mercurjs/mercur

Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.

19 of your 77 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 18.91s · analysis 19.62s · 26.4 MB · GitHub API rate-limit (preflight)

https://github.com/mercurjs/mercur · scanned 2026-05-19 14:54 UTC (2 weeks, 3 days ago) · 10 languages

761 findings (77 legacy + 684 scanner) 8/10 scanners ran 25th percentile · Typescript · large (100-500K LoC) Scanner says 82 (lower by 13)

File as issue Image

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 2 weeks, 3 days ago · v3 · 305 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

JSON

100.0% cov · 228 gaps

Score breakdown â 2026-05-18-v5

Component	Sub-score	Weight	Contribution
`structure_score`	60.0	0.15	9.00
`security_score`	100.0	0.25	25.00
`testing_score`	30.0	0.20	6.00
`documentation_score`	76.0	0.15	11.40
`practices_score`	65.0	0.15	9.75
`code_quality`	80.0	0.10	8.00
Overall		1.00	69.2

security_score may be inflated — optional security scanners were skipped on this fast scan

Severity distribution — click a segment to filter

Active filters: layer: software × excluding tests × Reset all

Severity: Critical 0 High 40 Medium 16 Low 74 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Legacy 77 9-layer 228 Crowd 0 Layer: Quality 87 Security 13 Software 56 Api 1 Frontend 145 Cicd 3

Exclude dismissed / FP Exclude test files

Scan summary Repository scanned at 82.2/100 with 100.0% coverage. It contains 8934 nodes across 30 cross-layer flows, written primarily in mixed languages. Engine surfaced 228 findings — concentrated in frontend (145), software (50), quality (28). Risk profile is high: 0 critical, 1 high, 12 medium. Recommended next step: open the frontend layer findings first — that's where the highest-impact wins live.

Showing 53 of 305 findings. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

low Legacy software xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.

For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.

packages/cli/src/utils/build-vendor-extensions.ts:74 xsslegacy

packages/cli/src/registry/errors.ts:195 xsslegacy

packages/admin/src/pages/orders/order-list/components/order-list-table/order-list-data-table.tsx:58 xsslegacy

low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/admin-test/eslint.config.js