Informational scan, not a security audit. How this is computed.
API keys, passwords or tokens committed into the repo.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.
Packages you depend on that have known security holes (CVEs).
CVE-2026-9277 shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators
CVE-2026-34601 xmldom: xmldom: XML structure injection via CDATA terminator
CVE-2026-41672 xmldom: @xmldom/xmldom: xmldom: Arbitrary XML Node Injection
CVE-2026-41673 @xmldom/xmldom: xmldom: xmldom: Denial of Service via deeply nested XML documents
CVE-2026-41674 xmldom: xmldom: Arbitrary XML markup injection
CVE-2026-41675 xmldom: xmldom: Arbitrary XML node injection via crafted processing instructions
CVE-2026-42033 axios: Axios: HTTP Transport Hijacking via Prototype Pollution
CVE-2026-42035 axios: Axios: Arbitrary HTTP header injection via prototype pollution
CVE-2026-42043 axios: Axios: NO_PROXY bypass via crafted URL
CVE-2026-42264 Axios is a promise based HTTP client for the browser and Node.js. From ...
CVE-2026-44486 axios: Axios: Information disclosure of proxy credentials via HTTP redirects
CVE-2026-44487 axios: Axios: Information disclosure of proxy credentials via redirect flows
CVE-2026-44488 axios: Axios: Denial of Service due to unenforced request and response size limits
CVE-2026-44492 axios: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization
CVE-2026-44494 axios: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution
CVE-2026-44495 axios: Axios: Information disclosure due to prototype pollution vulnerability
CVE-2026-44496 axios: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name
CVE-2025-62718 axios: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization
CVE-2026-40175 axios: Axios: Remote Code Execution via Prototype Pollution escalation
CVE-2026-42034 axios: Axios: Denial of Service via oversized streamed uploads bypassing body limits
CVE-2026-42036 axios: Axios: Denial of Service via unbounded stream consumption when 'responseType: 'stream'' is used
CVE-2026-42037 axios: Node.js: Axios: Information disclosure via CRLF injection in multipart Content-Type header
CVE-2026-42038 axios: Axios: Information disclosure due to `no_proxy` bypass
CVE-2026-42039 axios: Node.js: Axios: Denial of Service via unbounded recursion in toFormData with deeply nested request data
CVE-2026-42041 axios: Axios: Authentication bypass due to prototype pollution of HTTP error handling
Your dependencies cross-checked against the OSV vulnerability database.
GHSA-m7jm-9gc2-mpf2 fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names
GHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op values
GHSA-866g-f22w-33x8 @ai-sdk/provider-utils has an Uncontrolled Resource Consumption issue
GHSA-92pp-h63x-v22m @hono/node-server: Middleware bypass via repeated slashes in serveStatic
GHSA-wc8c-qw6v-h7f6 @hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware
GHSA-7h2j-956f-4vf2 @isaacs/brace-expansion has Uncontrolled Resource Consumption
GHSA-2v35-w6hq-6mfw xmldom: Uncontrolled recursion in XML serialization leads to DoS
GHSA-f6ww-3ggp-fr8h xmldom has XML injection through unvalidated DocumentType serialization
GHSA-j759-j44w-7fr8 xmldom has XML node injection through unvalidated comment serialization
GHSA-wh4c-j3r5-mjhp xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion
GHSA-x6wf-f3px-wcqx xmldom has XML node injection through unvalidated processing instruction serialization
GHSA-2g4f-4pwh-qvx6 ajv has ReDoS when using `$data` option
GHSA-35jp-ww65-95wh axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`
GHSA-3g43-6gmg-66jw axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge
GHSA-3p68-rc4w-qgx5 Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF
GHSA-3w6x-2g7m-8v23 Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`
GHSA-445q-vr5w-6q77 Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream
GHSA-5c9x-8gcm-mpgx Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0
GHSA-62hf-57xw-28j9 Axios: unbounded recursion in toFormData causes DoS via deeply nested request data
GHSA-6chq-wfr3-2hj9 Axios: Header Injection via Prototype Pollution
Code that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.
A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.