gitsafehub
github.com/yang991178/fluent-reader ↗

yang991178/fluent-reader

scanned 2026-05-29 · git cd331fb
2 of 6 checks flagged a security issue
🔴 Needs attention
Only 5 of 6 checks finished — treat this as provisional. Re-check ↻

Informational scan, not a security audit. How this is computed.

Leaked secrets1Vulnerable dependenciesKnown OSS vulnerabilities16Risky code patternsMalicious dependenciesProject health11

Security checks

Leaked secrets — Gitleaks 1 found

API keys, passwords or tokens committed into the repo.

  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    src/scripts/models/services/greader.ts:40
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.

via Gitleaks v8.21.2 · MIT

Vulnerable dependencies — Trivy none found ✓

Packages you depend on that have known security holes (CVEs).

Nothing found by this check. ✓

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 16 found · 2 serious

Your dependencies cross-checked against the OSV vulnerability database.

  • Serious GHSA-cf4h-3jhx-xvhq Arbitrary Code Execution in underscore
    /workdirs/scan-5b87a1f0-ac9f-4885-9845-3552c160ac67/package-lock.json
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Serious GHSA-cf4h-3jhx-xvhq Arbitrary Code Execution in underscore
    /workdirs/scan-5b87a1f0-ac9f-4885-9845-3552c160ac67/package-lock.json
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-q3j6-qgpj-74h6 fast-uri vulnerable to path traversal via percent-encoded dot segments
    /workdirs/scan-5b87a1f0-ac9f-4885-9845-3552c160ac67/package-lock.json
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-v39h-62p7-jpjc fast-uri vulnerable to host confusion via percent-encoded authority delimiters
    /workdirs/scan-5b87a1f0-ac9f-4885-9845-3552c160ac67/package-lock.json
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-8j8c-7jfh-h6hx Code Injection in js-yaml
    /workdirs/scan-5b87a1f0-ac9f-4885-9845-3552c160ac67/package-lock.json
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-339j-hqgx-qrrx Prototype Pollution in nedb
    /workdirs/scan-5b87a1f0-ac9f-4885-9845-3552c160ac67/package-lock.json
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-ph9p-34f9-6g65 tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape
    /workdirs/scan-5b87a1f0-ac9f-4885-9845-3552c160ac67/package-lock.json
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-qpx9-hpmf-5gmw Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack
    /workdirs/scan-5b87a1f0-ac9f-4885-9845-3552c160ac67/package-lock.json
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-qpx9-hpmf-5gmw Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack
    /workdirs/scan-5b87a1f0-ac9f-4885-9845-3552c160ac67/package-lock.json
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Minor GHSA-848j-6mx2-7j84 Elliptic Uses a Cryptographic Primitive with a Risky Implementation
    /workdirs/scan-5b87a1f0-ac9f-4885-9845-3552c160ac67/package-lock.json
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI GHSA-jxxr-4gwj-5jf2 brace-expansion: Large numeric range defeats documented `max` DoS protection
    /workdirs/scan-5b87a1f0-ac9f-4885-9845-3552c160ac67/package-lock.json
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI GHSA-v2v4-37r5-5v8g ip-address has XSS in Address6 HTML-emitting methods
    /workdirs/scan-5b87a1f0-ac9f-4885-9845-3552c160ac67/package-lock.json
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI GHSA-2pr6-76vf-7546 Denial of Service in js-yaml
    /workdirs/scan-5b87a1f0-ac9f-4885-9845-3552c160ac67/package-lock.json
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI GHSA-mh29-5h37-fv8m js-yaml has prototype pollution in merge (<<)
    /workdirs/scan-5b87a1f0-ac9f-4885-9845-3552c160ac67/package-lock.json
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI GHSA-q8mj-m7cp-5q26 qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set
    /workdirs/scan-5b87a1f0-ac9f-4885-9845-3552c160ac67/package-lock.json
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI GHSA-v2p6-4mp7-3r9v Regular Expression Denial of Service in underscore.string
    /workdirs/scan-5b87a1f0-ac9f-4885-9845-3552c160ac67/package-lock.json
    A package you depend on has a known security hole. Fix: Update that package to its patched version.

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog timed out

Packages that look intentionally malicious — typosquats, sneaky install scripts.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via Guarddog v2.10.0 · Apache-2.0

error: npm:timeout

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard 11 notes

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

  • Minor scorecard-overall OpenSSF Scorecard overall: 4.0/10
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-CI-Tests CI-Tests scored 0: 0 out of 3 merged PRs checked by a CI test -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Code-Review Code-Review scored 0: Found 0/15 approved changesets -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Pinned-Dependencies Pinned-Dependencies scored 0: dependency not pinned by hash detected -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-SAST SAST scored 0: SAST tool is not run on all commits -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Security-Policy Security-Policy scored 0: security policy file not detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Signed-Releases Signed-Releases scored 0: Project has not signed or included provenance with any releases.
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Token-Permissions Token-Permissions scored 0: detected GitHub workflow tokens with excessive permissions
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Vulnerabilities Vulnerabilities scored 0: 14 existing vulnerabilities detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.

via OpenSSF Scorecard v5.5.0 · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.