Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo

Scan timing: clone 4.85s · analysis 1.91s · 3.7 MB · GitHub API rate-limit (preflight)

Legcord/Legcord

https://github.com/Legcord/Legcord · scanned 2026-05-31 01:22 UTC (5 days, 6 hours ago) · 10 languages

221 findings (51 legacy + 170 scanner) 56th percentile · Typescript · small (2-20K LoC) Scanner says 65 (higher by 4)

File as issue Image v2 schema
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 5 days, 6 hours ago · v2 · 136 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

JSON
Combined
76.6
/100
Repobility
88
51 legacy
9-layer
65
88.9% cov · 85 gaps
Critical
2
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 100.0 0.15 15.00
security_score 96.0 0.25 24.00
testing_score 0.0 0.20 0.00
documentation_score 76.0 0.15 11.40
practices_score 72.0 0.15 10.80
code_quality 78.8 0.10 7.88
Overall 1.00 69.1
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 2 High 23 Medium 19 Low 75 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Legacy 51 9-layer 85 Crowd 0 Layer: Security 5 Quality 37 Software 40 Frontend 35 Cicd 15 Api 4
Scan summary Repository scanned at 64.9/100 with 88.9% coverage. It contains 515 nodes across 6 cross-layer flows, written primarily in mixed languages. Engine surfaced 85 findings — concentrated in frontend (35), software (21), cicd (15). Risk profile is high: 0 critical, 3 high, 15 medium. Recommended next step: open the frontend layer findings first — that's where the highest-impact wins live.

Showing 119 of 136 findings. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

critical Legacy quality quality conf 1.00 ✓ Repobility [MINED005] Lua Loadstring: loadstring/load executes Lua code. Code injection.
Review and fix per the pattern semantics. See CWE-95 / for context.
src/discord/preload/patches.mts:144 qualitylegacy
critical Legacy quality quality conf 1.00 ✓ Repobility [MINED035] Js New Function: new Function(...) compiles strings to functions.
Review and fix per the pattern semantics. See CWE-95 / for context.
src/discord/preload/plugins.mts:62 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED002] Dart Null Bang: value! throws on null. Use ?. or null check.
Review and fix per the pattern semantics. See CWE-476 / for context.
src/discord/preload/titlebar.mts:33 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED008] Swift Force Unwrap: optional! crashes on nil. Use guard let or if let.
Review and fix per the pattern semantics. See CWE-476 / for context.
src/discord/preload/titlebar.mts:33 qualitylegacy
high Legacy software xxe conf 1.00 [SEC027] XML External Entity (XXE) — Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs.
Pass `noent: false` to libxmljs. Avoid xml2js or pass explicit secure config. Prefer parsers that don't expand external entities at all.
scripts/utils/updateMeta.mts:55 xxelegacy
low Legacy quality quality conf 1.00 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
Use execFile / spawn with separate args array; never pass shell strings.
src/common/themes.ts:27 qualitylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/cache/restore` pinned to mutable ref `@v5`
`uses: actions/cache/restore@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/package.yml:47 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/cache/save` pinned to mutable ref `@v5`
`uses: actions/cache/save@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/package.yml:72 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/checkout` pinned to mutable ref `@v6`
`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/package.yml:20 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/checkout` pinned to mutable ref `@v6`
`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/meta.yml:19 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/checkout` pinned to mutable ref `@v6`
`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/lint.yml:10 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/download-artifact` pinned to mutable ref `@v6`
`uses: actions/download-artifact@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/package.yml:96 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/setup-node` pinned to mutable ref `@v6`
`uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/package.yml:31 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/setup-node` pinned to mutable ref `@v6`
`uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/meta.yml:23 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/upload-artifact` pinned to mutable ref `@v6`
`uses: actions/upload-artifact@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/package.yml:83 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `biomejs/setup-biome` pinned to mutable ref `@v2`
`uses: biomejs/setup-biome@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/lint.yml:12 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `ncipollo/release-action` pinned to mutable ref `@v1`
`uses: ncipollo/release-action@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/package.yml:115 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `ncipollo/release-action` pinned to mutable ref `@v1`
`uses: ncipollo/release-action@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/package.yml:102 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `pnpm/action-setup` pinned to mutable ref `@v6`
`uses: pnpm/action-setup@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/package.yml:28 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `samuelmeuli/action-snapcraft` pinned to mutable ref `@v3`
`uses: samuelmeuli/action-snapcraft@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/package.yml:44 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `vedantmgoyal9/winget-releaser` pinned to mutable ref `@main`
`uses: vedantmgoyal9/winget-releaser@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/winget.yml:9 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility package.json dep `arrpc` pulled from URL/Git
`dependencies.arrpc` = `github:Legcord/arrpc#efe7589762470d32b9ba10d529be5acc23cd0e19` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload.
package.json:1 dependencylegacy
high 9-layer api wiring conf 1.00 Dangling fetch: GET https://api.github.com/repos/Legcord/Legcord/contributors (src/shelter/settings/components/AboutPopup.tsx:23)
`src/shelter/settings/components/AboutPopup.tsx:23` calls `GET https://api.github.com/repos/Legcord/Legcord/contributors` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.github.com/repos/legcord/legcord/co…
wiringdangling-fetchfetch
high 9-layer api wiring conf 1.00 Dangling fetch: GET https://cdn.discordapp.com/icons/${guildID}/${guildIcon}.png (src/discord/touchbar.ts:53)
`src/discord/touchbar.ts:53` calls `GET https://cdn.discordapp.com/icons/${guildID}/${guildIcon}.png` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/cdn.discordapp.com/icons/<p>/<p>.png` If this points at an …
wiringdangling-fetchfetch
high 9-layer api wiring conf 1.00 Dangling fetch: GET https://legcord.app/latest.json (src/shelter/settings/components/HeroUpdater.tsx:9)
`src/shelter/settings/components/HeroUpdater.tsx:9` calls `GET https://legcord.app/latest.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/legcord.app/latest.json` If this points at an external API, prefi…
wiringdangling-fetchfetch
medium Legacy quality error_handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
src/discord/screenshare.ts:25 error_handlinglegacy
medium Legacy quality error_handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
src/discord/globalKeybinds.ts:22 error_handlinglegacy
low Legacy security security conf 1.00 [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility.
Add rel="noopener noreferrer" to every <a target="_blank">: <a href="..." target="_blank" rel="noopener noreferrer">link</a> For dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden — costs nothing.
src/shelter/settings/components/SupportBanner.tsx:40 securitylegacy
low Legacy security security conf 1.00 [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility.
Add rel="noopener noreferrer" to every <a target="_blank">: <a href="..." target="_blank" rel="noopener noreferrer">link</a> For dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden — costs nothing.
src/shelter/settings/components/HeroUpdater.tsx:34 securitylegacy
medium Legacy quality quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
src/shelter/screenshare/components/ScreensharePicker.tsx:29 qualitylegacy
medium Legacy quality quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
src/discord/preload/patches.mts:139 qualitylegacy
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — assets/app/js/monacoLoader.js:6
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/common/dom.ts:25
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/common/themes.ts:206
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/discord/extensions/modloader.ts:25
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/discord/touchbar.ts:53
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/protocol.ts:30
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/shelter/settings/components/HeroUpdater.tsx:9
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
biomejs/setup-biome@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/lint.yml:12 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
pnpm/action-setup@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/package.yml:28 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
samuelmeuli/action-snapcraft@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/package.yml:44 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
ncipollo/release-action@v1 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/package.yml:102 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
ncipollo/release-action@v1 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/package.yml:115 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/meta.yml supply-chaingithub-actionsleast-privilege
medium 9-layer security coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
coverageauth
medium 9-layer quality tests conf 1.00 Very low test-to-source ratio
0 test file(s) for 91 source file(s) (ratio 0.00). Consider adding integration or unit tests for critical paths.
testscoverage
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
src/shelter/settings/components/icons/QuickActionIcons.tsx:38 qualitylegacy
low Legacy quality quality conf 0.70 Generated build artifact directory is present at repository root
Committed build outputs and caches make scans slower, confuse duplicate-code checks, and give AI agents stale generated code to imitate.
build:1 qualitylegacy
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: docs/examples/hello-plugin/main.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: docs/examples/hello-plugin/preload.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: lune.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: rolldown.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/@types/consts.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/@types/cssModules.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/@types/i18nStrings.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/@types/keybind.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/@types/legcordWindow.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/@types/ModBundle.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/@types/settings.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/@types/themeManifest.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/@types/windowState.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/common/consts.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/discord/preload/bridge.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/discord/preload/themes.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/protocol.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/rpc.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/setup/tray.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/shared/consts/paths.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/updater.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/lint.yml:10 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-node@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/meta.yml:23 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/package.yml:20 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-node@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/package.yml:31 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/cache/restore@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/package.yml:47 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/cache/save@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/package.yml:72 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/upload-artifact@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/package.yml:83 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/download-artifact@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/package.yml:96 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 package.json defines install-time lifecycle scripts
preinstall/install/postinstall/prepare scripts execute during dependency installation. Review them carefully for network calls, obfuscation, shell execution, or credential access.
package.json supply-chainnpminstall-scripts
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — assets/app/js/patchVencordQuickCSS.js:23
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/common/config.ts:89
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/common/detectables.ts:33
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/common/dom.ts:37
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/common/flags.ts:133
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/common/keybindActions.ts:52
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/common/lang.ts:22
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/common/themes.ts:32
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/common/windowState.ts:45
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/discord/extensions/csp.ts:17
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/discord/extensions/modloader.ts:35
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/discord/extensions/plugin.ts:10
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/discord/globalKeybinds.ts:26
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/discord/ipc.ts:95
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/discord/plugins/manager.ts:167
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/discord/rpcProcess.ts:22
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/discord/screenshare.ts:8
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/discord/touchbar.ts:39
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/discord/venmic.ts:31
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/discord/window.ts:83
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/main.ts:73
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/rpc.ts:20
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/setup/main.ts:52
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/setup/setup.tsx:361
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/setup/tray.ts:36
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/shelter/rpc/index.ts:20
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/shelter/screenshare/index.tsx:70
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/shelter/settings/components/BackupSection.tsx:138
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/shelter/settings/components/KeybindCard.tsx:18
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/shelter/settings/components/KeybindMaker.tsx:41
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/shelter/settings/index.ts:46
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/shelter/settings/pages/RegisteredGamesPage.tsx:56
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/shelter/settings/pages/ThemesPage.tsx:38
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/shelter/settings/settings.ts:25
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/shelter/titlebar/index.ts:53
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer api wiring conf 1.00 Unused endpoint: DELETE
`src/main.ts` declares `DELETE ` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low Legacy quality quality conf 1.00 ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
src/common/themes.ts:205 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
assets/app/js/adguard.js:73 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
Review and fix per the pattern semantics. See CWE-476 / for context.
src/discord/preload/patches.mts:201 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
Review and fix per the pattern semantics. See CWE-476 / for context.
src/discord/menu.ts:48 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
Review and fix per the pattern semantics. See CWE-476 / for context.
src/discord/extensions/modloader.ts:58 qualitylegacy
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/2025d0cc-4d3e-4226-82d5-1af68c4c8592/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/2025d0cc-4d3e-4226-82d5-1af68c4c8592/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.