Informational scan, not a security audit. How this is computed.
API keys, passwords or tokens committed into the repo.
Nothing found by this check. ✓
Packages you depend on that have known security holes (CVEs).
CVE-2025-68664 langchain-core: LangChain: Arbitrary code execution via serialization injectionCVE-2025-7783 form-data: Unsafe random function in form-dataCVE-2026-41242 protobufjs: protobufjs: Arbitrary code execution via injected protobuf definition type fieldsCVE-2025-69223 aiohttp: AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bombCVE-2025-69227 aiohttp: aiohttp: Denial of Service via specially crafted POST requestCVE-2025-69228 aiohttp: aiohttp: Denial of Service via memory exhaustion from crafted POST requestCVE-2025-69229 aiohttp: AIOHTTP: Denial of Service via excessive CPU usage in chunked message handlingCVE-2026-22815 aiohttp: AIOHTTP: Denial of Service via insufficient header/trailer handlingCVE-2026-34515 aiohttp: AIOHTTP: Information disclosure via static resource handler on WindowsCVE-2026-34516 aiohttp: AIOHTTP: Denial of Service via excessive multipart headersCVE-2026-34525 aiohttp: aiohttp: Security bypass via multiple Host headersCVE-2026-34993 aiohttp: AIOHTTP: Arbitrary code execution via untrusted input to CookieJar.load()CVE-2026-47265 python-aiohttp: AIOHTTP: Information disclosure via improper handling of cookies during cross-origin redirectsCVE-2026-54273 aiohttp: AIOHTTP: Denial of Service via excessive pipelined requestsCVE-2026-54274 aiohttp: aiohttp: Denial of Service via incomplete websocket frame payloadsCVE-2026-54276 aiohttp: aiohttp: Information disclosure via DigestAuthMiddleware after cross-origin redirectCVE-2026-54277 aiohttp: aiohttp: Denial of Service via oversized HTTP request lines bypassing max_line_size checkCVE-2026-54278 aiohttp: aiohttp: Denial of Service due to excessive memory consumption from compressed request bodyCVE-2025-68146 filelock: filelock: Time-of-Check-Time-of-Use (TOCTOU) race condition and symlink attack allows arbitrary file corruption or truncationCVE-2026-22701 filelock: filelock Time-of-Check-Time-of-Use (TOCTOU) in SoftFileLockCVE-2025-66034 fonttools: fontTools: Arbitrary file write leading to remote code execution via malicious .designspace fileCVE-2026-42215 GitPython is a python library used to interact with Git repositories. ...CVE-2026-42284 GitPython is a python library used to interact with Git repositories. ...CVE-2026-44243 GitPython: GitPython: Arbitrary file write via crafted reference pathsCVE-2026-44244 GitPython is a python library used to interact with Git repositories. ...Your dependencies cross-checked against the OSV vulnerability database.
GHSA-63hf-3vf5-4wqf AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypassPYSEC-2026-373 LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIsGHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundaryGHSA-h7cp-r72f-jxh6 pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algosGHSA-v62p-rq8g-8h59 pbkdf2 silently disregards Uint8Array input, returning static keysGHSA-xq3m-2v4x-88gg Arbitrary code execution in protobufjsGHSA-95m3-7q98-8xr5 sha.js is missing type checks leading to hash rewind and passing on crafted dataPYSEC-2026-237 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, the server_hostname TLS SNI check can be bypassed when an existing connection is reused. If an applicatGHSA-4fvr-rgm6-gqmc aiohttp: HTTP/1 Pipelined Requests Queue Without LimitGHSA-63hw-fmq6-xxg2 aiohttp: C HTTP Parser Bypasses max_line_size for Fragmented LinesGHSA-6jhg-hg63-jvvf AIOHTTP vulnerable to denial of service through large payloadsGHSA-6mq8-rvhq-8wgg AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bombGHSA-966j-vmvw-g2g9 AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirectGHSA-c427-h43c-vf67 AIOHTTP accepts duplicate Host headersGHSA-g3cq-j2xw-wf74 aiohttp: Unread Compressed Request Bodies Bypass client_max_size During CleanupGHSA-g84x-mcqj-x9qq AIOHTTP vulnerable to DoS through chunked messagesGHSA-hg6j-4rv6-33pg AIOHTTP is vulnerable to cross-origin redirect with per-request cookiesGHSA-hpj7-wq8m-9hgp aiohttp: DigestAuthMiddleware Applies Credentials to Cross-Origin Redirect ChallengesGHSA-jg22-mg44-37j8 AIOHTTP is Vulnerable to Deserialization of Untrusted DataGHSA-jj3x-wxrx-4x23 AIOHTTP vulnerable to DoS when bypassing assertsGHSA-m5qp-6w8w-w647 AIOHTTP has a Multipart Header Size BypassGHSA-p998-jp59-783m AIOHTTP affected by UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on WindowsGHSA-w2fm-2cpv-w7v5 aiohttp allows unlimited trailer headers, leading to possible uncapped memory usageGHSA-xcgm-r5h9-7989 aiohttp: Incomplete websocket frame payloads bypass memory limitsGHSA-qmgc-5h2g-mvrw filelock Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLockCode that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.
A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.