gitsafehub
github.com/wechat-article/wechat-article-exporter

wechat-article/wechat-article-exporter

scanned 2026-06-22 · git 15b391b
2 of 6 checks flagged a security issue
🔴 Needs attention
Only 4 of 6 checks finished — treat this as provisional.

Informational scan, not a security audit.

Leaked secrets: did not finish
Vulnerable dependencies: 156
Known OSS vulnerabilities: 160
Risky code patterns: 0
Malicious dependencies: did not run
Project health: 11 notes

Security checks

Leaked secrets — Gitleaks timed out

API keys, passwords or tokens committed into the repo.

This check didn’t finish — that’s not the same as “clean.”

via Gitleaks v8.21.2 · MIT

error: timeout after 1800s

Vulnerable dependencies — Trivy 156 found · 2 serious

Packages you depend on that have known security holes (CVEs).

  • Serious CVE-2026-9277 shell-quote: Arbitrary code execution via command injection due to unescaped line terminators
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-9277). Fix: Update that package to its patched version.
  • Serious CVE-2026-28292 simple-git: Remote Code Execution via bypass of prior security fixes
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-28292). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-47200 Nuxt's route middleware is not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-47200). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-54285 OpenTelemetry Core: Unbounded memory allocation in W3C Baggage propagation
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-54285). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-41324 basic-ftp: Denial of Service via unbounded memory growth from malicious directory listings
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-41324). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-44240 basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is v ...
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-44240). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-33750 brace-expansion: Denial of Service via zero step value in brace pattern
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-33750). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-33750 brace-expansion: Denial of Service via zero step value in brace pattern
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-33750). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-35209 defu: Prototype pollution via `__proto__` key in defaults argument
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-35209). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-22774 devalue: Denial of Service due to excessive resource consumption from untrusted input
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-22774). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-22775 devalue: Denial of Service due to improper input validation
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-22775). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-30226 devalue: Denial of Service or type confusion via prototype pollution
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-30226). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-15599 DOMPurify: Cross-site scripting
    yarn.lock
    A package you depend on has a known security hole (CVE-2025-15599). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-26791 dompurify: Mutation XSS in DOMPurify Due to Improper Template Literal Handling
    yarn.lock
    A package you depend on has a known security hole (CVE-2025-26791). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-0540 DOMPurify: Cross-site scripting vulnerability
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-0540). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-41238 DOMPurify: Cross-Site Scripting bypass via prototype pollution
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-41238). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-41239 DOMPurify: Cross-site scripting due to incomplete sanitization of template expressions (Vue 2)
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-41239). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-41240 DOMPurify: Cross-Site Scripting (XSS) via inconsistent tag sanitization
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-41240). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-49458 DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-49458). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-49459 DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-49459). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-49978 DOMPurify IN_PLACE Sanitization Bypass via Attached Shadow Root Inside <template>.content
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-49978). Fix: Update that package to its patched version.
  • Worth fixing GHSA-39q2-94rc-95cp DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation
    yarn.lock
    A package you depend on has a known security hole (GHSA-39q2-94rc-95cp). Fix: Update that package to its patched version.
  • Worth fixing GHSA-76mc-f452-cxcm DOMPurify: Hook mutation of `data.allowedTags` / `data.allowedAttributes` permanently pollutes `DEFAULT_ALLOWED_TAGS` / `DEFAULT_ALLOWED_ATTR`
    yarn.lock
    A package you depend on has a known security hole (GHSA-76mc-f452-cxcm). Fix: Update that package to its patched version.
  • Worth fixing GHSA-cj63-jhhr-wcxv DOMPurify USE_PROFILES prototype pollution allows event handlers
    yarn.lock
    A package you depend on has a known security hole (GHSA-cj63-jhhr-wcxv). Fix: Update that package to its patched version.
  • Worth fixing GHSA-cjmm-f4jc-qw8r DOMPurify ADD_ATTR predicate skips URI validation
    yarn.lock
    A package you depend on has a known security hole (GHSA-cjmm-f4jc-qw8r). Fix: Update that package to its patched version.
… 131 more not shown

via Trivy v0.70.0 · Apache-2.0
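The defu entry above (CVE-2026-35209) describes prototype pollution through a `__proto__` key in the defaults argument. What follows is an added example, not defu's code and not code from wechat-article-exporter: a deliberately naive recursive defaults-merge that exhibits this bug class, beside a hardened version that refuses to walk prototype-chain keys and decides "already set" from own properties only. The attacker input is constructed, and no claim is made that defu's implementation looked like this.

```javascript
// Added example: a naive recursive defaults-merge of the kind the defu finding
// describes (CVE-2026-35209), beside a hardened version. This is NOT defu's
// code and NOT code from wechat-article-exporter; it illustrates the bug class.

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const isPlainObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

// VULNERABLE: iterates every enumerable key of `defaults`, including an own
// "__proto__" key, and recurses into target["__proto__"], i.e. Object.prototype.
function applyDefaultsNaive(target, defaults) {
  for (const key in defaults) {
    const d = defaults[key];
    if (isPlainObject(d)) {
      if (target[key] === undefined) target[key] = {};
      applyDefaultsNaive(target[key], d);
    } else if (target[key] === undefined) {
      target[key] = d;
    }
  }
  return target;
}

// HARDENED: skips prototype-chain keys and uses own properties only, so an
// inherited value is never mistaken for a user-supplied setting.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function applyDefaultsSafe(target, defaults) {
  for (const key of Object.keys(defaults)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const d = defaults[key];
    const present = hasOwn(target, key);
    if (isPlainObject(d)) {
      if (!present) target[key] = {};
      if (isPlainObject(target[key])) applyDefaultsSafe(target[key], d);
    } else if (!present) {
      target[key] = d;
    }
  }
  return target;
}

// Feed attacker-controlled defaults (constructed input) through both merges
// and report whether Object.prototype ended up polluted.
function demo() {
  // JSON.parse creates an own "__proto__" data property, which is how a
  // hostile key reaches a merge function from a request body or config file.
  const hostile = JSON.parse('{"theme":"dark","__proto__":{"isAdmin":true}}');

  applyDefaultsNaive({}, hostile);
  const naivePolluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // undo the pollution before the next run

  applyDefaultsSafe({}, hostile);
  const safePolluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;

  return { naivePolluted, safePolluted };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo()); // { naivePolluted: true, safePolluted: false }
}
```

The key-skip list is necessary but not sufficient on its own: the hardened merge also tests `hasOwn` rather than `target[key] === undefined`, because the latter treats anything reachable through the prototype chain as "set" and will happily recurse into it.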

Known OSS vulnerabilities — OSV-Scanner 160 found · 3 serious

Your dependencies cross-checked against the OSV vulnerability database.

  • Serious GHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op values
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-9277). Fix: Update that package to its patched version.
  • Serious GHSA-hffm-xvc3-vprc simple-git is vulnerable to Remote Code Execution
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-6951). Fix: Update that package to its patched version.
  • Serious GHSA-r275-fr43-pm7q simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-28292). Fix: Update that package to its patched version.
  • Worth fixing GHSA-hg3f-28rg-4jxj Nuxt's route middleware is not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-47200). Fix: Update that package to its patched version.
  • Worth fixing GHSA-8988-4f7v-96qf OpenTelemetry Core: Unbounded memory allocation in W3C Baggage propagation
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-54285). Fix: Update that package to its patched version.
  • Worth fixing GHSA-rp42-5vxx-qpwr basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list()
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-41324). Fix: Update that package to its patched version.
  • Worth fixing GHSA-rpmf-866q-6p89 basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-44240). Fix: Update that package to its patched version.
  • Worth fixing GHSA-f886-m6hf-6m8v brace-expansion: Zero-step sequence causes process hang and memory exhaustion
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-33750). Fix: Update that package to its patched version.
  • Worth fixing GHSA-f886-m6hf-6m8v brace-expansion: Zero-step sequence causes process hang and memory exhaustion
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-33750). Fix: Update that package to its patched version.
  • Worth fixing GHSA-737v-mqg7-c878 defu: Prototype pollution via `__proto__` key in defaults argument
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-35209). Fix: Update that package to its patched version.
  • Worth fixing GHSA-cfw5-2vxh-hr84 devalue has prototype pollution in devalue.parse and devalue.unflatten
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-30226). Fix: Update that package to its patched version.
  • Worth fixing GHSA-g2pg-6438-jwpf devalue vulnerable to denial of service due to memory/CPU exhaustion in devalue.parse
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-22775). Fix: Update that package to its patched version.
  • Worth fixing GHSA-vw5p-8cq8-m7mv Devalue is vulnerable to denial of service due to memory exhaustion in devalue.parse
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-22774). Fix: Update that package to its patched version.
  • Worth fixing GHSA-39q2-94rc-95cp DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation
    yarn.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-76mc-f452-cxcm DOMPurify: Hook mutation of `data.allowedTags` / `data.allowedAttributes` permanently pollutes `DEFAULT_ALLOWED_TAGS` / `DEFAULT_ALLOWED_ATTR`
    yarn.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-cj63-jhhr-wcxv DOMPurify USE_PROFILES prototype pollution allows event handlers
    yarn.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-cjmm-f4jc-qw8r DOMPurify ADD_ATTR predicate skips URI validation
    yarn.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-cmwh-pvxp-8882 DOMPurify: Permanent `ALLOWED_ATTR` pollution via `setConfig()` bypassing the hook clone-guard (incomplete fix of the 3.4.7 hook-pollution patch)
    yarn.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-crv5-9vww-q3g8 DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-41239). Fix: Update that package to its patched version.
  • Worth fixing GHSA-h7mw-gpvr-xq4m DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-41240). Fix: Update that package to its patched version.
  • Worth fixing GHSA-h8r8-wccr-v5f2 DOMPurify is vulnerable to mutation-XSS via Re-Contextualization
    yarn.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-hpcv-96wg-7vj8 DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-49458). Fix: Update that package to its patched version.
  • Worth fixing GHSA-r47g-fvhr-h676 DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-49459). Fix: Update that package to its patched version.
  • Worth fixing GHSA-rp9w-3fw7-7cwq DOMPurify IN_PLACE Sanitization Bypass via Attached Shadow Root Inside <template>.content
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-49978). Fix: Update that package to its patched version.
  • Worth fixing GHSA-v2wj-7wpq-c8vv DOMPurify contains a Cross-site Scripting vulnerability
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-0540). Fix: Update that package to its patched version.
… 135 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0
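Both lists above report against yarn.lock, and the advisory summaries do not show which version of each package is actually installed. The script below is an added example, not part of wechat-article-exporter and not from Trivy or OSV-Scanner: it reads a yarn.lock in either classic (v1) or berry format and lists every installed version of the packages named on this page, so each can be compared with the fixed range in its advisory. The embedded lockfile excerpt and its version numbers are constructed for the demo and are not the repository's real lockfile. A package that resolves to more than one version has several lockfile entries, which is the usual reason a scanner lists the same advisory twice.

```javascript
// Added example, not from wechat-article-exporter, Trivy or OSV-Scanner: read a
// yarn.lock (classic v1 or berry) and list the installed versions of the
// packages flagged on this page, so they can be checked against the advisories.

// Package names taken from the Trivy / OSV findings above.
const FLAGGED = [
  "shell-quote", "simple-git", "nuxt", "basic-ftp",
  "brace-expansion", "defu", "devalue", "dompurify",
];

// Parse lockfile text into Map<packageName, Set<installedVersion>>.
// Classic header:  shell-quote@^1.7.3, shell-quote@^1.8.1:   then  version "1.8.1"
// Berry header:    "shell-quote@npm:^1.8.1":                  then  version: 1.8.1
function parseYarnLock(text) {
  const installed = new Map();
  let currentNames = null; // packages named by the header we are inside
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trimEnd();
    if (!line || line.startsWith("#")) continue;
    if (!/^\s/.test(line) && line.endsWith(":")) {
      currentNames = new Set();
      for (const part of line.slice(0, -1).split(",")) {
        const descriptor = part.trim().replace(/^"|"$/g, "");
        // The name is everything before the last "@", which also handles
        // scoped packages (@nuxt/kit@^3.0.0) and berry's "name@npm:range".
        // Headers without an "@" (berry's __metadata block) are ignored.
        const at = descriptor.lastIndexOf("@");
        if (at > 0) currentNames.add(descriptor.slice(0, at));
      }
      continue;
    }
    const m = /^\s+version:?\s+"?([^"\s]+)"?$/.exec(line);
    if (m && currentNames) {
      for (const name of currentNames) {
        if (!installed.has(name)) installed.set(name, new Set());
        installed.get(name).add(m[1]);
      }
    }
  }
  return installed;
}

// Returns { packageName: [sorted versions] } for the flagged packages. An empty
// array means the package is not in the lockfile; more than one version means
// several lockfile entries resolve to it.
function auditFlagged(lockText, flagged = FLAGGED) {
  const installed = parseYarnLock(lockText);
  const report = {};
  for (const name of flagged) {
    const versions = installed.get(name);
    report[name] = versions ? [...versions].sort() : [];
  }
  return report;
}

// Constructed lockfile excerpt for the demo; the version numbers are
// illustrative and are not the repository's actual ones.
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


brace-expansion@^1.1.7:
  version "1.1.11"
  dependencies:
    balanced-match "^1.0.0"
    concat-map "0.0.1"

brace-expansion@^2.0.1:
  version "2.0.1"
  dependencies:
    balanced-match "^1.0.0"

shell-quote@^1.7.3, shell-quote@^1.8.1:
  version "1.8.1"

"@nuxt/kit@3.11.2":
  version "3.11.2"
  dependencies:
    defu "^6.1.4"

defu@^6.1.4:
  version "6.1.4"
`;

if (typeof require !== "undefined" && require.main === module) {
  // Usage: node audit-lock.js [path/to/yarn.lock]  (falls back to the sample)
  const text = process.argv[2] ? require("fs").readFileSync(process.argv[2], "utf8") : SAMPLE_LOCK;
  console.log(auditFlagged(text));
}
```

Run it against the checked-out repository's yarn.lock and compare each reported version with the patched version named in the corresponding advisory; a transitive dependency that is pinned by an intermediate package (as defu is pulled in by @nuxt/kit in the constructed sample) usually needs a `resolutions` entry in package.json rather than a direct upgrade.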

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog couldn’t run

Packages that look intentionally malicious — typosquats, sneaky install scripts.

This check didn’t finish — that’s not the same as “clean.”

via Guarddog v2.10.0 · Apache-2.0

error: npm:Traceback (most recent call last): File "/usr/local/bin/guarddog", line 5, in <module> from guarddog.cli import cl

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard 11 notes

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

  • Worth fixing scorecard-overall OpenSSF Scorecard overall: 3.9/10
  • Minor scorecard-CI-Tests CI-Tests scored 0: 0 out of 1 merged PRs checked by a CI test -- score normalized to 0
  • Minor scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
  • Minor scorecard-Code-Review Code-Review scored 0: Found 1/24 approved changesets -- score normalized to 0
  • Minor scorecard-Contributors Contributors scored 0: project has 0 contributing companies or organizations -- score normalized to 0
  • Minor scorecard-Dependency-Update-Tool Dependency-Update-Tool scored 0: no update tool detected
  • Minor scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
  • Minor scorecard-Pinned-Dependencies Pinned-Dependencies scored 0: dependency not pinned by hash detected -- score normalized to 0
  • Minor scorecard-SAST SAST scored 0: SAST tool is not run on all commits -- score normalized to 0
  • Minor scorecard-Security-Policy Security-Policy scored 0: security policy file not detected
  • Minor scorecard-Token-Permissions Token-Permissions scored 0: detected GitHub workflow tokens with excessive permissions

via OpenSSF Scorecard v5.5.0 · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.