github.com/wxt-dev/wxt

wxt-dev/wxt

scanned 2026-06-21 · git c8e93b1
2 of 6 checks flagged a security issue
🔴 Needs attention
Only 4 of 6 checks finished — treat this as provisional.

Informational scan, not a security audit.


Security checks

Leaked secrets — Gitleaks none found ✓

API keys, passwords or tokens committed into the repo.

Nothing found by this check. ✓

via Gitleaks v8.21.2 · MIT

Vulnerable dependencies — Trivy 29 found · 1 serious

Packages you depend on that have known security holes (CVEs).

  • Serious CVE-2026-9277 shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators
    bun.lock
    A package you depend on has a known security hole (CVE-2026-9277). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-45149 brace-expansion: brace-expansion: Denial of Service due to excessive memory allocation when expanding large numeric ranges
    bun.lock
    A package you depend on has a known security hole (CVE-2026-45149). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-30226 devalue: Devalue: Denial of Service or type confusion via prototype pollution
    bun.lock
    A package you depend on has a known security hole (CVE-2026-30226). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-33891 node-forge: node-forge: Denial of Service via infinite loop in BigInteger.modInverse()
    bun.lock
    A package you depend on has a known security hole (CVE-2026-33891). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-33894 node-forge: Forge: Signature Forgery via Weak RSASSA PKCS#1 v1.5 Verification
    bun.lock
    A package you depend on has a known security hole (CVE-2026-33894). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-33895 node-forge: Forge: Authentication bypass via forged Ed25519 cryptographic signatures
    bun.lock
    A package you depend on has a known security hole (CVE-2026-33895). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-33896 node-forge: Forge (node-forge): Certificate validation bypass allows unauthorized certificate issuance
    bun.lock
    A package you depend on has a known security hole (CVE-2026-33896). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-41305 postcss: PostCSS: Cross-Site Scripting (XSS) via improper escaping of style closing tags
    bun.lock
    A package you depend on has a known security hole (CVE-2026-41305). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-27606 rollup: Rollup: Remote Code Execution via Path Traversal Vulnerability
    bun.lock
    A package you depend on has a known security hole (CVE-2026-27606). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-27119 svelte: Svelte affected by XSS in SSR `<option>` element
    bun.lock
    A package you depend on has a known security hole (CVE-2026-27119). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-27121 svelte: Svelte affected by cross-site scripting via spread attributes in Svelte SSR
    bun.lock
    A package you depend on has a known security hole (CVE-2026-27121). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-27122 svelte: Svelte SSR does not validate dynamic element tag names in `<svelte:element>`
    bun.lock
    A package you depend on has a known security hole (CVE-2026-27122). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-27125 svelte: Svelte SSR attribute spreading includes inherited properties from prototype chain
    bun.lock
    A package you depend on has a known security hole (CVE-2026-27125). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-27901 svelte: Svelte: Cross-Site Scripting and HTML injection via improper escaping of bind:innerText and bind:textContent
    bun.lock
    A package you depend on has a known security hole (CVE-2026-27901). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42573 Svelte Vulnerable to XSS via DOM Clobbering of Internal Framework State
    bun.lock
    A package you depend on has a known security hole (CVE-2026-42573). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42599 svelte: Svelte: Cross-Site Scripting via untrusted data in spread attributes
    bun.lock
    A package you depend on has a known security hole (CVE-2026-42599). Fix: Update that package to its patched version.
  • Worth fixing GHSA-f3cj-j4f6-wq85 Svelte: SSR XSS via Insecure Promise Serialization in hydratable
    bun.lock
    A package you depend on has a known security hole (GHSA-f3cj-j4f6-wq85). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-44705 tmp is a temporary file and directory creator for node.js. Prior to 0. ...
    bun.lock
    A package you depend on has a known security hole (CVE-2026-44705). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-41907 uuid: uuid: Out-of-bounds write vulnerability impacts data integrity and confidentiality
    bun.lock
    A package you depend on has a known security hole (CVE-2026-41907). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-39363 Vite: Vite: Information disclosure via WebSocket connection bypasses access control
    bun.lock
    A package you depend on has a known security hole (CVE-2026-39363). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-39364 vite: Vite: Information disclosure via query parameter manipulation on the development server
    bun.lock
    A package you depend on has a known security hole (CVE-2026-39364). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-53571 vite: `server.fs.deny` bypass on Windows alternate paths
    bun.lock
    A package you depend on has a known security hole (CVE-2026-53571). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-39365 vite: Vite: Information disclosure via path traversal in dev server's .map request handling
    bun.lock
    A package you depend on has a known security hole (CVE-2026-39365). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-53632 launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows
    bun.lock
    A package you depend on has a known security hole (CVE-2026-53632). Fix: Update that package to its patched version.
  • Minor CVE-2026-49356 @babel/core: Arbitrary File Read via sourceMappingURL Comment
    bun.lock
    A package you depend on has a known security hole (CVE-2026-49356). Fix: Update that package to its patched version.
… 4 more not shown

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 55 found · 2 serious

Your dependencies cross-checked against the OSV vulnerability database.

  • Serious GHSA-wf6x-7x77-mvgw Immutable is vulnerable to Prototype Pollution
    /workdirs/scan-35b4c33e-34fc-4608-af9d-3947f4624d1c/bun.lock
    A package you depend on has a known security hole (CVE-2026-29063). Fix: Update that package to its patched version.
  • Serious GHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op values
    /workdirs/scan-35b4c33e-34fc-4608-af9d-3947f4624d1c/bun.lock
    A package you depend on has a known security hole (CVE-2026-9277). Fix: Update that package to its patched version.
  • Worth fixing GHSA-f886-m6hf-6m8v brace-expansion: Zero-step sequence causes process hang and memory exhaustion
    /workdirs/scan-35b4c33e-34fc-4608-af9d-3947f4624d1c/bun.lock
    A package you depend on has a known security hole (CVE-2026-33750). Fix: Update that package to its patched version.
  • Worth fixing GHSA-jxxr-4gwj-5jf2 brace-expansion: Large numeric range defeats documented `max` DoS protection
    /workdirs/scan-35b4c33e-34fc-4608-af9d-3947f4624d1c/bun.lock
    A package you depend on has a known security hole (CVE-2026-45149). Fix: Update that package to its patched version.
  • Worth fixing GHSA-737v-mqg7-c878 defu: Prototype pollution via `__proto__` key in defaults argument
    /workdirs/scan-35b4c33e-34fc-4608-af9d-3947f4624d1c/bun.lock
    A package you depend on has a known security hole (CVE-2026-35209). Fix: Update that package to its patched version.
  • Worth fixing GHSA-cfw5-2vxh-hr84 devalue has prototype pollution in devalue.parse and devalue.unflatten
    /workdirs/scan-35b4c33e-34fc-4608-af9d-3947f4624d1c/bun.lock
    A package you depend on has a known security hole (CVE-2026-30226). Fix: Update that package to its patched version.
  • Worth fixing GHSA-67mh-4wv8-2f99 esbuild enables any website to send any requests to the development server and read the response
    /workdirs/scan-35b4c33e-34fc-4608-af9d-3947f4624d1c/bun.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-25h7-pfq9-p65f flatted vulnerable to unbounded recursion DoS in parse() revive phase
    /workdirs/scan-35b4c33e-34fc-4608-af9d-3947f4624d1c/bun.lock
    A package you depend on has a known security hole (CVE-2026-32141). Fix: Update that package to its patched version.
  • Worth fixing GHSA-rf6f-7fwh-wjgh Prototype Pollution via parse() in NodeJS flatted
    /workdirs/scan-35b4c33e-34fc-4608-af9d-3947f4624d1c/bun.lock
    A package you depend on has a known security hole (CVE-2026-33228). Fix: Update that package to its patched version.
  • Worth fixing GHSA-h67p-54hq-rp68 JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases
    /workdirs/scan-35b4c33e-34fc-4608-af9d-3947f4624d1c/bun.lock
    A package you depend on has a known security hole (CVE-2026-53550). Fix: Update that package to its patched version.
  • Worth fixing GHSA-6v5v-wf23-fmfq markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operations
    /workdirs/scan-35b4c33e-34fc-4608-af9d-3947f4624d1c/bun.lock
    A package you depend on has a known security hole (CVE-2026-48988). Fix: Update that package to its patched version.
  • Worth fixing GHSA-23c5-xmqv-rm74 minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
    /workdirs/scan-35b4c33e-34fc-4608-af9d-3947f4624d1c/bun.lock
    A package you depend on has a known security hole (CVE-2026-27904). Fix: Update that package to its patched version.
  • Worth fixing GHSA-3ppc-4f35-3m26 minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
    /workdirs/scan-35b4c33e-34fc-4608-af9d-3947f4624d1c/bun.lock
    A package you depend on has a known security hole (CVE-2026-26996). Fix: Update that package to its patched version.
  • Worth fixing GHSA-7r86-cg39-jmmj minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
    /workdirs/scan-35b4c33e-34fc-4608-af9d-3947f4624d1c/bun.lock
    A package you depend on has a known security hole (CVE-2026-27903). Fix: Update that package to its patched version.
  • Worth fixing GHSA-2328-f5f3-gj25 Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)
    /workdirs/scan-35b4c33e-34fc-4608-af9d-3947f4624d1c/bun.lock
    A package you depend on has a known security hole (CVE-2026-33896). Fix: Update that package to its patched version.
  • Worth fixing GHSA-5m6q-g25r-mvwx Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input
    /workdirs/scan-35b4c33e-34fc-4608-af9d-3947f4624d1c/bun.lock
    A package you depend on has a known security hole (CVE-2026-33891). Fix: Update that package to its patched version.
  • Worth fixing GHSA-ppp5-5v6c-4jwp Forge has signature forgery in RSA-PKCS due to ASN.1 extra field
    /workdirs/scan-35b4c33e-34fc-4608-af9d-3947f4624d1c/bun.lock
    A package you depend on has a known security hole (CVE-2026-33894). Fix: Update that package to its patched version.
  • Worth fixing GHSA-q67f-28xg-22rw Forge has signature forgery in Ed25519 due to missing S > L check
    /workdirs/scan-35b4c33e-34fc-4608-af9d-3947f4624d1c/bun.lock
    A package you depend on has a known security hole (CVE-2026-33895). Fix: Update that package to its patched version.
  • Worth fixing GHSA-3v7f-55p6-f55p Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
    /workdirs/scan-35b4c33e-34fc-4608-af9d-3947f4624d1c/bun.lock
    A package you depend on has a known security hole (CVE-2026-33672). Fix: Update that package to its patched version.
  • Worth fixing GHSA-c2c7-rcm5-vvqj Picomatch has a ReDoS vulnerability via extglob quantifiers
    /workdirs/scan-35b4c33e-34fc-4608-af9d-3947f4624d1c/bun.lock
    A package you depend on has a known security hole (CVE-2026-33671). Fix: Update that package to its patched version.
… 30 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog couldn’t run

Packages that look intentionally malicious — typosquats, sneaky install scripts.

This check didn’t finish — that’s not the same as “clean.”

via Guarddog v2.10.0 · Apache-2.0

error: npm:Traceback (most recent call last): File "/usr/local/bin/guarddog", line 5, in <module> from guarddog.cli import cl

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard timed out

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

This check didn’t finish — that’s not the same as “clean.”

via OpenSSF Scorecard v5.5.0 · Apache-2.0

error: timeout after 1800s

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.