Informational scan, not a security audit. How this is computed.
API keys, passwords or tokens committed into the repo.
generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.Packages you depend on that have known security holes (CVEs).
Nothing found by this check. ✓
Your dependencies cross-checked against the OSV vulnerability database.
GHSA-cf4h-3jhx-xvhq Arbitrary Code Execution in underscoreGHSA-cf4h-3jhx-xvhq Arbitrary Code Execution in underscoreGHSA-q3j6-qgpj-74h6 fast-uri vulnerable to path traversal via percent-encoded dot segmentsGHSA-v39h-62p7-jpjc fast-uri vulnerable to host confusion via percent-encoded authority delimitersGHSA-8j8c-7jfh-h6hx Code Injection in js-yamlGHSA-339j-hqgx-qrrx Prototype Pollution in nedbGHSA-ph9p-34f9-6g65 tmp has Path Traversal via unsanitized prefix/postfix that enables directory escapeGHSA-qpx9-hpmf-5gmw Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attackGHSA-qpx9-hpmf-5gmw Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attackGHSA-848j-6mx2-7j84 Elliptic Uses a Cryptographic Primitive with a Risky ImplementationGHSA-jxxr-4gwj-5jf2 brace-expansion: Large numeric range defeats documented `max` DoS protectionGHSA-v2v4-37r5-5v8g ip-address has XSS in Address6 HTML-emitting methodsGHSA-2pr6-76vf-7546 Denial of Service in js-yamlGHSA-mh29-5h37-fv8m js-yaml has prototype pollution in merge (<<)GHSA-q8mj-m7cp-5q26 qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is setGHSA-v2p6-4mp7-3r9v Regular Expression Denial of Service in underscore.stringCode that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.
A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.
scorecard-overall OpenSSF Scorecard overall: 4.0/10scorecard-CI-Tests CI-Tests scored 0: 0 out of 3 merged PRs checked by a CI test -- score normalized to 0scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detectedscorecard-Code-Review Code-Review scored 0: Found 0/15 approved changesets -- score normalized to 0scorecard-Fuzzing Fuzzing scored 0: project is not fuzzedscorecard-Pinned-Dependencies Pinned-Dependencies scored 0: dependency not pinned by hash detected -- score normalized to 0scorecard-SAST SAST scored 0: SAST tool is not run on all commits -- score normalized to 0scorecard-Security-Policy Security-Policy scored 0: security policy file not detectedscorecard-Signed-Releases Signed-Releases scored 0: Project has not signed or included provenance with any releases.scorecard-Token-Permissions Token-Permissions scored 0: detected GitHub workflow tokens with excessive permissionsscorecard-Vulnerabilities Vulnerabilities scored 0: 14 existing vulnerabilities detected