115 of your 363 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 5.77s · analysis 17.06s · 7.4 MB · GitHub preflight 406ms

rasbt/LLMs-from-scratch

https://github.com/rasbt/LLMs-from-scratch · scanned 2026-06-05 06:49 UTC (5 days, 23 hours ago) · 10 languages

600 raw signals (262 security + 338 graph) 43rd percentile · Python · medium (20-100K LoC) System graph score 77 (lower by 17)

Complete repo analysis

Last scanned 5 days, 23 hours ago · v2 · 242 actionable findings from 2 signal sources. 189 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown — 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 85.0 0.15 12.75
security_score 16.0 0.25 4.00
testing_score 97.0 0.20 19.40
documentation_score 65.0 0.15 9.75
practices_score 77.0 0.15 11.55
code_quality 28.0 0.10 2.80
Overall 1.00 60.2
Active filters: excluding tests
Scan summary Quality grade C+ (60/100). Dimensions: security 16, maintainability 85. 262 findings (95 security). 32,984 lines analyzed.

Showing 183 of 242 actionable findings. 431 raw detector signals were grouped into reader-sized issues.

critical Security checks security secrets conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
ch05/01_main-chapter-code/ch05.ipynb:305
critical Security checks software dependencies conf 0.88 torch: GHSA-53q9-r3pm-6pq6
PyTorch: `torch.load` with `weights_only=True` leads to remote code execution
requirements.txt
critical Security checks software dependencies conf 0.88 transformers: GHSA-3863-2447-669p
transformers has a Deserialization of Untrusted Data vulnerability
ch02/02_bonus_bytepair-encoder/requirements-extra.txt
low Security checks quality Quality conf 1.00 ✓ Repobility [MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
Review and fix per the pattern semantics. See CWE-705 for context.
ch05/05_bonus_hparam_tuning/hparam_search.py:206
low Security checks quality Quality conf 1.00 ✓ Repobility [MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
Review and fix per the pattern semantics. See CWE-705 for context.
ch05/03_bonus_pretraining_on_gutenberg/pretraining_simple.py:141
high Security checks security path traversal conf 0.80 3 occurrences [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.
3 files, 3 locations
appendix-E/01_main-chapter-code/gpt_download.py:41
ch05/01_main-chapter-code/gpt_download.py:42
ch05/01_main-chapter-code/gpt_generate.py:56
high Security checks software Resource exhaustion conf 1.00 [SEC035] Unbounded Resource Allocation — DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation. CWE-770/400. Examples: CVE-2023-44487 (HTTP/2 Rapid Reset), countless YAML/XML billion-laughs variants.
Cap user-controlled sizes BEFORE allocation: `size = min(int(request.args.get('n', 100)), MAX_SIZE)`
Set framework-level limits:
Flask: `app.config['MAX_CONTENT_LENGTH'] = 10 * 1024 * 1024`
FastAPI: use middleware to enforce request size
Django: `DATA_UPLOAD_MAX_MEMORY_SIZE` in settings.py …
ch06/03_bonus_imdb-classification/download_prepare_dataset.py:46
high Security checks quality Quality conf 1.00 [SEC080] Python: tarfile.extractall without filter: tarfile.extract*() without filter='data' allows path-traversal (CVE-2007-4559, fixed via PEP 706 in 3.12). Ported from bandit B202 (Apache-2.0).
Add `filter='data'` (Python ≥ 3.12) or manually validate member paths against `os.path.abspath`.
ch06/03_bonus_imdb-classification/download_prepare_dataset.py:46
high Security checks quality Quality conf 1.00 ✓ Repobility 25 occurrences `self.cache_k` used but never assigned in __init__
Method `forward` of class `MultiHeadAttention` reads `self.cache_k`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
6 files, 25 locations
ch04/10_kv-sharing/gpt_with_kv_sharing.py:61, 62, 64, 65, 66, 69, 70, 121 (12 hits)
ch04/10_kv-sharing/gpt_with_kv_mha.py:58, 59, 61, 62, 63, 111 (9 hits)
ch04/03_kv-cache/gpt_with_kv_cache.py:57
ch06/01_main-chapter-code/previous_chapters.py:99
ch06/02_bonus_additional-experiments/previous_chapters.py:103
ch06/03_bonus_imdb-classification/previous_chapters.py:100
high Security checks software dependencies conf 0.88 chainlit: GHSA-2g59-m95p-pgfq
Chainlit contains a server-side request forgery (SSRF) vulnerability
ch05/06_user_interface/requirements-extra.txt
high Security checks software dependencies conf 0.90 ✓ Repobility Dockerfile `ADD https://astral.sh/uv/install.sh`
Dockerfile `ADD <url>` downloads a remote artifact into the image with no integrity check. If the host or DNS is compromised between layers — or if the URL serves a different file later — malicious content gets baked into the image.
setup/03_optional-docker-environment/.devcontainer/Dockerfile:11
high Security checks software dependencies conf 0.90 ✓ Repobility Dockerfile FROM `pytorch/pytorch:2.5.0-cuda12.4-cudnn9-runtime` not pinned by digest
`FROM pytorch/pytorch:2.5.0-cuda12.4-cudnn9-runtime` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
setup/03_optional-docker-environment/.devcontainer/Dockerfile:2
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 34 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `actions/checkout` is pinned to `@v6`, a mutable tag or branch rather than a commit SHA. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
12 files, 34 locations
.github/workflows/basic-tests-windows-uv-pip.yml:27, 30 (4 hits)
.github/workflows/basic-tests-latest-python.yml:25, 28 (3 hits)
.github/workflows/basic-tests-linux-uv.yml:31, 34 (3 hits)
.github/workflows/basic-tests-macos-uv.yml:31, 34 (3 hits)
.github/workflows/basic-tests-old-pytorch.yml:29, 32 (3 hits)
.github/workflows/basic-tests-pip.yml:31, 34 (3 hits)
.github/workflows/basic-tests-pytorch-rc.yml:25, 28 (3 hits)
.github/workflows/check-links.yml:16, 19 (3 hits)
CI/CD security · Supply chain · GitHub Actions
high Security checks software dependencies conf 0.88 jupyterlab: GHSA-44cc-43rp-5947
JupyterLab vulnerable to potential authentication and CSRF tokens leak
requirements.txt
high Security checks software dependencies conf 0.88 jupyterlab: GHSA-9q39-rmj3-p4r2
HTML injection in Jupyter Notebook and JupyterLab leading to DOM Clobbering
requirements.txt
high Security checks software dependencies conf 0.88 jupyterlab: GHSA-mqcg-5x36-vfcg
JupyterLab's command linker attributes in HTML enable one-click command execution from untrusted content
requirements.txt
high Security checks software dependencies conf 0.88 jupyterlab: GHSA-rch3-82jr-f9w9
Jupyter Notebook Vulnerable to Authentication Token Theft via CommandLinker XSS
requirements.txt
high Security checks software dependencies conf 0.88 jupyterlab: PYSEC-2026-164
JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed from PyPI Extension Manager (allowed_extensions_uris) is not correctly enforced by JupyterLab. The …
requirements.txt
high Security checks software dependencies conf 0.88 scikit-learn: PYSEC-2024-110
A sensitive data leakage vulnerability was identified in scikit-learn's TfidfVectorizer, specifically in versions up to and including 1.4.1.post1, which was fixed in version 1.5.0. The vulnerability arises from the unexpected storage of all tokens present in the training data within the `stop_words…
ch06/03_bonus_imdb-classification/requirements-extra.txt
high Security checks software dependencies conf 0.88 sentencepiece: GHSA-38vq-g6vr-w8wf
Sentencepiece has a heap overflow issue
ch05/07_gpt_to_llama/requirements-extra.txt
high Security checks software dependencies conf 0.88 torch: PYSEC-2024-259
In PyTorch <=2.4.1, the RemoteModule has Deserialization RCE. NOTE: this is disputed by multiple parties because this is intended behavior in PyTorch distributed computing.
requirements.txt
high Security checks software dependencies conf 0.88 torch: PYSEC-2025-191
A vulnerability, which was classified as problematic, has been found in PyTorch 2.6.0+cu124. Affected by this issue is the function torch.mkldnn_max_pool2d. The manipulation leads to denial of service. An attack has to be approached locally. The exploit has been disclosed to the public and may be u…
requirements.txt
high Security checks software dependencies conf 0.88 torch: PYSEC-2025-198
In PyTorch through 2.6.0, when eager is used, nn.PairwiseDistance(p=2) produces incorrect results.
requirements.txt
high Security checks software dependencies conf 0.88 torch: PYSEC-2025-203
An issue in the component torch.linalg.lu of pytorch v2.8.0 allows attackers to cause a Denial of Service (DoS) when performing a slice operation.
requirements.txt
high Security checks software dependencies conf 0.88 torch: PYSEC-2025-204
pytorch v2.8.0 was discovered to display unexpected behavior when the components torch.rot90 and torch.randn_like are used together.
requirements.txt
high Security checks software dependencies conf 0.88 torch: PYSEC-2025-205
A syntax error in the component proxy_tensor.py of pytorch v2.7.0 allows attackers to cause a Denial of Service (DoS).
requirements.txt
high Security checks software dependencies conf 0.88 torch: PYSEC-2025-206
pytorch v2.8.0 was discovered to contain an integer overflow in the component torch.nan_to_num-.long().
requirements.txt
high Security checks software dependencies conf 0.88 torch: PYSEC-2025-207
A Name Error occurs in pytorch v2.7.0 when a PyTorch model consists of torch.cummin and is compiled by Inductor, leading to a Denial of Service (DoS).
requirements.txt
high Security checks software dependencies conf 0.88 torch: PYSEC-2025-208
A buffer overflow occurs in pytorch v2.7.0 when a PyTorch model consists of torch.nn.Conv2d, torch.nn.functional.hardshrink, and torch.Tensor.view-torch.mv() and is compiled by Inductor, leading to a Denial of Service (DoS).
requirements.txt
high Security checks software dependencies conf 0.88 torch: PYSEC-2025-209
An issue in pytorch v2.7.0 can lead to a Denial of Service (DoS) when a PyTorch model consists of torch.Tensor.to_sparse() and torch.Tensor.to_dense() and is compiled by Inductor.
requirements.txt
high Security checks software dependencies conf 0.88 torch: PYSEC-2026-139
A vulnerability was identified in PyTorch 2.10.0. The affected element is an unknown function of the component pt2 Loading Handler. The manipulation leads to deserialization. The attack can only be performed from a local environment. The exploit is publicly available and might be used. The project …
requirements.txt
high Security checks software dependencies conf 0.88 transformers: PYSEC-2023-301
Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.
ch02/02_bonus_bytepair-encoder/requirements-extra.txt
high Security checks software dependencies conf 0.88 transformers: PYSEC-2024-227
Hugging Face Transformers MobileViTV2 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in tha…
ch02/02_bonus_bytepair-encoder/requirements-extra.txt
high Security checks software dependencies conf 0.88 transformers: PYSEC-2024-228
Hugging Face Transformers MaskFormer Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability i…
ch02/02_bonus_bytepair-encoder/requirements-extra.txt
high Security checks software dependencies conf 0.88 transformers: PYSEC-2024-229
Hugging Face Transformers Trax Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that…
ch02/02_bonus_bytepair-encoder/requirements-extra.txt
high Security checks software dependencies conf 0.88 transformers: PYSEC-2025-211
Hugging Face Transformers Perceiver Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in…
ch02/02_bonus_bytepair-encoder/requirements-extra.txt
high Security checks software dependencies conf 0.88 transformers: PYSEC-2025-212
Hugging Face Transformers Transformer-XL Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerabili…
ch02/02_bonus_bytepair-encoder/requirements-extra.txt
high Security checks software dependencies conf 0.88 transformers: PYSEC-2025-213
Hugging Face Transformers megatron_gpt2 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in t…
ch02/02_bonus_bytepair-encoder/requirements-extra.txt
high Security checks software dependencies conf 0.88 transformers: PYSEC-2025-214
Hugging Face Transformers SEW convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target…
ch02/02_bonus_bytepair-encoder/requirements-extra.txt
high Security checks software dependencies conf 0.88 transformers: PYSEC-2025-215
Hugging Face Transformers SEW-D convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the targ…
ch02/02_bonus_bytepair-encoder/requirements-extra.txt
high Security checks software dependencies conf 0.88 transformers: PYSEC-2025-216
Hugging Face Transformers HuBERT convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the tar…
ch02/02_bonus_bytepair-encoder/requirements-extra.txt
high Security checks software dependencies conf 0.88 transformers: PYSEC-2025-217
Hugging Face Transformers X-CLIP Checkpoint Conversion Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vul…
ch02/02_bonus_bytepair-encoder/requirements-extra.txt
high Security checks software dependencies conf 0.88 transformers: PYSEC-2025-218
Hugging Face Transformers GLM4 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the t…
ch02/02_bonus_bytepair-encoder/requirements-extra.txt
high Security checks software dependencies conf 0.88 transformers: PYSEC-2025-40
A vulnerability in the `preprocess_string()` function of the `transformers.testing_utils` module in huggingface/transformers version v4.48.3 allows for a Regular Expression Denial of Service (ReDoS) attack. The regular expression used to process code blocks in docstrings contains nested quantifiers…
ch02/02_bonus_bytepair-encoder/requirements-extra.txt
high System graph security security conf 1.00 Insecure pattern 'eval_used' in appendix-A/01_main-chapter-code/DDP-script-torchrun.py:160
Found a known-risky pattern (eval_used). Review and replace if possible.
appendix-A/01_main-chapter-code/DDP-script-torchrun.py:160 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in appendix-A/01_main-chapter-code/DDP-script.py:161
Found a known-risky pattern (eval_used). Review and replace if possible.
appendix-A/01_main-chapter-code/DDP-script.py:161 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in appendix-D/01_main-chapter-code/previous_chapters.py:274
Found a known-risky pattern (eval_used). Review and replace if possible.
appendix-D/01_main-chapter-code/previous_chapters.py:274 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in appendix-E/01_main-chapter-code/previous_chapters.py:351
Found a known-risky pattern (eval_used). Review and replace if possible.
appendix-E/01_main-chapter-code/previous_chapters.py:351 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in ch04/01_main-chapter-code/gpt.py:249
Found a known-risky pattern (eval_used). Review and replace if possible.
ch04/01_main-chapter-code/gpt.py:249 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in ch04/03_kv-cache/gpt_ch04.py:174
Found a known-risky pattern (eval_used). Review and replace if possible.
ch04/03_kv-cache/gpt_ch04.py:174 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in ch04/03_kv-cache/gpt_with_kv_cache.py:282
Found a known-risky pattern (eval_used). Review and replace if possible.
ch04/03_kv-cache/gpt_with_kv_cache.py:282 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in ch04/03_kv-cache/gpt_with_kv_cache_optimized.py:307
Found a known-risky pattern (eval_used). Review and replace if possible.
ch04/03_kv-cache/gpt_with_kv_cache_optimized.py:307 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in ch04/04_gqa/gpt_with_kv_gqa.py:267
Found a known-risky pattern (eval_used). Review and replace if possible.
ch04/04_gqa/gpt_with_kv_gqa.py:267 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in ch04/04_gqa/gpt_with_kv_mha.py:255
Found a known-risky pattern (eval_used). Review and replace if possible.
ch04/04_gqa/gpt_with_kv_mha.py:255 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in ch04/05_mla/gpt_with_kv_mha.py:255
Found a known-risky pattern (eval_used). Review and replace if possible.
ch04/05_mla/gpt_with_kv_mha.py:255 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in ch04/05_mla/gpt_with_kv_mla.py:263
Found a known-risky pattern (eval_used). Review and replace if possible.
ch04/05_mla/gpt_with_kv_mla.py:263 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in ch04/06_swa/gpt_with_kv_mha.py:255
Found a known-risky pattern (eval_used). Review and replace if possible.
ch04/06_swa/gpt_with_kv_mha.py:255 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in ch04/06_swa/gpt_with_kv_swa.py:296
Found a known-risky pattern (eval_used). Review and replace if possible.
ch04/06_swa/gpt_with_kv_swa.py:296 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in ch04/07_moe/gpt_with_kv_ffn.py:281
Found a known-risky pattern (eval_used). Review and replace if possible.
ch04/07_moe/gpt_with_kv_ffn.py:281 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in ch04/07_moe/gpt_with_kv_moe.py:341
Found a known-risky pattern (eval_used). Review and replace if possible.
ch04/07_moe/gpt_with_kv_moe.py:341 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in ch04/09_dsa/gpt_with_kv_dsa.py:391
Found a known-risky pattern (eval_used). Review and replace if possible.
ch04/09_dsa/gpt_with_kv_dsa.py:391 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in ch04/10_kv-sharing/gpt_with_kv_mha.py:255
Found a known-risky pattern (eval_used). Review and replace if possible.
ch04/10_kv-sharing/gpt_with_kv_mha.py:255 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in ch04/10_kv-sharing/gpt_with_kv_sharing.py:272
Found a known-risky pattern (eval_used). Review and replace if possible.
ch04/10_kv-sharing/gpt_with_kv_sharing.py:272 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in ch05/01_main-chapter-code/gpt_generate.py:237
Found a known-risky pattern (eval_used). Review and replace if possible.
ch05/01_main-chapter-code/gpt_generate.py:237 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in ch05/01_main-chapter-code/gpt_train.py:53
Found a known-risky pattern (eval_used). Review and replace if possible.
ch05/01_main-chapter-code/gpt_train.py:53 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in ch05/01_main-chapter-code/previous_chapters.py:255
Found a known-risky pattern (eval_used). Review and replace if possible.
ch05/01_main-chapter-code/previous_chapters.py:255 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in ch05/05_bonus_hparam_tuning/hparam_search.py:58
Found a known-risky pattern (eval_used). Review and replace if possible.
ch05/05_bonus_hparam_tuning/hparam_search.py:58 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in ch05/06_user_interface/app_orig.py:56
Found a known-risky pattern (eval_used). Review and replace if possible.
ch05/06_user_interface/app_orig.py:56 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in ch05/10_llm-training-speed/00_orig.py:283
Found a known-risky pattern (eval_used). Review and replace if possible.
ch05/10_llm-training-speed/00_orig.py:283 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in ch05/10_llm-training-speed/01_opt_single_gpu.py:247
Found a known-risky pattern (eval_used). Review and replace if possible.
ch05/10_llm-training-speed/01_opt_single_gpu.py:247 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in ch05/10_llm-training-speed/02_opt_multi_gpu_ddp.py:290
Found a known-risky pattern (eval_used). Review and replace if possible.
ch05/10_llm-training-speed/02_opt_multi_gpu_ddp.py:290 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in ch05/11_qwen3/qwen3-chat-interface/qwen3-chat-interface-multiturn.py:86
Found a known-risky pattern (eval_used). Review and replace if possible.
ch05/11_qwen3/qwen3-chat-interface/qwen3-chat-interface-multiturn.py:86 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in ch05/11_qwen3/qwen3-chat-interface/qwen3-chat-interface.py:85
Found a known-risky pattern (eval_used). Review and replace if possible.
ch05/11_qwen3/qwen3-chat-interface/qwen3-chat-interface.py:85 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in ch05/18_muon/gpt_train.py:53
Found a known-risky pattern (eval_used). Review and replace if possible.
ch05/18_muon/gpt_train.py:53 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in ch05/18_muon/gpt_train_muon.py:54
Found a known-risky pattern (eval_used). Review and replace if possible.
ch05/18_muon/gpt_train_muon.py:54 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in ch05/18_muon/previous_chapters.py:255
Found a known-risky pattern (eval_used). Review and replace if possible.
ch05/18_muon/previous_chapters.py:255 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in ch06/01_main-chapter-code/gpt_class_finetune.py:127
Found a known-risky pattern (eval_used). Review and replace if possible.
ch06/01_main-chapter-code/gpt_class_finetune.py:127 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in ch06/02_bonus_additional-experiments/additional_experiments.py:193
Found a known-risky pattern (eval_used). Review and replace if possible.
ch06/02_bonus_additional-experiments/additional_experiments.py:193 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in ch06/03_bonus_imdb-classification/train_bert_hf.py:102
Found a known-risky pattern (eval_used). Review and replace if possible.
ch06/03_bonus_imdb-classification/train_bert_hf.py:102 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in ch06/03_bonus_imdb-classification/train_bert_hf_spam.py:199
Found a known-risky pattern (eval_used). Review and replace if possible.
ch06/03_bonus_imdb-classification/train_bert_hf_spam.py:199 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in ch06/03_bonus_imdb-classification/train_gpt.py:83
Found a known-risky pattern (eval_used). Review and replace if possible.
ch06/03_bonus_imdb-classification/train_gpt.py:83 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in ch06/03_bonus_imdb-classification/train_gpt_muon.py:83
Found a known-risky pattern (eval_used). Review and replace if possible.
ch06/03_bonus_imdb-classification/train_gpt_muon.py:83 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in ch06/04_user_interface/app.py:59
Found a known-risky pattern (eval_used). Review and replace if possible.
ch06/04_user_interface/app.py:59 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in ch07/01_main-chapter-code/exercise_experiments.py:414
Found a known-risky pattern (eval_used). Review and replace if possible.
ch07/01_main-chapter-code/exercise_experiments.py:414 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in ch07/01_main-chapter-code/gpt_instruction_finetuning.py:236
Found a known-risky pattern (eval_used). Review and replace if possible.
ch07/01_main-chapter-code/gpt_instruction_finetuning.py:236 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in ch07/01_main-chapter-code/previous_chapters.py:330
Found a known-risky pattern (eval_used). Review and replace if possible.
ch07/01_main-chapter-code/previous_chapters.py:330 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in ch07/04_preference-tuning-with-dpo/previous_chapters.py:331
Found a known-risky pattern (eval_used). Review and replace if possible.
ch07/04_preference-tuning-with-dpo/previous_chapters.py:331 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in pkg/llms_from_scratch/ch05.py:99
Found a known-risky pattern (eval_used). Review and replace if possible.
pkg/llms_from_scratch/ch05.py:99 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in pkg/llms_from_scratch/ch06.py:120
Found a known-risky pattern (eval_used). Review and replace if possible.
pkg/llms_from_scratch/ch06.py:120 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in pkg/llms_from_scratch/kv_cache/generate.py:12
Found a known-risky pattern (eval_used). Review and replace if possible.
pkg/llms_from_scratch/kv_cache/generate.py:12 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in pkg/llms_from_scratch/kv_cache_batched/generate.py:12
Found a known-risky pattern (eval_used). Review and replace if possible.
pkg/llms_from_scratch/kv_cache_batched/generate.py:12 Eval used
high System graph security security conf 1.00 Insecure pattern 'exec_used' in pkg/llms_from_scratch/utils.py:149
Found a known-risky pattern (exec_used). Review and replace if possible.
pkg/llms_from_scratch/utils.py:149 Exec used
medium Security checks security path traversal conf 1.00 [SEC012] ZipSlip — Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory.
Validate extracted paths with os.path.realpath() and ensure they stay within the target directory.
pkg/llms_from_scratch/ch06.py:33
medium Security checks security path traversal conf 1.00 [SEC012] ZipSlip — Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory.
Validate extracted paths with os.path.realpath() and ensure they stay within the target directory.
ch06/03_bonus_imdb-classification/download_prepare_dataset.py:46
low Security checks quality Error handling conf 0.55 ✓ Repobility 9 occurrences Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
9 files, 9 locations
.github/scripts/check_double_quotes.py:111
appendix-E/01_main-chapter-code/gpt_download.py:91
ch05/01_main-chapter-code/gpt_download.py:91
ch06/01_main-chapter-code/gpt_download.py:91
ch06/02_bonus_additional-experiments/gpt_download.py:91
ch06/03_bonus_imdb-classification/gpt_download.py:91
ch07/01_main-chapter-code/gpt_download.py:91
pkg/llms_from_scratch/ch05.py:323
Error handling · quality
medium Security checks cicd CI/CD security conf 0.90 Docker build context has no .dockerignore
Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts.
.dockerignore
CI/CD security · containers
high Security checks cicd CI/CD security conf 0.82 Docker final stage has no non-root USER
Docker images run as root unless the image or Dockerfile switches to a non-root user.
setup/03_optional-docker-environment/.devcontainer/Dockerfile:2
CI/CD security · containers
medium Security checks cicd CI/CD security conf 0.84 Dockerfile ADD downloads remote content
ADD can fetch remote URLs without checksum verification. This makes builds dependent on mutable network content.
setup/03_optional-docker-environment/.devcontainer/Dockerfile:11
CI/CD security · containers
high Security checks software dependencies conf 0.90 GitHub Action `actions/github-script@v8` is 1 major version(s) behind (latest v9.0.0)
`uses: actions/github-script@v8` is 1 major version(s) behind the latest published release v9.0.0. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
.github/workflows/required-checks.yml:18
medium Security checks software dependencies conf 0.88 jupyterlab: GHSA-4m77-cmpx-vjc4
JupyterLab vulnerable to SXSS in Markdown Preview
requirements.txt
medium Security checks quality Quality conf 1.00 ✓ Repobility Mutable default argument in `load_dataset_to_dataframe` (dict)
`def load_dataset_to_dataframe(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
ch06/03_bonus_imdb-classification/download_prepare_dataset.py:51
medium Security checks quality Quality conf 0.82 Parallel implementation file sits beside a canonical file
AI-assisted edits often create a new sibling file instead of integrating the change into the existing module. That leaves two paths for future maintainers to understand and can hide the code that is actually wired into the app.
ch04/03_kv-cache/gpt_with_kv_cache_optimized.py:1
high Security checks software dependencies conf 0.70 10 occurrences Remote install command pipes network code directly to a shell
Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified.
10 files, 10 locations
.github/workflows/basic-tests-latest-python.yml:34
.github/workflows/basic-tests-linux-uv.yml:41
.github/workflows/basic-tests-macos-uv.yml:41
.github/workflows/basic-tests-old-pytorch.yml:38
.github/workflows/basic-tests-pytorch-rc.yml:34
.github/workflows/check-links.yml:25
.github/workflows/check-spelling-errors.yml:25
.github/workflows/pep8-linter.yml:20
medium Security checks software dependencies conf 0.90 ✓ Repobility 3 occurrences requirements.txt: `requests` has no version pin
Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
2 files, 3 locations
ch02/02_bonus_bytepair-encoder/requirements-extra.txt:1, 2 (2 hits)
ch04/02_performance-analysis/requirements-extra.txt:1
medium Security checks software dependencies conf 0.88 torch: GHSA-887c-mr87-cxwp
PyTorch Improper Resource Shutdown or Release vulnerability
requirements.txt
medium Security checks software dependencies conf 0.88 transformers: GHSA-37mw-44qp-f5jm
Transformers is vulnerable to ReDoS attack through its DonutProcessor class
ch02/02_bonus_bytepair-encoder/requirements-extra.txt
medium Security checks software dependencies conf 0.88 transformers: GHSA-4w7r-h757-3r74
Hugging Face Transformers vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer
ch02/02_bonus_bytepair-encoder/requirements-extra.txt
medium Security checks software dependencies conf 0.88 transformers: GHSA-59p9-h35m-wg4g
Hugging Face Transformers is vulnerable to ReDoS through its MarianTokenizer
ch02/02_bonus_bytepair-encoder/requirements-extra.txt
medium Security checks software dependencies conf 0.88 transformers: GHSA-69w3-r845-3855
HuggingFace Transformers allows for arbitrary code execution in the `Trainer` class
ch02/02_bonus_bytepair-encoder/requirements-extra.txt
medium Security checks software dependencies conf 0.88 transformers: GHSA-6rvg-6v2m-4j46
Transformers Regular Expression Denial of Service (ReDoS) vulnerability
ch02/02_bonus_bytepair-encoder/requirements-extra.txt
medium Security checks software dependencies conf 0.88 transformers: GHSA-9356-575x-2w9m
Hugging Face Transformers Regular Expression Denial of Service (ReDoS) vulnerability
ch02/02_bonus_bytepair-encoder/requirements-extra.txt
medium Security checks software dependencies conf 0.88 transformers: GHSA-fpwr-67px-3qhx
Transformers Regular Expression Denial of Service (ReDoS) vulnerability
ch02/02_bonus_bytepair-encoder/requirements-extra.txt
medium Security checks software dependencies conf 0.88 transformers: GHSA-jjph-296x-mrcr
Transformers vulnerable to ReDoS attack through its get_imports() function
ch02/02_bonus_bytepair-encoder/requirements-extra.txt
medium Security checks software dependencies conf 0.88 transformers: GHSA-q2wp-rjmx-x6x9
Transformers's ReDoS vulnerability in get_configuration_file can lead to catastrophic backtracking
ch02/02_bonus_bytepair-encoder/requirements-extra.txt
medium Security checks software dependencies conf 0.88 transformers: GHSA-rcv9-qm8p-9p6j
Hugging Face Transformers library has Regular Expression Denial of Service
ch02/02_bonus_bytepair-encoder/requirements-extra.txt
medium System graph hardware Supply chain conf 1.00 Dockerfile ADD downloads remote content without checksum
Remote build inputs can change or be replaced upstream. Use Dockerfile ADD --checksum or download with an explicit digest/signature verification step.
setup/03_optional-docker-environment/.devcontainer/Dockerfile:11
containers · Checksum
medium System graph hardware Security conf 1.00 Dockerfile runs as root: setup/03_optional-docker-environment/.devcontainer/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — appendix-E/01_main-chapter-code/gpt_download.py:99
`requests.get(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — ch02/02_bonus_bytepair-encoder/bpe_openai_gpt2.py:156
`requests.get(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — ch05/01_main-chapter-code/gpt_download.py:99
`requests.get(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — ch05/03_bonus_pretraining_on_gutenberg/tests.py:27
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — ch05/10_llm-training-speed/00_orig.py:428
`urllib.request.urlopen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — ch06/01_main-chapter-code/gpt_download.py:99
`requests.get(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — ch06/01_main-chapter-code/tests.py:15
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — ch06/02_bonus_additional-experiments/gpt_download.py:99
`requests.get(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — ch06/03_bonus_imdb-classification/gpt_download.py:99
`requests.get(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — ch07/01_main-chapter-code/tests.py:15
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — pkg/llms_from_scratch/ch07.py:42
`urllib.request.urlopen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph security Coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
auth
low Security checks software Race condition conf 1.00 3 occurrences [SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). `mktemp` is deprecated for the same reason.
Use `os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY)` for atomic create-only. Use `tempfile.NamedTemporaryFile()` (not `mktemp`). For locking, use `fcntl.flock`.
3 files, 3 locations
ch05/01_main-chapter-code/gpt_train.py:143
ch05/18_muon/gpt_train.py:143
ch05/18_muon/gpt_train_muon.py:187
low Security checks software dependencies conf 0.88 chainlit: GHSA-v492-6xx2-p57g
Chainlit contains an authorization bypass vulnerability
ch05/06_user_interface/requirements-extra.txt
low Security checks cicd CI/CD security conf 0.72 Dockerfile installs recommended OS packages
Installing recommended packages often pulls in unnecessary runtime surface area.
setup/03_optional-docker-environment/.devcontainer/Dockerfile:5
CI/CD security · containers
high Security checks cicd CI/CD security conf 0.72 Dockerfile keeps pip download cache
Pip's package cache increases image size and can preserve unnecessary artifacts.
setup/03_optional-docker-environment/.devcontainer/Dockerfile:17
CI/CD security · containers
low Security checks quality Quality conf 0.64 Duplicate top-level symbol appears in a patch-style file
A generated replacement file defining the same public function or class name as another module can mean the new logic is not actually wired into the running code.
ch04/03_kv-cache/gpt_with_kv_cache_optimized.py:1
low Security checks quality Quality conf 0.60 30 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
11 files, 30 locations
ch04/03_kv-cache/gpt_with_kv_cache.py:1, 5, 65, 92 (4 hits)
ch04/05_mla/gpt_with_kv_mha.py:1, 18, 41, 68 (4 hits)
ch04/05_mla/gpt_with_kv_mla.py:50, 54, 66, 71 (4 hits)
ch04/01_main-chapter-code/gpt.py:1, 5, 59 (3 hits)
ch04/01_main-chapter-code/previous_chapters.py:1, 5, 18 (3 hits)
ch04/03_kv-cache/gpt_ch04.py:5, 27, 42 (3 hits)
ch04/04_gqa/gpt_with_kv_mha.py:18, 41, 68 (3 hits)
appendix-E/01_main-chapter-code/previous_chapters.py:12, 66 (2 hits)
duplication · quality
high Security checks software dependencies conf 0.90 10 occurrences GitHub Action `actions/setup-python@v6` is minor version(s) behind (latest v6.2.0)
`uses: actions/setup-python@v6` is minor version(s) behind the latest published release v6.2.0. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
10 files, 10 locations
.github/workflows/basic-tests-latest-python.yml:28
.github/workflows/basic-tests-linux-uv.yml:34
.github/workflows/basic-tests-macos-uv.yml:34
.github/workflows/basic-tests-old-pytorch.yml:32
.github/workflows/basic-tests-pip.yml:34
.github/workflows/basic-tests-pytorch-rc.yml:28
.github/workflows/basic-tests-windows-uv-pip.yml:30
.github/workflows/check-links.yml:19
low Security checks software dependencies conf 0.88 jupyterlab: GHSA-vvfj-2jqx-52jm
JupyterLab LaTeX typesetter links did not enforce `noopener` attribute
requirements.txt
low Security checks software dependencies conf 0.88 2 occurrences tqdm: GHSA-g7vv-2v7x-gj9p
tqdm CLI arguments injection attack
2 files, 2 locations
ch07/02_dataset-utilities/requirements-extra.txt
requirements.txt
low Security checks software dependencies conf 0.88 transformers: GHSA-37q5-v5qm-c9v8
Transformers Deserialization of Untrusted Data vulnerability
ch02/02_bonus_bytepair-encoder/requirements-extra.txt
low Security checks software dependencies conf 0.88 transformers: GHSA-phhr-52qp-3mj4
Transformers's Improper Input Validation vulnerability can be exploited through username injection
ch02/02_bonus_bytepair-encoder/requirements-extra.txt
low System graph hardware Coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
Deployment
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: pytorch/pytorch:2.5.0-cuda12.4-cudnn9-runtime
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
setup/03_optional-docker-environment/.devcontainer/Dockerfile:2
containers · Pinned dependencies
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 12 places
Functions with the same first-5-line body hash: ch06/03_bonus_imdb-classification/previous_chapters.py:create_dataloader_v1, ch06/01_main-chapter-code/previous_chapters.py:create_dataloader_v1, ch06/02_bonus_additional-experiments/previous_chapters.py:create_dataloader_v1, ch04/01_main-chapter-code…
duplicates · duplication
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 16 places
Functions with the same first-5-line body hash: ch06/03_bonus_imdb-classification/train_bert_hf.py:evaluate_model, ch06/03_bonus_imdb-classification/train_bert_hf_spam.py:evaluate_model, ch06/01_main-chapter-code/gpt_class_finetune.py:evaluate_model, ch07/01_main-chapter-code/previous_chapters.py:e…
duplicates · duplication
low System graph quality Integrity conf 1.00 11 occurrences Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: ch06/03_bonus_imdb-classification/train_gpt.py:calc_loss_batch, ch06/03_bonus_imdb-classification/train_gpt_muon.py:calc_loss_batch This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Con…
11 occurrences
repo-level (11 hits)
duplicates · duplication
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: ch06/03_bonus_imdb-classification/train_gpt.py:instantiate_model, ch06/03_bonus_imdb-classification/train_gpt_muon.py:instantiate_model, ch06/02_bonus_additional-experiments/additional_experiments.py:instantiate_model This is *the* AI-coder failure m…
duplicates · duplication
low System graph quality Integrity conf 1.00 2 occurrences Near-duplicate function bodies in 5 places
Functions with the same first-5-line body hash: ch06/03_bonus_imdb-classification/train_bert_hf.py:calc_accuracy_loader, ch06/03_bonus_imdb-classification/train_bert_hf_spam.py:calc_accuracy_loader, ch06/01_main-chapter-code/gpt_class_finetune.py:calc_accuracy_loader, pkg/llms_from_scratch/ch06.py:…
2 occurrences
repo-level (2 hits)
duplicates · duplication
low System graph quality Integrity conf 1.00 3 occurrences Near-duplicate function bodies in 7 places
Functions with the same first-5-line body hash: ch06/03_bonus_imdb-classification/gpt_download.py:download_and_load_gpt2, ch06/01_main-chapter-code/gpt_download.py:download_and_load_gpt2, ch06/02_bonus_additional-experiments/gpt_download.py:download_and_load_gpt2, ch07/01_main-chapter-code/gpt_down…
3 occurrences
repo-level (3 hits)
duplicates · duplication
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 73 places
Functions with the same first-5-line body hash: ch06/03_bonus_imdb-classification/previous_chapters.py:forward, ch06/03_bonus_imdb-classification/previous_chapters.py:forward, ch06/03_bonus_imdb-classification/previous_chapters.py:forward, ch06/03_bonus_imdb-classification/previous_chapters.py:forw…
duplicates · duplication
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `aclImdb_v1` in ch06/03_bonus_imdb-classification/download_prepare_dataset.py:86
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `create_dataloader_v1` in appendix-D/01_main-chapter-code/previous_chapters.py:43
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `create_dataloader_v1` in appendix-E/01_main-chapter-code/previous_chapters.py:51
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `create_dataloader_v1` in ch04/01_main-chapter-code/gpt.py:37
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `create_dataloader_v1` in ch04/01_main-chapter-code/previous_chapters.py:34
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `create_dataloader_v1` in ch05/01_main-chapter-code/gpt_train.py:14
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `create_dataloader_v1` in ch05/01_main-chapter-code/previous_chapters.py:42
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `create_dataloader_v1` in ch05/03_bonus_pretraining_on_gutenberg/pretraining_simple.py:23
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `create_dataloader_v1` in ch05/05_bonus_hparam_tuning/hparam_search.py:14
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `create_dataloader_v1` in ch05/10_llm-training-speed/00_orig.py:44
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `create_dataloader_v1` in ch05/10_llm-training-speed/01_opt_single_gpu.py:44
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `create_dataloader_v1` in ch05/10_llm-training-speed/02_opt_multi_gpu_ddp.py:82
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `create_dataloader_v1` in ch05/18_muon/gpt_train.py:14
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `create_dataloader_v1` in ch05/18_muon/gpt_train_muon.py:15
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `create_dataloader_v1` in ch05/18_muon/previous_chapters.py:42
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `create_dataloader_v1` in ch06/01_main-chapter-code/previous_chapters.py:43
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `create_dataloader_v1` in ch06/02_bonus_additional-experiments/previous_chapters.py:43
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `create_dataloader_v1` in ch06/03_bonus_imdb-classification/previous_chapters.py:44
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `create_dataloader_v1` in ch07/01_main-chapter-code/previous_chapters.py:48
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `create_dataloader_v1` in ch07/04_preference-tuning-with-dpo/previous_chapters.py:48
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `create_dataloader_v1` in pkg/llms_from_scratch/ch02.py:34
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `create_dataloader_v1` in pkg/llms_from_scratch/tests/test_appendix_d.py:6
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `create_dataloader_v1` in pkg/llms_from_scratch/tests/test_ch02.py:6
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `create_dataloader_v1` in pkg/llms_from_scratch/tests/test_ch05.py:6
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `create_dataloader_v1` in pkg/llms_from_scratch/tests/test_generate.py:6
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `SelfAttention_v1` in pkg/llms_from_scratch/ch03.py:10
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph software Dead code conf 1.00 Possibly dead Python function: context_tick_formatter
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
ch04/10_kv-sharing/plot_memory_estimates_kv_sharing.py:44
low System graph software Dead code conf 1.00 Possibly dead Python function: custom_collate_fn
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
ch07/01_main-chapter-code/gpt_instruction_finetuning.py:56
low System graph software Dead code conf 1.00 Possibly dead Python function: custom_collate_fn
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
ch07/01_main-chapter-code/exercise_experiments.py:147
low System graph software Dead code conf 1.00 Possibly dead Python function: custom_collate_with_masking_fn
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
ch07/01_main-chapter-code/exercise_experiments.py:190
low System graph software Dead code conf 1.00 24 occurrences Possibly dead Python function: forward
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
12 files, 12 locations
ch04/01_main-chapter-code/gpt.py:198
ch04/01_main-chapter-code/previous_chapters.py:65
ch04/03_kv-cache/gpt_ch04.py:161
ch04/03_kv-cache/gpt_with_kv_cache.py:212
ch04/03_kv-cache/gpt_with_kv_cache_optimized.py:232
ch04/04_gqa/gpt_with_kv_gqa.py:226
ch04/04_gqa/gpt_with_kv_mha.py:214
ch04/05_mla/gpt_with_kv_mha.py:214
low System graph software Dead code conf 1.00 Possibly dead Python function: reporthook
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
ch06/03_bonus_imdb-classification/download_prepare_dataset.py:14
low System graph software Dead code conf 1.00 Possibly dead Python function: savings_percent
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
ch04/04_gqa/plot_memory_estimates_gqa.py:19
high Security checks software dependencies conf 0.90 11 occurrences GitHub Action `actions/checkout@v6` is patch version(s) behind (latest v6.0.3)
`uses: actions/checkout@v6` is patch version(s) behind the latest published release v6.0.3. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
11 files, 11 locations
.github/workflows/basic-tests-latest-python.yml:25
.github/workflows/basic-tests-linux-uv.yml:31
.github/workflows/basic-tests-macos-uv.yml:31
.github/workflows/basic-tests-old-pytorch.yml:29
.github/workflows/basic-tests-pip.yml:31
.github/workflows/basic-tests-pixi.yml:34
.github/workflows/basic-tests-pytorch-rc.yml:25
.github/workflows/basic-tests-windows-uv-pip.yml:27
API access

This page is publicly accessible at: https://repobility.com/scan/0fcda472-f82b-4312-90c9-2da9b44309aa/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/0fcda472-f82b-4312-90c9-2da9b44309aa/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.