Informational scan, not a security audit.
API keys, passwords or tokens committed into the repo.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.
Packages you depend on that have known security holes (CVEs).
This check didn’t finish — that’s not the same as “clean.” Try Check again above.
Your dependencies cross-checked against the OSV vulnerability database.
GHSA-m7jm-9gc2-mpf2 fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names
GHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op values
GHSA-2j26-frm8-cmj9 Rails Active Support has a possible DoS vulnerability in its number helpers
GHSA-89vf-4333-qx8v Rails Active Support has a possible XSS vulnerability in SafeBuffer#%
GHSA-cg4j-q9v8-6v38 Rails Active Support has a possible ReDoS vulnerability in number_to_delimited
GHSA-h27x-rffw-24p4 Addressable has a Regular Expression Denial of Service in Addressable templates
GHSA-h8w8-99g7-qmvj Concurrent Ruby: `AtomicReference#update` livelocks when the stored value is `Float::NAN`
GHSA-968p-4wvh-cqc8 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
GHSA-fv7c-fp4j-7gwp @babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input
GHSA-968p-4wvh-cqc8 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
GHSA-2g4f-4pwh-qvx6 ajv has ReDoS when using `$data` option
GHSA-f886-m6hf-6m8v brace-expansion: Zero-step sequence causes process hang and memory exhaustion
GHSA-f886-m6hf-6m8v brace-expansion: Zero-step sequence causes process hang and memory exhaustion
GHSA-3xgq-45jj-v275 Regular Expression Denial of Service (ReDoS) in cross-spawn
GHSA-8gc5-j5rx-235r fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)
GHSA-gh4j-gqv2-49f6 fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters
GHSA-jmr7-xgp7-cmfj fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit)
GHSA-jp2q-39xq-3w4g Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser
GHSA-25h7-pfq9-p65f flatted vulnerable to unbounded recursion DoS in parse() revive phase
GHSA-rf6f-7fwh-wjgh Prototype Pollution via parse() in NodeJS flatted
GHSA-5j98-mcp5-4vw2 glob CLI: Command injection via -c/--cmd executes matches with shell:true
GHSA-m5qc-5hw7-8vg7 image-size Denial of Service via Infinite Loop during Image Processing
GHSA-v2v4-37r5-5v8g ip-address has XSS in Address6 HTML-emitting methods
GHSA-q7cg-457f-vx79 joi has an uncaught RangeError on deeply nested input through recursive `link()` schemas
GHSA-h67p-54hq-rp68 JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases
Code that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.
A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.
scorecard-overall OpenSSF Scorecard overall: 3.5/10
scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
scorecard-Dependency-Update-Tool Dependency-Update-Tool scored 0: no update tool detected
scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
scorecard-Maintained Maintained scored 0: 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
scorecard-SAST SAST scored 0: SAST tool is not run on all commits -- score normalized to 0
scorecard-Security-Policy Security-Policy scored 0: security policy file not detected