Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
62 of your 145 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 6.19s · analysis 12.12s · 95.0 MB · GitHub API rate-limit (preflight)

PostHog/posthog-js

https://github.com/PostHog/posthog-js · scanned 2026-06-05 18:32 UTC (4 days, 18 hours ago) · 10 languages

1216 raw signals (120 security + 1096 graph) 11/13 scanners ran 85th percentile · Typescript · large (100-500K LoC) System graph score 52 (higher by 32)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 4 days, 18 hours ago · v2 · 596 actionable findings from 2 signal sources. 72 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
66.9
/100
Security checks
82
57 findings
System graph
52
100.0% cov · 539 findings
Critical
119
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 60.0 0.15 9.00
security_score 100.0 0.25 25.00
testing_score 95.0 0.20 19.00
documentation_score 91.0 0.15 13.65
practices_score 73.0 0.15 10.95
code_quality 70.0 0.10 7.00
Overall 1.00 84.6
security_score may be inflated — optional security scanners were skipped on this fast scan
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 119 High 36 Medium 43 Low 255 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 57 System graph 539 Crowd 0 Layer: Security 131 Cicd 8 Quality 176 Software 55 Frontend 178 Hardware 3 Api 45
Corpus Intelligence Cross-corpus context (cohort percentile, top patterns, fix plan) is shown only on repositories you own. Sign up and connect your repo to view it.
Scan summary Ranks in the 53rd percentile among medium-sized repos. Strongest dependencies (90), testing (75); weakest security (32), practices (48). 50 findings. Most common pattern: cpp-new-without-delete.

Showing 452 of 596 actionable findings. 668 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

high Security checks security auth conf 0.88 Token handoff appears to use a callback URL or fragment
Use a server-side one-time authorization code tied to a registered callback allowlist. Do not append access tokens to callback URLs or fragments.
packages/browser/src/posthog-surveys.ts:217
high Security checks security auth conf 0.88 Token handoff appears to use a callback URL or fragment
Use a server-side one-time authorization code tied to a registered callback allowlist. Do not append access tokens to callback URLs or fragments.
packages/browser/src/posthog-featureflags.ts:1154
critical System graph security Secrets conf 1.00 Possible secret in packages/browser/playground/redux-todo-list/src/store.ts
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
packages/browser/playground/redux-todo-list/src/store.ts:330
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.10.0.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.10.0.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.10.1.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.10.1.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.10.2.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.10.2.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.12.0.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.12.0.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.15.0.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.15.0.json:75
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.16.0.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.16.0.json:75
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.17.0.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.17.0.json:75
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.17.1.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.17.1.json:75
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.17.2.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.17.2.json:75
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.17.3.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.17.3.json:75
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.17.4.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.17.4.json:75
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.18.0.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.18.0.json:75
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.18.1.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.18.1.json:75
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.19.0.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.19.0.json:75
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.20.0.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.20.0.json:75
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.21.0.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.21.0.json:75
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.21.1.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.21.1.json:75
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.21.2.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.21.2.json:75
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.22.0.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.22.0.json:75
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.23.0.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.23.0.json:75
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.24.0.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.24.0.json:75
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.24.1.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.24.1.json:75
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.24.10.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.24.10.json:75
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.24.11.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.24.11.json:75
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.24.12.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.24.12.json:75
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.24.13.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.24.13.json:75
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.24.14.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.24.14.json:75
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.24.15.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.24.15.json:75
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.24.16.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.24.16.json:75
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.24.17.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.24.17.json:75
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.24.2.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.24.2.json:75
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.24.3.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.24.3.json:75
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.24.4.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.24.4.json:75
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.24.5.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.24.5.json:75
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.24.6.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.24.6.json:75
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.24.7.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.24.7.json:75
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.24.8.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.24.8.json:75
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.24.9.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.24.9.json:75
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.25.0.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.25.0.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.26.0.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.26.0.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.26.1.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.26.1.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.26.2.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.26.2.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.27.0.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.27.0.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.27.1.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.27.1.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.28.0.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.28.0.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.28.1.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.28.1.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.28.10.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.28.10.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.28.11.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.28.11.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.28.2.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.28.2.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.28.3.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.28.3.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.28.4.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.28.4.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.28.5.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.28.5.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.28.6.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.28.6.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.28.7.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.28.7.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.28.8.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.28.8.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.28.9.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.28.9.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.29.0.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.29.0.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.29.1.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.29.1.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.29.2.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.29.2.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.29.3.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.29.3.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.29.4.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.29.4.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.29.5.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.29.5.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.29.6.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.29.6.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.29.7.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.29.7.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.30.0.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.30.0.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.30.1.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.30.1.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.30.2.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.30.2.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.30.3.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.30.3.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.30.4.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.30.4.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.30.5.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.30.5.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.30.6.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.30.6.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.30.7.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.30.7.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.30.8.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.30.8.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.31.0.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.31.0.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.32.0.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.32.0.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.32.1.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.32.1.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.33.0.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.33.0.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.33.1.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.33.1.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.33.2.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.33.2.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.33.3.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.33.3.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.33.4.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.33.4.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.33.5.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.33.5.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.33.6.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.33.6.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.33.7.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.33.7.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.34.0.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.34.0.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.34.1.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.34.1.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.34.10.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.34.10.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.34.2.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.34.2.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.34.3.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.34.3.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.34.4.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.34.4.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.34.5.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.34.5.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.34.6.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.34.6.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.34.7.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.34.7.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.34.8.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.34.8.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.34.9.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.34.9.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.35.0.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.35.0.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.35.1.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.35.1.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.35.10.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.35.10.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.35.11.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.35.11.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.35.12.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.35.12.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.35.13.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.35.13.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.35.14.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.35.14.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.35.15.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.35.15.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.35.2.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.35.2.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.35.3.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.35.3.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.35.4.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.35.4.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.35.5.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.35.5.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.35.6.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.35.6.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.35.7.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.35.7.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.35.8.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.35.8.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.35.9.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.35.9.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.36.0.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.36.0.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.36.1.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.36.1.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.36.2.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.36.2.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.36.3.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.36.3.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/references/posthog-node-references-5.9.1.json
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/references/posthog-node-references-5.9.1.json:54
critical System graph security Secrets conf 1.00 Possible secret in packages/node/src/client.ts
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/node/src/client.ts:156
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState — React skips re-render on mutated reference.
Review and fix per the pattern semantics. See CWE-682 / for context.
scripts/docs/utils.js:141
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState — React skips re-render on mutated reference.
Review and fix per the pattern semantics. See CWE-682 / for context.
compliance/node/adapter.js:68
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /capture has no auth: Express route POST /capture declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/capture', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
compliance/node/adapter.js:92
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /capture has no auth: Express route POST /capture declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/capture', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
compliance/browser/adapter.js:241
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /flags has no auth: Express route POST /flags declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/flags', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
packages/browser/playground/session-recordings/server.js:16
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /flush has no auth: Express route POST /flush declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/flush', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
compliance/node/adapter.js:123
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /flush has no auth: Express route POST /flush declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/flush', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
compliance/browser/adapter.js:270
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /get_feature_flag has no auth: Express route POST /get_feature_flag declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/get_feature_flag', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
compliance/node/adapter.js:148
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /get_feature_flag has no auth: Express route POST /get_feature_flag declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/get_feature_flag', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
compliance/browser/adapter.js:291
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /init has no auth: Express route POST /init declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/init', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
compliance/node/adapter.js:32
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /init has no auth: Express route POST /init declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/init', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
compliance/browser/adapter.js:198
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /reset has no auth: Express route POST /reset declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/reset', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
compliance/node/adapter.js:187
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /reset has no auth: Express route POST /reset declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/reset', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
compliance/browser/adapter.js:375
high Security checks software dependencies conf 0.90 ✓ Repobility 6 occurrences [MINED118] Dockerfile FROM `node:20-alpine` not pinned by digest: `FROM node:20-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM node:20-alpine@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
3 files, 6 locations
packages/browser/playground/react-router/Dockerfile:1, 5, 10, 16 (4 hits)
compliance/browser/Dockerfile:1
compliance/node/Dockerfile:1
high Security checks software dependencies conf 0.90 ✓ Repobility 13 occurrences [MINED122] package.json dep `posthog-node` pulled from URL/Git: `dependencies.posthog-node` = `file:../../target/posthog-node.tgz` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload.
Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI.
11 files, 13 locations
examples/example-convex/package.json:1 (3 hits)
package.json:1
packages/browser/package.json:1
packages/browser/playground/chakra-emotion/package.json:1
packages/browser/playground/csp-violations/package.json:1
packages/browser/playground/error-tracking/next-ts-app/package.json:1
packages/browser/playground/error-tracking/react-ts-esbuild/package.json:1
packages/browser/playground/error-tracking/vue-ts-esbuild/package.json:1
high Security checks software dependencies conf 0.90 ✓ Repobility [MINED134] Binary file `examples/example-expo-53/android/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `examples/example-expo-53/android/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (43,583 bytes) committed to a repo that otherwise has 1278 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts.
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source.
examples/example-expo-53/android/gradle/wrapper/gradle-wrapper.jar:1
low Security checks security Injection conf 1.00 [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.
Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders).
packages/browser/src/utils/event-utils.ts:141
high Security checks cicd CI/CD security conf 0.92 2 occurrences Dockerfile copies the entire context without .dockerignore
Create .dockerignore before using broad context copies, or copy only the required files and directories.
lines 2, 12
packages/browser/playground/react-router/Dockerfile:2, 12 (2 hits)
CI/CD securitycontainers
high Security checks security auth conf 0.83 Secret-like setting is echoed into a password input value
Never prefill secret fields with stored values. Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time.
packages/browser/playground/copy-autocapture/demo.html:37
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/socket (playground/nextjs/pages/_app.tsx:38)
`playground/nextjs/pages/_app.tsx:38` calls `GET /api/socket` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/socket` If this points at an external API, prefix it with `https://` so the matcher skips it.
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://${d}/api/test (packages/browser/playwright/mocked/tracing-headers.spec.ts:42)
`packages/browser/playwright/mocked/tracing-headers.spec.ts:42` calls `GET https://${d}/api/test` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/<p>/api/test` If this points at an external API, prefix it with…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://example.com/path (packages/browser/src/__tests__/tracing-headers.test.ts:221)
`packages/browser/src/__tests__/tracing-headers.test.ts:221` calls `GET https://example.com/path` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/example.com/path` If this points at an external API, prefix it …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://example.com/path (packages/browser/src/__tests__/tracing-headers.test.ts:230)
`packages/browser/src/__tests__/tracing-headers.test.ts:230` calls `GET https://example.com/path` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/example.com/path` If this points at an external API, prefix it …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://example.com/path (packages/browser/src/__tests__/tracing-headers.test.ts:242)
`packages/browser/src/__tests__/tracing-headers.test.ts:242` calls `GET https://example.com/path` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/example.com/path` If this points at an external API, prefix it …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://example.com/path (packages/browser/src/__tests__/tracing-headers.test.ts:250)
`packages/browser/src/__tests__/tracing-headers.test.ts:250` calls `GET https://example.com/path` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/example.com/path` If this points at an external API, prefix it …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://example.com/path (packages/browser/src/__tests__/tracing-headers.test.ts:328)
`packages/browser/src/__tests__/tracing-headers.test.ts:328` calls `GET https://example.com/path` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/example.com/path` If this points at an external API, prefix it …
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/auth/login (playground/nextjs/src/AuthModal.tsx:11)
`playground/nextjs/src/AuthModal.tsx:11` calls `POST /api/auth/login` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/auth/login` If this points at an external API, prefix it with `https://` so the matcher skips it.
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/auth/logout (playground/nextjs/src/AuthModal.tsx:27)
`playground/nextjs/src/AuthModal.tsx:27` calls `POST /api/auth/logout` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/auth/logout` If this points at an external API, prefix it with `https://` so the matcher skips it.
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/endpoint (packages/node/src/client.ts:368)
`packages/node/src/client.ts:368` calls `POST /api/endpoint` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/endpoint` If this points at an external API, prefix it with `https://` so the matcher skips it.
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST https://${d}/api/internal/surveys (packages/browser/playwright/mocked/session-recording/csrf-headers-preserved.spec.ts:138)
`packages/browser/playwright/mocked/session-recording/csrf-headers-preserved.spec.ts:138` calls `POST https://${d}/api/internal/surveys` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/<p>/api/internal/surveys…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: POST https://${d}/api/internal/surveys (packages/browser/playwright/mocked/session-recording/csrf-headers-preserved.spec.ts:181)
`packages/browser/playwright/mocked/session-recording/csrf-headers-preserved.spec.ts:181` calls `POST https://${d}/api/internal/surveys` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: axios Normalized path used for matching: `/https:/<p>/api/internal/surveys…
Dangling fetchAxios
high System graph security security conf 1.00 Insecure pattern 'eval_used' in packages/browser/playground/csp-violations/server.js:275
Found a known-risky pattern (eval_used). Review and replace if possible.
packages/browser/playground/csp-violations/server.js:275 Eval used
medium Security checks security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them.
medium Security checks quality Error handling conf 1.00 3 occurrences [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
3 files, 3 locations
packages/core/src/utils/promise-queue.ts:10
packages/react-native/src/native-deps.tsx:216
packages/react-native/src/optional/OptionalAsyncStorage.ts:8
medium Security checks quality Quality conf 1.00 [SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals — sometimes triggers RCE (Django debug page with arbitrary template eval).
Set DEBUG=False / APP_DEBUG=false in production. Provide a generic 500 handler that logs to backend but returns a sanitized page to clients.
playground/nextjs/pages/_app.tsx:28
medium Security checks quality Quality conf 1.00 [SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals — sometimes triggers RCE (Django debug page with arbitrary template eval).
Set DEBUG=False / APP_DEBUG=false in production. Provide a generic 500 handler that logs to backend but returns a sanitized page to clients.
packages/core/src/gzip.ts:130
low Security checks quality Quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
packages/rrweb/rrweb/src/replay/canvas/webgl.ts:22
low Security checks quality Quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
packages/react-native/src/native-deps.tsx:150
medium Security checks cicd CI/CD security conf 0.90 Docker build context has no .dockerignore
Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases.
.dockerignore CI/CD securitycontainers
high Security checks cicd CI/CD security conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
packages/browser/playground/react-router/Dockerfile:17 CI/CD securitycontainers
medium Security checks cicd CI/CD security conf 0.90 Dockerfile installs dependencies after copying the full source tree
Copy dependency manifests first, install dependencies in a cached layer, then copy the rest of the source tree.
packages/browser/playground/react-router/Dockerfile:4 CI/CD securitycontainers
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/browser/src/extensions/product-tours/components/ProductTourBanner.tsx:91
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/browser/src/extensions/product-tours/components/ProductTourTooltipInner.tsx:81
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/browser/src/extensions/surveys/surveys-extension-utils.tsx:650
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — examples/example-ai-anthropic/chat.ts:28
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — examples/example-ai-gemini/chat.ts:43
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — examples/example-ai-mastra/workflow.ts:20
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — examples/example-ai-openai/chat-completions.ts:28
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — examples/example-ai-openai/responses.ts:28
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — examples/example-ai-vercel-ai/anthropic-streaming.ts:29
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — examples/example-ai-vercel-ai/generate-text.ts:47
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — examples/example-ai-vercel-ai/google-streaming.ts:29
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — examples/example-cloudflare-kv-cache/src/worker.ts:12
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — examples/example-cloudflare/src/index.ts:19
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — examples/example-node/server.ts:16
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/ai/src/prompts.ts:288
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/browser/playground/csp-violations/server.js:399
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/browser/playwright/global-setup-compat.ts:10
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/browser/playwright/mocked/session-recording/csrf-headers-preserved.spec.ts:138
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/browser/playwright/mocked/tracing-headers.spec.ts:42
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/browser/src/__tests__/extensions/replay/external/fetch-wrapper-invariants.test.ts:413
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/browser/src/__tests__/tracing-headers.test.ts:173
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/browser/src/entrypoints/tracing-headers.ts:184
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/browser/src/extensions/replay/external/network-plugin.ts:627
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/browser/testcafe/helpers.js:202
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/core/src/posthog-core-stateless.ts:204
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/core/src/testing/PostHogCoreTestClient.ts:44
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/node/src/client.ts:368
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/react-native/src/posthog-rn.ts:572
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/web/src/posthog-web.ts:67
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — playground/nextjs/pages/_app.tsx:38
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — playground/nextjs/src/AuthModal.tsx:11
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — playground/remix/app/routes/ph-relay-xyz123.$.tsx:19
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph hardware Security conf 1.00 Dockerfile runs as root: packages/browser/playground/react-router/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/release.yml CI/CD securitySupply chainGithub actions
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in packages/browser/src/extensions/product-tours/components/ProductTourBanner.tsx:91
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
packages/browser/src/extensions/product-tours/components/ProductTourBanner.tsx:91 Dangerous innerhtml
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in packages/browser/src/extensions/product-tours/components/ProductTourTooltipInner.tsx:81
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
packages/browser/src/extensions/product-tours/components/ProductTourTooltipInner.tsx:81 Dangerous innerhtml
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in packages/browser/src/extensions/surveys/surveys-extension-utils.tsx:650
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
packages/browser/src/extensions/surveys/surveys-extension-utils.tsx:650 Dangerous innerhtml
high Security checks cicd CI/CD security conf 0.62 Compose service lacks no-new-privileges hardening
Add `security_opt: ["no-new-privileges:true"]` unless the service has a documented need for privilege escalation.
compliance/node/docker-compose.yml:1 CI/CD securitycontainers
high Security checks cicd CI/CD security conf 0.62 Compose service lacks no-new-privileges hardening
Add `security_opt: ["no-new-privileges:true"]` unless the service has a documented need for privilege escalation.
compliance/browser/docker-compose.yml:1 CI/CD securitycontainers
low Security checks quality Quality conf 0.60 18 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
12 files, 13 locations
packages/react-native/src/surveys/surveys-utils.ts:209, 294 (2 hits)
compliance/node/adapter.js:111
packages/ai/src/openai/index.ts:71
packages/browser/playground/redux-todo-list/src/todoLogic.ts:9
packages/browser/playwright.config.ts:3
packages/core/src/types.ts:392
packages/mcp/rslib.config.ts:1
packages/node/rslib.config.ts:1
duplicationquality
low Security checks quality Quality conf 0.74 robots.txt does not advertise a sitemap
Add `Sitemap: https://your-domain.example/sitemap.xml` to robots.txt.
examples/example-web/public/robots.txt
low System graph quality Integrity conf 1.00 38 env vars used in code but missing from .env.example
Drift between code and config docs. The first few: `AUDIO_PATH`, `AWS_DEFAULT_REGION`, `AWS_ENDPOINT_URL_S3`, `BROWSER`, `BROWSER_ONLY`, `CI`, `COMPAT_VERSION`, `DEV` + 30 more. Add them (with a placeholder/comment) to .env.example so onboarding doesn't break.
config drift
low System graph quality Maintenance conf 1.00 88 TODO/FIXME markers
High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.
low System graph hardware Coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
Deployment
low System graph hardware Supply chain conf 1.00 6 occurrences Docker base image is tag-pinned but not digest-pinned: node:20-alpine
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
3 files, 6 locations
packages/browser/playground/react-router/Dockerfile:1, 5, 10, 16 (4 hits)
compliance/browser/Dockerfile:1
compliance/node/Dockerfile:1
containersPinned dependencies
low System graph software Dead code candidate conf 1.00 File has no detected symbols: compliance/node/adapter.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/next/tests/config.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/next/tests/PagesPostHogPageView.test.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/next/tests/PostHogPageView.test.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/next/tests/waitUntil.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/node/rslib.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/node/src/__tests__/crypto.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/node/src/__tests__/experimental.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/node/src/__tests__/extensions/tracing-headers.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/node/src/__tests__/feature-flags.flags.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/node/src/__tests__/feature-flags.overrides.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/node/src/entrypoints/nestjs.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/node/src/experimental.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/node/src/exports.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/node/src/extensions/context/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/nuxt/src/runtime/nitro-plugin.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/types/rslib.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/types/src/capture-log.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/types/src/capture.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/types/src/common.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/types/src/feature-flags.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/types/src/session-recording.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/types/src/survey.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/types/src/toolbar.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/types/src/tree-shakeable.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/react-nextjs/next.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/remix/vite.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/vite/src/main.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/vite/vite.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/webpack/webpack.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/docs/constants.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tooling/eslint-plugin-posthog-js/.eslintrc.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tooling/eslint-plugin-posthog-js/custom-eslint-rules.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tooling/eslint-plugin-posthog-js/no-add-event-listener.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tooling/eslint-plugin-posthog-js/no-direct-array-check.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tooling/eslint-plugin-posthog-js/no-direct-boolean-check.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tooling/eslint-plugin-posthog-js/no-direct-date-check.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tooling/eslint-plugin-posthog-js/no-direct-document-check.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tooling/eslint-plugin-posthog-js/no-direct-file-check.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tooling/eslint-plugin-posthog-js/no-direct-form-data-check.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tooling/eslint-plugin-posthog-js/no-direct-mutation-observer.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tooling/eslint-plugin-posthog-js/no-direct-null-check.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tooling/eslint-plugin-posthog-js/no-direct-number-check.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tooling/eslint-plugin-posthog-js/no-direct-object-check.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tooling/eslint-plugin-posthog-js/no-direct-string-check.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tooling/eslint-plugin-posthog-js/no-direct-undefined-check.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tooling/eslint-plugin-posthog-js/no-external-replay-imports.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tooling/release/src/release-utils.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tooling/release/src/s3.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tooling/release/src/upload-posthog-js-s3.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `__preview_flags_v2` in packages/browser/functional_tests/feature-flags.test.ts:378
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `__preview_flags_v2` in packages/types/src/posthog-config.ts:1682
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `__preview_flags_v2` in playground/nextjs/src/posthog.ts:99
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `indexInOld` in packages/rrweb/rrdom/src/diff.ts:393
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `isMethodDeprecated` in scripts/docs/methods.js:29
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `isMethodDeprecated` in scripts/docs/parser.js:61
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `OptionalExpoFileSystemLegacy` in packages/react-native/src/native-deps.tsx:11
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `OptionalExpoFileSystemLegacy` in packages/react-native/src/optional/OptionalExpoFileSystemLegacy.ts:7
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `OptionalExpoFileSystemLegacy` in packages/react-native/test/storage-expo54-stable.spec.ts:34
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `OptionalExpoFileSystemLegacy` in packages/react-native/test/storage-expo55.spec.ts:34
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `posthogWithDeprecated` in packages/node/src/__tests__/posthog-node.spec.ts:2780
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `signup_flow_v2` in packages/browser/src/posthog-core.ts:1686
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph cicd CI/CD security conf 1.00 5 occurrences package.json defines install-time lifecycle scripts
preinstall/install/postinstall/prepare scripts execute during dependency installation. Review them carefully for network calls, obfuscation, shell execution, or credential access.
5 files, 5 locations
examples/example-nuxt/package.json
packages/browser/package.json
packages/browser/playground/error-tracking/next-ts-app/package.json
packages/browser/playground/nuxtjs/package.json
packages/nuxt/package.json
CI/CD securitySupply chainNpm
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — compliance/browser/adapter.js:389
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — compliance/node/adapter.js:205
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/example-ai-anthropic/chat.ts:65
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/example-ai-anthropic/streaming.ts:44
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/example-ai-aws-bedrock/chat.ts:46
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/example-ai-azure-openai/chat.ts:39
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/example-ai-cerebras/chat.ts:38
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/example-ai-cloudflare-ai-gateway/chat.ts:41
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/example-ai-cohere/chat.ts:38
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/example-ai-convex/generate.ts:43
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/example-ai-dedalus/chat.ts:38
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/example-ai-deepseek/chat.ts:38
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/example-ai-fireworks-ai/chat.ts:38
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/example-ai-gemini/chat.ts:63
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/example-ai-gemini/image-generation.ts:38
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/example-ai-gemini/streaming.ts:41
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/example-ai-groq/chat.ts:38
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/example-ai-helicone/chat.ts:38
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/example-ai-hugging-face/chat.ts:38
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/example-ai-instructor/extract.ts:45
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/example-ai-langchain/callback-handler.ts:36
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/example-ai-langgraph/agent.ts:48
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/example-ai-mastra/workflow.ts:65
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/example-ai-mistral/chat.ts:38
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/example-ai-ollama/chat.ts:38
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/example-ai-openai-agents/multi-agent.ts:66
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/example-ai-openai-agents/single-agent.ts:46
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/example-ai-openai/chat-completions-streaming.ts:48
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/example-ai-openai/chat-completions.ts:75
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/example-ai-openai/embeddings.ts:37
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/example-ai-openai/image-generation.ts:38
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak

Showing first 300 of 452. Refine filters or use the findings page for deep search.

For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/1874ab3f-846a-4195-84e6-26fee77143c6/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/1874ab3f-846a-4195-84e6-26fee77143c6/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.