gitsafehub
github.com/wix/react-native-navigation

wix/react-native-navigation

scanned 2026-06-27 · git c9bbcb2
2 of 6 checks flagged a security issue
🔴 Needs attention
Only 4 of 6 checks finished — treat this as provisional.

Informational scan, not a security audit.

Summary of checks:

  • Leaked secrets — did not finish (timed out)
  • Vulnerable dependencies — 62
  • Known OSS vulnerabilities — 132
  • Risky code patterns — none found
  • Malicious dependencies — did not finish (couldn’t run)
  • Project health — 7 notes

Security checks

Leaked secrets — Gitleaks timed out

API keys, passwords or tokens committed into the repo.

This check didn’t finish — that’s not the same as “clean.”

via Gitleaks v8.21.2 · MIT

error: timeout after 1800s

Vulnerable dependencies — Trivy 62 found · 2 serious

Packages you depend on that have known security holes (CVEs).

  • Serious CVE-2026-9277 shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators
    test-app/yarn.lock
    A package you depend on has a known security hole (CVE-2026-9277). Fix: Update that package to its patched version.
  • Serious CVE-2025-7783 form-data: Unsafe random function in form-data
    yarn.lock
    A package you depend on has a known security hole (CVE-2025-7783). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-33750 brace-expansion: brace-expansion: Denial of Service via zero step value in brace pattern
    test-app/yarn.lock
    A package you depend on has a known security hole (CVE-2026-33750). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-33750 brace-expansion: brace-expansion: Denial of Service via zero step value in brace pattern
    test-app/yarn.lock
    A package you depend on has a known security hole (CVE-2026-33750). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-45149 brace-expansion: brace-expansion: Denial of Service due to excessive memory allocation when expanding large numeric ranges
    test-app/yarn.lock
    A package you depend on has a known security hole (CVE-2026-45149). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42338 ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input
    test-app/yarn.lock
    A package you depend on has a known security hole (CVE-2026-42338). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-53550 js-yaml: js-yaml: Denial of Service via crafted YAML merge keys
    test-app/yarn.lock
    A package you depend on has a known security hole (CVE-2026-53550). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-33671 picomatch: Picomatch: Regular Expression Denial of Service via crafted extglob patterns
    test-app/yarn.lock
    A package you depend on has a known security hole (CVE-2026-33671). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-33672 picomatch: Picomatch: Data integrity compromised via method injection with crafted POSIX bracket expressions
    test-app/yarn.lock
    A package you depend on has a known security hole (CVE-2026-33672). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-33671 picomatch: Picomatch: Regular Expression Denial of Service via crafted extglob patterns
    test-app/yarn.lock
    A package you depend on has a known security hole (CVE-2026-33671). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-33672 picomatch: Picomatch: Data integrity compromised via method injection with crafted POSIX bracket expressions
    test-app/yarn.lock
    A package you depend on has a known security hole (CVE-2026-33672). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-29786 node-tar: hardlink path traversal via drive-relative linkpath
    test-app/yarn.lock
    A package you depend on has a known security hole (CVE-2026-29786). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-31802 tar: tar: File overwrite via drive-relative symlink traversal
    test-app/yarn.lock
    A package you depend on has a known security hole (CVE-2026-31802). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-53655 node-tar is a full-featured Tar for Node.js. Prior to 7.5.16, tar (nod ...
    test-app/yarn.lock
    A package you depend on has a known security hole (CVE-2026-53655). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-48779 ws: ws: Denial of Service via memory exhaustion from small WebSocket fragments
    test-app/yarn.lock
    A package you depend on has a known security hole (CVE-2026-48779). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-33532 yaml: yaml: Denial of Service via deeply nested YAML document parsing
    test-app/yarn.lock
    A package you depend on has a known security hole (CVE-2026-33532). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-27152 axios: Possible SSRF and Credential Leakage via Absolute URL in axios Requests
    yarn.lock
    A package you depend on has a known security hole (CVE-2025-27152). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-25639 axios: Axios affected by Denial of Service via __proto__ Key in mergeConfig
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-25639). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42033 axios: Axios: HTTP Transport Hijacking via Prototype Pollution
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-42033). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42035 axios: Axios: Arbitrary HTTP header injection via prototype pollution
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-42035). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42043 axios: Axios: NO_PROXY bypass via crafted URL
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-42043). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-44486 axios: Axios: Information disclosure of proxy credentials via HTTP redirects
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-44486). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-44487 axios: Axios: Information disclosure of proxy credentials via redirect flows
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-44487). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-44492 axios: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-44492). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-44495 axios: Axios: Information disclosure due to prototype pollution vulnerability
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-44495). Fix: Update that package to its patched version.
… 37 more not shown

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 132 found · 5 serious

Your dependencies cross-checked against the OSV vulnerability database.

  • Serious GHSA-m7jm-9gc2-mpf2 fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names
    /workdirs/scan-6809397a-847e-4b11-821a-71f3b4eded4d/test-app/yarn.lock
    A package you depend on has a known security hole (CVE-2026-25896). Fix: Update that package to its patched version.
  • Serious GHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op values
    /workdirs/scan-6809397a-847e-4b11-821a-71f3b4eded4d/test-app/yarn.lock
    A package you depend on has a known security hole (CVE-2026-9277). Fix: Update that package to its patched version.
  • Serious GHSA-m7jm-9gc2-mpf2 fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names
    /workdirs/scan-6809397a-847e-4b11-821a-71f3b4eded4d/yarn.lock
    A package you depend on has a known security hole (CVE-2026-25896). Fix: Update that package to its patched version.
  • Serious GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary
    /workdirs/scan-6809397a-847e-4b11-821a-71f3b4eded4d/yarn.lock
    A package you depend on has a known security hole (CVE-2025-7783). Fix: Update that package to its patched version.
  • Serious GHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op values
    /workdirs/scan-6809397a-847e-4b11-821a-71f3b4eded4d/yarn.lock
    A package you depend on has a known security hole (CVE-2026-9277). Fix: Update that package to its patched version.
  • Worth fixing GHSA-fv7c-fp4j-7gwp @babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input
    /workdirs/scan-6809397a-847e-4b11-821a-71f3b4eded4d/test-app/yarn.lock
    A package you depend on has a known security hole (CVE-2026-44728). Fix: Update that package to its patched version.
  • Worth fixing GHSA-f886-m6hf-6m8v brace-expansion: Zero-step sequence causes process hang and memory exhaustion
    /workdirs/scan-6809397a-847e-4b11-821a-71f3b4eded4d/test-app/yarn.lock
    A package you depend on has a known security hole (CVE-2026-33750). Fix: Update that package to its patched version.
  • Worth fixing GHSA-f886-m6hf-6m8v brace-expansion: Zero-step sequence causes process hang and memory exhaustion
    /workdirs/scan-6809397a-847e-4b11-821a-71f3b4eded4d/test-app/yarn.lock
    A package you depend on has a known security hole (CVE-2026-33750). Fix: Update that package to its patched version.
  • Worth fixing GHSA-jxxr-4gwj-5jf2 brace-expansion: Large numeric range defeats documented `max` DoS protection
    /workdirs/scan-6809397a-847e-4b11-821a-71f3b4eded4d/test-app/yarn.lock
    A package you depend on has a known security hole (CVE-2026-45149). Fix: Update that package to its patched version.
  • Worth fixing GHSA-8gc5-j5rx-235r fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)
    /workdirs/scan-6809397a-847e-4b11-821a-71f3b4eded4d/test-app/yarn.lock
    A package you depend on has a known security hole (CVE-2026-33036). Fix: Update that package to its patched version.
  • Worth fixing GHSA-gh4j-gqv2-49f6 fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters
    /workdirs/scan-6809397a-847e-4b11-821a-71f3b4eded4d/test-app/yarn.lock
    A package you depend on has a known security hole (CVE-2026-41650). Fix: Update that package to its patched version.
  • Worth fixing GHSA-jmr7-xgp7-cmfj fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit)
    /workdirs/scan-6809397a-847e-4b11-821a-71f3b4eded4d/test-app/yarn.lock
    A package you depend on has a known security hole (CVE-2026-26278). Fix: Update that package to its patched version.
  • Worth fixing GHSA-jp2q-39xq-3w4g Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser
    /workdirs/scan-6809397a-847e-4b11-821a-71f3b4eded4d/test-app/yarn.lock
    A package you depend on has a known security hole (CVE-2026-33349). Fix: Update that package to its patched version.
  • Worth fixing GHSA-v2v4-37r5-5v8g ip-address has XSS in Address6 HTML-emitting methods
    /workdirs/scan-6809397a-847e-4b11-821a-71f3b4eded4d/test-app/yarn.lock
    A package you depend on has a known security hole (CVE-2026-42338). Fix: Update that package to its patched version.
  • Worth fixing GHSA-q7cg-457f-vx79 joi has an uncaught RangeError on deeply nested input through recursive `link()` schemas
    /workdirs/scan-6809397a-847e-4b11-821a-71f3b4eded4d/test-app/yarn.lock
    A package you depend on has a known security hole (CVE-2026-48038). Fix: Update that package to its patched version.
  • Worth fixing GHSA-h67p-54hq-rp68 JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases
    /workdirs/scan-6809397a-847e-4b11-821a-71f3b4eded4d/test-app/yarn.lock
    A package you depend on has a known security hole (CVE-2026-53550). Fix: Update that package to its patched version.
  • Worth fixing GHSA-h67p-54hq-rp68 JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases
    /workdirs/scan-6809397a-847e-4b11-821a-71f3b4eded4d/test-app/yarn.lock
    A package you depend on has a known security hole (CVE-2026-53550). Fix: Update that package to its patched version.
  • Worth fixing GHSA-v6wh-96g9-6wx3 launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows
    /workdirs/scan-6809397a-847e-4b11-821a-71f3b4eded4d/test-app/yarn.lock
    A package you depend on has a known security hole (CVE-2026-53632). Fix: Update that package to its patched version.
  • Worth fixing GHSA-3v7f-55p6-f55p Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
    /workdirs/scan-6809397a-847e-4b11-821a-71f3b4eded4d/test-app/yarn.lock
    A package you depend on has a known security hole (CVE-2026-33672). Fix: Update that package to its patched version.
  • Worth fixing GHSA-c2c7-rcm5-vvqj Picomatch has a ReDoS vulnerability via extglob quantifiers
    /workdirs/scan-6809397a-847e-4b11-821a-71f3b4eded4d/test-app/yarn.lock
    A package you depend on has a known security hole (CVE-2026-33671). Fix: Update that package to its patched version.
  • Worth fixing GHSA-3v7f-55p6-f55p Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
    /workdirs/scan-6809397a-847e-4b11-821a-71f3b4eded4d/test-app/yarn.lock
    A package you depend on has a known security hole (CVE-2026-33672). Fix: Update that package to its patched version.
  • Worth fixing GHSA-c2c7-rcm5-vvqj Picomatch has a ReDoS vulnerability via extglob quantifiers
    /workdirs/scan-6809397a-847e-4b11-821a-71f3b4eded4d/test-app/yarn.lock
    A package you depend on has a known security hole (CVE-2026-33671). Fix: Update that package to its patched version.
  • Worth fixing GHSA-q8mj-m7cp-5q26 qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set
    /workdirs/scan-6809397a-847e-4b11-821a-71f3b4eded4d/test-app/yarn.lock
    A package you depend on has a known security hole (CVE-2026-8723). Fix: Update that package to its patched version.
  • Worth fixing GHSA-9ppj-qmqm-q256 node-tar Symlink Path Traversal via Drive-Relative Linkpath
    /workdirs/scan-6809397a-847e-4b11-821a-71f3b4eded4d/test-app/yarn.lock
    A package you depend on has a known security hole (CVE-2026-31802). Fix: Update that package to its patched version.
  • Worth fixing GHSA-qffp-2rhf-9h96 tar has Hardlink Path Traversal via Drive-Relative Linkpath
    /workdirs/scan-6809397a-847e-4b11-821a-71f3b4eded4d/test-app/yarn.lock
    A package you depend on has a known security hole (CVE-2026-29786). Fix: Update that package to its patched version.
… 107 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog couldn’t run

Packages that look intentionally malicious — typosquats, sneaky install scripts.

This check didn’t finish — that’s not the same as “clean.”

via Guarddog v2.10.0 · Apache-2.0

error: npm:Traceback (most recent call last): File "/usr/local/bin/guarddog", line 5, in <module> from guarddog.cli import cl

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard 7 notes

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

  • Minor scorecard-overall OpenSSF Scorecard overall: 4.1/10
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Dependency-Update-Tool Dependency-Update-Tool scored 0: no update tool detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-SAST SAST scored 0: SAST tool is not run on all commits -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Security-Policy Security-Policy scored 0: security policy file not detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Token-Permissions Token-Permissions scored 0: detected GitHub workflow tokens with excessive permissions
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.

via OpenSSF Scorecard v5.5.0 · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.