Public scan (viewable by anyone with the URL).
88 of your 180 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.
Delay on this scan came from upstream (GitHub), not from Repobility:
  • GitHub API rate-limited (HTTP 403); the preflight was skipped and the scanner fell back to a direct git clone.
  • The clone from GitHub took 189.43s for a 243.8 MB repo (slow).
  • Repobility's analysis ran in 23.97s once the clone landed.

laurent22/joplin

https://github.com/laurent22/joplin · scanned 2026-06-05 10:28 UTC (5 days, 14 hours ago) · 10 languages

904 raw signals (150 security + 754 graph) · 11/13 scanners ran · 73rd percentile · TypeScript · large (100-500K LoC) · system graph score 60 (higher by 22)


Complete repo analysis

Last scanned 5 days, 14 hours ago · v2 · 652 actionable findings from 2 signal sources. 252 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5
Component             Sub-score   Weight   Contribution
structure_score            60.0     0.15           9.00
security_score            100.0     0.25          25.00
testing_score              95.0     0.20          19.00
documentation_score        62.0     0.15           9.30
practices_score            73.0     0.15          10.95
code_quality               80.0     0.10           8.00
Overall                              1.00          81.2
security_score may be inflated — optional security scanners were skipped on this fast scan
Scan summary: quality grade A- (81/100). Dimensions: security 100, maintainability 60. 150 findings (41 security). 433,748 lines analyzed.

Showing 281 of 652 actionable findings. 904 raw detector signals were grouped into reader-sized issues.

critical Security checks quality Quality conf 1.00 ✓ Repobility [MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk.
Review and fix per the pattern semantics. See CWE-95 for context.
packages/app-mobile/components/ExtendedWebView/index.web.tsx:111
critical Security checks quality Quality conf 1.00 ✓ Repobility [MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk.
Review and fix per the pattern semantics. See CWE-95 for context.
packages/app-mobile/components/ExtendedWebView/index.jest.tsx:24
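The two `eval()` call sites above sit in a WebView bridge, where the string being evaluated can originate from content loaded in the view. (The same two locations are reported again under "Insecure pattern 'eval_used'" further down, together with a hit in a JSON consent record, which is a text match and not executable code.) The risk is not `eval` as a token but `eval` on a string an untrusted page can shape. As an added example, not code from Joplin, the handler below shows the pattern both ways: a bridge that evaluates incoming message strings, and a replacement that accepts only a JSON `{cmd, args}` envelope and dispatches to an allowlist of host commands. The names `unsafeBridge`, `safeBridge` and the `commands` map are hypothetical; the hostile payload is constructed and harmless.

```javascript
// Added example (not Joplin code): a host/WebView message bridge with and
// without eval(). A bridge typically receives strings via postMessage; if the
// host evaluates them, any page that can reach the bridge executes code in
// the host context.

// Hypothetical host-side commands a page is allowed to trigger. Each handler
// validates its own argument shape.
const commands = {
  setTitle(args, state) {
    if (typeof args.title !== "string" || args.title.length > 200) {
      throw new TypeError("setTitle: invalid title");
    }
    state.title = args.title;
    return "ok";
  },
  getCount(_args, state) {
    return state.count;
  },
};

// Vulnerable (CWE-95): the message body is treated as source code. The
// evaluated code can reach globalThis, process, require(), not just `state`.
function unsafeBridge(message, state) {
  return eval(message);
}

// Hardened: the message must be a JSON envelope naming an allowlisted command.
function safeBridge(message, state) {
  let envelope;
  try {
    envelope = JSON.parse(message);
  } catch {
    return { ok: false, error: "malformed message" };
  }
  if (typeof envelope !== "object" || envelope === null || Array.isArray(envelope)) {
    return { ok: false, error: "envelope must be an object" };
  }
  const { cmd, args = {} } = envelope;
  // hasOwnProperty, not `cmd in commands`: "constructor", "__proto__" etc.
  // are inherited names and must not resolve to a callable.
  if (typeof cmd !== "string" || !Object.prototype.hasOwnProperty.call(commands, cmd)) {
    return { ok: false, error: `unknown command: ${String(cmd)}` };
  }
  try {
    return { ok: true, result: commands[cmd](args, state) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Constructed payload: what a hostile page might send. Kept harmless here.
const hostile = 'globalThis.bridgePwned = true; "done"';

function demo() {
  const state = { title: "", count: 3 };
  const viaEval = unsafeBridge(hostile, state);   // attacker code runs
  const viaSafe = safeBridge(hostile, state);      // rejected: not a JSON envelope
  const legit = safeBridge(JSON.stringify({ cmd: "setTitle", args: { title: "Notes" } }), state);
  const count = safeBridge(JSON.stringify({ cmd: "getCount" }), state);
  const probe = safeBridge(JSON.stringify({ cmd: "constructor" }), state);
  return { viaEval, pwned: globalThis.bridgePwned === true, viaSafe, legit, count, probe, title: state.title };
}
```

The JSON envelope also fixes the test-harness variant: a Jest mock that evaluates injected scripts can instead assert on the envelope it received.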
critical System graph security Secrets conf 1.00 3 occurrences Possible secret in packages/app-cli/app/command-e2ee.ts
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
packages/app-cli/app/command-e2ee.ts:38, 84, 94 (3 hits)
critical System graph security Secrets conf 1.00 Possible secret in packages/app-cli/tools/populateDatabase.ts
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
packages/app-cli/tools/populateDatabase.ts:49
critical System graph security Secrets conf 1.00 Possible secret in packages/app-desktop/app.reducer.ts
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
packages/app-desktop/app.reducer.ts:19
critical System graph security Secrets conf 1.00 2 occurrences Possible secret in packages/app-desktop/gui/EncryptionConfigScreen/EncryptionConfigScreen.tsx
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
packages/app-desktop/gui/EncryptionConfigScreen/EncryptionConfigScreen.tsx:368, 476 (2 hits)
critical System graph security Secrets conf 1.00 4 occurrences Possible secret in packages/app-mobile/components/screens/encryption-config.tsx
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
packages/app-mobile/components/screens/encryption-config.tsx:145, 188, 207, 261 (4 hits)
critical System graph security Secrets conf 1.00 2 occurrences Possible secret in packages/lib/JoplinServerApi.ts
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
packages/lib/JoplinServerApi.ts:131, 138 (2 hits)
critical System graph security Secrets conf 1.00 166 occurrences Possible secret in packages/lib/locales/*.json (44 locale files)
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
44 files, 166 locations
packages/lib/locales/ar.json:620, 1246, 1862, 2216 (4 hits)
packages/lib/locales/bg_BG.json:1001, 1814 (2 hits)
packages/lib/locales/bs_BA.json:989, 1784 (2 hits)
packages/lib/locales/ca.json:761, 1504, 2287, 2774 (4 hits)
packages/lib/locales/cs_CZ.json:623, 1228, 1859, 2234 (4 hits)
packages/lib/locales/da_DK.json:761, 1504, 2287, 2774 (4 hits)
packages/lib/locales/de_DE.json:761, 1504, 2287, 2774 (4 hits)
packages/lib/locales/el_GR.json:662, 1323, 2024, 2420 (4 hits)
packages/lib/locales/en_GB.json:767, 1525, 2311, 2801 (4 hits)
packages/lib/locales/en_US.json:755, 1510, 2296, 2783 (4 hits)
packages/lib/locales/eo.json:573, 1098, 1969 (3 hits)
packages/lib/locales/es_ES.json:761, 1504, 2287, 2774 (4 hits)
packages/lib/locales/et_EE.json:530, 951, 1706 (3 hits)
packages/lib/locales/eu.json:1039, 1808 (2 hits)
packages/lib/locales/fa.json:662, 1323, 2021, 2417 (4 hits)
packages/lib/locales/fi_FI.json:713, 1329, 2046, 2520 (4 hits)
packages/lib/locales/fr_FR.json:767, 1525, 2311, 2801 (4 hits)
packages/lib/locales/gl_ES.json:731, 1435, 2178, 2635 (4 hits)
packages/lib/locales/hr_HR.json:767, 1512, 2298, 2786 (4 hits)
packages/lib/locales/hu_HU.json:761, 1504, 2287, 2774 (4 hits)
packages/lib/locales/id_ID.json:755, 1496, 2276, 2762 (4 hits)
packages/lib/locales/it_IT.json:662, 663, 1323, 2024, 2420, 2421 (6 hits)
packages/lib/locales/ja_JP.json:641, 1286, 1940, 2324 (4 hits)
packages/lib/locales/ko.json:644, 1292, 1943, 2324 (4 hits)
packages/lib/locales/nb_NO.json:605, 1179, 1784, 2135 (4 hits)
packages/lib/locales/nl_BE.json:686, 1378, 2109, 2538 (4 hits)
packages/lib/locales/nl_NL.json:752, 1477, 2245, 2711 (4 hits)
packages/lib/locales/pl_PL.json:752, 1455, 2217, 2684 (4 hits)
packages/lib/locales/pt_BR.json:731, 1435, 2178, 2638 (4 hits)
packages/lib/locales/pt_PT.json:662, 1323, 2024, 2420 (4 hits)
packages/lib/locales/ro.json:665, 1335, 2035, 2455 (4 hits)
packages/lib/locales/ro_MD.json:764, 1503, 2289, 2777 (4 hits)
packages/lib/locales/ro_RO.json:764, 1503, 2289, 2777 (4 hits)
packages/lib/locales/ru_RU.json:761, 1500, 2274, 2759 (4 hits)
packages/lib/locales/sk_SK.json:767, 1512, 2298, 2786 (4 hits)
packages/lib/locales/sl_SI.json:602, 1142, 1724, 2063 (4 hits)
packages/lib/locales/sr_RS.json:1010, 1847 (2 hits)
packages/lib/locales/sv.json:761, 1504, 2287, 2774 (4 hits)
packages/lib/locales/th_TH.json:524, 983, 1778 (3 hits)
packages/lib/locales/tr_TR.json:758, 1495, 2278, 2765 (4 hits)
packages/lib/locales/uk_UA.json:680, 1368, 2101, 2530 (4 hits)
packages/lib/locales/vi.json:593, 1118, 2039 (3 hits)
packages/lib/locales/zh_CN.json:749, 1484, 2255, 2738 (4 hits)
packages/lib/locales/zh_TW.json:662, 1322, 2021, 2417 (4 hits)
critical System graph security Secrets conf 1.00 2 occurrences Possible secret in packages/server/src/env.ts
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
packages/server/src/env.ts:77, 84 (2 hits)
critical System graph security Secrets conf 1.00 Possible secret in packages/server/src/models/NotificationModel.ts
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
packages/server/src/models/NotificationModel.ts:11
critical System graph security Secrets conf 1.00 Possible secret in packages/server/src/tools/debug/populateDatabase.ts
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
packages/server/src/tools/debug/populateDatabase.ts:344
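Every `password_literal` row above comes from one regex applied to very different files: CLI and server source where a password variable is assigned, UI screens that handle the master password, and `packages/lib/locales/*.json`, which by its path and its uniform handful of hits per language is a localisation catalogue. Hits of that last kind are UI strings containing the word "password", not credentials, and "rotate the credential" does not apply to them; the same holds for empty-string defaults such as a reducer's initial state. As an added example, not code from Joplin or from the scanner, the triage below runs a naive `password_literal` rule over constructed sample files and then applies a second pass that keeps a hit only when the value has the shape of a credential. The rule set (i18n key/value lines, placeholders, prose, minimum length 8) and the sample contents are assumptions; real triage should also compare against the organisation's known secret formats.

```javascript
// Added example (not Joplin code, not the scanner's rule): a naive
// password_literal detector plus a triage pass that separates credentials
// from translation strings, placeholders and prose.

// Naive rule of the kind that produced the rows above: "password", then an
// assignment or JSON colon, then a quoted string.
const NAIVE = /password[^=:]{0,30}[=:]\s*['"]([^'"]*)['"]/i;

function naiveHits(lines) {
  return lines.flatMap((line, i) => {
    const m = NAIVE.exec(line);
    return m ? [{ line: i + 1, value: m[1] }] : [];
  });
}

// Values that mean "no real secret here": empty, masked, template placeholders.
const PLACEHOLDER = /^(|\*+|x+|changeme|password|secret|todo|%s|<[^>]+>|\$\{[^}]+\})$/i;

// Each rule names a reason the hit is NOT a credential; the first that applies wins.
function triage(file, hit, line) {
  const v = hit.value.trim();
  // i18n catalogue: a JSON line whose key and value are both message text.
  if (/\/locales\/[^/]+\.json$/.test(file) && /^\s*"[^"]*"\s*:\s*"/.test(line)) {
    return { keep: false, reason: "i18n string" };
  }
  if (PLACEHOLDER.test(v)) return { keep: false, reason: "placeholder" };
  // Three or more whitespace-separated words is a sentence, not a secret.
  if (/\s/.test(v) && v.split(/\s+/).length >= 3) return { keep: false, reason: "prose" };
  if (v.length < 8) return { keep: false, reason: "too short" };
  return { keep: true, reason: "candidate credential" };
}

function scan(files) {
  const out = [];
  for (const [file, text] of Object.entries(files)) {
    const lines = text.split("\n");
    for (const hit of naiveHits(lines)) {
      out.push({ file, line: hit.line, value: hit.value, ...triage(file, hit, lines[hit.line - 1]) });
    }
  }
  return out;
}

function summarize(results) {
  const byReason = {};
  for (const r of results) byReason[r.reason] = (byReason[r.reason] || 0) + 1;
  return { total: results.length, kept: results.filter((r) => r.keep).length, byReason };
}

// Constructed sample files. Paths echo the report's layout; contents are invented.
const SAMPLE = {
  "packages/lib/locales/fr_FR.json": [
    "{",
    '  "Master password": "Mot de passe principal",',
    '  "Enter password": "Saisissez le mot de passe"',
    "}",
  ].join("\n"),
  "packages/app-desktop/app.reducer.ts": [
    "const defaultState = {",
    "  masterPassword: '',",
    "};",
  ].join("\n"),
  "packages/server/src/env.ts": [
    "const env = {",
    "  POSTGRES_PASSWORD: process.env.POSTGRES_PASSWORD || '',",
    "  DB_PASSWORD: 'changeme',",
    "  SMTP_PASSWORD: 'abc',",
    "};",
  ].join("\n"),
  "packages/app-desktop/labels.ts":
    'export const labels = { password: "Enter the master password to continue" };',
  "packages/app-cli/tools/populateDatabase.ts":
    "const adminPassword = 'hunter2hunter2';",
};
```

Run `summarize(scan(SAMPLE))` to see the split: seven naive hits, one candidate credential. The env-lookup line produces no naive hit at all, which is the point of moving secrets to the environment or a vault; the `changeme` default on the next line is what deserves a look, since a placeholder that ships is a real weak default.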
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState — React skips re-render on mutated reference.
Review and fix per the pattern semantics. See CWE-682 for context.
packages/tools/website/utils/applyTranslations.ts:87
high Security checks software dependencies conf 0.90 ✓ Repobility 5 occurrences [MINED118] Dockerfile FROM `node:24` not pinned by digest: `FROM node:24` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM node:24@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
3 files, 5 locations
Dockerfile.server:4, 65 (2 hits)
Dockerfile.transcribe.gpu:23, 26 (2 hits)
Dockerfile.transcribe:1
high Security checks software dependencies conf 0.90 ✓ Repobility [MINED134] Binary file `packages/app-mobile/android/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `packages/app-mobile/android/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (43,764 bytes) committed to a repo that otherwise has 3080 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts.
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source. For gradle-wrapper.jar specifically, committing the jar is how the Gradle wrapper is designed to work; the check is to compare the jar's SHA-256 against the wrapper checksums Gradle publishes for each release, which the `gradle/actions/wrapper-validation` GitHub Action automates in CI.
packages/app-mobile/android/gradle/wrapper/gradle-wrapper.jar:1
high Security checks software dependencies conf 0.90 ✓ Repobility [MINED134] Binary file `packages/react-native-saf-x/android/wrapper/gradle-wrapper.jar` committed in source repo: `packages/react-native-saf-x/android/wrapper/gradle-wrapper.jar` is a .jar binary (59,203 bytes) committed to a repo that otherwise has 3080 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts.
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source. For gradle-wrapper.jar specifically, committing the jar is how the Gradle wrapper is designed to work; the check is to compare the jar's SHA-256 against the wrapper checksums Gradle publishes for each release, which the `gradle/actions/wrapper-validation` GitHub Action automates in CI.
packages/react-native-saf-x/android/wrapper/gradle-wrapper.jar:1
high Security checks software dependencies conf 0.90 ✓ Repobility [MINED134] Binary file `packages/tools/PortableAppsLauncher/JoplinPortable.exe` committed in source repo: `packages/tools/PortableAppsLauncher/JoplinPortable.exe` is a .exe binary (164,948 bytes) committed to a repo that otherwise has 3080 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts.
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source.
packages/tools/PortableAppsLauncher/JoplinPortable.exe:1
high Security checks software Resource exhaustion conf 1.00 [SEC035] Unbounded Resource Allocation — DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation. CWE-770/400. Examples: CVE-2023-44487 (HTTP/2 Rapid Reset), countless YAML/XML billion-laughs variants.
Cap user-controlled sizes BEFORE allocation: size = min(int(request.args.get('n', 100)), MAX_SIZE). Set framework-level limits: Flask: app.config['MAX_CONTENT_LENGTH'] = 10 * 1024 * 1024; FastAPI: use middleware to enforce request size; Django: DATA_UPLOAD_MAX_MEMORY_SIZE in settings.py …
packages/server/src/utils/strings.ts:28
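SEC035's remediation text is written for Python web frameworks, while the flagged file is TypeScript in the Joplin server; the Node equivalent is the same idea, validate and cap the number before it reaches a `repeat`, `padEnd`, `Buffer.alloc`, loop bound or query limit. As an added example, not Joplin code, `parseBoundedInt` below does that strictly: it accepts only a digit string of bounded length, so `parseInt("1e9") === 1`, `parseInt("10abc") === 10`, `Number("") === 0` and `Number("0x10") === 16` can never silently pass, and it clamps to a ceiling. The helper names, the 10000 ceiling and the 15-digit limit are assumptions.

```javascript
// Added example (not Joplin code): strict, bounded parsing of a user-supplied
// count before it drives an allocation.

// Digits only, at most 15 of them (stays below Number.MAX_SAFE_INTEGER).
// parseInt/Number are avoided on purpose: they coerce "1e9", "10abc", "",
// " 12 " and "0x10" into numbers an attacker can shape.
const DIGITS = /^[0-9]{1,15}$/;

function parseBoundedInt(raw, { min = 0, max, fallback }) {
  if (!Number.isSafeInteger(max) || max < min) throw new RangeError("bad bounds");
  if (raw === undefined || raw === null || raw === "") {
    return { value: fallback, clamped: false, reason: "default" };
  }
  // Query-string values arrive as strings; anything else is a programming error.
  if (typeof raw !== "string" || !DIGITS.test(raw)) {
    return { value: fallback, clamped: false, reason: "rejected" };
  }
  const n = Number(raw);
  if (n < min) return { value: min, clamped: true, reason: "below-min" };
  if (n > max) return { value: max, clamped: true, reason: "above-max" };
  return { value: n, clamped: false, reason: "ok" };
}

// Allocation guarded by the parser. MAX_PAD is a hypothetical per-request ceiling.
const MAX_PAD = 10000;

function padToRequestedWidth(text, rawWidth) {
  const { value } = parseBoundedInt(rawWidth, { min: 0, max: MAX_PAD, fallback: 80 });
  // padEnd is the allocation: with an unchecked "100000000000" it would throw
  // RangeError or exhaust memory; after the cap it is at most MAX_PAD chars.
  return text.padEnd(value, " ");
}
```

Whether to clamp or to answer 400 on `above-max` is a product decision; the `reason` field is returned so the caller can do either. For pagination parameters, rejecting is usually better than clamping, because a silently clamped `limit` hides the fact that the client is not seeing all rows.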
high Security checks security auth conf 0.78 Consent is collected in UI without visible backend audit persistence
Persist consent as a backend record with subject, actor, purpose, scope, legal text version, timestamp, IP address, user agent, and revocation state.
packages/app-mobile/utils/fs-driver/fs-driver-rn.web.worker.ts:201
high Security checks cicd CI/CD security conf 0.92 Dockerfile pipes a remote script into a shell
Download the artifact, verify its checksum or signature, pin the version, and then execute it.
Dockerfile.transcribe.gpu:28 · CI/CD security · containers
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 19 occurrences GitHub Action is tag-pinned rather than SHA-pinned
[MINED115] Action `actions/setup-java` pinned to mutable ref `@v5`: `uses: actions/setup-java@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA …
8 files, 19 locations
.github/workflows/build-android.yml:32, 37, 39 (3 hits)
.github/workflows/build-macos-m1.yml:10, 13, 30 (3 hits)
.github/workflows/check-pr-title.yml:18, 24 (3 hits)
.github/workflows/github-actions-main.yml:15, 150, 152 (3 hits)
.github/workflows/delete-coderabbit-comments.yml:38 (2 hits)
.github/workflows/shared/setup-build-environment/action.yml:54, 74 (2 hits)
.github/workflows/ui-tests.yml:15, 40 (2 hits)
.github/workflows/close-stale-issues.yml:12
CI/CD security · Supply chain · GitHub Actions
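The unpinned `FROM node:24` (MINED118), the remote script piped into a shell in Dockerfile.transcribe.gpu, and the tag-pinned `uses:` lines across eight workflows (MINED115) are the same defect in three syntaxes: a mutable reference resolved at build or run time, with no hash tying it to reviewed content. As an added example, not Joplin's code and not the scanner's rule, the lint below finds all three in Dockerfile and workflow text and prints the pinned form of each line. The sample Dockerfile and workflow are constructed; the digest and commit-SHA placeholders in the suggested fixes have to be resolved out of band, with `docker manifest inspect <image>` (or `docker buildx imagetools inspect <image>`) for images and `git ls-remote https://github.com/<owner>/<repo> refs/tags/<tag>` for actions, taking the peeled `^{}` line when the tag is annotated.

```javascript
// Added example (not Joplin code, not the scanner's rule): one lint for the
// three pinning findings. Rules:
//   unpinned-from    FROM image:tag without @sha256:<64-hex digest>
//   pipe-to-shell    RUN ... curl|wget ... | sh/bash/zsh
//   unpinned-action  uses: owner/repo@<tag or branch> instead of a 40-hex SHA
// Each finding carries the pinned replacement with placeholders for the values
// that must be resolved out of band.

const IMAGE_DIGEST = /@sha256:[0-9a-f]{64}$/;
const COMMIT_SHA = /@[0-9a-f]{40}$/;

function lintDockerfile(text) {
  const findings = [];
  const stages = new Set(); // names declared by `FROM <image> AS <name>`
  text.split("\n").forEach((raw, i) => {
    const line = raw.trim();
    const from = /^FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?/i.exec(line);
    if (from) {
      const [, image, stage] = from;
      if (stage) stages.add(stage);
      const exempt = stages.has(image)      // reference to an earlier build stage
        || image.startsWith("$")            // ARG-driven base, pinned where the ARG is set
        || image === "scratch";
      if (!exempt && !IMAGE_DIGEST.test(image)) {
        findings.push({ line: i + 1, rule: "unpinned-from", text: line,
          fix: `FROM ${image}@sha256:<digest from docker manifest inspect ${image}>` });
      }
    }
    if (/^RUN\b/i.test(line) && /\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b/.test(line)) {
      findings.push({ line: i + 1, rule: "pipe-to-shell", text: line,
        fix: "RUN curl -fsSLo /tmp/x.sh <url> && echo '<sha256>  /tmp/x.sh' | sha256sum -c - && sh /tmp/x.sh" });
    }
  });
  return findings;
}

function lintWorkflow(text) {
  const findings = [];
  text.split("\n").forEach((raw, i) => {
    const m = /^\s*-?\s*uses:\s*([^\s#]+)/.exec(raw);
    if (!m) return;
    const ref = m[1];
    if (ref.startsWith("./") || ref.startsWith("docker://")) return; // local or image action
    if (!COMMIT_SHA.test(ref)) {
      const [name, tag] = ref.split("@");
      findings.push({ line: i + 1, rule: "unpinned-action", text: raw.trim(),
        fix: `uses: ${name}@<40-char commit SHA> # ${tag || "no ref"}` });
    }
  });
  return findings;
}

// Constructed inputs (not files from the Joplin repo).
const SAMPLE_DOCKERFILE = [
  "FROM node:24 AS builder",
  "RUN apt-get update && apt-get install -y curl",
  "RUN curl -fsSL https://example.invalid/setup.sh | bash",
  "FROM node:24@sha256:" + "0".repeat(64),
  "COPY --from=builder /app /app",
  "FROM builder",
  "FROM ${BASE_IMAGE}",
  "RUN wget -qO- https://example.invalid/tool.tgz | tar xz -C /opt",
].join("\n");

const SAMPLE_WORKFLOW = [
  "jobs:",
  "  build:",
  "    steps:",
  "      - uses: actions/checkout@v4",
  "      - uses: actions/setup-java@v5",
  "        with:",
  "          java-version: '21'",
  "      - uses: actions/setup-node@" + "0123456789abcdef".repeat(2) + "01234567 # v4 (constructed SHA)",
  "      - uses: ./.github/workflows/shared/setup-build-environment",
  "      - name: Build",
  "        run: yarn build",
].join("\n");
```

`lintDockerfile(SAMPLE_DOCKERFILE)` reports line 1 and line 3 only: the digest-pinned `FROM`, the stage reference, the `ARG`-driven base and the `wget | tar` line are all legitimate. Keep the original tag as a trailing comment after the SHA, as the sample's setup-node line does; Dependabot and Renovate read it and keep the pin current, which is what turns a one-off pin into something maintainable.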
high Security checks security auth conf 0.83 Secret-like setting is echoed into a password input value
Never prefill secret fields with stored values. Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time.
packages/app-desktop/gui/EncryptionConfigScreen/EncryptionConfigScreen.tsx:188
high System graph security Secrets conf 1.00 .env file present in repo: packages/app-clipper/popup/.env
A raw .env file is in the working tree of the fresh clone this scan ran on, so it is tracked by git. Check its contents: non-secret configuration can stay, but any credential in it must be treated as exposed, rotated, and moved to a vault or to untracked local configuration.
Config
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${state.port}/ping (packages/app-clipper/popup/src/bridge.js:242)
`packages/app-clipper/popup/src/bridge.js:242` calls `GET http://127.0.0.1:${state.port}/ping` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/ping` If this points at an external API, prefix it w…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://api.github.com/repos/laurent22/${repoName}/releases/latest (packages/tools/tool-utils.ts:373)
`packages/tools/tool-utils.ts:373` calls `GET https://api.github.com/repos/laurent22/${repoName}/releases/latest` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.github.com/repos/laurent22/<p>/releases/lat…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://api.github.com/repos/laurent22/${repoName}/releases?page=${pageNum} (packages/tools/tool-utils.ts:389)
`packages/tools/tool-utils.ts:389` calls `GET https://api.github.com/repos/laurent22/${repoName}/releases?page=${pageNum}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.github.com/repos/laurent22/<p>/rel…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://api.github.com/repos/laurent22/joplin/releases?page=${page}&per_page=${perPage} (packages/tools/tool-utils.ts:411)
`packages/tools/tool-utils.ts:411` calls `GET https://api.github.com/repos/laurent22/joplin/releases?page=${page}&per_page=${perPage}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.github.com/repos/laure…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://api.ipify.org/?format=json (packages/lib/net-utils.ts:4)
`packages/lib/net-utils.ts:4` calls `GET https://api.ipify.org/?format=json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.ipify.org` If this points at an external API, prefix it with `https://` so the m…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://objects.joplinusercontent.com/r/releases (packages/app-desktop/checkForUpdates.ts:28)
`packages/app-desktop/checkForUpdates.ts:28` calls `GET https://objects.joplinusercontent.com/r/releases` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/objects.joplinusercontent.com/r/releases` If this point…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://raw.githubusercontent.com/${organization}/${project}/HEAD/${path} (packages/tools/licenses/buildReport.ts:46)
`packages/tools/licenses/buildReport.ts:46` calls `GET https://raw.githubusercontent.com/${organization}/${project}/HEAD/${path}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/raw.githubusercontent.com/<p>/<…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /stripe/createCheckoutSession (packages/server/src/routes/index/stripe.ts:445)
`packages/server/src/routes/index/stripe.ts:445` calls `POST /stripe/createCheckoutSession` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/stripe/createcheckoutsession` If this points at an external API, prefix it w…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST http://localhost:${port} (packages/utils/ipc.ts:214)
`packages/utils/ipc.ts:214` calls `POST http://localhost:${port}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/localhost:/<p>` If this points at an external API, prefix it with `https://` so the matcher skip…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST https://api.dropboxapi.com/oauth2/token (packages/lib/DropboxApi.js:85)
`packages/lib/DropboxApi.js:85` calls `POST https://api.dropboxapi.com/oauth2/token` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.dropboxapi.com/oauth2/token` If this points at an external API, prefix i…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST https://api.github.com/repos/laurent22/${project}/releases (packages/tools/tool-utils.ts:432)
`packages/tools/tool-utils.ts:432` calls `POST https://api.github.com/repos/laurent22/${project}/releases` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.github.com/repos/laurent22/<p>/releases` If this p…
Dangling fetch · Fetch
high System graph security security conf 1.00 3 occurrences Insecure pattern 'eval_used'
Found a known-risky pattern (eval_used). Review and replace if possible.
3 files, 3 locations
packages/app-mobile/components/ExtendedWebView/index.jest.tsx:24
packages/app-mobile/components/ExtendedWebView/index.web.tsx:111
readme/cla/consent_records/jellyfrostt_73933245.json:73
Eval used
high System graph security security conf 1.00 15 occurrences Insecure pattern 'exec_used'
Found a known-risky pattern (exec_used). Review and replace if possible.
15 files, 15 locations
Assets/TinyMCE/JoplinLists/src/main/ts/ui/Buttons.ts:62
packages/app-cli/app/fuzzing.js:2073
packages/app-desktop/gui/NoteEditor/NoteBody/TinyMCE/plugins/lists.js:2135
packages/app-desktop/tools/execCommand.js:7
packages/app-mobile/utils/database-driver-react-native.web.ts:93
packages/lib/database-driver-better-sqlite.ts:65
packages/lib/database-driver-node.ts:87
packages/lib/database-driver.ts:24
packages/lib/database.ts:209
packages/lib/DropboxApi.js:106
packages/lib/JoplinServerApi.ts:303
packages/lib/onedrive-api.ts:271
packages/lib/services/interop/InteropService_Importer_Base.ts:28
packages/lib/services/interop/InteropService_Importer_Custom.ts:19
packages/lib/services/interop/InteropService_Importer_EnexToHtml.ts:6
Exec used
high System graph security security conf 1.00 Insecure pattern 'exec_used' in packages/lib/services/interop/InteropService_Importer_EnexToMd.ts:42
Found a known-risky pattern (exec_used). Review and replace if possible.
packages/lib/services/interop/InteropService_Importer_EnexToMd.ts:42 Exec used
high System graph security security conf 1.00 Insecure pattern 'exec_used' in packages/lib/services/interop/InteropService_Importer_Jex.ts:9
Found a known-risky pattern (exec_used). Review and replace if possible.
packages/lib/services/interop/InteropService_Importer_Jex.ts:9 Exec used
high System graph security security conf 1.00 Insecure pattern 'exec_used' in packages/lib/services/interop/InteropService_Importer_Md.ts:21
Found a known-risky pattern (exec_used). Review and replace if possible.
packages/lib/services/interop/InteropService_Importer_Md.ts:21 Exec used
high System graph security security conf 1.00 Insecure pattern 'exec_used' in packages/lib/services/interop/InteropService_Importer_Raw.ts:19
Found a known-risky pattern (exec_used). Review and replace if possible.
packages/lib/services/interop/InteropService_Importer_Raw.ts:19 Exec used
high System graph security security conf 1.00 Insecure pattern 'exec_used' in packages/tools/gulp/utils.js:31
Found a known-risky pattern (exec_used). Review and replace if possible.
packages/tools/gulp/utils.js:31 Exec used
high System graph security security conf 1.00 Insecure pattern 'exec_used' in packages/tools/tool-utils.ts:121
Found a known-risky pattern (exec_used). Review and replace if possible.
packages/tools/tool-utils.ts:121 Exec used
medium Security checks quality Error handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
packages/turndown/src/html-parser.js:22
low Security checks security Deserialization conf 1.00 [SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.
Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data.
packages/tools/website/utils/frontMatter.ts:62
medium Security checks software Open redirect conf 1.00 [SEC046] Client-side open redirect — window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). Complement to server-side SEC030.
Validate the URL is same-origin or on an explicit allowlist before assignment: const u = new URL(serverUrl, location.href); if (u.origin !== location.origin && !ALLOWED.includes(u.host)) return; location.assign(u); Even better: have the server return a path (/checkout/done) instead of a full …
Assets/WebsiteAssets/js/script.js:160
medium Security checks quality Quality conf 1.00 3 occurrences [SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0).
Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser).
3 files, 3 locations
packages/app-desktop/gui/DialogButtonRow/useKeyboardHandler.ts:14
packages/app-desktop/gui/NoteEditor/utils/resourceHandling.ts:214
packages/app-desktop/gui/OneDriveLoginScreen.tsx:40
medium Security checks security Crypto conf 1.00 [SEC107] Weak TLS version requested (TLSv1.0, TLSv1.1, SSLv3, SSLv2): TLS 1.0 and 1.1 were deprecated by IETF in 2021 (RFC 8996). Most browsers no longer support them. Code requesting these protocols is talking to an attacker-controllable downgrade target.
Use TLSv1.2 minimum, TLSv1.3 preferred. Java: `SSLContext.getInstance("TLSv1.2")`. Python: `ssl.PROTOCOL_TLS_CLIENT` + `MinimumVersion = TLSVersion.TLSv1_2`. Go: `MinVersion: tls.VersionTLS12`.
packages/app-mobile/android/app/src/main/java/net/cozic/joplin/ssl/SslUtils.java:31
low Security checks quality Quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
packages/app-mobile/components/screens/onedrive-login.js:18
medium Security checks quality Quality conf 0.76 Compliance or security claim is near a placeholder link
Link trust claims to current evidence, downgrade unverifiable wording, and replace placeholder footer/legal/security links with real destinations.
packages/app-desktop/gui/EncryptionConfigScreen/EncryptionConfigScreen.tsx:228
medium Security checks quality Quality conf 0.76 Compliance or security claim is near a placeholder link
Link trust claims to current evidence, downgrade unverifiable wording, and replace placeholder footer/legal/security links with real destinations.
packages/app-desktop/gui/ConfigScreen/controls/MissingPasswordHelpLink.tsx:20
medium Security checks cicd CI/CD security conf 0.86 Database dump or local database file is included in Docker build context
Move database dumps outside the Docker build context or exclude them with .dockerignore. Keep backup and restore artifacts in private object storage or a dedicated backup workflow.
.dockerignore · CI/CD security · containers
medium Security checks quality Quality conf 0.82 Parallel implementation file sits beside a canonical file
Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point.
packages/server/src/models/ChangeModel/ChangeModel.old.ts:1
medium Security checks quality Quality conf 0.82 Parallel implementation file sits beside a canonical file
Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point.
packages/server/src/models/ChangeModel/ChangeModel.new.ts:1
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/app-desktop/gui/EncryptionConfigScreen/EncryptionConfigScreen.tsx:557
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/app-desktop/gui/NoteEditor/NoteBody/WhiteboardEditor/nodes/FileNode.tsx:180
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/app-desktop/gui/NoteEditor/NoteBody/WhiteboardEditor/nodes/TextNode.tsx:127
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/app-desktop/gui/NoteEditor/NoteBody/WhiteboardEditor/useCheckboxToggle.ts:9
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/app-desktop/gui/NoteListItem/utils/getNoteTitleHtml.ts:34
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/app-desktop/plugins/GotoAnything.tsx:593
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/app-cli/app/command-apidoc.ts:159
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/app-desktop/checkForUpdates.ts:28
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/app-desktop/services/autoUpdater/AutoUpdaterService.ts:114
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/app-desktop/sign.js:35
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/app-desktop/tools/githubReleasesUtils.ts:28
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/app-desktop/utils/customProtocols/handleCustomProtocols.ts:234
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/app-mobile/components/plugins/backgroundPage/startStopPlugin.ts:39
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/app-mobile/components/voiceTyping/AudioRecordingBanner.tsx:72
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/app-mobile/PluginAssetsLoader.ts:45
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/app-mobile/utils/shim-init-react/index.web.ts:58
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/app-mobile/utils/shim-init-react/shimInitShared.ts:46
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/fork-htmlparser2/src/FeedHandler.ts:63
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/lib/DropboxApi.js:85
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/lib/file-api-driver-amazon-s3.js:250
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/lib/geolocation-node.ts:22
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/lib/JoplinServerApi.ts:220
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/lib/net-utils.ts:4
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/lib/onedrive-api.ts:172
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/lib/services/joplinCloudUtils.ts:110
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/lib/shim-init-node.ts:684
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/lib/shim.ts:330
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/lib/WebDavApi.ts:392
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/plugin-repo-cli/commands/updateRelease.ts:39
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/plugin-repo-cli/lib/searchPlugins.ts:47
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/server/src/routes/index/stripe.ts:445
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/tools/build-release-stats.ts:180
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/tools/fetchPatreonPosts.js:29
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/tools/fuzzer/ipc/Client.ts:557
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/tools/licenses/buildReport.ts:46
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/tools/release-android.ts:224
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/tools/saveClaConsentRecords.ts:59
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/tools/tool-utils.ts:326
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/transcribe/src/api/handler/createJob.test.ts:23
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/transcribe/src/services/queue/PgBossQueue.ts:60
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/transcribe/src/services/queue/SqliteQueue.test.ts:53
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/transcribe/src/services/queue/SqliteQueue.ts:86
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/transcribe/src/types.ts:45
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph cicd CI/CD security conf 1.00 7 occurrences GitHub Action is tag-pinned rather than SHA-pinned
pascalgn/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
5 files, 7 locations
.github/workflows/cla.yml:16 (2 hits)
.github/workflows/shared/setup-build-environment/action.yml:50, 52 (2 hits)
.github/workflows/automerge.yml:21
.github/workflows/build-macos-m1.yml:12
.github/workflows/comment-on-failure.yml:14
CI/CD security · Supply chain · GitHub Actions
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/automerge.yml · CI/CD security · Supply chain · GitHub Actions
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in packages/app-desktop/gui/EncryptionConfigScreen/EncryptionConfigScreen.tsx:557
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
packages/app-desktop/gui/EncryptionConfigScreen/EncryptionConfigScreen.tsx:557 Dangerous innerhtml
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in packages/app-desktop/gui/NoteEditor/NoteBody/WhiteboardEditor/nodes/FileNode.tsx:180
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
packages/app-desktop/gui/NoteEditor/NoteBody/WhiteboardEditor/nodes/FileNode.tsx:180 Dangerous innerhtml
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in packages/app-desktop/gui/NoteEditor/NoteBody/WhiteboardEditor/nodes/TextNode.tsx:127
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
packages/app-desktop/gui/NoteEditor/NoteBody/WhiteboardEditor/nodes/TextNode.tsx:127 Dangerous innerhtml
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in packages/app-desktop/plugins/GotoAnything.tsx:593
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
packages/app-desktop/plugins/GotoAnything.tsx:593 Dangerous innerhtml
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in readme/cla/consent_records/andy1631_46966845.json:363
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
readme/cla/consent_records/andy1631_46966845.json:363 Dangerous innerhtml
low Security checks cicd CI/CD security conf 0.72 .dockerignore misses sensitive defaults
Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases.
.dockerignore · CI/CD security · containers
low Security checks cicd CI/CD security conf 0.72 3 occurrences Dockerfile installs recommended OS packages
Add `--no-install-recommends` and explicitly list only packages the image needs.
3 files, 3 locations
Dockerfile.server:7
Dockerfile.transcribe:3
Dockerfile.transcribe.gpu:28
CI/CD security · containers
low Security checks quality Quality conf 0.64 Duplicate top-level symbol appears in a patch-style file
Keep one authoritative implementation, update imports to point at it, and remove or rename the duplicate symbol.
packages/server/src/models/ChangeModel/ChangeModel.new.ts:1
low Security checks quality Quality conf 0.60 15 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
12 files, 12 locations
Assets/TinyMCE/langs/es_ES.js:2
Assets/TinyMCE/langs/es_MX.js:361
Assets/TinyMCE/langs/fa_IR.js:2
Assets/TinyMCE/langs/gl.js:129
Assets/TinyMCE/langs/hr.js:97
Assets/TinyMCE/langs/it_IT.js:2
Assets/TinyMCE/langs/nb_NO.js:30
Assets/TinyMCE/langs/pt_PT.js:30
duplication · quality
low System graph quality Maintenance conf 1.00 193 TODO/FIXME markers
High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: jest.base-setup.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: jest.config.base.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: lint-staged.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/fork-sax/test/attribute-name.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/fork-sax/test/attribute-no-space.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/fork-sax/test/attribute-unquoted.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/fork-sax/test/bom.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/fork-sax/test/buffer-overrun.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/fork-sax/test/case.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/fork-sax/test/cdata-chunked.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/fork-sax/test/cdata-end-split.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/fork-sax/test/cdata-fake-end.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/fork-sax/test/cdata-multiple.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/fork-sax/test/cdata.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols (36 files under packages/fork-sax/test/):
Source file with no class/function declarations — possible config, dead code, or scratch file.
packages/fork-sax/test/cyrillic.js
packages/fork-sax/test/duplicate-attribute.js
packages/fork-sax/test/emoji.js
packages/fork-sax/test/end_empty_stream.js
packages/fork-sax/test/entities.js
packages/fork-sax/test/entity-mega.js
packages/fork-sax/test/entity-nan.js
packages/fork-sax/test/flush.js
packages/fork-sax/test/issue-23.js
packages/fork-sax/test/issue-30.js
packages/fork-sax/test/issue-35.js
packages/fork-sax/test/issue-47.js
packages/fork-sax/test/issue-49.js
packages/fork-sax/test/issue-84.js
packages/fork-sax/test/issue-86.js
packages/fork-sax/test/not-string.js
packages/fork-sax/test/opentagstart.js
packages/fork-sax/test/script-close-better.js
packages/fork-sax/test/script.js
packages/fork-sax/test/self-closing-child.js
packages/fork-sax/test/self-closing-tag.js
packages/fork-sax/test/stray-ending.js
packages/fork-sax/test/trailing-non-whitespace.js
packages/fork-sax/test/unclosed-root.js
packages/fork-sax/test/unquoted.js
packages/fork-sax/test/utf8-split.js
packages/fork-sax/test/xml-internal-entities.js
packages/fork-sax/test/xml_entities.js
packages/fork-sax/test/xmlns-as-tag-name.js
packages/fork-sax/test/xmlns-issue-41.js
packages/fork-sax/test/xmlns-strict.js
packages/fork-sax/test/xmlns-unbound.js
packages/fork-sax/test/xmlns-xml-default-ns.js
packages/fork-sax/test/xmlns-xml-default-prefix-attribute.js
packages/fork-sax/test/xmlns-xml-default-prefix.js
packages/fork-sax/test/xmlns-xml-default-redefine.js
low System graph security security conf 1.00 Insecure pattern 'document_write' in packages/app-desktop/gui/NewWindowOrIFrame.tsx:50
Found a known-risky pattern (document_write). Review and replace if possible.
packages/app-desktop/gui/NewWindowOrIFrame.tsx:50 Document write
low System graph quality Integrity conf 1.00 Old/deprecated-named symbols (17 locations):
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
`ChangeModelOld` in packages/server/src/migrations/planned/regroup_changes.test.ts:3
`ChangeModelOld` in packages/server/src/models/ChangeModel/ChangeModel.test.ts:7
`ChangeModelOld` in packages/server/src/models/ChangeModel/ChangeModel.ts:6
`checksum_v1` in packages/app-desktop/ElectronAppWrapper.ts:220
`create_folder_v2` in packages/lib/DropboxApi.js:101
`create_folder_v2` in packages/lib/file-api-driver-dropbox.js:172
`createTextPatchLegacy` in packages/lib/models/Revision.test.ts:112
`createTextPatchLegacy` in packages/lib/models/Revision.ts:26
`errorOnDeprecated` in packages/app-desktop/jest.config.js:47
`errorOnDeprecated` in packages/pdf-viewer/jest.config.js:49
`errorOnDeprecated` in packages/renderer/jest.config.js:52
`folder1_v2` in packages/server/src/models/ItemModel.test.ts:482
`htr_sample_copy` in packages/transcribe/src/workers/JobProcessor.test.ts:42
`n1_v1` in packages/lib/services/RevisionService.test.ts:50
`plainTextOld` in packages/lib/services/e2ee/EncryptionService.test.ts:66
`pluginsLegacy` in packages/app-desktop/gui/WindowCommandsAndDialogs/WindowCommandsAndDialogs.tsx:32
`pluginsLegacy` in packages/lib/reducer.ts:179
Tags: old marker, Dead code
low System graph cicd CI/CD security conf 1.00 35 occurrences package.json defines install-time lifecycle scripts
preinstall/install/postinstall/prepare scripts execute during dependency installation. Review them carefully for network calls, obfuscation, shell execution, or credential access.
12 files, 12 locations
Assets/TinyMCE/IconPack/package.json
package.json
packages/app-cli/tests/support/plugins/clipboard/package.json
packages/app-cli/tests/support/plugins/codemirror5-and-codemirror6/package.json
packages/app-cli/tests/support/plugins/codemirror6/package.json
packages/app-cli/tests/support/plugins/codemirror_content_script/package.json
packages/app-cli/tests/support/plugins/content_script/package.json
packages/app-cli/tests/support/plugins/dialog/package.json
Tags: CI/CD security, Supply chain, Npm
low System graph frontend Frontend quality conf 1.00 React Flow <Controls> without dark theming — packages/app-desktop/gui/NoteEditor/NoteBody/WhiteboardEditor/WhiteboardSurface.tsx:351
`<Controls>` ships with white buttons. Override `.react-flow__controls` and `.react-flow__controls-button` in your stylesheet or pass a styled wrapper. Why: P1 in CHECKLIST.md — vendor defaults bleed light through. Rule id: fq.controls.no-bg
Fq controls no bg
low System graph frontend Frontend quality conf 1.00 React Flow <MiniMap> without dark background — packages/app-desktop/gui/NoteEditor/NoteBody/WhiteboardEditor/WhiteboardSurface.tsx:352
A bare <MiniMap> renders with the vendor's white default in dark themes. Wrap the canvas in a class that overrides `.react-flow__minimap` background, or pass an explicit `style`/`maskColor`/`bgColor`. Why: P1 in CHECKLIST.md — vendor defaults bleed light through. Rule id: fq.minimap.no-bg
Fq minimap no bg
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS (32 locations):
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
packages/app-cli/tests/support/plugins/codemirror_content_script/src/joplinMatchHighlighter.js:10
packages/app-cli/tests/support/plugins/nativeModule/src/index.ts:18
packages/app-clipper/content_scripts/JSDOMParser.js:882
packages/app-desktop/gui/hooks/useEffectDebugger.ts:24
packages/app-desktop/gui/hooks/useImperativeHandlerDebugger.ts:24
packages/app-desktop/tools/bundleJs.ts:58
packages/app-desktop/tools/generateLatestArm64Yml.ts:63
packages/app-desktop/tools/githubReleasesUtils.ts:23
packages/app-desktop/tools/modifyReleaseAssets.ts:38
packages/app-desktop/tools/notarizeMacApp.ts:43
packages/app-desktop/tools/resolveSourceMap.ts:50
packages/app-mobile/components/plugins/PluginRunnerWebView.tsx:174
packages/app-mobile/contentScripts/markdownEditorBundle/useWebViewSetup.ts:85
packages/app-mobile/tools/buildInjectedJs/BundledFile.ts:88
packages/app-mobile/web/serviceWorker.ts:158
packages/default-plugins/buildDefaultPlugins.ts:46
packages/default-plugins/commands/editPatch.ts:27
packages/fork-sax/test/script.js:2
packages/lib/services/search/SearchEngine.test.ts:224
packages/lib/services/search/SearchFilter.test.ts:785
packages/lib/utils/dom/makeSandboxedIframe.ts:35
packages/pdf-viewer/hooks/useScaledSize.ts:24
packages/pdf-viewer/hooks/useScrollSaver.ts:34
packages/plugin-repo-cli/index.ts:144
packages/renderer/assets/abc/abcjs-basic-min.js:3
packages/renderer/htmlUtils.test.ts:95
packages/tools/licenses/licenseStatementBuilder.ts:103
packages/tools/packageJsonLint.ts:7
packages/tools/release-ios.ts:15
packages/tools/tool-utils.ts:200
packages/tools/updateCanary.ts:32
packages/utils/cli.ts:19
Tag: Fq console leak
low System graph api Wiring conf 1.00 Unused endpoint: DELETE
`packages/lib/file-api-driver-webdav.js` declares `DELETE ` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET
`packages/server/src/routes/default.ts` declares `GET ` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph quality Complexity conf 1.00 Very large files (9 files):
Files with >800 lines often hide complexity hotspots and discourage tests.
packages/app-clipper/content_scripts/Readability.js (2305 lines)
packages/app-desktop/gui/NoteEditor/NoteBody/TinyMCE/plugins/lists.js (2167 lines)
packages/app-desktop/gui/NoteEditor/NoteBody/TinyMCE/TinyMCE.tsx (1663 lines)
packages/app-desktop/utils/checkForUpdatesUtilsTestData.ts (6421 lines)
packages/app-mobile/components/screens/Note/Note.tsx (1961 lines)
packages/lib/models/settings/builtInMetadata.ts (2145 lines)
packages/lib/reducer.ts (1648 lines)
packages/lib/Synchronizer.ts (1289 lines)
packages/renderer/MdToHtml/rules/katex_mhchem.js (1732 lines)
This page is publicly accessible at: https://repobility.com/scan/1350e53b-3faa-4b9e-a365-be3c192a7c1a/