gitsafehub
github.com/zenoamaro/react-quill ↗

zenoamaro/react-quill

scanned 2026-06-27 · git 615b4bf
2 of 6 checks flagged a security issue
🔴 Needs attention
Only 5 of 6 checks finished — treat this as provisional. Re-check ↻

Informational scan, not a security audit. How this is computed.

Leaked secretsVulnerable dependencies21Known OSS vulnerabilities112Risky code patternsMalicious dependenciesProject health8

Security checks

Leaked secrets — Gitleaks none found ✓

API keys, passwords or tokens committed into the repo.

Nothing found by this check. ✓

via Gitleaks v8.21.2 · MIT

Vulnerable dependencies — Trivy 21 found · 1 serious

Packages you depend on that have known security holes (CVEs).

  • Serious CVE-2023-45311 Code injection in fsevents
    yarn.lock
    A package you depend on has a known security hole (CVE-2023-45311). Fix: Update that package to its patched version.
  • Worth fixing CVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep function
    yarn.lock
    A package you depend on has a known security hole (CVE-2020-8203). Fix: Update that package to its patched version.
  • Worth fixing CVE-2021-23337 nodejs-lodash: command injection via template
    yarn.lock
    A package you depend on has a known security hole (CVE-2021-23337). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-4800 lodash: lodash: Arbitrary code execution via untrusted input in template imports
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-4800). Fix: Update that package to its patched version.
  • Worth fixing NSWG-ECO-516 Allocation of Resources Without Limits or Throttling
    yarn.lock
    A package you depend on has a known security hole (NSWG-ECO-516). Fix: Update that package to its patched version.
  • Worth fixing CVE-2020-28500 nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions
    yarn.lock
    A package you depend on has a known security hole (CVE-2020-28500). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-13465 lodash: prototype pollution in _.unset and _.omit functions
    yarn.lock
    A package you depend on has a known security hole (CVE-2025-13465). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-2950 lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypass
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-2950). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-4800 lodash: lodash: Arbitrary code execution via untrusted input in template imports
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-4800). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-13465 lodash: prototype pollution in _.unset and _.omit functions
    yarn.lock
    A package you depend on has a known security hole (CVE-2025-13465). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-2950 lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypass
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-2950). Fix: Update that package to its patched version.
  • Worth fixing CVE-2021-37712 nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite
    yarn.lock
    A package you depend on has a known security hole (CVE-2021-37712). Fix: Update that package to its patched version.
  • Worth fixing CVE-2021-37713 nodejs-tar: Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization
    yarn.lock
    A package you depend on has a known security hole (CVE-2021-37713). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-23745 node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-23745). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-23950 node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-23950). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-24842 node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-24842). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-26960 node-tar: node-tar: Arbitrary file read/write via malicious archive hardlink creation
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-26960). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-29786 node-tar: hardlink path traversal via drive-relative linkpath
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-29786). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-31802 tar: tar: File overwrite via drive-relative symlink traversal
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-31802). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-28863 node-tar: denial of service while parsing a tar file due to lack of folders depth validation
    yarn.lock
    A package you depend on has a known security hole (CVE-2024-28863). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-53655 node-tar is a full-featured Tar for Node.js. Prior to 7.5.16, tar (nod ...
    yarn.lock
    A package you depend on has a known security hole (CVE-2026-53655). Fix: Update that package to its patched version.

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 112 found · 15 serious

Your dependencies cross-checked against the OSV vulnerability database.

  • Serious GHSA-cpq7-6gpm-g9rc cipher-base is missing type checks, leading to hash rewind and passing on crafted data
    /workdirs/scan-6ff366ce-cce5-4e59-b5b9-a1ccb8d07959/yarn.lock
    A package you depend on has a known security hole (CVE-2025-9287). Fix: Update that package to its patched version.
  • Serious GHSA-vjh7-7g9h-fjfh Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
    /workdirs/scan-6ff366ce-cce5-4e59-b5b9-a1ccb8d07959/yarn.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Serious GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary
    /workdirs/scan-6ff366ce-cce5-4e59-b5b9-a1ccb8d07959/yarn.lock
    A package you depend on has a known security hole (CVE-2025-7783). Fix: Update that package to its patched version.
  • Serious MAL-2023-462 Malicious code in fsevents (npm)
    /workdirs/scan-6ff366ce-cce5-4e59-b5b9-a1ccb8d07959/yarn.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Serious GHSA-8r6j-v8pm-fqw3 Code injection in fsevents
    /workdirs/scan-6ff366ce-cce5-4e59-b5b9-a1ccb8d07959/yarn.lock
    A package you depend on has a known security hole (CVE-2023-45311). Fix: Update that package to its patched version.
  • Serious GHSA-896r-f27r-55mw json-schema is vulnerable to Prototype Pollution
    /workdirs/scan-6ff366ce-cce5-4e59-b5b9-a1ccb8d07959/yarn.lock
    A package you depend on has a known security hole (CVE-2021-3918). Fix: Update that package to its patched version.
  • Serious GHSA-76p3-8jx3-jpfq Prototype pollution in webpack loader-utils
    /workdirs/scan-6ff366ce-cce5-4e59-b5b9-a1ccb8d07959/yarn.lock
    A package you depend on has a known security hole (CVE-2022-37601). Fix: Update that package to its patched version.
  • Serious GHSA-xvch-5gv4-984h Prototype Pollution in minimist
    /workdirs/scan-6ff366ce-cce5-4e59-b5b9-a1ccb8d07959/yarn.lock
    A package you depend on has a known security hole (CVE-2021-44906). Fix: Update that package to its patched version.
  • Serious GHSA-xvch-5gv4-984h Prototype Pollution in minimist
    /workdirs/scan-6ff366ce-cce5-4e59-b5b9-a1ccb8d07959/yarn.lock
    A package you depend on has a known security hole (CVE-2021-44906). Fix: Update that package to its patched version.
  • Serious GHSA-xvch-5gv4-984h Prototype Pollution in minimist
    /workdirs/scan-6ff366ce-cce5-4e59-b5b9-a1ccb8d07959/yarn.lock
    A package you depend on has a known security hole (CVE-2021-44906). Fix: Update that package to its patched version.
  • Serious GHSA-h7cp-r72f-jxh6 pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos
    /workdirs/scan-6ff366ce-cce5-4e59-b5b9-a1ccb8d07959/yarn.lock
    A package you depend on has a known security hole (CVE-2025-6545). Fix: Update that package to its patched version.
  • Serious GHSA-v62p-rq8g-8h59 pbkdf2 silently disregards Uint8Array input, returning static keys
    /workdirs/scan-6ff366ce-cce5-4e59-b5b9-a1ccb8d07959/yarn.lock
    A package you depend on has a known security hole (CVE-2025-6547). Fix: Update that package to its patched version.
  • Serious GHSA-95m3-7q98-8xr5 sha.js is missing type checks leading to hash rewind and passing on crafted data
    /workdirs/scan-6ff366ce-cce5-4e59-b5b9-a1ccb8d07959/yarn.lock
    A package you depend on has a known security hole (CVE-2025-9288). Fix: Update that package to its patched version.
  • Serious GHSA-g4rg-993r-mgx7 Improper Neutralization of Special Elements used in a Command in Shell-quote
    /workdirs/scan-6ff366ce-cce5-4e59-b5b9-a1ccb8d07959/yarn.lock
    A package you depend on has a known security hole (CVE-2021-42740). Fix: Update that package to its patched version.
  • Serious GHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op values
    /workdirs/scan-6ff366ce-cce5-4e59-b5b9-a1ccb8d07959/yarn.lock
    A package you depend on has a known security hole (CVE-2026-9277). Fix: Update that package to its patched version.
  • Worth fixing GHSA-p8p7-x288-28g6 Server-Side Request Forgery in Request
    /workdirs/scan-6ff366ce-cce5-4e59-b5b9-a1ccb8d07959/yarn.lock
    A package you depend on has a known security hole (CVE-2023-28155). Fix: Update that package to its patched version.
  • Worth fixing GHSA-6chw-6frg-f759 Regular Expression Denial of Service in Acorn
    /workdirs/scan-6ff366ce-cce5-4e59-b5b9-a1ccb8d07959/yarn.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-6chw-6frg-f759 Regular Expression Denial of Service in Acorn
    /workdirs/scan-6ff366ce-cce5-4e59-b5b9-a1ccb8d07959/yarn.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-2g4f-4pwh-qvx6 ajv has ReDoS when using `$data` option
    /workdirs/scan-6ff366ce-cce5-4e59-b5b9-a1ccb8d07959/yarn.lock
    A package you depend on has a known security hole (CVE-2025-69873). Fix: Update that package to its patched version.
  • Worth fixing GHSA-v88g-cgmw-v5xw Prototype Pollution in Ajv
    /workdirs/scan-6ff366ce-cce5-4e59-b5b9-a1ccb8d07959/yarn.lock
    A package you depend on has a known security hole (CVE-2020-15366). Fix: Update that package to its patched version.
  • Worth fixing GHSA-93q8-gq69-wqmw Inefficient Regular Expression Complexity in chalk/ansi-regex
    /workdirs/scan-6ff366ce-cce5-4e59-b5b9-a1ccb8d07959/yarn.lock
    A package you depend on has a known security hole (CVE-2021-3807). Fix: Update that package to its patched version.
  • Worth fixing GHSA-93q8-gq69-wqmw Inefficient Regular Expression Complexity in chalk/ansi-regex
    /workdirs/scan-6ff366ce-cce5-4e59-b5b9-a1ccb8d07959/yarn.lock
    A package you depend on has a known security hole (CVE-2021-3807). Fix: Update that package to its patched version.
  • Worth fixing GHSA-fwr7-v2mv-hh25 Prototype Pollution in async
    /workdirs/scan-6ff366ce-cce5-4e59-b5b9-a1ccb8d07959/yarn.lock
    A package you depend on has a known security hole (CVE-2021-43138). Fix: Update that package to its patched version.
  • Worth fixing GHSA-7p89-p6hx-q4fw basic-auth-connect's callback uses time unsafe string comparison
    /workdirs/scan-6ff366ce-cce5-4e59-b5b9-a1ccb8d07959/yarn.lock
    A package you depend on has a known security hole (CVE-2024-47178). Fix: Update that package to its patched version.
  • Worth fixing GHSA-378v-28hj-76wf bn.js affected by an infinite loop
    /workdirs/scan-6ff366ce-cce5-4e59-b5b9-a1ccb8d07959/yarn.lock
    A package you depend on has a known security hole (CVE-2026-2739). Fix: Update that package to its patched version.
… 87 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog couldn’t run

Packages that look intentionally malicious — typosquats, sneaky install scripts.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via Guarddog v2.10.0 · Apache-2.0

error: npm:Traceback (most recent call last): File "/usr/local/bin/guarddog", line 5, in <module> from guarddog.cli import cl

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard 8 notes

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

  • Worth fixing scorecard-overall OpenSSF Scorecard overall: 3.4/10
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-CI-Tests CI-Tests scored 0: 0 out of 15 merged PRs checked by a CI test -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Maintained Maintained scored 0: 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-SAST SAST scored 0: SAST tool is not run on all commits -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Security-Policy Security-Policy scored 0: security policy file not detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Signed-Releases Signed-Releases scored 0: Project has not signed or included provenance with any releases.
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.

via OpenSSF Scorecard v5.5.0 · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.