Informational scan, not a security audit.
API keys, passwords or tokens committed into the repo.
This check didn’t finish — that’s not the same as “clean.”
Packages you depend on that have known security holes (CVEs).
CVE-2026-9277 shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators
CVE-2025-7783 form-data: Unsafe random function in form-data
CVE-2026-33750 brace-expansion: brace-expansion: Denial of Service via zero step value in brace pattern
CVE-2026-45149 brace-expansion: brace-expansion: Denial of Service due to excessive memory allocation when expanding large numeric ranges
CVE-2026-42338 ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input
CVE-2026-53550 js-yaml: js-yaml: Denial of Service via crafted YAML merge keys
CVE-2026-33671 picomatch: Picomatch: Regular Expression Denial of Service via crafted extglob patterns
CVE-2026-33672 picomatch: Picomatch: Data integrity compromised via method injection with crafted POSIX bracket expressions
CVE-2026-29786 node-tar: hardlink path traversal via drive-relative linkpath
CVE-2026-31802 tar: tar: File overwrite via drive-relative symlink traversal
CVE-2026-53655 node-tar is a full-featured Tar for Node.js. Prior to 7.5.16, tar (nod ...
CVE-2026-48779 ws: ws: Denial of Service via memory exhaustion from small WebSocket fragments
CVE-2026-33532 yaml: yaml: Denial of Service via deeply nested YAML document parsing
CVE-2025-27152 axios: Possible SSRF and Credential Leakage via Absolute URL in axios Requests
CVE-2026-25639 axios: Axios affected by Denial of Service via __proto__ Key in mergeConfig
CVE-2026-42033 axios: Axios: HTTP Transport Hijacking via Prototype Pollution
CVE-2026-42035 axios: Axios: Arbitrary HTTP header injection via prototype pollution
CVE-2026-42043 axios: Axios: NO_PROXY bypass via crafted URL
CVE-2026-44486 axios: Axios: Information disclosure of proxy credentials via HTTP redirects
CVE-2026-44487 axios: Axios: Information disclosure of proxy credentials via redirect flows
CVE-2026-44492 axios: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization
CVE-2026-44495 axios: Axios: Information disclosure due to prototype pollution vulnerability

Your dependencies cross-checked against the OSV vulnerability database.

GHSA-m7jm-9gc2-mpf2 fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names
GHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op values
GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary
GHSA-fv7c-fp4j-7gwp @babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input
GHSA-f886-m6hf-6m8v brace-expansion: Zero-step sequence causes process hang and memory exhaustion
GHSA-jxxr-4gwj-5jf2 brace-expansion: Large numeric range defeats documented `max` DoS protection
GHSA-8gc5-j5rx-235r fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)
GHSA-gh4j-gqv2-49f6 fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters
GHSA-jmr7-xgp7-cmfj fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit)
GHSA-jp2q-39xq-3w4g Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser
GHSA-v2v4-37r5-5v8g ip-address has XSS in Address6 HTML-emitting methods
GHSA-q7cg-457f-vx79 joi has an uncaught RangeError on deeply nested input through recursive `link()` schemas
GHSA-h67p-54hq-rp68 JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases
GHSA-v6wh-96g9-6wx3 launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows
GHSA-3v7f-55p6-f55p Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
GHSA-c2c7-rcm5-vvqj Picomatch has a ReDoS vulnerability via extglob quantifiers
GHSA-q8mj-m7cp-5q26 qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set
GHSA-9ppj-qmqm-q256 node-tar Symlink Path Traversal via Drive-Relative Linkpath
GHSA-qffp-2rhf-9h96 tar has Hardlink Path Traversal via Drive-Relative Linkpath

Code that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
This check didn’t finish — that’s not the same as “clean.”
A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.
scorecard-overall OpenSSF Scorecard overall: 4.1/10
scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
scorecard-Dependency-Update-Tool Dependency-Update-Tool scored 0: no update tool detected
scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
scorecard-SAST SAST scored 0: SAST tool is not run on all commits -- score normalized to 0
scorecard-Security-Policy Security-Policy scored 0: security policy file not detected
scorecard-Token-Permissions Token-Permissions scored 0: detected GitHub workflow tokens with excessive permissions