PLACE Sanitization Bypass via Attached Shadow Root Inside <template>.content
GHSA-39q2-94rc-95cp DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation
GHSA-76mc-f452-cxcm DOMPurify: Hook mutation of `data.allowedTags` / `data.allowedAttributes` permanently pollutes `DEFAULT_ALLOWED_TAGS` / `DEFAULT_ALLOWED_ATTR`
GHSA-cj63-jhhr-wcxv DOMPurify USE_PROFILES prototype pollution allows event handlers
GHSA-cjmm-f4jc-qw8r DOMPurify ADD_ATTR predicate skips URI validation

Your dependencies cross-checked against the OSV vulnerability database.

GHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op values
GHSA-hffm-xvc3-vprc simple-git is vulnerable to Remote Code Execution
GHSA-r275-fr43-pm7q simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE
GHSA-hg3f-28rg-4jxj Nuxt's route middleware is not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`
GHSA-8988-4f7v-96qf OpenTelemetry Core: Unbounded memory allocation in W3C Baggage propagation
GHSA-rp42-5vxx-qpwr basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list()
GHSA-rpmf-866q-6p89 basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering
GHSA-f886-m6hf-6m8v brace-expansion: Zero-step sequence causes process hang and memory exhaustion
GHSA-737v-mqg7-c878 defu: Prototype pollution via `__proto__` key in defaults argument
GHSA-cfw5-2vxh-hr84 devalue has prototype pollution in devalue.parse and devalue.unflatten
GHSA-g2pg-6438-jwpf devalue vulnerable to denial of service due to memory/CPU exhaustion in devalue.parse
GHSA-vw5p-8cq8-m7mv Devalue is vulnerable to denial of service due to memory exhaustion in devalue.parse
GHSA-39q2-94rc-95cp DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation
GHSA-76mc-f452-cxcm DOMPurify: Hook mutation of `data.allowedTags` / `data.allowedAttributes` permanently pollutes `DEFAULT_ALLOWED_TAGS` / `DEFAULT_ALLOWED_ATTR`
GHSA-cj63-jhhr-wcxv DOMPurify USE_PROFILES prototype pollution allows event handlers
GHSA-cjmm-f4jc-qw8r DOMPurify ADD_ATTR predicate skips URI validation
GHSA-cmwh-pvxp-8882 DOMPurify: Permanent `ALLOWED_ATTR` pollution via `setConfig()` bypassing the hook clone-guard (incomplete fix of the 3.4.7 hook-pollution patch)
GHSA-crv5-9vww-q3g8 DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode
GHSA-h7mw-gpvr-xq4m DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)
GHSA-h8r8-wccr-v5f2 DOMPurify is vulnerable to mutation-XSS via Re-Contextualization
GHSA-hpcv-96wg-7vj8 DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks
GHSA-r47g-fvhr-h676 DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM
GHSA-rp9w-3fw7-7cwq DOMPurify IN_PLACE Sanitization Bypass via Attached Shadow Root Inside <template>.content
GHSA-v2wj-7wpq-c8vv DOMPurify contains a Cross-site Scripting vulnerability

Code that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
This check didn’t finish — that’s not the same as “clean.”
A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.
OpenSSF Scorecard overall: 3.9/10
CI-Tests scored 0: 0 out of 1 merged PRs checked by a CI test -- score normalized to 0
CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
Code-Review scored 0: Found 1/24 approved changesets -- score normalized to 0
Contributors scored 0: project has 0 contributing companies or organizations -- score normalized to 0
Dependency-Update-Tool scored 0: no update tool detected
Fuzzing scored 0: project is not fuzzed
Pinned-Dependencies scored 0: dependency not pinned by hash detected -- score normalized to 0
SAST scored 0: SAST tool is not run on all commits -- score normalized to 0
Security-Policy scored 0: security policy file not detected
Token-Permissions scored 0: detected GitHub workflow tokens with excessive permissions