46 of your 238 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 9.22s · analysis 38.48s · 16.9 MB · GitHub API rate-limit (preflight)

BintzGavin/helios

https://github.com/BintzGavin/helios · scanned 2026-06-05 14:29 UTC (5 days, 4 hours ago) · 10 languages

849 raw signals (191 security + 658 graph) · 52nd percentile · TypeScript · medium (20-100K LoC)

Complete repo analysis

Last scanned 5 days, 4 hours ago · v2 · 463 actionable findings from 2 signal sources. 57 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown — 2026-05-18-v5

| Component | Sub-score | Weight | Contribution |
| --- | --- | --- | --- |
| structure_score | 60.0 | 0.15 | 9.00 |
| security_score | 52.0 | 0.25 | 13.00 |
| testing_score | 100.0 | 0.20 | 20.00 |
| documentation_score | 67.0 | 0.15 | 10.05 |
| practices_score | 67.0 | 0.15 | 10.05 |
| code_quality | 70.0 | 0.10 | 7.00 |
| Overall | | 1.00 | 69.1 |

Active filters: excluding tests
Scan summary: Quality grade B- (69/100). Dimensions: security 52, maintainability 60. 191 findings (111 security). 85,214 lines analyzed.

Showing 406 of 463 actionable findings. 520 raw detector signals were grouped into reader-sized issues.

critical Security checks software dependencies conf 0.88 form-data: GHSA-fjxv-7rqg-78g4
form-data uses unsafe random function in form-data for choosing boundary
package-lock.json
critical Security checks software dependencies conf 0.90 ✓ Repobility GHA script injection via github.event.pull_request.head.ref in run-step
Multi-line `run: |` block interpolates ${{ github.event.pull_request.head.ref }} into shell. PR title/body/branch/comment fields are attacker-controllable.
.github/workflows/auto-merge.yml:67
critical Security checks software dependencies conf 0.88 jsonpath-plus: GHSA-pppg-cpfq-h7wr
JSONPath Plus Remote Code Execution (RCE) Vulnerability
package-lock.json
high Security checks software dependencies conf 0.88 @xmldom/xmldom: GHSA-2v35-w6hq-6mfw
xmldom: Uncontrolled recursion in XML serialization leads to DoS
package-lock.json
high Security checks software dependencies conf 0.88 @xmldom/xmldom: GHSA-f6ww-3ggp-fr8h
xmldom has XML injection through unvalidated DocumentType serialization
package-lock.json
high Security checks software dependencies conf 0.88 @xmldom/xmldom: GHSA-j759-j44w-7fr8
xmldom has XML node injection through unvalidated comment serialization
package-lock.json
high Security checks software dependencies conf 0.88 @xmldom/xmldom: GHSA-wh4c-j3r5-mjhp
xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion
package-lock.json
high Security checks software dependencies conf 0.88 @xmldom/xmldom: GHSA-x6wf-f3px-wcqx
xmldom has XML node injection through unvalidated processing instruction serialization
package-lock.json
high Security checks software dependencies conf 0.88 devalue: GHSA-77vg-94rm-hx3p
Svelte devalue: DoS via sparse array deserialization
package-lock.json
high Security checks software dependencies conf 0.88 fast-uri: GHSA-q3j6-qgpj-74h6
fast-uri vulnerable to path traversal via percent-encoded dot segments
package-lock.json
high Security checks software dependencies conf 0.88 fast-uri: GHSA-v39h-62p7-jpjc
fast-uri vulnerable to host confusion via percent-encoded authority delimiters
package-lock.json
high Security checks software dependencies conf 0.88 fast-xml-builder: GHSA-5wm8-gmm8-39j9
fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes
package-lock.json
high Security checks software dependencies conf 0.88 fast-xml-parser: GHSA-8gc5-j5rx-235r
fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)
package-lock.json
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 2 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `actions/checkout` pinned to mutable ref `@v4` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
lines 21
.github/workflows/auto-merge.yml:21 (2 hits)
CI/CD security · Supply chain · GitHub Actions
high Security checks software dependencies conf 0.88 jsonpath-plus: GHSA-hw8r-x6gr-5gjp
JSONPath Plus allows Remote Code Execution
package-lock.json
high Security checks software dependencies conf 0.88 lodash-es: GHSA-r5fr-rjxr-66jc
lodash vulnerable to Code Injection via `_.template` imports key names
package-lock.json
high Security checks software dependencies conf 0.88 minimatch: GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
examples/vue-dom-animation/package-lock.json
high Security checks software dependencies conf 0.88 minimatch: GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
examples/vue-dom-animation/package-lock.json
high Security checks software dependencies conf 0.88 minimatch: GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
examples/vue-dom-animation/package-lock.json
high Security checks software dependencies conf 0.90 ✓ Repobility 12 occurrences package.json dep `@helios-project/core` pulled from URL/Git
`dependencies.@helios-project/core` = `file:../../packages/core` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload.
11 files, 12 locations
examples/distributed-rendering/package.json:1 (2 hits)
examples/audio-visualization/package.json:1
examples/gsap-animation/package.json:1
examples/lottie-animation/package.json:1
examples/pixi-canvas-animation/package.json:1
examples/react-dom-animation/package.json:1
examples/simple-animation/package.json:1
examples/simple-canvas-animation/package.json:1
high Security checks software dependencies conf 0.88 path-to-regexp: GHSA-j3q9-mxjg-w52f
path-to-regexp vulnerable to Denial of Service via sequential optional groups
package-lock.json
high Security checks software dependencies conf 0.88 2 occurrences picomatch: GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers
2 files, 2 locations
examples/react-dom-animation/package-lock.json
package-lock.json
high Security checks software dependencies conf 0.88 rollup: GHSA-mw96-cpmx-2vgc
Rollup 4 has Arbitrary File Write via Path Traversal
examples/audio-visualization/package-lock.json
high Security checks software dependencies conf 0.88 tar: GHSA-34x7-hfp2-rc4v
node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal
package-lock.json
high Security checks software dependencies conf 0.88 tar: GHSA-83g3-92jg-28cx
Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction
package-lock.json
high Security checks software dependencies conf 0.88 tar: GHSA-8qq5-rm4j-mr97
node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization
package-lock.json
high Security checks software dependencies conf 0.88 tar: GHSA-9ppj-qmqm-q256
node-tar Symlink Path Traversal via Drive-Relative Linkpath
package-lock.json
high Security checks software dependencies conf 0.88 tar: GHSA-qffp-2rhf-9h96
tar has Hardlink Path Traversal via Drive-Relative Linkpath
package-lock.json
high Security checks software dependencies conf 0.88 tar: GHSA-r6q2-hw4h-h46w
Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS
package-lock.json
high Security checks software dependencies conf 0.88 2 occurrences vite: GHSA-p9ff-h696-f583
Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket
2 files, 2 locations
examples/react-dom-animation/package-lock.json
package-lock.json
high Security checks software dependencies conf 0.88 2 occurrences vite: GHSA-v2wj-q39q-566r
Vite: `server.fs.deny` bypassed with queries
2 files, 2 locations
examples/react-dom-animation/package-lock.json
package-lock.json
high System graph api Wiring conf 1.00 Dangling fetch: DELETE /api/assets?id=${encodeURIComponent(id)} (packages/studio/src/context/StudioContext.tsx:280)
`packages/studio/src/context/StudioContext.tsx:280` calls `DELETE /api/assets?id=${encodeURIComponent(id)}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assets` If this points at an external API, prefix it with `h…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: DELETE /api/components?name=${encodeURIComponent(name)} (packages/studio/src/components/ComponentsPanel/ComponentsPanel.tsx:94)
`packages/studio/src/components/ComponentsPanel/ComponentsPanel.tsx:94` calls `DELETE /api/components?name=${encodeURIComponent(name)}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/components` If this points at an…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: DELETE /api/compositions?id=${encodeURIComponent(id)} (packages/studio/src/context/StudioContext.tsx:534)
`packages/studio/src/context/StudioContext.tsx:534` calls `DELETE /api/compositions?id=${encodeURIComponent(id)}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/compositions` If this points at an external API, prefi…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: DELETE /api/jobs/${jobId} (packages/studio/src/context/StudioContext.tsx:765)
`packages/studio/src/context/StudioContext.tsx:765` calls `DELETE /api/jobs/${jobId}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/jobs/<p>` If this points at an external API, prefix it with `https://` so the matc…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: DELETE https://api.hetzner.cloud/v1/servers/${serverId} (packages/infrastructure/src/adapters/hetzner-cloud-adapter.ts:120)
`packages/infrastructure/src/adapters/hetzner-cloud-adapter.ts:120` calls `DELETE https://api.hetzner.cloud/v1/servers/${serverId}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.hetzner.cloud/v1/servers/…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: DELETE https://api.machines.dev/v1/apps/${this.config.appName}/machines/${machineId} (packages/infrastructure/src/adapters/fly-machines-adapter.ts:60)
`packages/infrastructure/src/adapters/fly-machines-adapter.ts:60` calls `DELETE https://api.machines.dev/v1/apps/${this.config.appName}/machines/${machineId}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/ap…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/assets (packages/studio/src/context/StudioContext.tsx:246)
`packages/studio/src/context/StudioContext.tsx:246` calls `GET /api/assets` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assets` If this points at an external API, prefix it with `https://` so the matcher skips it.
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/components (packages/studio/src/components/ComponentsPanel/ComponentsPanel.tsx:21)
`packages/studio/src/components/ComponentsPanel/ComponentsPanel.tsx:21` calls `GET /api/components` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/components` If this points at an external API, prefix it with `https…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/compositions (packages/studio/src/context/StudioContext.tsx:372)
`packages/studio/src/context/StudioContext.tsx:372` calls `GET /api/compositions` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/compositions` If this points at an external API, prefix it with `https://` so the matc…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/compositions (packages/studio/src/context/StudioContext.tsx:410)
`packages/studio/src/context/StudioContext.tsx:410` calls `GET /api/compositions` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/compositions` If this points at an external API, prefix it with `https://` so the matc…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/compositions (packages/studio/src/context/StudioContext.tsx:500)
`packages/studio/src/context/StudioContext.tsx:500` calls `GET /api/compositions` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/compositions` If this points at an external API, prefix it with `https://` so the matc…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/compositions (packages/studio/src/context/StudioContext.tsx:569)
`packages/studio/src/context/StudioContext.tsx:569` calls `GET /api/compositions` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/compositions` If this points at an external API, prefix it with `https://` so the matc…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/diagnose (packages/studio/src/components/DiagnosticsModal.tsx:38)
`packages/studio/src/components/DiagnosticsModal.tsx:38` calls `GET /api/diagnose` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/diagnose` If this points at an external API, prefix it with `https://` so the matcher…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/documentation (packages/studio/src/components/AssistantModal/AssistantModal.tsx:28)
`packages/studio/src/components/AssistantModal/AssistantModal.tsx:28` calls `GET /api/documentation` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/documentation` If this points at an external API, prefix it with `h…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/jobs (packages/studio/src/context/StudioContext.tsx:705)
`packages/studio/src/context/StudioContext.tsx:705` calls `GET /api/jobs` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/jobs` If this points at an external API, prefix it with `https://` so the matcher skips it.
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/templates (packages/studio/src/context/StudioContext.tsx:560)
`packages/studio/src/context/StudioContext.tsx:560` calls `GET /api/templates` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/templates` If this points at an external API, prefix it with `https://` so the matcher sk…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://api.hetzner.cloud/v1/servers/${serverId} (packages/infrastructure/src/adapters/hetzner-cloud-adapter.ts:91)
`packages/infrastructure/src/adapters/hetzner-cloud-adapter.ts:91` calls `GET https://api.hetzner.cloud/v1/servers/${serverId}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.hetzner.cloud/v1/servers/<p>`…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://api.machines.dev/v1/apps/${this.config.appName}/machines/${machineId} (packages/infrastructure/src/adapters/fly-machines-adapter.ts:84)
`packages/infrastructure/src/adapters/fly-machines-adapter.ts:84` calls `GET https://api.machines.dev/v1/apps/${this.config.appName}/machines/${machineId}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.m…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: PATCH /api/assets (packages/studio/src/context/StudioContext.tsx:293)
`packages/studio/src/context/StudioContext.tsx:293` calls `PATCH /api/assets` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assets` If this points at an external API, prefix it with `https://` so the matcher skips …
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: PATCH /api/compositions (packages/studio/src/context/StudioContext.tsx:436)
`packages/studio/src/context/StudioContext.tsx:436` calls `PATCH /api/compositions` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/compositions` If this points at an external API, prefix it with `https://` so the ma…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/assets/mkdir (packages/studio/src/context/StudioContext.tsx:336)
`packages/studio/src/context/StudioContext.tsx:336` calls `POST /api/assets/mkdir` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assets/mkdir` If this points at an external API, prefix it with `https://` so the mat…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/assets/move (packages/studio/src/context/StudioContext.tsx:313)
`packages/studio/src/context/StudioContext.tsx:313` calls `POST /api/assets/move` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assets/move` If this points at an external API, prefix it with `https://` so the match…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/assets/upload (packages/studio/src/context/StudioContext.tsx:265)
`packages/studio/src/context/StudioContext.tsx:265` calls `POST /api/assets/upload` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/assets/upload` If this points at an external API, prefix it with `https://` so the m…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/components (packages/studio/src/components/ComponentsPanel/ComponentsPanel.tsx:44)
`packages/studio/src/components/ComponentsPanel/ComponentsPanel.tsx:44` calls `POST /api/components` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/components` If this points at an external API, prefix it with `http…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/compositions (packages/studio/src/context/StudioContext.tsx:358)
`packages/studio/src/context/StudioContext.tsx:358` calls `POST /api/compositions` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/compositions` If this points at an external API, prefix it with `https://` so the mat…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/compositions/${encodeURIComponent(id)}/thumbnail (packages/studio/src/context/StudioContext.tsx:489)
`packages/studio/src/context/StudioContext.tsx:489` calls `POST /api/compositions/${encodeURIComponent(id)}/thumbnail` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/compositions/<p>/thumbnail` If this points at an …
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/compositions/duplicate (packages/studio/src/context/StudioContext.tsx:396)
`packages/studio/src/context/StudioContext.tsx:396` calls `POST /api/compositions/duplicate` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/compositions/duplicate` If this points at an external API, prefix it with `…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/jobs/${jobId}/cancel (packages/studio/src/context/StudioContext.tsx:754)
`packages/studio/src/context/StudioContext.tsx:754` calls `POST /api/jobs/${jobId}/cancel` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/jobs/<p>/cancel` If this points at an external API, prefix it with `https://`…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/render (packages/studio/src/context/StudioContext.tsx:729)
`packages/studio/src/context/StudioContext.tsx:729` calls `POST /api/render` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/render` If this points at an external API, prefix it with `https://` so the matcher skips i…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/render/job-spec (packages/studio/src/context/StudioContext.tsx:905)
`packages/studio/src/context/StudioContext.tsx:905` calls `POST /api/render/job-spec` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/render/job-spec` If this points at an external API, prefix it with `https://` so t…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST https://api.cloudflare.com/client/v4/accounts/${params.accountId}/sandbox (examples/distributed-rendering/cloudflare-workflow/src/render-workflow.ts:58)
`examples/distributed-rendering/cloudflare-workflow/src/render-workflow.ts:58` calls `POST https://api.cloudflare.com/client/v4/accounts/${params.accountId}/sandbox` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/ht…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST https://api.cloudflare.com/client/v4/accounts/${this.config.accountId}/sandbox (packages/infrastructure/src/adapters/cloudflare-sandbox-adapter.ts:123)
`packages/infrastructure/src/adapters/cloudflare-sandbox-adapter.ts:123` calls `POST https://api.cloudflare.com/client/v4/accounts/${this.config.accountId}/sandbox` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/htt…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST https://api.hetzner.cloud/v1/servers (packages/infrastructure/src/adapters/hetzner-cloud-adapter.ts:63)
`packages/infrastructure/src/adapters/hetzner-cloud-adapter.ts:63` calls `POST https://api.hetzner.cloud/v1/servers` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.hetzner.cloud/v1/servers` If this points…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST https://api.machines.dev/v1/apps/${this.config.appName}/machines (packages/infrastructure/src/adapters/fly-machines-adapter.ts:32)
`packages/infrastructure/src/adapters/fly-machines-adapter.ts:32` calls `POST https://api.machines.dev/v1/apps/${this.config.appName}/machines` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.machines.dev/…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: PUT /api/components (packages/studio/src/components/ComponentsPanel/ComponentsPanel.tsx:68)
`packages/studio/src/components/ComponentsPanel/ComponentsPanel.tsx:68` calls `PUT /api/components` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/components` If this points at an external API, prefix it with `https…
Dangling fetch · Fetch
medium Security checks software dependencies conf 0.88 @excalidraw/excalidraw: GHSA-39h7-pwv7-rc3x
Excalidraw vulnerable to XSS via Mermaid sequence diagram labels (KaTeX rendering)
package-lock.json
medium Security checks software dependencies conf 0.88 @excalidraw/mermaid-to-excalidraw: GHSA-39h7-pwv7-rc3x
Excalidraw vulnerable to XSS via Mermaid sequence diagram labels (KaTeX rendering)
package-lock.json
medium Security checks software dependencies conf 0.88 @hono/node-server: GHSA-92pp-h63x-v22m
@hono/node-server: Middleware bypass via repeated slashes in serveStatic
package-lock.json
medium Security checks quality Error handling conf 1.00 3 occurrences [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
3 files, 3 locations
packages/player/src/features/media-session.ts:105
packages/renderer/src/core/BrowserPool.ts:90
packages/renderer/src/drivers/CdpTimeDriver.ts:187
medium Security checks quality Quality conf 1.00 [SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0).
Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser).
examples/promo-video/src/main.js:22
medium Security checks software dependencies conf 0.88 2 occurrences brace-expansion: GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion
2 files, 2 locations
examples/vue-dom-animation/package-lock.json
package-lock.json
low Security checks quality Error handling conf 0.55 ✓ Repobility 5 occurrences Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
3 files, 5 locations
.agents/skills/skill-creator/scripts/init_skill.py:217, 232, 259 (3 hits)
.agents/skills/skill-creator/scripts/package_skill.py:80
verify_client_export.py:33
Error handling · quality
medium Security checks software dependencies conf 0.88 devalue: GHSA-cfw5-2vxh-hr84
devalue has prototype pollution in devalue.parse and devalue.unflatten
package-lock.json
medium Security checks software dependencies conf 0.88 dompurify: GHSA-39q2-94rc-95cp
DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation
package-lock.json
medium Security checks software dependencies conf 0.88 dompurify: GHSA-cj63-jhhr-wcxv
DOMPurify USE_PROFILES prototype pollution allows event handlers
package-lock.json
medium Security checks software dependencies conf 0.88 dompurify: GHSA-cjmm-f4jc-qw8r
DOMPurify ADD_ATTR predicate skips URI validation
package-lock.json
medium Security checks software dependencies conf 0.88 dompurify: GHSA-crv5-9vww-q3g8
DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode
package-lock.json
medium Security checks software dependencies conf 0.88 dompurify: GHSA-h7mw-gpvr-xq4m
DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)
package-lock.json
medium Security checks software dependencies conf 0.88 dompurify: GHSA-h8r8-wccr-v5f2
DOMPurify is vulnerable to mutation-XSS via Re-Contextualization
package-lock.json
medium Security checks software dependencies conf 0.88 dompurify: GHSA-v2wj-7wpq-c8vv
DOMPurify contains a Cross-site Scripting vulnerability
package-lock.json
medium Security checks software dependencies conf 0.88 dompurify: GHSA-v8jm-5vwx-cfxm
DOMPurify contains a Cross-site Scripting vulnerability
package-lock.json
medium Security checks software dependencies conf 0.88 dompurify: GHSA-v9jr-rg53-9pgp
DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback
package-lock.json
medium Security checks software dependencies conf 0.88 dompurify: GHSA-vhxf-7vqr-mrjg
DOMPurify allows Cross-site Scripting (XSS)
package-lock.json
medium Security checks software dependencies conf 0.88 esbuild: GHSA-67mh-4wv8-2f99
esbuild enables any website to send any requests to the development server and read the response
examples/audio-visualization/package-lock.json
medium Security checks software dependencies conf 0.88 fast-xml-parser: GHSA-gh4j-gqv2-49f6
fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters
package-lock.json
medium Security checks software dependencies conf 0.88 fast-xml-parser: GHSA-jp2q-39xq-3w4g
Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser
package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-26pp-8wgv-hjvm
Hono missing validation of cookie name on write path in setCookie()
package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-2gcr-mfcq-wcc3
Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths
package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-3hrh-pfw6-9m5x
Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection
package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-458j-xx4x-4375
hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR
package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-69xw-7hcm-h432
hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection
package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-9vqf-7f2p-gf9v
Hono: bodyLimit() can be bypassed for chunked / unknown-length requests
package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-f577-qrjj-4474
Hono: JWT middleware accepts any Authorization scheme, not only Bearer
package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-p77w-8qqv-26rm
Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage
package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-qp7p-654g-cw7p
Hono has CSS Declaration Injection via Style Object Values in JSX SSR
package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-r5rp-j6wh-rvv4
Hono: Non-breaking space prefix bypass in cookie name handling in getCookie()
package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-v8w9-8mx6-g223
Hono vulnerable to Prototype Pollution possible through __proto__ key allowed in parseBody({ dot: true })
package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-wmmm-f939-6g9c
Hono: Middleware bypass via repeated slashes in serveStatic
package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-xf4j-xp2r-rqqx
Hono: Path traversal in toSSG() allows writing files outside the output directory
package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-xpcf-pg52-r92g
Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses
package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-xrhx-7g5j-rcj5
Hono: IP Restriction bypasses static deny rules for non-canonical IPv6
package-lock.json
medium Security checks software dependencies conf 0.88 ip-address: GHSA-v2v4-37r5-5v8g
ip-address has XSS in Address6 HTML-emitting methods
package-lock.json
medium Security checks software dependencies conf 0.88 lodash-es: GHSA-f23m-r3pf-42rh
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
package-lock.json
medium Security checks software dependencies conf 0.88 mermaid: GHSA-6m6c-36f7-fhxh
Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS
package-lock.json
medium Security checks software dependencies conf 0.88 mermaid: GHSA-7rqq-prvp-x9jh
Mermaid improperly sanitizes sequence diagram labels leading to XSS
package-lock.json
medium Security checks software dependencies conf 0.88 mermaid: GHSA-87f9-hvmw-gh4p
Mermaid: Improper sanitization of configuration leads to CSS injection
package-lock.json
medium Security checks software dependencies conf 0.88 mermaid: GHSA-ghcm-xqfw-q4vr
Mermaid: Improper sanitization of `classDef` in state diagrams leads to HTML injection
package-lock.json
medium Security checks software dependencies conf 0.88 mermaid: GHSA-xcj9-5m2h-648r
Mermaid: Improper sanitization of `classDefs` in diagrams leads to CSS injection
package-lock.json
medium Security checks software dependencies conf 0.88 nanoid: GHSA-mwcw-c2x4-8c55
Predictable results in nanoid generation when given non-integer values
package-lock.json
medium Security checks software dependencies conf 0.90 npm package `@kubernetes/client-node` is 1 major version(s) behind (0.20.0 -> 1.4.0)
`@kubernetes/client-node` is pinned/resolved at 0.20.0 but the latest stable release on the npm registry is 1.4.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs …
packages/infrastructure/package.json
medium Security checks software dependencies conf 0.90 2 occurrences npm package `@sveltejs/vite-plugin-svelte` is 1 major version(s) behind (6.2.4 -> 7.1.2)
`@sveltejs/vite-plugin-svelte` is pinned/resolved at 6.2.4 but the latest stable release on the npm registry is 7.1.2 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update …
2 files, 2 locations
package.json
packages/studio/package.json
medium Security checks software dependencies conf 0.90 2 occurrences npm package `@vitejs/plugin-react` is 1 major version(s) behind (5.2.0 -> 6.0.2)
`@vitejs/plugin-react` is pinned/resolved at 5.2.0 but the latest stable release on the npm registry is 6.0.2 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs rais…
2 files, 2 locations
package.json
packages/studio/package.json
medium Security checks software dependencies conf 0.90 npm package `google-auth-library` is 1 major version(s) behind (9.15.1 -> 10.7.0)
`google-auth-library` is pinned/resolved at 9.15.1 but the latest stable release on the npm registry is 10.7.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs rai…
packages/infrastructure/package.json
medium Security checks software dependencies conf 0.90 npm package `jsdom` is 2 major version(s) behind (27.4.0 -> 29.1.1)
`jsdom` is pinned/resolved at 27.4.0 but the latest stable release on the npm registry is 29.1.1 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
packages/studio/package.json
medium Security checks software dependencies conf 0.88 path-to-regexp: GHSA-27v5-c462-wpq7
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards
package-lock.json
medium Security checks software dependencies conf 0.88 2 occurrences picomatch: GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
2 files, 2 locations
examples/react-dom-animation/package-lock.json
package-lock.json
medium Security checks software dependencies conf 0.88 2 occurrences postcss: GHSA-qx2v-qp2m-jg93
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
2 files, 2 locations
examples/audio-visualization/package-lock.json
package-lock.json
medium Security checks quality Quality conf 0.70 Public web app has no Content Security Policy
A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox.
index.html
medium Security checks quality Quality conf 0.78 Public web service has no security.txt
security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt.
.well-known/security.txt
medium Security checks software dependencies conf 0.88 qs: GHSA-6rw7-vpxm-498p
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion
package-lock.json
medium Security checks software dependencies conf 0.88 qs: GHSA-q8mj-m7cp-5q26
qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set
package-lock.json
medium Security checks software dependencies conf 0.88 request: GHSA-p8p7-x288-28g6
Server-Side Request Forgery in Request
package-lock.json
medium Security checks software dependencies conf 0.88 svelte: GHSA-9rmh-mm8f-r9h6
Svelte: ReDoS in `<svelte:element>` Tag Validation
package-lock.json
medium Security checks software dependencies conf 0.88 svelte: GHSA-f3cj-j4f6-wq85
Svelte: SSR XSS via Insecure Promise Serialization in hydratable
package-lock.json
medium Security checks software dependencies conf 0.88 svelte: GHSA-pr6f-5x2q-rwfp
Svelte SSR vulnerable to cross-site scripting via spread attributes
package-lock.json
medium Security checks software dependencies conf 0.88 svelte: GHSA-rcqx-6q8c-2c42
Svelte Vulnerable to XSS via DOM Clobbering of Internal Framework State
package-lock.json
medium Security checks software dependencies conf 0.88 tough-cookie: GHSA-72xf-g2v4-qvf3
tough-cookie Prototype Pollution vulnerability
package-lock.json
medium Security checks software dependencies conf 0.88 uuid: GHSA-w5hq-g745-h8pq
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
package-lock.json
medium Security checks software dependencies conf 0.88 2 occurrences vite: GHSA-4w7w-66w2-5vf9
Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling
2 files, 2 locations
examples/audio-visualization/package-lock.json
package-lock.json
medium Security checks software dependencies conf 0.88 ws: GHSA-58qx-3vcg-4xpx
ws: Uninitialized memory disclosure
package-lock.json
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — examples/distributed-rendering/cloudflare-workflow/src/index.ts:30
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — examples/distributed-rendering/cloudflare-workflow/src/render-workflow.ts:58
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/cli/src/commands/job.ts:9
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/cli/src/templates/cloudflare-sandbox.ts:50
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/cli/src/utils/examples.ts:23
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/infrastructure/src/adapters/cloudflare-sandbox-adapter.ts:123
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/infrastructure/src/adapters/cloudflare-workers-adapter.ts:50
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/infrastructure/src/adapters/fly-machines-adapter.ts:32
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/infrastructure/src/adapters/hetzner-cloud-adapter.ts:63
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/infrastructure/src/adapters/modal-adapter.ts:41
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/player/src/features/dom-capture.ts:200
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/player/src/index.ts:2715
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/studio/src/context/StudioContext.tsx:372
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/auto-merge.yml · CI/CD security · Supply chain · Github actions
low Security checks software dependencies conf 0.88 @tootallnate/once: GHSA-vpq2-c234-7xj6
@tootallnate/once vulnerable to Incorrect Control Flow Scoping
package-lock.json
low Security checks software dependencies conf 0.88 devalue: GHSA-mwv9-gp5h-frr4
Sveltejs devalue's `devalue.parse` and `devalue.unflatten` emit objects with `__proto__` own properties
package-lock.json
low Security checks quality Quality conf 0.60 14 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
12 files, 12 locations
packages/infrastructure/src/adapters/vercel-adapter.ts:18
packages/infrastructure/src/storage/s3-storage.ts:158
packages/player/src/features/text-tracks.ts:188
packages/player/src/features/video-tracks.ts:58
packages/renderer/src/concat.ts:42
packages/renderer/src/drivers/SeekTimeDriver.ts:199
packages/renderer/src/strategies/DomStrategy.ts:165
packages/studio/src/components/AssetsPanel/FolderItem.tsx:136
duplication · quality
low Security checks software dependencies conf 0.88 hono: GHSA-hm8q-7f3q-5f36
Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()
package-lock.json
low Security checks software dependencies conf 0.90 npm package `@modelcontextprotocol/sdk` is minor version(s) behind (1.27.1 -> 1.29.0)
`@modelcontextprotocol/sdk` is pinned/resolved at 1.27.1 but the latest stable release on the npm registry is 1.29.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs…
packages/studio/package.json
low Security checks software dependencies conf 0.90 npm package `@react-three/fiber` is minor version(s) behind (9.5.0 -> 9.6.1)
`@react-three/fiber` is pinned/resolved at 9.5.0 but the latest stable release on the npm registry is 9.6.1 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `autoprefixer` is minor version(s) behind (10.4.27 -> 10.5.0)
`autoprefixer` is pinned/resolved at 10.4.27 but the latest stable release on the npm registry is 10.5.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `gsap` is minor version(s) behind (3.14.2 -> 3.15.0)
`gsap` is pinned/resolved at 3.14.2 but the latest stable release on the npm registry is 3.15.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `motion` is minor version(s) behind (12.36.0 -> 12.40.0)
`motion` is pinned/resolved at 12.36.0 but the latest stable release on the npm registry is 12.40.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `p5` is minor version(s) behind (2.2.2 -> 2.3.0)
`p5` is pinned/resolved at 2.2.2 but the latest stable release on the npm registry is 2.3.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `three` is minor version(s) behind (0.170.0 -> 0.184.0)
`three` is pinned/resolved at 0.170.0 but the latest stable release on the npm registry is 0.184.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks quality Quality conf 0.50 Public web app has no humans.txt
humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links.
humans.txt
low Security checks quality Quality conf 0.74 Public web app has no robots.txt
Public websites should publish a robots.txt file so crawlers and AI agents can discover crawl rules and sitemap locations without guessing.
robots.txt
low Security checks quality Quality conf 0.72 Public web app has no sitemap
A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. Without one, important docs and product pages are easy to miss.
sitemap.xml
low System graph software Dead code candidate conf 1.00 File has no detected symbols: append_backlog.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: evaluate-baseline.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: fix-jules.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: fix-progress3.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: fix_deploy.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: fix_deploy_test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: fix_dom_strategy.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: modify_timeline.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/player/src/api_parity.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/player/src/event_handlers.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/player/src/features/api_parity.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/player/src/features/audio-fader.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/player/src/features/audio-menu.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/player/src/features/audio-metering.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/player/src/features/audio-utils.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/player/src/features/caption-parser.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/player/src/features/interaction.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/player/src/features/media-session.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/player/src/features/pip.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/player/src/features/smart-controls.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/player/src/features/track-events.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/player/src/features/video-tracks.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/player/src/features/video-volume.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/player/src/interaction.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/player/vite.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/player/vitest.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/renderer/tests/verify-captions.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/renderer/tests/verify-stream-copy.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: patch-docs.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: patch-progress.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: patch-status.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: patch-test.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: patch.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: patch_plan.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: plan_script.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: postcss.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: reproduction.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tailwind.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test-canvas-capture.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test-coverage.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test-export-options.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test-index.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test_perf_plan.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test_sandbox.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test_target_bench.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test_timeline.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/e2e/verify-all.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/e2e/verify_excalidraw.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/manual/verify-bridge-export.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: vite.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — benchmark.ts:26
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — evaluate-baseline.js:6
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/client-export-api/src/app.ts:17
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/distributed-rendering/src/main.ts:10
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/promo-video/render.ts:21
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/promo-video/src/main.js:331
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/simple-canvas-animation/src/main.ts:10
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/scripts/bundle-skills.js:12
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/build.ts:42
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/components.ts:34
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/deploy.ts:34
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/diff.ts:50
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/init.ts:62
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/list.ts:20
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/merge.ts:24
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/remove.ts:35
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/render.ts:48
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/skills.ts:23
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/studio.ts:21
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/commands/update.ts:27
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/templates/aws.ts:55
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/utils/ffmpeg.ts:76
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/utils/install.ts:68
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/utils/uninstall.ts:27
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/infrastructure/examples/aws-lambda.ts:9
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/infrastructure/examples/azure-functions-adapter.ts:5
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/infrastructure/examples/cloudflare-workers-adapter-example.ts:20
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/infrastructure/examples/cloudrun.ts:9
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/infrastructure/examples/docker-rendering/example.js:11
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/infrastructure/examples/ffmpeg-stitcher.ts:8
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/infrastructure/examples/file-job-repository.ts:10
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/infrastructure/examples/fly-machines-adapter.ts:10
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/infrastructure/examples/gcs-storage.ts:16
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/infrastructure/examples/hetzner-cloud-adapter.ts:25
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/infrastructure/examples/job-executor-standalone.ts:14
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/infrastructure/examples/job-manager-standalone.ts:22
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/infrastructure/examples/kubernetes-adapter-example.ts:5
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/infrastructure/examples/local-adapter.ts:5
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/infrastructure/examples/local-storage.ts:16
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/infrastructure/examples/modal-adapter.ts:5
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/infrastructure/examples/render-executor.ts:7
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/infrastructure/examples/s3-storage.ts:16
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/infrastructure/examples/sync-workspace.ts:11
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/infrastructure/examples/vercel-adapter-example.ts:5
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/infrastructure/examples/worker-runtime.ts:7
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/infrastructure/src/index.ts:4
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/infrastructure/src/orchestrator/job-executor.ts:113
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/infrastructure/src/orchestrator/job-manager.ts:258
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/infrastructure/tests/adapters/local-adapter.test.ts:22
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/player/src/features/exporter.ts:43
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/player/src/index.ts:2604
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/renderer/scripts/benchmark-closure.js:27
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/renderer/scripts/benchmark-concurrent.ts:35
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/renderer/scripts/benchmark-perf.ts:29
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/renderer/scripts/benchmark-seek-promise.js:27
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/renderer/scripts/benchmark-test-seek.js:3
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/renderer/scripts/benchmark-test.js:25
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/renderer/scripts/render-dom.ts:6
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/renderer/scripts/render.ts:6
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/renderer/scripts/verify-advanced-audio.ts:11
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/renderer/scripts/verify-audio-args.ts:12
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/renderer/scripts/verify-audio-mixing.ts:40
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/renderer/scripts/verify-bitrate.ts:6
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/renderer/scripts/verify-cancellation.ts:39
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/renderer/scripts/verify-diagnostics.ts:4
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/renderer/scripts/verify-dom-media-preload.ts:20
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/renderer/scripts/verify-dom-preload.ts:9
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/renderer/scripts/verify-error-handling.ts:24
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/renderer/scripts/verify-ffmpeg-path.ts:11
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/renderer/scripts/verify-trace.ts:50
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/renderer/scripts/verify-transparency.ts:70
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/renderer/src/concat.ts:52
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/renderer/src/core/BrowserPool.ts:107
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/renderer/src/core/CaptureLoop.ts:229
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/renderer/src/core/Diagnostics.ts:13
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/renderer/src/core/FFmpegManager.ts:22
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/renderer/src/Orchestrator.ts:115
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/renderer/src/Renderer.ts:20
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/renderer/src/strategies/CanvasStrategy.ts:32
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/renderer/src/strategies/DomStrategy.ts:36
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/renderer/src/utils/blob-extractor.ts:14
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/renderer/src/utils/dom-preload.ts:28
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/renderer/src/utils/dom-scanner.ts:19
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/renderer/src/utils/random-seed.ts:15
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/renderer/tests/fixtures/benchmark.ts:24
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/renderer/tests/manual-verify-format.ts:6
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/renderer/tests/run-all.ts:77
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/renderer/tests/verify-asset-timeout.ts:5
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/renderer/tests/verify-audio-codecs.ts:5
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/renderer/tests/verify-audio-fades.ts:5
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/renderer/tests/verify-audio-loop.ts:7
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak

Showing first 300 of 406. Refine filters or use the findings page for deep search.

API access

This page is publicly accessible at: https://repobility.com/scan/111cca79-b1fd-4658-bc93-2073688e83a6/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/111cca79-b1fd-4658-bc93-2073688e83a6/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.