17 of your 121 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 6.94s · analysis 23.44s · 9.6 MB · GitHub API rate-limit (preflight)

woodser/monero-ts

https://github.com/woodser/monero-ts · scanned 2026-06-05 12:48 UTC (5 days, 9 hours ago) · 10 languages

290 raw signals (116 security + 174 graph) 54th percentile · Typescript · medium (20-100K LoC) System graph score 76 (lower by 5)


Complete repo analysis

Last scanned 5 days, 9 hours ago · v2 · 185 actionable findings from 2 signal sources. 18 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 100.0 0.15 15.00
security_score 55.0 0.25 13.75
testing_score 69.0 0.20 13.80
documentation_score 73.0 0.15 10.95
practices_score 67.0 0.15 10.05
code_quality 69.5 0.10 6.95
Overall 1.00 70.5
Scan summary Quality grade B (70/100). Dimensions: security 55, maintainability 100. 116 findings (67 security). 36,900 lines analyzed.

Showing 136 of 185 actionable findings. 203 raw detector signals were grouped into reader-sized issues.

critical Security checks software dependencies conf 0.88 cipher-base: GHSA-cpq7-6gpm-g9rc
cipher-base is missing type checks, leading to hash rewind and passing on crafted data
package-lock.json
critical Security checks security secrets conf 0.95 4 occurrences Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
4 files, 4 locations
docs/developer_guide/getting_started_p1.md:105
docs/developer_guide/sending_funds.md:52
docs/developer_guide/view_only_offline.md:28
src/test/TestSampleCode.ts:393
critical Security checks software dependencies conf 0.88 elliptic: GHSA-vjh7-7g9h-fjfh
Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
package-lock.json
critical Security checks software dependencies conf 0.88 form-data: GHSA-fjxv-7rqg-78g4
form-data uses unsafe random function in form-data for choosing boundary
package-lock.json
critical Security checks software dependencies conf 0.88 pbkdf2: GHSA-h7cp-r72f-jxh6
pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos
package-lock.json
critical Security checks software dependencies conf 0.88 pbkdf2: GHSA-v62p-rq8g-8h59
pbkdf2 silently disregards Uint8Array input, returning static keys
package-lock.json
critical Security checks software dependencies conf 0.88 sha.js: GHSA-95m3-7q98-8xr5
sha.js is missing type checks leading to hash rewind and passing on crafted data
package-lock.json
critical System graph security Secrets conf 1.00 4 occurrences Possible secret in index.ts
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
lines 182, 193, 201, 239
index.ts:182, 193, 201, 239 (4 hits)
critical System graph security Secrets conf 1.00 Possible secret in src/main/ts/common/MoneroConnectionManager.ts
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
src/main/ts/common/MoneroConnectionManager.ts:25
critical System graph security Secrets conf 1.00 2 occurrences Possible secret in src/main/ts/common/MoneroRpcConnection.ts
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
lines 59, 498
src/main/ts/common/MoneroRpcConnection.ts:59, 498 (2 hits)
critical System graph security Secrets conf 1.00 Possible secret in src/main/ts/wallet/MoneroWalletRpc.ts
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
src/main/ts/wallet/MoneroWalletRpc.ts:142
high Security checks software dependencies conf 0.88 @babel/plugin-transform-modules-systemjs: GHSA-fv7c-fp4j-7gwp
@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input
package-lock.json
high Security checks software Prototype pollution conf 1.00 [SEC033] Prototype Pollution — unfiltered merge of user object: Merging user-controlled object into a target without filtering `__proto__`/`constructor`/`prototype` keys lets attackers inject properties onto Object.prototype, affecting every object in the process. CWE-1321. Real-world: CVE-2019-10744 (lodash), CVE-2021-23337 (lodash.set), CVE-2023-26136 (tough-cookie).
Sanitize keys BEFORE merge: function sanitize(obj) { delete obj.__proto__; delete obj.constructor; delete obj.prototype; return obj; } Or use Object.create(null) for the target. Or use Map() for user-key-indexed data. Upgrade lodash >= 4.17.21 for partial mitigation.
src/main/ts/common/HttpClient.ts:78
high Security checks software dependencies conf 0.88 axios: GHSA-35jp-ww65-95wh
axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-3g43-6gmg-66jw
axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-43fc-jf86-j433
Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-4hjh-wcwx-xvwj
Axios is vulnerable to DoS attack through lack of data size check
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-6chq-wfr3-2hj9
Axios: Header Injection via Prototype Pollution
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-777c-7fjr-54vf
Allocation of Resources Without Limits or Throttling in Axios
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-hfxv-24rg-xrqf
Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-j5f8-grm9-p9fc
Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-jr5f-v2jv-69x6
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-p92q-9vqr-4j8v
Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-pf86-5x62-jrwf
Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-pjwm-pj3p-43mv
axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-q8qp-cvcw-x6jj
Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking
package-lock.json
high Security checks software dependencies conf 0.88 cross-spawn: GHSA-3xgq-45jj-v275
Regular Expression Denial of Service (ReDoS) in cross-spawn
package-lock.json
high Security checks software dependencies conf 0.88 flatted: GHSA-25h7-pfq9-p65f
flatted vulnerable to unbounded recursion DoS in parse() revive phase
package-lock.json
high Security checks software dependencies conf 0.88 flatted: GHSA-rf6f-7fwh-wjgh
Prototype Pollution via parse() in NodeJS flatted
package-lock.json
medium Security checks cicd CI/CD security conf 0.90 ✓ Repobility 2 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `peter-evans/create-or-update-comment` pinned to mutable ref `@v2` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
line 13
.github/workflows/label.yml:13 (2 hits)
CI/CD security · Supply chain · GitHub Actions
high Security checks software dependencies conf 0.88 lodash: GHSA-r5fr-rjxr-66jc
lodash vulnerable to Code Injection via `_.template` imports key names
package-lock.json
high Security checks software dependencies conf 0.88 minimatch: GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
package-lock.json
high Security checks software dependencies conf 0.88 minimatch: GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
package-lock.json
high Security checks software dependencies conf 0.88 minimatch: GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
package-lock.json
high Security checks software dependencies conf 0.88 picomatch: GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers
package-lock.json
high Security checks software dependencies conf 0.88 serialize-javascript: GHSA-5c6j-r48x-rmvq
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()
package-lock.json
medium Security checks software dependencies conf 0.88 @babel/helpers: GHSA-968p-4wvh-cqc8
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
package-lock.json
medium Security checks software dependencies conf 0.88 @babel/runtime: GHSA-968p-4wvh-cqc8
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
package-lock.json
medium Security checks quality Quality conf 1.00 [SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0).
Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser).
src/main/ts/common/HttpClient.ts:169
medium Security checks software dependencies conf 0.88 ajv: GHSA-2g4f-4pwh-qvx6
ajv has ReDoS when using `$data` option
package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-3w6x-2g7m-8v23
Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`
package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-445q-vr5w-6q77
Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream
package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-5c9x-8gcm-mpgx
Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0
package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-62hf-57xw-28j9
Axios: unbounded recursion in toFormData causes DoS via deeply nested request data
package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-898c-q2cr-xwhg
axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions
package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-fvcv-3m26-pcqx
Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain
package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-m7pr-hjqh-92cm
Axios: no_proxy bypass via IP alias allows SSRF
package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-vf2m-468p-8v99
Axios: HTTP adapter streamed responses bypass maxContentLength
package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-w9j2-pvgh-6h63
Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy
package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-xx6v-rp6x-q39c
Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion
package-lock.json
medium Security checks software dependencies conf 0.88 bn.js: GHSA-378v-28hj-76wf
bn.js affected by an infinite loop
package-lock.json
medium Security checks software dependencies conf 0.88 brace-expansion: GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion
package-lock.json
medium Security checks software dependencies conf 0.88 follow-redirects: GHSA-r4q5-vmmm-2653
follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets
package-lock.json
medium Security checks software dependencies conf 0.88 js-yaml: GHSA-mh29-5h37-fv8m
js-yaml has prototype pollution in merge (<<)
package-lock.json
medium Security checks software dependencies conf 0.88 lodash: GHSA-f23m-r3pf-42rh
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
package-lock.json
medium Security checks software dependencies conf 0.88 lodash: GHSA-xxjr-mmjv-4gpg
Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions
package-lock.json
medium Security checks software dependencies conf 0.88 micromatch: GHSA-952p-6rrq-rcjv
Regular Expression Denial of Service (ReDoS) in micromatch
package-lock.json
medium Security checks software dependencies conf 0.88 nanoid: GHSA-mwcw-c2x4-8c55
Predictable results in nanoid generation when given non-integer values
package-lock.json
medium Security checks software dependencies conf 0.90 npm package `@types/jquery` is 1 major version(s) behind (3.5.20 -> 4.0.0)
`@types/jquery` is pinned/resolved at 3.5.20 but the latest stable release on the npm registry is 4.0.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `@types/mocha` is 1 major version(s) behind (9.1.1 -> 10.0.10)
`@types/mocha` is pinned/resolved at 9.1.1 but the latest stable release on the npm registry is 10.0.10 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `ajv` is 2 major version(s) behind (6.12.6 -> 8.20.0)
`ajv` is pinned/resolved at 6.12.6 but the latest stable release on the npm registry is 8.20.0 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `async` is 1 major version(s) behind (2.6.4 -> 3.2.6)
`async` is pinned/resolved at 2.6.4 but the latest stable release on the npm registry is 3.2.6 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `babel-loader` is 1 major version(s) behind (9.1.3 -> 10.1.1)
`babel-loader` is pinned/resolved at 9.1.3 but the latest stable release on the npm registry is 10.1.1 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `eslint-config-prettier` is 2 major version(s) behind (8.10.0 -> 10.1.8)
`eslint-config-prettier` is pinned/resolved at 8.10.0 but the latest stable release on the npm registry is 10.1.8 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs …
package.json
medium Security checks software dependencies conf 0.90 npm package `eslint-import-resolver-typescript` is 1 major version(s) behind (3.6.1 -> 4.4.5)
`eslint-import-resolver-typescript` is pinned/resolved at 3.6.1 but the latest stable release on the npm registry is 4.4.5 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-up…
package.json
medium Security checks software dependencies conf 0.90 npm package `serialize-javascript` is 1 major version(s) behind (6.0.0 -> 7.0.5)
`serialize-javascript` is pinned/resolved at 6.0.0 but the latest stable release on the npm registry is 7.0.5 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs rais…
package.json
medium Security checks software dependencies conf 0.90 npm package `uuid` is 11 major version(s) behind (3.3.2 -> 14.0.0)
`uuid` is pinned/resolved at 3.3.2 but the latest stable release on the npm registry is 14.0.0 (11 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.88 picomatch: GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
package-lock.json
medium Security checks software dependencies conf 0.88 qs: GHSA-6rw7-vpxm-498p
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion
package-lock.json
medium Security checks software dependencies conf 0.88 qs: GHSA-q8mj-m7cp-5q26
qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set
package-lock.json
medium Security checks software dependencies conf 0.88 serialize-javascript: GHSA-76p7-773f-r4q5
Cross-site Scripting (XSS) in serialize-javascript
package-lock.json
medium Security checks software dependencies conf 0.88 serialize-javascript: GHSA-qj8w-gfj5-8c6v
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects
package-lock.json
medium Security checks software dependencies conf 0.88 uuid: GHSA-w5hq-g745-h8pq
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
package-lock.json
medium Security checks software dependencies conf 0.88 webpack: GHSA-4vvj-4cpr-p986
Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS
package-lock.json
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — docs/typedocs/assets/main.js:3
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph security Coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
auth
low Security checks software dependencies conf 0.88 axios: GHSA-xhjh-pmcv-23jw
Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams
package-lock.json
low Security checks software dependencies conf 0.88 brace-expansion: GHSA-v6h2-p8h4-qcjw
brace-expansion Regular Expression Denial of Service vulnerability
package-lock.json
low Security checks software dependencies conf 0.88 diff: GHSA-73rr-hh4g-fpgx
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch
package-lock.json
low Security checks software dependencies conf 0.88 elliptic: GHSA-848j-6mx2-7j84
Elliptic Uses a Cryptographic Primitive with a Risky Implementation
package-lock.json
low Security checks software dependencies conf 0.88 elliptic: GHSA-fc9h-whq2-v747
Valid ECDSA signatures erroneously rejected in Elliptic
package-lock.json
low Security checks quality Quality conf 0.70 Generated build artifact directory is present at repository root
Committed build outputs and caches make scans slower, confuse duplicate-code checks, and give AI agents stale generated code to imitate.
dist:1
low Security checks software dependencies conf 0.90 npm package `@babel/node` is minor version(s) behind (7.22.19 -> 7.29.7)
`@babel/node` is pinned/resolved at 7.22.19 but the latest stable release on the npm registry is 7.29.7 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `@babel/preset-env` is minor version(s) behind (7.22.20 -> 7.29.7)
`@babel/preset-env` is pinned/resolved at 7.22.20 but the latest stable release on the npm registry is 7.29.7 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 3 occurrences npm package `@babel/preset-typescript` is minor version(s) behind (7.23.0 -> 7.29.7)
`@babel/preset-typescript` is pinned/resolved at 7.23.0 but the latest stable release on the npm registry is 7.29.7 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs …
3 occurrences
package.json (3 hits)
low Security checks software dependencies conf 0.90 2 occurrences npm package `@babel/register` is minor version(s) behind (7.22.15 -> 7.29.7)
`@babel/register` is pinned/resolved at 7.22.15 but the latest stable release on the npm registry is 7.29.7 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
2 occurrences
package.json (2 hits)
low Security checks software dependencies conf 0.90 npm package `axios` is minor version(s) behind (1.7.4 -> 1.17.0)
`axios` is pinned/resolved at 1.7.4 but the latest stable release on the npm registry is 1.17.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `decimal.js` is minor version(s) behind (10.4.3 -> 10.6.0)
`decimal.js` is pinned/resolved at 10.4.3 but the latest stable release on the npm registry is 10.6.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `eslint-plugin-import` is minor version(s) behind (2.28.1 -> 2.32.0)
`eslint-plugin-import` is pinned/resolved at 2.28.1 but the latest stable release on the npm registry is 2.32.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs rais…
package.json
low Security checks software dependencies conf 0.90 npm package `eslint-plugin-jsx-a11y` is minor version(s) behind (6.7.1 -> 6.10.2)
`eslint-plugin-jsx-a11y` is pinned/resolved at 6.7.1 but the latest stable release on the npm registry is 6.10.2 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs rai…
package.json
low Security checks software dependencies conf 0.90 npm package `memfs` is minor version(s) behind (4.11.1 -> 4.57.6)
`memfs` is pinned/resolved at 4.11.1 but the latest stable release on the npm registry is 4.57.6 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `shx` is minor version(s) behind (0.3.4 -> 0.4.0)
`shx` is pinned/resolved at 0.3.4 but the latest stable release on the npm registry is 0.4.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `ts-loader` is minor version(s) behind (9.4.4 -> 9.6.0)
`ts-loader` is pinned/resolved at 9.4.4 but the latest stable release on the npm registry is 9.6.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `web-worker` is minor version(s) behind (1.3.0 -> 1.5.0)
`web-worker` is pinned/resolved at 1.3.0 but the latest stable release on the npm registry is 1.5.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.88 qs: GHSA-w7fw-mjwx-w883
qs's arrayLimit bypass in comma parsing allows denial of service
package-lock.json
low Security checks software dependencies conf 0.88 webpack: GHSA-38r7-794h-5758
webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence
package-lock.json
low Security checks software dependencies conf 0.88 webpack: GHSA-8fgc-7cc6-rx7x
webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior
package-lock.json
low System graph quality Maintenance conf 1.00 195 TODO/FIXME markers
High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/typedocs/assets/navigation.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/typedocs/assets/search.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/main/ts/daemon/model/ConnectionType.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/main/ts/daemon/model/MoneroKeyImageSpentStatus.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/main/ts/wallet/model/MoneroMessageSignatureType.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/main/ts/wallet/model/MoneroTxPriority.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/test/Scratchpad.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/test/TestAll.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: webpack.base.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: webpack.tests.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: webpack.worker.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph security security conf 1.00 Insecure pattern 'document_write' in src/main/ts/common/GenUtils.ts:952
Found a known-risky pattern (document_write). Review and replace if possible.
src/main/ts/common/GenUtils.ts:952 · Document write
low System graph quality Tests conf 1.00 Low test-to-source ratio
18 tests / 83 src (ratio 0.22).
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `isOld` in src/main/ts/wallet/model/MoneroMessageSignatureResult.ts:9
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `isOld` in src/main/ts/wallet/MoneroWalletFull.ts:1124
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `isOld` in src/main/ts/wallet/MoneroWalletRpc.ts:1134
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `isOld` in src/test/TestMoneroWalletCommon.ts:2341
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/main/ts/common/LibraryUtils.ts:41
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/main/ts/common/MoneroConnectionManager.ts:29
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/main/ts/daemon/MoneroDaemonRpc.ts:484
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/main/ts/wallet/MoneroWalletRpc.ts:1666
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/test/Scratchpad.ts:24
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/test/TestMoneroDaemonRpc.ts:1065
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/test/TestMoneroWalletCommon.ts:69
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/test/TestMoneroWalletFull.ts:51
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/test/TestMoneroWalletKeys.ts:25
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/test/TestSampleCode.ts:153
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/test/utils/RunWalletRpcTestServers.ts:12
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/test/utils/WalletSyncPrinter.ts:19
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/test/utils/WalletTxTracker.ts:81
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
low System graph quality Complexity conf 1.00 Very large file: src/main/ts/common/GenUtils.ts (1520 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: src/main/ts/daemon/MoneroDaemonRpc.ts (1960 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: src/main/ts/wallet/MoneroWallet.ts (1548 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: src/main/ts/wallet/MoneroWalletFull.ts (2501 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: src/main/ts/wallet/MoneroWalletRpc.ts (2604 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: src/test/TestMoneroDaemonRpc.ts (1857 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: src/test/TestMoneroWalletCommon.ts (5613 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: src/test/TestMoneroWalletFull.ts (1414 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.

This page is publicly accessible at: https://repobility.com/scan/03277d30-d4ef-430f-a159-b4d663028e02/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/03277d30-d4ef-430f-a159-b4d663028e02/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.