Informational scan, not a security audit. How this is computed.
API keys, passwords or tokens committed into the repo.
generic-api-key: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

Packages you depend on that have known security holes (CVEs).
CVE-2025-7783 form-data: Unsafe random function in form-data
CVE-2025-29927 nextjs: Authorization Bypass in Next.js Middleware
CVE-2026-9277 shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators
CVE-2026-44728 Babel is a compiler for writing next generation JavaScript. From 7.12. ...
CVE-2025-27789 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
CVE-2026-34601 xmldom: xmldom: XML structure injection via CDATA terminator
CVE-2026-41672 xmldom: @xmldom/xmldom: xmldom: Arbitrary XML Node Injection
CVE-2026-41673 @xmldom/xmldom: xmldom: xmldom: Denial of Service via deeply nested XML documents
CVE-2026-41674 xmldom: xmldom: Arbitrary XML markup injection
CVE-2026-41675 xmldom: xmldom: Arbitrary XML node injection via crafted processing instructions
CVE-2025-69873 ajv: ReDoS via $data reference
CVE-2025-27152 axios: Possible SSRF and Credential Leakage via Absolute URL in axios Requests
CVE-2026-25639 axios: Axios affected by Denial of Service via __proto__ Key in mergeConfig
CVE-2026-42033 axios: Axios: HTTP Transport Hijacking via Prototype Pollution
CVE-2026-42035 axios: Axios: Arbitrary HTTP header injection via prototype pollution
CVE-2026-42043 axios: Axios: NO_PROXY bypass via crafted URL
CVE-2026-44486 axios: Axios: Information disclosure of proxy credentials via HTTP redirects
CVE-2026-44487 axios: Axios: Information disclosure of proxy credentials via redirect flows
CVE-2026-44492 axios: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization
CVE-2026-44495 axios: Axios: Information disclosure due to prototype pollution vulnerability
CVE-2026-44496 axios: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name
CVE-2023-45857 axios: exposure of confidential data stored in cookies
CVE-2025-62718 axios: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization
CVE-2026-40175 axios: Axios: Remote Code Execution via Prototype Pollution escalation
CVE-2026-42034 axios: Axios: Denial of Service via oversized streamed uploads bypassing body limits

Your dependencies cross-checked against the OSV vulnerability database.
GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary
GHSA-f82v-jwr5-mffw Authorization Bypass in Next.js Middleware
GHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op values
GHSA-33r3-4whc-44c2 Path traversal in vite-plus/binding downloadPackageManager() writes outside VP_HOME
GHSA-g8mr-85jm-7xhm Vitest Browser: Exposed Browser Mode API Can Proxy CDP and Overwrite Config Files, Leading to RCE
GHSA-fv7c-fp4j-7gwp @babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input
GHSA-968p-4wvh-cqc8 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
GHSA-2v35-w6hq-6mfw xmldom: Uncontrolled recursion in XML serialization leads to DoS
GHSA-f6ww-3ggp-fr8h xmldom has XML injection through unvalidated DocumentType serialization
GHSA-j759-j44w-7fr8 xmldom has XML node injection through unvalidated comment serialization
GHSA-wh4c-j3r5-mjhp xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion
GHSA-x6wf-f3px-wcqx xmldom has XML node injection through unvalidated processing instruction serialization
GHSA-2g4f-4pwh-qvx6 ajv has ReDoS when using `$data` option
GHSA-3g43-6gmg-66jw axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge
GHSA-3p68-rc4w-qgx5 Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF
GHSA-43fc-jf86-j433 Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig
GHSA-5c9x-8gcm-mpgx Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0
GHSA-62hf-57xw-28j9 Axios: unbounded recursion in toFormData causes DoS via deeply nested request data
GHSA-6chq-wfr3-2hj9 Axios: Header Injection via Prototype Pollution
GHSA-898c-q2cr-xwhg axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions
GHSA-fvcv-3m26-pcqx Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain
GHSA-hfxv-24rg-xrqf Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection
GHSA-j5f8-grm9-p9fc Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection
GHSA-jr5f-v2jv-69x6 axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL
GHSA-m7pr-hjqh-92cm Axios: no_proxy bypass via IP alias allows SSRF

Code that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
This check didn’t finish — that’s not the same as “clean.”
A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.
scorecard-overall OpenSSF Scorecard overall: 5.6/10
scorecard-CI-Tests CI-Tests scored 0: 0 out of 22 merged PRs checked by a CI test -- score normalized to 0
scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
scorecard-Pinned-Dependencies Pinned-Dependencies scored 0: dependency not pinned by hash detected -- score normalized to 0
scorecard-SAST SAST scored 0: SAST tool is not run on all commits -- score normalized to 0
scorecard-Security-Policy Security-Policy scored 0: security policy file not detected