Public scan: anyone with this URL can view this analysis.
80 of your 355 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 1.45s · analysis 54.51s · 3.0 MB · GitHub API rate-limit (preflight)

abi/screenshot-to-code

https://github.com/abi/screenshot-to-code · scanned 2026-06-05 08:07 UTC (5 days, 19 hours ago) · 10 languages

549 raw signals (345 security + 204 graph) 42nd percentile · Python · medium (20-100K LoC)


Complete repo analysis

Last scanned 5 days, 19 hours ago · v2 · 322 actionable findings from 2 signal sources. 125 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5

Component             Sub-score   Weight   Contribution
structure_score       60.0        0.15     9.00
security_score        28.8        0.25     7.20
testing_score         70.0        0.20     14.00
documentation_score   62.0        0.15     9.30
practices_score       54.0        0.15     8.10
code_quality          60.5        0.10     6.05
Overall                           1.00     53.6
Active filters: excluding tests
Scan summary Quality grade C- (54/100). Dimensions: security 29, maintainability 60. 345 findings (180 security). 24,590 lines analyzed.

Showing 266 of 322 actionable findings. 447 raw detector signals were grouped into reader-sized issues.

critical Security checks software dependencies conf 0.88 3 occurrences basic-ftp: GHSA-5rq4-664w-9x2c
Basic FTP has Path Traversal Vulnerability in its downloadToDir() method
3 files, 3 locations
frontend/yarn.lock
package-lock.json
yarn.lock
critical Security checks software dependencies conf 0.88 h11: GHSA-vqfr-h8mv-ghfj
h11 accepts some malformed Chunked-Encoding bodies
backend/poetry.lock
critical Security checks software dependencies conf 0.88 2 occurrences handlebars: GHSA-2w6w-674q-4c4q
Handlebars.js has JavaScript Injection via AST Type Confusion
2 files, 2 locations
package-lock.json
yarn.lock
high Security checks quality Quality conf 1.00 ✓ Repobility Missing import: `queue` used but not imported
The file uses `queue.something(...)` but never imports `queue`. This raises NameError at runtime the first time the line executes.
backend/routes/evals.py:317
critical Security checks software dependencies conf 0.88 4 occurrences vitest: GHSA-5xrq-8626-4rwp
When Vitest UI server is listening, arbitrary file can be read and executed
4 files, 4 locations
frontend/pnpm-lock.yaml
frontend/yarn.lock
package-lock.json
yarn.lock
critical Security checks software dependencies conf 0.88 vitest: GHSA-9crc-q9x8-hgqq
Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening
frontend/yarn.lock
high Security checks software dependencies conf 0.88 @remix-run/router: GHSA-2w69-qvjg-hvjx
React Router vulnerable to XSS via Open Redirects
frontend/yarn.lock
high Security checks quality Quality conf 1.00 ✓ Repobility 25 occurrences `self._send` used but never assigned in __init__
Method `_stream_code_preview` of class `AgentEngine` reads `self._send`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
2 files, 25 locations
backend/agent/engine.py:94, 95, 98, 99, 125, 142, 143, 146, +10 more (18 hits)
backend/routes/generate_code.py:139, 276, 281, 284, 292, 395, 548 (7 hits)
high Security checks software dependencies conf 0.88 aiohttp: GHSA-6mq8-rvhq-8wgg
AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
backend/poetry.lock
high Security checks software dependencies conf 0.88 3 occurrences basic-ftp: GHSA-6v7q-wjvx-w8wg
basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands
3 files, 3 locations
frontend/yarn.lock
package-lock.json
yarn.lock
high Security checks software dependencies conf 0.88 3 occurrences basic-ftp: GHSA-rp42-5vxx-qpwr
basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list()
3 files, 3 locations
frontend/yarn.lock
package-lock.json
yarn.lock
high Security checks software dependencies conf 0.88 3 occurrences basic-ftp: GHSA-rpmf-866q-6p89
basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering
3 files, 3 locations
frontend/yarn.lock
package-lock.json
yarn.lock
high Security checks software dependencies conf 0.88 braces: GHSA-grv7-fg5c-xmjg
Uncontrolled resource consumption in braces
frontend/yarn.lock
high Security checks software dependencies conf 0.88 cross-spawn: GHSA-3xgq-45jj-v275
Regular Expression Denial of Service (ReDoS) in cross-spawn
frontend/yarn.lock
high Security checks cicd CI/CD security conf 0.92 Dockerfile copies the entire context without .dockerignore
COPY . or ADD . sends the full build context to Docker. Without .dockerignore this can include secrets, git history, and local artifacts.
frontend/Dockerfile:16 · CI/CD security · containers
high Security checks cicd CI/CD security conf 0.92 Dockerfile copies the entire context without .dockerignore
COPY . or ADD . sends the full build context to Docker. Without .dockerignore this can include secrets, git history, and local artifacts.
backend/Dockerfile:21 · CI/CD security · containers
high Security checks software dependencies conf 0.90 ✓ Repobility Dockerfile FROM `node:22-bullseye-slim` not pinned by digest
`FROM node:22-bullseye-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
frontend/Dockerfile:1
high Security checks software dependencies conf 0.90 ✓ Repobility Dockerfile FROM `python:3.12.3-slim-bullseye` not pinned by digest
`FROM python:3.12.3-slim-bullseye` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
backend/Dockerfile:1
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI DELETE /api/design-systems/{design_system_id} has no auth
Handler `delete_design_system` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
backend/routes/design_systems.py:153
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI PATCH /api/design-systems/{design_system_id} has no auth
Handler `update_design_system` is registered with router/app.patch(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
backend/routes/design_systems.py:126
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/design-systems has no auth
Handler `create_design_system` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
backend/routes/design_systems.py:110
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/export has no auth
Handler `export_code` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
backend/routes/export.py:451
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/screenshot has no auth
Handler `app_screenshot` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
backend/routes/screenshot.py:86
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /openai-input-compare has no auth
Handler `compare_openai_inputs_for_evals` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
backend/routes/evals.py:233
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /run_evals has no auth
Handler `run_evals` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
backend/routes/evals.py:261
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /run_evals_stream has no auth
Handler `run_evals_stream` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
backend/routes/evals.py:286
high Security checks software dependencies conf 0.88 3 occurrences flatted: GHSA-25h7-pfq9-p65f
flatted vulnerable to unbounded recursion DoS in parse() revive phase
3 files, 3 locations
frontend/yarn.lock
package-lock.json
yarn.lock
high Security checks software dependencies conf 0.88 3 occurrences flatted: GHSA-rf6f-7fwh-wjgh
Prototype Pollution via parse() in NodeJS flatted
3 files, 3 locations
frontend/yarn.lock
package-lock.json
yarn.lock
high Security checks software dependencies conf 0.88 2 occurrences handlebars: GHSA-3mfm-83xf-c92r
Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block
2 files, 2 locations
package-lock.json
yarn.lock
high Security checks software dependencies conf 0.88 2 occurrences handlebars: GHSA-9cx6-37pm-9jff
Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation
2 files, 2 locations
package-lock.json
yarn.lock
high Security checks software dependencies conf 0.88 2 occurrences handlebars: GHSA-xhpv-hc6g-r9c6
Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial
2 files, 2 locations
package-lock.json
yarn.lock
high Security checks software dependencies conf 0.88 2 occurrences handlebars: GHSA-xjpj-3mr7-gcpf
Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options
2 files, 2 locations
package-lock.json
yarn.lock
high Security checks software dependencies conf 0.88 4 occurrences minimatch: GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
4 files, 4 locations
frontend/pnpm-lock.yaml
frontend/yarn.lock
package-lock.json
yarn.lock
high Security checks software dependencies conf 0.88 4 occurrences minimatch: GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
4 files, 4 locations
frontend/pnpm-lock.yaml
frontend/yarn.lock
package-lock.json
yarn.lock
high Security checks software dependencies conf 0.88 4 occurrences minimatch: GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
4 files, 4 locations
frontend/pnpm-lock.yaml
frontend/yarn.lock
package-lock.json
yarn.lock
high Security checks software dependencies conf 0.88 3 occurrences picomatch: GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers
3 files, 3 locations
frontend/yarn.lock
package-lock.json
yarn.lock
high Security checks software dependencies conf 0.88 pillow: GHSA-cfh3-3jmp-rvhc
Pillow affected by out-of-bounds write when loading PSD images
backend/poetry.lock
high Security checks software dependencies conf 0.88 pillow: GHSA-pwv6-vv43-88gr
Pillow has an OOB Write with Invalid PSD Tile Extents (Integer Overflow)
backend/poetry.lock
high Security checks software dependencies conf 0.88 pillow: GHSA-whj4-6x5x-4v2j
FITS GZIP decompression bomb in Pillow
backend/poetry.lock
high Security checks software dependencies conf 0.88 pillow: PYSEC-2026-165
Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceeding large amount, when Pillow keeps track of the current position, it may lead to an integer overflow. This issue has been patched in version 12.2.0.
backend/poetry.lock
high Security checks software dependencies conf 0.90 ✓ Repobility pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v3.2.0`
`.pre-commit-config.yaml` references `https://github.com/pre-commit/pre-commit-hooks` at `rev: v3.2.0`. If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine.
backend/.pre-commit-config.yaml:4
high Security checks software dependencies conf 0.88 protobuf: GHSA-7gcm-g887-7qv7
protobuf affected by a JSON recursion depth bypass
backend/poetry.lock
high Security checks software dependencies conf 0.88 pyasn1: GHSA-63vm-454h-vhhq
pyasn1 has a DoS vulnerability in decoder
backend/poetry.lock
high Security checks software dependencies conf 0.88 pyasn1: GHSA-jr27-m4p2-rc6r
Denial of Service in pyasn1 via Unbounded Recursion
backend/poetry.lock
high Security checks software dependencies conf 0.88 rollup: GHSA-gcx4-mw62-g8wm
DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS
frontend/yarn.lock
high Security checks software dependencies conf 0.88 3 occurrences rollup: GHSA-mw96-cpmx-2vgc
Rollup 4 has Arbitrary File Write via Path Traversal
3 files, 3 locations
frontend/yarn.lock
package-lock.json
yarn.lock
high Security checks software dependencies conf 0.88 setuptools: PYSEC-2025-49
setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with…
backend/poetry.lock
high Security checks software dependencies conf 0.88 starlette: GHSA-7f5h-v6xp-fcq8
Starlette vulnerable to O(n^2) DoS via Range header merging in `starlette.responses.FileResponse`
backend/poetry.lock
high Security checks software dependencies conf 0.88 starlette: PYSEC-2026-161
BadHost: Missing Host header validation poisons request.url.path, bypassing path-based security checks
backend/poetry.lock
high Security checks software dependencies conf 0.88 tar-fs: GHSA-8cj5-5rvv-wf4v
tar-fs can extract outside the specified dir with a specific tarball
frontend/yarn.lock
high Security checks software dependencies conf 0.88 tar-fs: GHSA-pq67-2wwv-3xjx
tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File
frontend/yarn.lock
high Security checks software dependencies conf 0.88 tar-fs: GHSA-vj76-c3g6-qr5v
tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball
frontend/yarn.lock
high Security checks software dependencies conf 0.88 urllib3: GHSA-2xpw-w6gg-jr37
urllib3 streaming API improperly handles highly compressed data
backend/poetry.lock
high Security checks software dependencies conf 0.88 urllib3: GHSA-38jv-5279-wg99
Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API)
backend/poetry.lock
high Security checks software dependencies conf 0.88 urllib3: GHSA-gm62-xv2j-4w53
urllib3 allows an unbounded number of links in the decompression chain
backend/poetry.lock
high Security checks software dependencies conf 0.88 urllib3: PYSEC-2026-141
urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.
backend/poetry.lock
high Security checks software dependencies conf 0.88 vite: GHSA-c24v-8rfc-w8vw
Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem
frontend/yarn.lock
high Security checks software dependencies conf 0.88 4 occurrences vite: GHSA-c27g-q93r-2cwf
launch-editor vulnerable to command injection via the crafted request on Windows
4 files, 4 locations
frontend/pnpm-lock.yaml
frontend/yarn.lock
package-lock.json
yarn.lock
high Security checks software dependencies conf 0.88 ws: GHSA-3h5v-q93c-6h6q
ws affected by a DoS when handling a request with many HTTP headers
frontend/yarn.lock
high System graph api Wiring conf 1.00 Dangling fetch: POST https://backend.buildpicoapps.com/form (frontend/src/components/TermsOfServiceDialog.tsx:23)
`frontend/src/components/TermsOfServiceDialog.tsx:23` calls `POST https://backend.buildpicoapps.com/form` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch · Normalized path used for matching: `/https:/backend.buildpicoapps.com/form` · If this points at an ex…
Dangling fetch · Fetch
high System graph security auth conf 1.00 FastAPI DELETE `delete_design_system` without auth dependency — backend/routes/design_systems.py:152
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
backend/routes/design_systems.py:152 · security · Auth · fastapi · unauth mutation
high System graph security auth conf 1.00 FastAPI PATCH `update_design_system` without auth dependency — backend/routes/design_systems.py:125
`@router.patch` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
backend/routes/design_systems.py:125 · security · Auth · fastapi · unauth mutation
high System graph security auth conf 1.00 FastAPI POST `app_screenshot` without auth dependency — backend/routes/screenshot.py:85
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
backend/routes/screenshot.py:85 · security · Auth · fastapi · unauth mutation
high System graph security auth conf 1.00 FastAPI POST `compare_openai_inputs_for_evals` without auth dependency — backend/routes/evals.py:232
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
backend/routes/evals.py:232 · security · Auth · fastapi · unauth mutation
high System graph security auth conf 1.00 FastAPI POST `create_design_system` without auth dependency — backend/routes/design_systems.py:109
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
backend/routes/design_systems.py:109 · security · Auth · fastapi · unauth mutation
high System graph security auth conf 1.00 FastAPI POST `export_code` without auth dependency — backend/routes/export.py:450
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
backend/routes/export.py:450 · security · Auth · fastapi · unauth mutation
high System graph security auth conf 1.00 FastAPI POST `run_evals_stream` without auth dependency — backend/routes/evals.py:285
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
backend/routes/evals.py:285 · security · Auth · fastapi · unauth mutation
high System graph security auth conf 1.00 FastAPI POST `run_evals` without auth dependency — backend/routes/evals.py:260
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
backend/routes/evals.py:260 · security · Auth · fastapi · unauth mutation
medium Security checks software dependencies conf 0.88 @babel/helpers: GHSA-968p-4wvh-cqc8
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
frontend/yarn.lock
medium Security checks software dependencies conf 0.88 @babel/runtime: GHSA-968p-4wvh-cqc8
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
frontend/yarn.lock
medium Security checks quality Error handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
frontend/src/components/history/HistoryDisplay.tsx:70
medium Security checks software dependencies conf 0.88 aiohttp: GHSA-6jhg-hg63-jvvf
AIOHTTP vulnerable to denial of service through large payloads
backend/poetry.lock
medium Security checks software dependencies conf 0.88 aiohttp: GHSA-c427-h43c-vf67
AIOHTTP accepts duplicate Host headers
backend/poetry.lock
medium Security checks software dependencies conf 0.88 aiohttp: GHSA-g84x-mcqj-x9qq
AIOHTTP vulnerable to DoS through chunked messages
backend/poetry.lock
medium Security checks software dependencies conf 0.88 aiohttp: GHSA-hg6j-4rv6-33pg
AIOHTTP is vulnerable to cross-origin redirect with per-request cookies
backend/poetry.lock
medium Security checks software dependencies conf 0.88 aiohttp: GHSA-jg22-mg44-37j8
AIOHTTP is Vulnerable to Deserialization of Untrusted Data
backend/poetry.lock
medium Security checks software dependencies conf 0.88 aiohttp: GHSA-jj3x-wxrx-4x23
AIOHTTP vulnerable to DoS when bypassing asserts
backend/poetry.lock
medium Security checks software dependencies conf 0.88 aiohttp: GHSA-m5qp-6w8w-w647
AIOHTTP has a Multipart Header Size Bypass
backend/poetry.lock
medium Security checks software dependencies conf 0.88 aiohttp: GHSA-p998-jp59-783m
AIOHTTP affected by UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows
backend/poetry.lock
medium Security checks software dependencies conf 0.88 aiohttp: GHSA-w2fm-2cpv-w7v5
aiohttp allows unlimited trailer headers, leading to possible uncapped memory usage
backend/poetry.lock
medium Security checks software dependencies conf 0.88 3 occurrences ajv: GHSA-2g4f-4pwh-qvx6
ajv has ReDoS when using `$data` option
3 files, 3 locations
frontend/yarn.lock
package-lock.json
yarn.lock
medium Security checks software dependencies conf 0.88 3 occurrences brace-expansion: GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion
3 files, 3 locations
frontend/yarn.lock
package-lock.json
yarn.lock
low Security checks quality Error handling conf 0.55 ✓ Repobility 10 occurrences Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
8 files, 10 locations
backend/evals/runner.py:89, 329 (2 hits)
backend/routes/generate_code.py:647, 797 (2 hits)
backend/agent/tools/parsing.py:73
backend/fs_logging/gemini_prompt_report.py:100
backend/fs_logging/openai_turn_inputs.py:205
backend/routes/evals.py:381
backend/routes/export.py:355
backend/run_image_generation_evals.py:203
Error handling · quality
medium Security checks cicd CI/CD security conf 0.90 Docker build context has no .dockerignore
Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts.
.dockerignore · CI/CD security · containers
high Security checks cicd CI/CD security conf 0.82 Docker final stage has no non-root USER
Docker images run as root unless the image or Dockerfile switches to a non-root user.
frontend/Dockerfile:1 · CI/CD security · containers
high Security checks cicd CI/CD security conf 0.82 Docker final stage has no non-root USER
Docker images run as root unless the image or Dockerfile switches to a non-root user.
backend/Dockerfile:1 · CI/CD security · containers
medium Security checks quality Quality conf 0.80 Documented legal route has no visible implementation
A public legal/privacy/terms/biometric route is referenced, but no matching frontend page or backend route was found.
frontend/src/components/TermsOfServiceDialog.tsx:55
medium Security checks software dependencies conf 0.88 ejs: GHSA-ghr5-ch3p-vcr6
ejs lacks certain pollution protection
frontend/yarn.lock
medium Security checks software dependencies conf 0.88 4 occurrences esbuild: GHSA-67mh-4wv8-2f99
esbuild enables any website to send any requests to the development server and read the response
4 files, 4 locations
frontend/pnpm-lock.yaml
frontend/yarn.lock
package-lock.json
yarn.lock
medium Security checks software dependencies conf 0.88 filelock: GHSA-qmgc-5h2g-mvrw
filelock Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock
backend/poetry.lock
medium Security checks software dependencies conf 0.88 filelock: GHSA-w853-jp5j-5j7f
filelock has a TOCTOU race condition which allows symlink attacks during lock file creation
backend/poetry.lock
medium Security checks software dependencies conf 0.88 2 occurrences handlebars: GHSA-2qvq-rjwj-gvw9
Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection
2 files, 2 locations
package-lock.json
yarn.lock
medium Security checks software dependencies conf 0.88 2 occurrences handlebars: GHSA-7rx3-28cr-v5wh
Handlebars.js has a Prototype Method Access Control Gap via Missing __lookupSetter__ Blocklist Entry
2 files, 2 locations
package-lock.json
yarn.lock
medium Security checks software dependencies conf 0.88 idna: GHSA-65pc-fj4g-8rjx
Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix
backend/poetry.lock
medium Security checks software dependencies conf 0.88 3 occurrences ip-address: GHSA-v2v4-37r5-5v8g
ip-address has XSS in Address6 HTML-emitting methods
3 files, 3 locations
frontend/yarn.lock
package-lock.json
yarn.lock
medium Security checks software dependencies conf 0.88 js-yaml: GHSA-mh29-5h37-fv8m
js-yaml has prototype pollution in merge (<<)
frontend/yarn.lock
medium Security checks software dependencies conf 0.88 micromatch: GHSA-952p-6rrq-rcjv
Regular Expression Denial of Service (ReDoS) in micromatch
frontend/yarn.lock
medium Security checks software dependencies conf 0.88 nanoid: GHSA-mwcw-c2x4-8c55
Predictable results in nanoid generation when given non-integer values
frontend/yarn.lock
medium Security checks software dependencies conf 0.90 npm package `@types/jest` is 1 major version(s) behind (29.5.14 -> 30.0.0)
`@types/jest` is pinned/resolved at 29.5.14 but the latest stable release on the npm registry is 30.0.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
frontend/package.json
medium Security checks software dependencies conf 0.90 npm package `@types/react-dom` is 1 major version(s) behind (18.3.7 -> 19.2.3)
`@types/react-dom` is pinned/resolved at 18.3.7 but the latest stable release on the npm registry is 19.2.3 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
frontend/package.json
medium Security checks software dependencies conf 0.90 npm package `@vitejs/plugin-react` is 2 major version(s) behind (4.7.0 -> 6.0.2)
`@vitejs/plugin-react` is pinned/resolved at 4.7.0 but the latest stable release on the npm registry is 6.0.2 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs rais…
frontend/package.json
medium Security checks software dependencies conf 0.90 npm package `copy-to-clipboard` is 1 major version(s) behind (3.3.3 -> 4.0.2)
`copy-to-clipboard` is pinned/resolved at 3.3.3 but the latest stable release on the npm registry is 4.0.2 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
frontend/package.json
medium Security checks software dependencies conf 0.90 npm package `dotenv` is 1 major version(s) behind (16.6.1 -> 17.4.2)
`dotenv` is pinned/resolved at 16.6.1 but the latest stable release on the npm registry is 17.4.2 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
frontend/package.json
medium Security checks software dependencies conf 0.90 npm package `jest` is 1 major version(s) behind (29.7.0 -> 30.4.2)
`jest` is pinned/resolved at 29.7.0 but the latest stable release on the npm registry is 30.4.2 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
frontend/package.json
medium Security checks software dependencies conf 0.90 npm package `react-dropzone` is 1 major version(s) behind (14.3.8 -> 15.0.0)
`react-dropzone` is pinned/resolved at 14.3.8 but the latest stable release on the npm registry is 15.0.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
frontend/package.json
medium Security checks software dependencies conf 0.90 npm package `react-icons` is 1 major version(s) behind (4.12.0 -> 5.6.0)
`react-icons` is pinned/resolved at 4.12.0 but the latest stable release on the npm registry is 5.6.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
frontend/package.json
medium Security checks software dependencies conf 0.90 npm package `tailwind-merge` is 1 major version(s) behind (2.6.0 -> 3.6.0)
`tailwind-merge` is pinned/resolved at 2.6.0 but the latest stable release on the npm registry is 3.6.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
frontend/package.json
medium Security checks software dependencies conf 0.90 npm package `zustand` is 1 major version(s) behind (4.5.7 -> 5.0.14)
`zustand` is pinned/resolved at 4.5.7 but the latest stable release on the npm registry is 5.0.14 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
frontend/package.json
medium Security checks software dependencies conf 0.88 3 occurrences picomatch: GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
3 files, 3 locations
frontend/yarn.lock
package-lock.json
yarn.lock
medium Security checks software dependencies conf 0.88 pillow: GHSA-r73j-pqj5-w3x7
Pillow has a PDF Parsing Trailer Infinite Loop (DoS)
backend/poetry.lock
medium Security checks software dependencies conf 0.88 3 occurrences postcss: GHSA-qx2v-qp2m-jg93
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
3 files, 3 locations
frontend/yarn.lock
package-lock.json
yarn.lock
medium Security checks software dependencies conf 0.88 pytest: GHSA-6w46-j5rx-g56g
pytest has vulnerable tmpdir handling
backend/poetry.lock
medium Security checks software dependencies conf 0.90 Python package `attrs` is 2 major versions behind (24.3.0 -> 26.1.0)
poetry.lock pins `attrs` at 24.3.0 but the latest stable release on PyPI is 26.1.0 (2 major versions behind). attrs uses calendar versioning, so the count reflects the year gap rather than two breaking releases.
backend/poetry.lock
medium Security checks software dependencies conf 0.90 Python package `certifi` is 2 major versions behind (2024.12.14 -> 2026.5.20)
poetry.lock pins `certifi` at 2024.12.14 but the latest stable release on PyPI is 2026.5.20 (2 major versions behind). certifi is also calendar-versioned, but it ships the CA root bundle that `requests` and `httpx` trust by default, so a pin this old means an outdated trust store and deserves a bump ahead of cosmetic updates.
backend/poetry.lock
medium Security checks software dependencies conf 0.90 Python package `decorator` is 1 major version behind (4.4.2 -> 5.3.1)
poetry.lock pins `decorator` at 4.4.2 but the latest stable release on PyPI is 5.3.1 (1 major version behind).
backend/poetry.lock
medium Security checks software dependencies conf 0.90 Python package `google-genai` is 1 major version behind (1.60.0 -> 2.8.0)
poetry.lock pins `google-genai` at 1.60.0 but the latest stable release on PyPI is 2.8.0 (1 major version behind).
backend/poetry.lock
medium Security checks software dependencies conf 0.88 python-dotenv: GHSA-mf9w-mj56-hr94
python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback
backend/poetry.lock
medium Security checks software dependencies conf 0.88 4 occurrences react-router: GHSA-2j2x-hqr9-3h42
React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation
4 files, 4 locations
frontend/pnpm-lock.yaml
frontend/yarn.lock
package-lock.json
yarn.lock
medium Security checks software dependencies conf 0.88 react-router: GHSA-9jcx-v3wj-wh4m
React Router has unexpected external redirect via untrusted paths
frontend/yarn.lock
medium Security checks software dependencies conf 0.88 requests: GHSA-9hjg-9r4m-mvj7
Requests vulnerable to .netrc credentials leak via malicious URLs
backend/poetry.lock
medium Security checks software dependencies conf 0.88 requests: GHSA-gc5v-m9x4-r6x2
Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function
backend/poetry.lock
medium Security checks software dependencies conf 0.88 starlette: GHSA-2c2j-9gv5-cj73
Starlette has possible denial-of-service vector when parsing large files in multipart forms
backend/poetry.lock
medium Security checks software dependencies conf 0.88 urllib3: GHSA-48p4-8xcf-vxj5
urllib3 does not control redirects in browsers and Node.js
backend/poetry.lock
medium Security checks software dependencies conf 0.88 urllib3: GHSA-pq67-6m6q-mj2v
urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation
backend/poetry.lock
medium Security checks software dependencies conf 0.88 virtualenv: GHSA-597g-3phw-6986
virtualenv Has TOCTOU Vulnerabilities in Directory Creation
backend/poetry.lock
medium Security checks software dependencies conf 0.88 vite: GHSA-356w-63v5-8wf4
Vite has an `server.fs.deny` bypass with an invalid `request-target`
frontend/yarn.lock
medium Security checks software dependencies conf 0.88 vite: GHSA-4r4m-qw57-chr8
Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query
frontend/yarn.lock
medium Security checks software dependencies conf 0.88 4 occurrences vite: GHSA-4w7w-66w2-5vf9
Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling
4 files, 4 locations
frontend/pnpm-lock.yaml
frontend/yarn.lock
package-lock.json
yarn.lock
medium Security checks software dependencies conf 0.88 vite: GHSA-64vr-g452-qvp3
Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS
frontend/yarn.lock
medium Security checks software dependencies conf 0.88 vite: GHSA-859w-5945-r5v3
Vite's server.fs.deny bypassed with /. for files under project root
frontend/yarn.lock
medium Security checks software dependencies conf 0.88 vite: GHSA-8jhw-289h-jh2g
Vite's `server.fs.deny` did not deny requests for patterns with directories.
frontend/yarn.lock
medium Security checks software dependencies conf 0.88 vite: GHSA-92r3-m2mg-pj97
Vite XSS vulnerability in `server.transformIndexHtml` via URL payload
frontend/yarn.lock
medium Security checks software dependencies conf 0.88 4 occurrences vite: GHSA-93m4-6634-74q7
vite allows server.fs.deny bypass via backslash on Windows
4 files, 4 locations
frontend/pnpm-lock.yaml
frontend/yarn.lock
package-lock.json
yarn.lock
medium Security checks software dependencies conf 0.88 vite: GHSA-9cwx-2883-4wfx
Vite's `server.fs.deny` is bypassed when using `?import&raw`
frontend/yarn.lock
medium Security checks software dependencies conf 0.88 vite: GHSA-vg6x-rcgg-rjx6
Websites were able to send any requests to the development server and read the response in vite
frontend/yarn.lock
medium Security checks software dependencies conf 0.88 vite: GHSA-x574-m823-4x7w
Vite bypasses server.fs.deny when using ?raw??
frontend/yarn.lock
medium Security checks software dependencies conf 0.88 vite: GHSA-xcj6-pq6g-qj4x
Vite allows server.fs.deny to be bypassed with .svg or relative paths
frontend/yarn.lock
medium Security checks software dependencies conf 0.88 4 occurrences ws: GHSA-58qx-3vcg-4xpx
ws: Uninitialized memory disclosure
4 files, 4 locations
frontend/pnpm-lock.yaml
frontend/yarn.lock
package-lock.json
yarn.lock
medium Security checks software dependencies conf 0.88 yaml: GHSA-48c2-rrv3-qjmp
yaml is vulnerable to Stack Overflow via deeply nested YAML collections
frontend/yarn.lock
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — frontend/src/components/evals/PairwiseEvalsPage.tsx:63
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — frontend/src/components/evals/RunEvalsPage.tsx:61
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — frontend/src/components/TermsOfServiceDialog.tsx:23
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph hardware Security conf 1.00 Dockerfile runs as root: backend/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: frontend/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph security Coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
auth
medium System graph cicd CI/CD security conf 1.00 No CI/CD pipelines detected
No GitHub Actions, GitLab CI, or CircleCI configs found. Without CI you can't gate deploys on tests/lints, nor run `pip-audit` / `npm audit` against the lockfiles on every pull request, which is how most of the dependency advisories on this page would be caught before merge.
CI/CD security · Coverage
low Security checks software Race condition conf 1.00 [SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). `mktemp` is deprecated for the same reason.
Use `os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY)` for atomic create-only. Use `tempfile.NamedTemporaryFile()` (not `mktemp`). For locking, use `fcntl.flock`.
backend/uploaded_assets/store.py:177
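The check-then-use race the SEC124 finding describes, and the create-only fix it recommends, as an added example. This is not the project's store.py code; the upload directory, file names, contents and the planted symlink are constructed for the demo, and a POSIX host is assumed (symlink creation and `O_NOFOLLOW`). The dangling-symlink case is used because it shows the failure deterministically without having to win a timing race: `exists()` reports False for a dangling link, and `open()` then writes through it.

```python
"""Check-then-use vs. create-only file writes (illustration of the SEC124 pattern).

Added example; not the project's backend/uploaded_assets/store.py code. The
directory layout, names and bytes below are constructed for the demo.
"""
import os
import tempfile
from pathlib import Path

# O_NOFOLLOW is POSIX-only; fall back to 0 so the module still imports elsewhere.
O_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)


def save_unsafe(directory: str, name: str, data: bytes) -> str:
    """Check-then-use: exists() followed by open(..., 'wb').

    exists() follows symlinks and reports False for a dangling link; open()
    then follows the same link and creates/truncates whatever it points at.
    Without a dangling link, an attacker who swaps the path between the two
    calls gets the same effect.
    """
    path = os.path.join(directory, name)
    if os.path.exists(path):              # the check ...
        raise FileExistsError(path)
    with open(path, "wb") as fh:          # ... and the use, not atomic with the check
        fh.write(data)
    return path


def save_atomic(directory: str, name: str, data: bytes) -> str:
    """Create-only open: O_CREAT|O_EXCL makes 'create only if absent' a single
    syscall that fails with EEXIST if the path exists as anything, including a
    symlink (dangling or not). O_NOFOLLOW additionally refuses to open through
    a link where the platform supports it."""
    path = os.path.join(directory, name)
    flags = os.O_CREAT | os.O_EXCL | os.O_WRONLY | O_NOFOLLOW
    fd = os.open(path, flags, 0o600)      # raises FileExistsError instead of clobbering
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def save_via_tempfile(directory: str, name: str, data: bytes) -> str:
    """The tempfile route the finding recommends instead of mktemp(): write to a
    securely created temp file in the same directory, then link() it into place.
    link() fails if the destination already exists, so the publish step is also
    create-only and never writes through a planted symlink."""
    with tempfile.NamedTemporaryFile(dir=directory, delete=False) as tmp:
        tmp.write(data)
    dest = os.path.join(directory, name)
    try:
        os.link(tmp.name, dest)
    finally:
        os.unlink(tmp.name)
    return dest


def demo() -> dict:
    """Constructed scenario: an attacker has planted a dangling symlink
    uploads/avatar.png -> <tmp>/victim.txt so the next upload lands there."""
    with tempfile.TemporaryDirectory() as tmp:
        uploads = Path(tmp, "uploads")
        uploads.mkdir()
        victim = Path(tmp, "victim.txt")            # attacker-chosen target, not yet existing
        os.symlink(victim, uploads / "avatar.png")  # dangling link

        payload = b"attacker-controlled bytes"
        save_unsafe(str(uploads), "avatar.png", payload)
        unsafe_wrote_target = victim.is_file() and victim.read_bytes() == payload

        def refused(fn) -> bool:
            try:
                fn(str(uploads), "avatar.png", b"x")
            except FileExistsError:
                return True
            return False

        atomic_refused = refused(save_atomic)
        tempfile_refused = refused(save_via_tempfile)

        # The normal path still works for a name nobody has planted, with 0600 perms.
        p = save_atomic(str(uploads), "fresh.png", b"ok")
        fresh_ok = Path(p).read_bytes() == b"ok" and (os.stat(p).st_mode & 0o777) == 0o600

    return {
        "unsafe_wrote_target": unsafe_wrote_target,
        "atomic_refused": atomic_refused,
        "tempfile_refused": tempfile_refused,
        "fresh_ok": fresh_ok,
    }
```

`demo()` returns `unsafe_wrote_target=True` (the check-then-use path created the attacker's target) and `atomic_refused=True`, `tempfile_refused=True`, `fresh_ok=True` for the create-only variants. The same `O_CREAT | O_EXCL` flags are what to reach for at store.py:177; if the code must overwrite an existing upload, open the directory with `os.open(dir, os.O_RDONLY)` and use `dir_fd=` so the final path component is resolved relative to a descriptor you already hold.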
low Security checks software dependencies conf 0.88 aiohttp: GHSA-2vrm-gr82-f7m5
AIOHTTP has CRLF injection through multipart part content type header construction
backend/poetry.lock
low Security checks software dependencies conf 0.88 aiohttp: GHSA-3wq7-rqq7-wx6j
AIOHTTP has late size enforcement for non-file multipart fields causes memory DoS
backend/poetry.lock
low Security checks software dependencies conf 0.88 aiohttp: GHSA-54jq-c3m8-4m76
AIOHTTP vulnerable to brute-force leak of internal static file path components
backend/poetry.lock
low Security checks software dependencies conf 0.88 aiohttp: GHSA-63hf-3vf5-4wqf
AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypass
backend/poetry.lock
low Security checks software dependencies conf 0.88 aiohttp: GHSA-69f9-5gxw-wvc2
AIOHTTP's unicode processing of header values could cause parsing discrepancies
backend/poetry.lock
low Security checks software dependencies conf 0.88 aiohttp: GHSA-9548-qrrj-x5pj
AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections
backend/poetry.lock
low Security checks software dependencies conf 0.88 aiohttp: GHSA-966j-vmvw-g2g9
AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect
backend/poetry.lock
low Security checks software dependencies conf 0.88 aiohttp: GHSA-fh55-r93g-j68g
AIOHTTP Vulnerable to Cookie Parser Warning Storm
backend/poetry.lock
low Security checks software dependencies conf 0.88 aiohttp: GHSA-hcc4-c3v8-rx92
AIOHTTP Affected by Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector
backend/poetry.lock
low Security checks software dependencies conf 0.88 aiohttp: GHSA-mqqc-3gqh-h2x8
AIOHTTP has unicode match groups in regexes for ASCII protocol elements
backend/poetry.lock
low Security checks software dependencies conf 0.88 aiohttp: GHSA-mwh4-6h8g-pg8w
AIOHTTP has HTTP response splitting via \r in reason phrase
backend/poetry.lock
low Security checks software dependencies conf 0.88 brace-expansion: GHSA-v6h2-p8h4-qcjw
brace-expansion Regular Expression Denial of Service vulnerability
frontend/yarn.lock
high Security checks cicd CI/CD security conf 0.56 2 occurrences Compose service does not declare a runtime user
If the image does not define USER internally, this service may run as root. Neither backend/Dockerfile nor frontend/Dockerfile sets a USER (see the two Dockerfile findings above), so as scanned both services do run as root; fix it in the image with a USER instruction, or per service in compose with a `user:` entry.
lines 3, 21
docker-compose.yml:3, 21 (2 hits)
CI/CD security · containers
high Security checks cicd CI/CD security conf 0.62 2 occurrences Compose service lacks no-new-privileges hardening
no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities. It is set per service with `security_opt: ["no-new-privileges:true"]` and is cheap to add here, since neither a web backend nor a static frontend has a legitimate need to escalate.
lines 3, 21
docker-compose.yml:3, 21 (2 hits)
CI/CD security · containers
high Security checks cicd CI/CD security conf 0.72 Dockerfile keeps pip download cache
Pip's package cache increases image size and can preserve unnecessary artifacts. Pass `--no-cache-dir` to `pip install`, or set `ENV PIP_NO_CACHE_DIR=1` earlier in the Dockerfile. This is an image-hygiene finding rather than a vulnerability, despite the high severity shown; prioritise the root-user and digest-pinning findings first.
backend/Dockerfile:6 · CI/CD security · containers
low Security checks quality Quality conf 0.60 7 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
5 files, 7 locations
frontend/src/components/unified-input/UnifiedInputPane.tsx:10, 36 (2 hits)
frontend/src/components/unified-input/tabs/UploadTab.tsx:11, 253 (2 hits)
frontend/src/components/evals/PairwiseEvalsPage.tsx:63
frontend/src/components/unified-input/tabs/TextTab.tsx:43
frontend/src/components/unified-input/tabs/UrlTab.tsx:86
duplication · quality
low Security checks software dependencies conf 0.88 2 occurrences handlebars: GHSA-442j-39wm-28r2
Handlebars.js has a Property Access Validation Bypass in container.lookup
2 files, 2 locations
package-lock.json
yarn.lock
low Security checks software dependencies conf 0.90 npm package `@codemirror/state` is 1 minor version behind (6.5.4 -> 6.6.0)
`@codemirror/state` is pinned/resolved at 6.5.4 but the latest stable release on the npm registry is 6.6.0 (1 minor version behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
frontend/package.json
low Security checks software dependencies conf 0.90 npm package `@codemirror/view` is 4 minor versions behind (6.39.11 -> 6.43.0)
`@codemirror/view` is pinned/resolved at 6.39.11 but the latest stable release on the npm registry is 6.43.0 (4 minor versions behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
frontend/package.json
low Security checks software dependencies conf 0.90 npm package `autoprefixer` is 1 minor version behind (10.4.23 -> 10.5.0)
`autoprefixer` is pinned/resolved at 10.4.23 but the latest stable release on the npm registry is 10.5.0 (1 minor version behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
frontend/package.json
low Security checks software dependencies conf 0.90 npm package `eslint-plugin-react-refresh` is 1 minor version behind (0.4.26 -> 0.5.2)
`eslint-plugin-react-refresh` is pinned/resolved at 0.4.26 but the latest stable release on the npm registry is 0.5.2 (1 minor version behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PR…
frontend/package.json
low Security checks software dependencies conf 0.90 npm package `vite-plugin-checker` is 5 minor versions behind (0.9.3 -> 0.14.1)
`vite-plugin-checker` is pinned/resolved at 0.9.3 but the latest stable release on the npm registry is 0.14.1 (5 minor versions behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
frontend/package.json
low Security checks software dependencies conf 0.90 Python package `aiohappyeyeballs` is 2 minor versions behind (2.4.4 -> 2.6.2)
poetry.lock pins `aiohappyeyeballs` at 2.4.4 but the latest stable release on PyPI is 2.6.2 (2 minor versions behind).
backend/poetry.lock
low Security checks software dependencies conf 0.90 Python package `aiosignal` is 1 minor version behind (1.3.2 -> 1.4.0)
poetry.lock pins `aiosignal` at 1.3.2 but the latest stable release on PyPI is 1.4.0 (1 minor version behind).
backend/poetry.lock
low Security checks software dependencies conf 0.90 Python package `anthropic` is 21 minor versions behind (0.84.0 -> 0.105.2)
poetry.lock pins `anthropic` at 0.84.0 but the latest stable release on PyPI is 0.105.2 (21 minor versions behind). The SDK is still pre-1.0, so minor releases can carry breaking changes; read the changelog before bumping.
backend/poetry.lock
low Security checks software dependencies conf 0.90 Python package `anyio` is 4 minor versions behind (4.9.0 -> 4.13.0)
poetry.lock pins `anyio` at 4.9.0 but the latest stable release on PyPI is 4.13.0 (4 minor versions behind).
backend/poetry.lock
low Security checks software dependencies conf 0.90 Python package `beautifulsoup4` is 2 minor versions behind (4.12.3 -> 4.14.3)
poetry.lock pins `beautifulsoup4` at 4.12.3 but the latest stable release on PyPI is 4.14.3 (2 minor versions behind).
backend/poetry.lock
low Security checks software dependencies conf 0.90 Python package `cfgv` is 1 minor version behind (3.4.0 -> 3.5.0)
poetry.lock pins `cfgv` at 3.4.0 but the latest stable release on PyPI is 3.5.0 (1 minor version behind).
backend/poetry.lock
low Security checks software dependencies conf 0.90 Python package `click` is 3 minor versions behind (8.1.7 -> 8.4.1)
poetry.lock pins `click` at 8.1.7 but the latest stable release on PyPI is 8.4.1 (3 minor versions behind).
backend/poetry.lock
low Security checks software dependencies conf 0.90 Python package `distlib` is 1 minor version behind (0.3.9 -> 0.4.1)
poetry.lock pins `distlib` at 0.3.9 but the latest stable release on PyPI is 0.4.1 (1 minor version behind).
backend/poetry.lock
low Security checks software dependencies conf 0.90 Python package `docstring-parser` is 1 minor version behind (0.17.0 -> 0.18.0)
poetry.lock pins `docstring-parser` at 0.17.0 but the latest stable release on PyPI is 0.18.0 (1 minor version behind).
backend/poetry.lock
low Security checks software dependencies conf 0.90 Python package `exceptiongroup` is 1 minor version behind (1.2.2 -> 1.3.1)
poetry.lock pins `exceptiongroup` at 1.2.2 but the latest stable release on PyPI is 1.3.1 (1 minor version behind).
backend/poetry.lock
low Security checks software dependencies conf 0.90 Python package `fastapi` is 21 minor versions behind (0.115.6 -> 0.136.3)
poetry.lock pins `fastapi` at 0.115.6 but the latest stable release on PyPI is 0.136.3 (21 minor versions behind). FastAPI is pre-1.0, so minor releases can carry breaking changes; bump it together with `starlette`, which it pins tightly.
backend/poetry.lock
low Security checks software dependencies conf 0.90 Python package `filelock` is 13 minor versions behind (3.16.1 -> 3.29.1)
poetry.lock pins `filelock` at 3.16.1 but the latest stable release on PyPI is 3.29.1 (13 minor versions behind).
backend/poetry.lock
low Security checks software dependencies conf 0.90 Python package `frozenlist` is 3 minor versions behind (1.5.0 -> 1.8.0)
poetry.lock pins `frozenlist` at 1.5.0 but the latest stable release on PyPI is 1.8.0 (3 minor versions behind).
backend/poetry.lock
low Security checks software dependencies conf 0.90 Python package `google-auth` is 6 minor versions behind (2.47.0 -> 2.53.0)
poetry.lock pins `google-auth` at 2.47.0 but the latest stable release on PyPI is 2.53.0 (6 minor versions behind).
backend/poetry.lock
low Security checks software dependencies conf 0.90 Python package `googleapis-common-protos` is 5 minor versions behind (1.70.0 -> 1.75.0)
poetry.lock pins `googleapis-common-protos` at 1.70.0 but the latest stable release on PyPI is 1.75.0 (5 minor versions behind).
backend/poetry.lock
low Security checks software dependencies conf 0.90 Python package `h11` is 2 minor versions behind (0.14.0 -> 0.16.0)
poetry.lock pins `h11` at 0.14.0 but the latest stable release on PyPI is 0.16.0 (2 minor versions behind). h11 is the HTTP/1.1 parser under `httpcore` and `uvicorn`, so a stale pin here affects request and response parsing for the whole backend; treat it as higher priority than the severity label suggests.
backend/poetry.lock
low Security checks software dependencies conf 0.90 Python package `idna` is 8 minor versions behind (3.10 -> 3.18)
poetry.lock pins `idna` at 3.10 but the latest stable release on PyPI is 3.18 (8 minor versions behind).
backend/poetry.lock
low Security checks software dependencies conf 0.90 Python package `imageio` is 1 minor version behind (2.36.1 -> 2.37.3)
poetry.lock pins `imageio` at 2.36.1 but the latest stable release on PyPI is 2.37.3 (1 minor version behind).
backend/poetry.lock
low Security checks software dependencies conf 0.88 4 occurrences vite: GHSA-g4jq-h2w9-997c
Vite middleware may serve files starting with the same name with the public directory
4 files, 4 locations
frontend/pnpm-lock.yaml
frontend/yarn.lock
package-lock.json
yarn.lock
low Security checks software dependencies conf 0.88 4 occurrences vite: GHSA-jqfw-vq24-v9c3
Vite's `server.fs` settings were not applied to HTML files
4 files, 4 locations
frontend/pnpm-lock.yaml
frontend/yarn.lock
package-lock.json
yarn.lock
low System graph quality Integrity conf 1.00 17 env vars used in code but missing from .env.example
Drift between code and config docs. The first few: `ANTHROPIC_API_KEY`, `DEBUG_DIR`, `EVALS_DIR`, `GEMINI_API_KEY`, `IS_DEBUG_ENABLED`, `IS_PROD`, `LOCAL_ASSET_DIR`, `LOGS_PATH` + 9 more. Add them (with a placeholder/comment) to .env.example so onboarding doesn't break.
config drift
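A check that reproduces the drift finding above, added here as an example and not part of the project or the scanner: it collects the environment variable names the backend (Python) and frontend (Vite/TypeScript) read, compares them with the keys declared in `.env.example`, and reports both directions. The source snippets and the `.env.example` text are constructed; some variable names reuse ones the finding lists, while `VITE_WS_BACKEND_URL` is an assumed frontend name.

```python
"""Env-var drift check: names read in code vs. keys declared in .env.example.

Added example, not the project's tooling. SAMPLE_SOURCES and SAMPLE_ENV_EXAMPLE
are constructed; the frontend variable name is an assumption.
"""
import re

# The ways the backend (Python) and frontend (Vite/TS) read environment variables.
ENV_REF_PATTERNS = [
    re.compile(r"""os\.environ\s*\[\s*["']([A-Z][A-Z0-9_]*)["']\s*\]"""),
    re.compile(r"""os\.environ\.get\(\s*["']([A-Z][A-Z0-9_]*)["']"""),
    re.compile(r"""os\.getenv\(\s*["']([A-Z][A-Z0-9_]*)["']"""),
    re.compile(r"""import\.meta\.env\.([A-Z][A-Z0-9_]*)"""),
    re.compile(r"""process\.env\.([A-Z][A-Z0-9_]*)"""),
]


def env_vars_in_sources(sources: dict) -> dict:
    """Map each env var name to the set of files that read it."""
    refs: dict = {}
    for path, text in sources.items():
        for pattern in ENV_REF_PATTERNS:
            for name in pattern.findall(text):
                refs.setdefault(name, set()).add(path)
    return refs


def env_example_keys(text: str) -> set:
    """Keys declared in a dotenv-style file; comments, blank lines and a leading
    'export ' are tolerated, values are ignored."""
    keys = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key = line.split("=", 1)[0].strip()
        if key.startswith("export "):
            key = key[len("export "):].strip()
        keys.add(key)
    return keys


def env_drift(sources: dict, example_text: str):
    """Return (missing, unused): vars read in code but undeclared, mapped to the
    files that read them, and declared keys that no source reads."""
    refs = env_vars_in_sources(sources)
    declared = env_example_keys(example_text)
    missing = {name: sorted(files) for name, files in refs.items() if name not in declared}
    unused = sorted(declared - set(refs))
    return missing, unused


# Constructed inputs standing in for a repo checkout.
SAMPLE_SOURCES = {
    "backend/config.py": (
        "import os\n"
        'ANTHROPIC_API_KEY = os.environ.get("ANTHROPIC_API_KEY")\n'
        'DEBUG_DIR = os.getenv("DEBUG_DIR", "")\n'
        'IS_PROD = os.environ["IS_PROD"] == "true"\n'
    ),
    "frontend/src/config.ts": (
        "export const WS_BACKEND_URL = import.meta.env.VITE_WS_BACKEND_URL;\n"
    ),
}
SAMPLE_ENV_EXAMPLE = """\
# constructed .env.example
OPENAI_API_KEY=
ANTHROPIC_API_KEY=
export IS_PROD=false
"""

if __name__ == "__main__":
    missing, unused = env_drift(SAMPLE_SOURCES, SAMPLE_ENV_EXAMPLE)
    for name, files in sorted(missing.items()):
        print(f"missing from .env.example: {name}  (read in {', '.join(files)})")
    for name in unused:
        print(f"declared but never read: {name}")
```

On the constructed input this reports `DEBUG_DIR` and `VITE_WS_BACKEND_URL` as missing and `OPENAI_API_KEY` as declared but unread. Run it over a real checkout by building `sources` from `Path("backend").rglob("*.py")` and `Path("frontend/src").rglob("*.ts*")`, and wire it into pre-commit so a new `os.getenv(...)` cannot land without its `.env.example` placeholder.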
low System graph hardware Coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
Deployment
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: node:22-bullseye-slim
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
frontend/Dockerfile:1 · containers · Pinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: python:3.12.3-slim-bullseye
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
backend/Dockerfile:1 · containers · Pinned dependencies
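Three of the container findings on this page (the two "Dockerfile runs as root" findings, "Dockerfile keeps pip download cache", and the two "tag-pinned but not digest-pinned" findings) are mechanical enough to check in code. The policy check below is an added example, not the project's or the scanner's code: the weak Dockerfile is constructed to mirror the findings (a `python:3.12.3-slim-bullseye` tag, a `pip install` on the third line, no USER), the hardened one shows the fix, and its digest is a placeholder of 64 zeros, not a real image digest. Instruction parsing is line-based with backslash continuations joined; multi-stage builds are handled by resetting state at each `FROM` and judging the final stage, and `ENV PIP_NO_CACHE_DIR` is assumed not to carry across stages.

```python
"""Dockerfile policy check: non-root USER, pip cache, digest-pinned base image.

Added example; the Dockerfiles below are constructed and PLACEHOLDER_DIGEST is
not a real digest.
"""
import re

FROM_RE = re.compile(r"^FROM\s+(?:--platform=\S+\s+)?(\S+)", re.IGNORECASE)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
PIP_INSTALL_RE = re.compile(r"\bpip3?\s+install\b")
ROOT_USERS = {"root", "0"}


def logical_lines(text: str):
    """Yield (line_number, instruction) with backslash continuations joined
    and comments/blank lines dropped."""
    buf, start = [], 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf:
            if not line or line.startswith("#"):
                continue
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf = []
    if buf:
        yield start, " ".join(buf)


def check_dockerfile(text: str) -> list:
    """Return [(line, message), ...]; an empty list means all three checks pass.
    Line 0 marks the whole-file 'runs as root' verdict."""
    findings = []
    user = None            # USER in effect in the current stage (None = root)
    pip_cache_off = False  # ENV PIP_NO_CACHE_DIR seen in the current stage
    for lineno, line in logical_lines(text):
        m = FROM_RE.match(line)
        if m:
            image = m.group(1)
            if not DIGEST_RE.search(image):
                findings.append((lineno, f"base image tag-pinned but not digest-pinned: {image}"))
            user, pip_cache_off = None, False   # each stage starts as root
            continue
        upper = line.upper()
        if upper.startswith("ENV ") and "PIP_NO_CACHE_DIR" in upper:
            pip_cache_off = True
        elif upper.startswith("USER "):
            user = line.split(None, 1)[1].strip()
        elif upper.startswith("RUN ") and PIP_INSTALL_RE.search(line):
            if "--no-cache-dir" not in line and not pip_cache_off:
                findings.append((lineno, "pip install keeps its download cache"))
    if user is None or user.split(":")[0] in ROOT_USERS:
        findings.append((0, "final stage runs as root: no non-root USER"))
    return findings


# Constructed to mirror the findings: tag-only FROM, pip on line 3, no USER.
WEAK_DOCKERFILE = """\
FROM python:3.12.3-slim-bullseye
WORKDIR /app
RUN pip install poetry
COPY . .
CMD ["python", "main.py"]
"""

# Placeholder, NOT a real digest. Get the real one with:
#   docker buildx imagetools inspect python:3.12.3-slim-bullseye
PLACEHOLDER_DIGEST = "sha256:" + "0" * 64

HARDENED_DOCKERFILE = f"""\
FROM python:3.12.3-slim-bullseye@{PLACEHOLDER_DIGEST}
ENV PIP_NO_CACHE_DIR=1
WORKDIR /app
RUN pip install --no-cache-dir \\
    poetry
RUN useradd --create-home --uid 10001 app
COPY --chown=app:app . .
USER app
CMD ["python", "main.py"]
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(label, check_dockerfile(text) or "OK")
```

`check_dockerfile(WEAK_DOCKERFILE)` returns the digest finding on line 1, the pip-cache finding on line 3 and the root verdict; the hardened file returns an empty list. Run it against the real files with `check_dockerfile(open("backend/Dockerfile").read())`. The compose-side findings (`user:` and `security_opt: ["no-new-privileges:true"]` per service) are a separate check, since a correct USER in the image can still be overridden by compose.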
low System graph software Dead code candidate conf 1.00 File has no detected symbols: backend/agent/providers/types.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: backend/config.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: backend/custom_types.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: backend/evals/config.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: backend/image_generation/core.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: backend/prompts/system_prompt.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: backend/routes/model_choice_sets.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: backend/start.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: backend/ws/constants.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/jest.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/postcss.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/components/commits/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/components/core/KeyboardShortcutBadge.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/components/core/StackLabel.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/components/history/utils.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/components/start-pane/StartPane.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/components/ui/accordion.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/components/ui/button.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/components/ui/checkbox.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/components/ui/collapsible.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/components/ui/hover-card.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/components/ui/input.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/components/ui/label.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/components/ui/popover.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/components/ui/progress.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/components/ui/scroll-area.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/components/ui/select.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/components/ui/separator.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/components/ui/switch.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/components/ui/tabs.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/components/ui/textarea.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/constants.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/lib/models.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/lib/prompt-history.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/lib/stacks.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/main.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/setupTests.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/store/app-store.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/store/project-store.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/urls.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/vite-env.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/tailwind.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/vite.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph security security conf 1.00 Insecure pattern 'document_write' in frontend/src/components/preview/PreviewPane.tsx:28
Found a known-risky pattern (document_write). If this is writing generated HTML into a preview frame, prefer setting the iframe's `srcdoc` together with a restrictive `sandbox` attribute, so the markup does not execute with the app origin's privileges; otherwise review and replace if possible.
frontend/src/components/preview/PreviewPane.tsx:28 · Document write
low System graph quality Tests conf 1.00 Low test-to-source ratio
29 tests / 172 src (ratio 0.17).
low System graph quality Integrity conf 1.00 3 occurrences Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: backend/routes/generate_code.py:send_message, backend/routes/generate_code.py:send_message This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
3 occurrences
repo-level (3 hits)
duplicates · duplication
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 7 places
Functions with the same first-5-line body hash: backend/routes/generate_code.py:process, backend/routes/generate_code.py:process, backend/routes/generate_code.py:process, backend/routes/generate_code.py:process This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see http…
duplicates · duplication
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `model_copy` in backend/routes/design_systems.py:134
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version. Caveat: the match here is the `_copy` suffix, and `model_copy` is also the name of Pydantic v2's `BaseModel.model_copy()` method, so check whether line 134 is a call to that API rather than a stale duplicate before removing anything.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `schema_copy` in backend/agent/providers/openai.py:79
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version. Caveat: the match here is the `_copy` suffix, which more often names a defensive copy of a live object (a schema being modified before it is sent, for instance) than a superseded version, so confirm before deleting.
old marker · Dead code
low System graph software Dead code conf 1.00 5 occurrences Possibly dead Python functions
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler. Note that `wrapped` is the conventional name for the inner function a decorator returns; such closures are invoked through the decorated name, which a direct caller scan will not see, so check the enclosing decorator before deleting it.
compare_openai_input_json_strings (backend/fs_logging/openai_input_compare.py:234)
pprint_prompt (backend/utils.py:8)
send_runner_message (backend/routes/generate_code.py:570)
wrapped (backend/routes/generate_code.py:150)
write_to_file (backend/debug/DebugFileWriter.py:22)
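The two checks above, the first-5-line body hash behind the "near-duplicate function bodies" findings and the caller scan behind the "possibly dead Python function" findings, are easy to reproduce with the standard-library `ast` module. The script below is an added example, not Repobility's engine and not code from screenshot-to-code. The modules in `SAMPLE_SOURCES` are constructed for the demo (the names echo the findings but the bodies are invented), and the decorator exemption in `find_possibly_dead` implements the "framework handler" caveat the finding text mentions. It needs Python 3.9+ for `ast.unparse`.

```python
"""AST checks of the kind behind the 'near-duplicate function bodies' and
'possibly dead Python function' findings. Added example, not Repobility's
engine and not code from screenshot-to-code. SAMPLE_SOURCES is constructed
for the demo. Needs Python 3.9+ for ast.unparse."""
import ast
import hashlib
from collections import defaultdict

# Constructed sample modules: two functions that share a 5-line body prefix,
# one helper nobody calls, one that is called, and one decorated handler.
SAMPLE_SOURCES = {
    "routes/generate_code.py": '''
from utils import used_helper

async def send_message_a(ws, kind, text):
    payload = {"type": kind, "value": text}
    if not text:
        return None
    await ws.send_json(payload)
    await ws.send_json({"type": "done"})
    return payload

async def send_message_b(ws, kind, text):
    payload = {"type": kind, "value": text}
    if not text:
        return None
    await ws.send_json(payload)
    await ws.send_json({"type": "done"})
    log(payload)          # diverges only after the 5-line prefix
    return payload

def log(obj):
    print(obj)
    return used_helper(len(str(obj)))

@router.get("/")
def home():              # decorated: a framework handler, not dead
    return "ok"
''',
    "utils.py": '''
def pprint_prompt(prompt):
    return "\\n".join(str(m) for m in prompt)

def used_helper(x):
    return x * 2
''',
}


def _functions(tree):
    """Every (async) function definition in a parsed module, nested ones included."""
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            yield node


def body_hash(func, lines=5):
    """Hash the first `lines` lines of the *unparsed* body so that indentation,
    quoting style and comments do not mask a copy-paste."""
    body = "\n".join(ast.unparse(stmt) for stmt in func.body)
    head = "\n".join(body.splitlines()[:lines])
    return hashlib.sha256(head.encode()).hexdigest()[:12]


def find_duplicate_bodies(sources, lines=5):
    """{hash: ['module:name', ...]} for every body prefix shared by 2+ functions."""
    groups = defaultdict(list)
    for path, src in sources.items():
        for func in _functions(ast.parse(src)):
            groups[body_hash(func, lines)].append(f"{path}:{func.name}")
    return {h: names for h, names in groups.items() if len(names) > 1}


def find_possibly_dead(sources):
    """Undecorated functions whose name is never loaded as a Name or used as an
    attribute anywhere in `sources`. Decorated functions are skipped: route
    handlers and the like are called by the framework, which no in-repo AST
    scan can see."""
    defined = {}
    referenced = set()
    for path, src in sources.items():
        tree = ast.parse(src)
        for func in _functions(tree):
            if not func.decorator_list:
                defined[f"{path}:{func.name}"] = func.name
        for node in ast.walk(tree):
            if isinstance(node, ast.Name) and isinstance(node.ctx, ast.Load):
                referenced.add(node.id)
            elif isinstance(node, ast.Attribute):
                referenced.add(node.attr)
    return sorted(key for key, name in defined.items() if name not in referenced)


if __name__ == "__main__":
    for h, names in find_duplicate_bodies(SAMPLE_SOURCES).items():
        print(f"duplicate body {h}: {', '.join(names)}")
    for name in find_possibly_dead(SAMPLE_SOURCES):
        print(f"possibly dead: {name}")
```

Running it reports `send_message_a` and `send_message_b` as one duplicate group and lists `send_message_a`, `send_message_b` and `pprint_prompt` as possibly dead, while `home` is left alone because it is decorated. Hashing the unparsed body rather than raw source lines is what makes two copies with different quoting or comments collide; the cost is that `ast.unparse` reflows multi-line statements, so "5 lines" means five normalised lines, not five lines of the file.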
low System graph frontend Frontend quality conf 1.00 5 occurrences Stray `console.log` in TS/JS
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend/src/App.tsx:410
frontend/src/components/evals/BestOfNEvalsPage.tsx:292
frontend/src/components/evals/EvalsPage.tsx:93
frontend/src/components/evals/RunEvalsPage.tsx:228
frontend/src/generateCode.ts:59
Tags: fq.console-leak
low System graph api Wiring conf 1.00 12 occurrences Unused endpoints
Each route below is declared in the named backend module, but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it. Note that "unused by the frontend" is not "unreachable": on a deployed instance every declared route is still network-exposed, and the POST routes accept request bodies, so each one should be either removed or confirmed to be intentionally exposed, not left in place merely because nothing in the UI happens to call it.
backend/routes/home.py: GET /
backend/routes/evals.py: GET /best-of-n-evals, GET /eval_input_files, GET /evals, GET /models, GET /output_folders, GET /pairwise-evals, POST /openai-input-compare, POST /run_evals, POST /run_evals_stream
backend/routes/export.py: POST /api/export
backend/routes/screenshot.py: POST /api/screenshot
Tags: Unused endpoint
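The wiring check behind these findings is a two-sided scan: collect the routes the backend declares, then look for each path literal in the frontend. The script below is an added example of that check, not Repobility's engine and not code from screenshot-to-code. `BACKEND_SOURCES` and `FRONTEND_SOURCES` are constructed for the demo; the decorator shape it recognises (`@router.get("...")`, `@app.post("...")`) is the FastAPI style, and the route prefix an `APIRouter(prefix=...)` would add is deliberately not applied, so a real run would have to account for it.

```python
"""Endpoint wiring check of the kind behind the 'Unused endpoint' findings:
routes declared with FastAPI-style decorators in the backend versus path
literals present in the frontend. Added example, not Repobility's engine and
not code from screenshot-to-code; the sources below are constructed."""
import ast
import re

BACKEND_SOURCES = {
    "backend/routes/home.py": '''
from fastapi import APIRouter
router = APIRouter()

@router.get("/")
async def home():
    return {"status": "ok"}
''',
    "backend/routes/screenshot.py": '''
from fastapi import APIRouter
router = APIRouter()

@router.post("/api/screenshot")
async def screenshot(body: dict):
    return body

@router.post("/api/generate")
async def generate(body: dict):
    return body
''',
}

FRONTEND_SOURCES = {
    "frontend/src/generateCode.ts": '''
export async function generate(payload: unknown) {
  const res = await fetch(`${BACKEND}/api/generate`, {
    method: "POST",
    body: JSON.stringify(payload),
  });
  return res.json();
}
''',
}

HTTP_METHODS = {"get", "post", "put", "patch", "delete"}


def declared_routes(sources):
    """[(METHOD, path, module), ...] for every @<obj>.<method>("<path>")
    decorator on a function. Only a literal first argument is understood and
    no APIRouter(prefix=...) is applied."""
    routes = []
    for module, src in sources.items():
        for node in ast.walk(ast.parse(src)):
            if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
                continue
            for deco in node.decorator_list:
                if (isinstance(deco, ast.Call)
                        and isinstance(deco.func, ast.Attribute)
                        and deco.func.attr in HTTP_METHODS
                        and deco.args
                        and isinstance(deco.args[0], ast.Constant)
                        and isinstance(deco.args[0].value, str)):
                    routes.append((deco.func.attr.upper(), deco.args[0].value, module))
    return routes


def _path_pattern(path):
    """The path must be a whole string literal or the tail of a template
    literal: preceded by a quote or `}` and followed by a quote, `?` or `#`.
    This keeps "/" from matching every slash in the frontend and
    "/api/screenshot" from matching "/api/screenshots"."""
    return re.compile(r'(?<=["\'`}])' + re.escape(path) + r'(?=["\'`?#])')


def unused_routes(backend, frontend):
    """Declared routes whose path literal appears nowhere in the frontend.
    Paths assembled at runtime (concatenation, route tables) are missed, which
    is exactly the kind of miss the page's TP/FP voting is meant to catch."""
    blob = "\n".join(frontend.values())
    return [(m, p, mod) for m, p, mod in declared_routes(backend)
            if not _path_pattern(p).search(blob)]


if __name__ == "__main__":
    for method, path, module in unused_routes(BACKEND_SOURCES, FRONTEND_SOURCES):
        print(f"unused endpoint: {method} {path} (declared in {module})")
```

On the constructed input it reports `GET /` and `POST /api/screenshot` as unused and accepts `POST /api/generate` because the frontend reaches it through a template literal. Whatever this check prints is a list of routes to audit, not a list of routes that are unreachable: the right follow-up for each entry is to decide whether it should exist on the deployed service at all, and if so who is allowed to call it.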
For AI agents + API integrations
API access

This page is publicly accessible at: https://repobility.com/scan/0f33f770-51d1-4d73-963a-4fec09e7a7fc/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/0f33f770-51d1-4d73-963a-4fec09e7a7fc/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.