Informational scan, not a security audit. How this is computed.
API keys, passwords or tokens committed into the repo.
Nothing found by this check. ✓
Packages you depend on that have known security holes (CVEs).
CVE-2023-45311 Code injection in fseventsCVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep functionCVE-2021-23337 nodejs-lodash: command injection via templateCVE-2026-4800 lodash: lodash: Arbitrary code execution via untrusted input in template importsNSWG-ECO-516 Allocation of Resources Without Limits or ThrottlingCVE-2020-28500 nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functionsCVE-2025-13465 lodash: prototype pollution in _.unset and _.omit functionsCVE-2026-2950 lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypassCVE-2026-4800 lodash: lodash: Arbitrary code execution via untrusted input in template importsCVE-2025-13465 lodash: prototype pollution in _.unset and _.omit functionsCVE-2026-2950 lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypassCVE-2021-37712 nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwriteCVE-2021-37713 nodejs-tar: Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitizationCVE-2026-23745 node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archivesCVE-2026-23950 node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race conditionCVE-2026-24842 node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security checkCVE-2026-26960 node-tar: node-tar: Arbitrary file read/write via malicious archive hardlink creationCVE-2026-29786 node-tar: hardlink path traversal via drive-relative linkpathCVE-2026-31802 tar: tar: File overwrite via drive-relative symlink traversalCVE-2024-28863 node-tar: denial of service while parsing a tar file due to lack of folders depth validationCVE-2026-53655 node-tar is a full-featured Tar for Node.js. Prior to 7.5.16, tar (nod ...Your dependencies cross-checked against the OSV vulnerability database.
GHSA-cpq7-6gpm-g9rc cipher-base is missing type checks, leading to hash rewind and passing on crafted dataGHSA-vjh7-7g9h-fjfh Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundaryMAL-2023-462 Malicious code in fsevents (npm)GHSA-8r6j-v8pm-fqw3 Code injection in fseventsGHSA-896r-f27r-55mw json-schema is vulnerable to Prototype PollutionGHSA-76p3-8jx3-jpfq Prototype pollution in webpack loader-utilsGHSA-xvch-5gv4-984h Prototype Pollution in minimistGHSA-xvch-5gv4-984h Prototype Pollution in minimistGHSA-xvch-5gv4-984h Prototype Pollution in minimistGHSA-h7cp-r72f-jxh6 pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algosGHSA-v62p-rq8g-8h59 pbkdf2 silently disregards Uint8Array input, returning static keysGHSA-95m3-7q98-8xr5 sha.js is missing type checks leading to hash rewind and passing on crafted dataGHSA-g4rg-993r-mgx7 Improper Neutralization of Special Elements used in a Command in Shell-quoteGHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op valuesGHSA-p8p7-x288-28g6 Server-Side Request Forgery in RequestGHSA-6chw-6frg-f759 Regular Expression Denial of Service in AcornGHSA-6chw-6frg-f759 Regular Expression Denial of Service in AcornGHSA-2g4f-4pwh-qvx6 ajv has ReDoS when using `$data` optionGHSA-v88g-cgmw-v5xw Prototype Pollution in AjvGHSA-93q8-gq69-wqmw Inefficient Regular Expression Complexity in chalk/ansi-regexGHSA-93q8-gq69-wqmw Inefficient Regular Expression Complexity in chalk/ansi-regexGHSA-fwr7-v2mv-hh25 Prototype Pollution in asyncGHSA-7p89-p6hx-q4fw basic-auth-connect's callback uses time unsafe string comparisonGHSA-378v-28hj-76wf bn.js affected by an infinite loopCode that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.
A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.
scorecard-overall OpenSSF Scorecard overall: 3.4/10scorecard-CI-Tests CI-Tests scored 0: 0 out of 15 merged PRs checked by a CI test -- score normalized to 0scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detectedscorecard-Fuzzing Fuzzing scored 0: project is not fuzzedscorecard-Maintained Maintained scored 0: 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0scorecard-SAST SAST scored 0: SAST tool is not run on all commits -- score normalized to 0scorecard-Security-Policy Security-Policy scored 0: security policy file not detectedscorecard-Signed-Releases Signed-Releases scored 0: Project has not signed or included provenance with any releases.