65 of your 244 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 2.95s · analysis 71.51s · 6.3 MB · GitHub preflight 471ms

libnyanpasu/clash-nyanpasu

https://github.com/libnyanpasu/clash-nyanpasu · scanned 2026-06-05 17:18 UTC (4 days, 21 hours ago) · 10 languages

471 raw signals (211 security + 260 graph) · 22nd percentile · TypeScript · medium (20-100K LoC) · System graph score 78 (lower by 20)


Complete repo analysis

Last scanned 4 days, 21 hours ago · v2 · 189 actionable findings from 2 signal sources. 152 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown — 2026-05-18-v5

| Component | Sub-score | Weight | Contribution |
|---|---|---|---|
| structure_score | 60.0 | 0.15 | 9.00 |
| security_score | 55.0 | 0.25 | 13.75 |
| testing_score | 15.0 | 0.20 | 3.00 |
| documentation_score | 89.6 | 0.15 | 13.44 |
| practices_score | 91.0 | 0.15 | 13.65 |
| code_quality | 57.6 | 0.10 | 5.76 |
| Overall | | 1.00 | 58.6 |

Scan summary Quality grade C (59/100). Dimensions: security 55, maintainability 60. 211 findings (95 security). 71,375 lines analyzed.

Showing 139 of 189 actionable findings. 341 raw detector signals were grouped into reader-sized issues.

high Security checks software dependencies conf 0.88 adler: RUSTSEC-2025-0056
adler crate is unmaintained, use adler2 instead
backend/nyanpasu-egui/Cargo.lock
high Security checks software dependencies conf 0.88 adler: RUSTSEC-2025-0056
adler crate is unmaintained, use adler2 instead
backend/Cargo.lock
high Security checks software dependencies conf 0.88 atk-sys: RUSTSEC-2024-0416
gtk-rs GTK3 bindings - no longer maintained
backend/Cargo.lock
high Security checks software dependencies conf 0.88 atk: RUSTSEC-2024-0413
gtk-rs GTK3 bindings - no longer maintained
backend/Cargo.lock
high Security checks software dependencies conf 0.88 atomic-polyfill: RUSTSEC-2023-0089
atomic-polyfill is unmaintained
backend/Cargo.lock
high Security checks software dependencies conf 0.88 bincode: RUSTSEC-2025-0141
Bincode is unmaintained
backend/Cargo.lock
high Security checks software dependencies conf 0.88 bytes: RUSTSEC-2026-0007
Integer overflow in `BytesMut::reserve`
backend/nyanpasu-egui/Cargo.lock
high Security checks software dependencies conf 0.88 core2: RUSTSEC-2026-0105
core2 is unmaintained, all versions yanked
backend/Cargo.lock
high Security checks software dependencies conf 0.88 fast-uri: GHSA-q3j6-qgpj-74h6
fast-uri vulnerable to path traversal via percent-encoded dot segments
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 fast-uri: GHSA-v39h-62p7-jpjc
fast-uri vulnerable to host confusion via percent-encoded authority delimiters
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 fxhash: RUSTSEC-2025-0057
fxhash - no longer maintained
backend/Cargo.lock
high Security checks software dependencies conf 0.88 gdk-sys: RUSTSEC-2024-0418
gtk-rs GTK3 bindings - no longer maintained
backend/Cargo.lock
high Security checks software dependencies conf 0.88 gdk: RUSTSEC-2024-0412
gtk-rs GTK3 bindings - no longer maintained
backend/Cargo.lock
high Security checks software dependencies conf 0.88 gdkwayland-sys: RUSTSEC-2024-0411
gtk-rs GTK3 bindings - no longer maintained
backend/Cargo.lock
high Security checks software dependencies conf 0.88 gdkx11-sys: RUSTSEC-2024-0414
gtk-rs GTK3 bindings - no longer maintained
backend/Cargo.lock
high Security checks software dependencies conf 0.88 gdkx11: RUSTSEC-2024-0417
gtk-rs GTK3 bindings - no longer maintained
backend/Cargo.lock
high Security checks cicd CI/CD security conf 0.90 ✓ Repobility GitHub Action is tag-pinned rather than SHA-pinned
Action `cargo-bins/cargo-binstall` pinned to mutable ref `@main` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
.github/workflows/deps-build-linux.yaml:59 · CI/CD security · Supply chain · GitHub Actions
high Security checks software dependencies conf 0.88 glib: RUSTSEC-2024-0429
Unsoundness in `Iterator` and `DoubleEndedIterator` impls for `glib::VariantStrIter`
backend/Cargo.lock
high Security checks software dependencies conf 0.88 gtk-sys: RUSTSEC-2024-0420
gtk-rs GTK3 bindings - no longer maintained
backend/Cargo.lock
high Security checks software dependencies conf 0.88 gtk3-macros: RUSTSEC-2024-0419
gtk-rs GTK3 bindings - no longer maintained
backend/Cargo.lock
high Security checks software dependencies conf 0.88 gtk: RUSTSEC-2024-0415
gtk-rs GTK3 bindings - no longer maintained
backend/Cargo.lock
high Security checks software dependencies conf 0.88 hashbrown: RUSTSEC-2024-0402
Borsh serialization of HashMap is non-canonical
backend/nyanpasu-egui/Cargo.lock
high Security checks software dependencies conf 0.88 idna: RUSTSEC-2024-0421
`idna` accepts Punycode labels that do not produce any non-ASCII when decoded
backend/nyanpasu-egui/Cargo.lock
high Security checks software dependencies conf 0.88 js-cookie: GHSA-qjx8-664m-686j
JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 kysely: GHSA-pv5w-4p9q-p3v2
Kysely: JSON-path traversal injection via unsanitized path-leg metacharacters in `JSONPathBuilder.key()` / `.at()`
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 lru: RUSTSEC-2026-0002
`IterMut` violates Stacked Borrows by invalidating internal pointer
backend/Cargo.lock
high Security checks software dependencies conf 0.88 minimatch: GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 minimatch: GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 minimatch: GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 paste: RUSTSEC-2024-0436
paste - no longer maintained
backend/nyanpasu-egui/Cargo.lock
high Security checks software dependencies conf 0.88 paste: RUSTSEC-2024-0436
paste - no longer maintained
backend/Cargo.lock
high Security checks software dependencies conf 0.88 picomatch: GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 proc-macro-error: RUSTSEC-2024-0370
proc-macro-error is unmaintained
backend/Cargo.lock
high Security checks software dependencies conf 0.88 quinn-proto: RUSTSEC-2026-0037
Denial of service in Quinn endpoints
backend/Cargo.lock
high Security checks software dependencies conf 0.88 rand: RUSTSEC-2026-0097
Rand is unsound with a custom logger using `rand::rng()`
backend/nyanpasu-egui/Cargo.lock
high Security checks software dependencies conf 0.88 rand: RUSTSEC-2026-0097
Rand is unsound with a custom logger using `rand::rng()`
backend/Cargo.lock
high Security checks software dependencies conf 0.88 ring: RUSTSEC-2025-0009
Some AES functions may panic when overflow checking is enabled.
backend/nyanpasu-egui/Cargo.lock
high Security checks software dependencies conf 0.88 rustls-webpki: RUSTSEC-2026-0049
CRLs not considered authoritative by Distribution Point due to faulty matching logic
backend/nyanpasu-egui/Cargo.lock
high Security checks software dependencies conf 0.88 rustls-webpki: RUSTSEC-2026-0049
CRLs not considered authoritative by Distribution Point due to faulty matching logic
backend/Cargo.lock
high Security checks software dependencies conf 0.88 rustls-webpki: RUSTSEC-2026-0098
Name constraints for URI names were incorrectly accepted
backend/nyanpasu-egui/Cargo.lock
high Security checks software dependencies conf 0.88 rustls-webpki: RUSTSEC-2026-0098
Name constraints for URI names were incorrectly accepted
backend/Cargo.lock
high Security checks software dependencies conf 0.88 rustls-webpki: RUSTSEC-2026-0099
Name constraints were accepted for certificates asserting a wildcard name
backend/nyanpasu-egui/Cargo.lock
high Security checks software dependencies conf 0.88 rustls-webpki: RUSTSEC-2026-0099
Name constraints were accepted for certificates asserting a wildcard name
backend/Cargo.lock
high Security checks software dependencies conf 0.88 rustls-webpki: RUSTSEC-2026-0104
Reachable panic in certificate revocation list parsing
backend/nyanpasu-egui/Cargo.lock
high Security checks software dependencies conf 0.88 rustls-webpki: RUSTSEC-2026-0104
Reachable panic in certificate revocation list parsing
backend/Cargo.lock
high Security checks software dependencies conf 0.88 rustls: RUSTSEC-2024-0399
rustls network-reachable panic in `Acceptor::accept`
backend/nyanpasu-egui/Cargo.lock
high Security checks software dependencies conf 0.88 tar: RUSTSEC-2026-0067
`unpack_in` can chmod arbitrary directories by following symlinks
backend/Cargo.lock
high Security checks software dependencies conf 0.88 tar: RUSTSEC-2026-0068
tar-rs incorrectly ignores PAX size headers if header size is nonzero
backend/Cargo.lock
high Security checks software dependencies conf 0.88 thin-vec: RUSTSEC-2026-0103
Use-After-Free and Double Free in IntoIter::drop When Element Drop Panics
backend/Cargo.lock
high Security checks software dependencies conf 0.88 tmp: GHSA-ph9p-34f9-6g65
tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 unic-char-property: RUSTSEC-2025-0081
`unic-char-property` is unmaintained
backend/Cargo.lock
high Security checks software dependencies conf 0.88 unic-char-range: RUSTSEC-2025-0075
`unic-char-range` is unmaintained
backend/Cargo.lock
high Security checks software dependencies conf 0.88 unic-common: RUSTSEC-2025-0080
`unic-common` is unmaintained
backend/Cargo.lock
high Security checks software dependencies conf 0.88 unic-ucd-ident: RUSTSEC-2025-0100
`unic-ucd-ident` is unmaintained
backend/Cargo.lock
high Security checks software dependencies conf 0.88 unic-ucd-version: RUSTSEC-2025-0098
`unic-ucd-version` is unmaintained
backend/Cargo.lock
high System graph cicd CI/CD security conf 1.00 GitHub Action tracks a moving branch
cargo-bins/cargo-binstall@main can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/deps-build-linux.yaml:59 · CI/CD security · Supply chain · Github actions
medium Security checks software dependencies conf 0.88 ajv: GHSA-2g4f-4pwh-qvx6
ajv has ReDoS when using `$data` option
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 brace-expansion: GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 dompurify: GHSA-39q2-94rc-95cp
DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 dompurify: GHSA-cj63-jhhr-wcxv
DOMPurify USE_PROFILES prototype pollution allows event handlers
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 dompurify: GHSA-cjmm-f4jc-qw8r
DOMPurify ADD_ATTR predicate skips URI validation
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 dompurify: GHSA-crv5-9vww-q3g8
DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 dompurify: GHSA-h7mw-gpvr-xq4m
DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 dompurify: GHSA-h8r8-wccr-v5f2
DOMPurify is vulnerable to mutation-XSS via Re-Contextualization
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 dompurify: GHSA-v2wj-7wpq-c8vv
DOMPurify contains a Cross-site Scripting vulnerability
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 dompurify: GHSA-v9jr-rg53-9pgp
DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback
pnpm-lock.yaml
high Security checks quality Quality conf 0.80 localStorage write failures are swallowed silently
localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota.
frontend/interface/src/hooks/use-kv-storage.ts:24
medium Security checks software dependencies conf 0.88 mdast-util-to-hast: GHSA-4fh9-h7wg-q85m
mdast-util-to-hast has unsanitized class attribute
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 picomatch: GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 tar: GHSA-3pv8-6f4r-ffg2
tar has a PAX header desynchronization issue
backend/Cargo.lock
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — frontend/nyanpasu/src/pages/(main)/main/settings/system/_modules/system-service-ctrl.tsx:214
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — scripts/check.ts:196
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — scripts/manifest.ts:38
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — scripts/telegram-notify.ts:80
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — scripts/updater-nightly.ts:101
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — scripts/utils/cache-client.ts:32
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — scripts/utils/file-server.ts:65
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph cicd CI/CD security conf 1.00 25 occurrences GitHub Action is tag-pinned rather than SHA-pinned
denoland/setup-deno@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
12 files, 25 locations
backend/tauri-plugin-deep-link/.github/workflows/release.yml:24, 31 (4 hits)
.github/workflows/publish.yml:53, 84, 91 (3 hits)
.github/workflows/ci.yml:148, 240 (2 hits)
.github/workflows/daily.yml:26, 71 (2 hits)
.github/workflows/deps-build-linux.yaml:86, 91 (2 hits)
.github/workflows/deps-create-updater.yaml:88, 102 (2 hits)
.github/workflows/deps-delete-releases.yaml:27 (2 hits)
.github/workflows/deps-update-tag.yaml:35, 52 (2 hits)
CI/CD security · Supply chain · GitHub Actions
medium System graph cicd CI/CD security conf 1.00 5 occurrences GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
5 files, 5 locations
.github/workflows/deps-create-updater.yaml
.github/workflows/deps-update-tag.yaml
.github/workflows/deps-upload-release-assets.yaml
.github/workflows/publish.yml
.github/workflows/stale.yml
CI/CD security · Supply chain · Github actions
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in frontend/nyanpasu/src/pages/(main)/main/settings/system/_modules/system-service-ctrl.tsx:214
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
frontend/nyanpasu/src/pages/(main)/main/settings/system/_modules/system-service-ctrl.tsx:214 Dangerous innerhtml
medium System graph security Coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
auth
medium System graph quality Tests conf 1.00 Very low test-to-source ratio
8 test file(s) for 475 source file(s) (ratio 0.02). Consider adding integration or unit tests for critical paths.
Coverage
low Security checks software dependencies conf 0.88 brace-expansion: GHSA-v6h2-p8h4-qcjw
brace-expansion Regular Expression Denial of Service vulnerability
pnpm-lock.yaml
low Security checks software dependencies conf 0.88 diff: GHSA-73rr-hh4g-fpgx
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch
pnpm-lock.yaml
low Security checks quality Quality conf 0.60 30 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
12 files, 15 locations
backend/nyanpasu-core/src/state/manager/simple.rs:63, 65 (2 hits)
backend/nyanpasu-core/src/state/manager/weak_persistent_state.rs:1, 79 (2 hits)
frontend/nyanpasu/src/pages/(main)/main/profiles/$type/_modules/remote-profile-button.tsx:88, 151 (2 hits)
backend/nyanpasu-core/src/state/manager/persistent_state.rs:1
backend/nyanpasu-egui/src/widget/network_statistic_small.rs:25
backend/tauri/src/core/migration/units/unit_200.rs:85
backend/tauri/src/core/state.rs:146
backend/tauri/src/core/sysopt.rs:55
duplication · quality
high Security checks software dependencies conf 0.90 GitHub Action `actions-rs/audit-check@v1` is minor version(s) behind (latest v1.2.0)
`uses: actions-rs/audit-check@v1` is minor version(s) behind the latest published release v1.2.0. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
backend/tauri-plugin-deep-link/.github/workflows/audit.yml:24
high Security checks software dependencies conf 0.90 3 occurrences GitHub Action `actions/setup-node@v6` is minor version(s) behind (latest v6.4.0)
`uses: actions/setup-node@v6` is minor version(s) behind the latest published release v6.4.0. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
3 files, 3 locations
.github/workflows/daily.yml:17
.github/workflows/deps-build-linux.yaml:83
.github/workflows/deps-message-telegram.yaml:39
high Security checks software dependencies conf 0.90 GitHub Action `orhun/git-cliff-action@v4` is minor version(s) behind (latest v4.8.0)
`uses: orhun/git-cliff-action@v4` is minor version(s) behind the latest published release v4.8.0. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
backend/tauri-plugin-deep-link/.github/workflows/release.yml:24
high Security checks software dependencies conf 0.90 3 occurrences GitHub Action `Swatinem/rust-cache@v2` is minor version(s) behind (latest v2.9.1)
`uses: Swatinem/rust-cache@v2` is minor version(s) behind the latest published release v2.9.1. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
3 files, 3 locations
.github/workflows/deps-build-linux.yaml:108
backend/tauri-plugin-deep-link/.github/workflows/format.yml:23
backend/tauri-plugin-deep-link/.github/workflows/lint.yml:26
high Security checks quality Quality conf 0.62 3 occurrences Source file name looks like an AI patch artifact
Files named as final, fixed, copy, new, or backup are often temporary patch artifacts. They may be legitimate, but they deserve review before becoming production surface area.
3 files, 3 locations
backend/nyanpasu-macro/src/builder_update.rs:1
frontend/nyanpasu/src/pages/(main)/main/providers/_modules/use-proxies-provider-update.tsx:1
frontend/nyanpasu/src/pages/(main)/main/providers/_modules/use-rules-provider-update.tsx:1
low Security checks software dependencies conf 0.88 tmp: GHSA-52f5-9888-hmc6
tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
pnpm-lock.yaml
low System graph quality Maintenance conf 1.00 106 TODO/FIXME markers
High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: .lintstagedrc.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: .stylelintrc.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: commitlint.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/interface/src/ipc/consts.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/interface/src/service/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/nyanpasu/auto-imports.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/nyanpasu/postcss.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/nyanpasu/src/components/ui/dnd-grid/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/nyanpasu/src/consts.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/nyanpasu/src/generated/data-slots.gen.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/nyanpasu/src/pages/(main)/main/dashboard/_modules/consts.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/nyanpasu/src/pages/(main)/main/logs/_modules/consts.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/nyanpasu/src/pages/(main)/main/profiles/_modules/consts.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/nyanpasu/src/pages/-__root.module.scss.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/nyanpasu/src/route-tree.gen.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/nyanpasu/src/services/monaco.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/nyanpasu/src/services/types.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/nyanpasu/src/utils/monaco-yaml.worker.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/nyanpasu/tailwind.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/nyanpasu/vite.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: knip.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/extract-data-slots.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/generate-latest-version.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/upload-macos-updater.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/utils/logger.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph cicd CI/CD security conf 1.00 49 occurrences GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-node@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
12 files, 46 locations
.github/workflows/deps-build-linux.yaml:50, 83, 100, 229, 238, 246, 281 (9 hits)
.github/workflows/deps-build-windows-nsis.yaml:80, 93, 200, 210, 230, 339, 349, 369 (8 hits)
.github/workflows/deps-message-telegram.yaml:38, 39, 50 (5 hits)
.github/workflows/daily.yml:15, 17, 58, 62 (4 hits)
.github/workflows/deps-build-macos.yaml:48, 69, 150, 178 (4 hits)
.github/workflows/deps-upload-release-assets.yaml:19, 22 (4 hits)
.github/workflows/ci.yml:62, 143, 235 (3 hits)
.github/workflows/deps-create-updater.yaml:39, 46 (2 hits)
CI/CD security · Supply chain · GitHub Actions
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `common_copy` in frontend/nyanpasu/src/components/providers/context-menu-provider.tsx:408
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `common_copy` in frontend/nyanpasu/src/pages/(main)/main/settings/system/_modules/system-service-ctrl.tsx:223
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `common_copy` in frontend/nyanpasu/src/pages/(main)/main/settings/web-ui/_modules/core-secret-config.tsx:151
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph cicd CI/CD security conf 1.00 package.json defines install-time lifecycle scripts
preinstall/install/postinstall/prepare scripts execute during dependency installation. Review them carefully for network calls, obfuscation, shell execution, or credential access.
package.json · CI/CD security · Supply chain · Npm
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — frontend/interface/src/provider/mutation-provider.tsx:70
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — frontend/nyanpasu/src/pages/(editor)/editor/_modules/utils.tsx:33
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — frontend/nyanpasu/src/services/monaco.ts:46
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/check.ts:1102
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/extract-data-slots.ts:37
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/publish.ts:77
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/updater-nightly.ts:105
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
low System graph quality Complexity conf 1.00 Very large file: backend/nyanpasu-core/src/state/coordinator.rs (1573 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
high Security checks software dependencies conf 0.90 GitHub Action `actions/cache@v5` is patch version(s) behind (latest v5.0.5)
`uses: actions/cache@v5` is patch version(s) behind the latest published release v5.0.5. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
.github/workflows/deps-build-linux.yaml:100
high Security checks software dependencies conf 0.90 9 occurrences GitHub Action `actions/checkout@v6` is patch version(s) behind (latest v6.0.3)
`uses: actions/checkout@v6` is patch version(s) behind the latest published release v6.0.3. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
9 files, 9 locations
.github/workflows/daily.yml:15
.github/workflows/deps-build-linux.yaml:50
.github/workflows/deps-delete-releases.yaml:24
.github/workflows/deps-message-telegram.yaml:38
.github/workflows/deps-upload-release-assets.yaml:19
backend/tauri-plugin-deep-link/.github/workflows/audit.yml:23
backend/tauri-plugin-deep-link/.github/workflows/format.yml:19
backend/tauri-plugin-deep-link/.github/workflows/lint.yml:22
high Security checks software dependencies conf 0.90 GitHub Action `actions/download-artifact@v8` is patch version(s) behind (latest v8.0.1)
`uses: actions/download-artifact@v8` is patch version(s) behind the latest published release v8.0.1. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage f…
.github/workflows/deps-message-telegram.yaml:50
high Security checks software dependencies conf 0.90 GitHub Action `actions/download-artifact@v8` is patch version(s) behind (latest v8.0.1)
`uses: actions/download-artifact@v8` is patch version(s) behind the latest published release v8.0.1. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage f…
.github/workflows/deps-upload-release-assets.yaml:22
high Security checks software dependencies conf 0.90 GitHub Action `actions/upload-artifact@v7` is patch version(s) behind (latest v7.0.1)
`uses: actions/upload-artifact@v7` is patch version(s) behind the latest published release v7.0.1. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
.github/workflows/deps-build-linux.yaml:229
high Security checks software dependencies conf 0.90 GitHub Action `denoland/setup-deno@v2` is patch version(s) behind (latest v2.0.4)
`uses: denoland/setup-deno@v2` is patch version(s) behind the latest published release v2.0.4. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
.github/workflows/deps-build-linux.yaml:91
high Security checks software dependencies conf 0.90 GitHub Action `denoland/setup-deno@v2` is patch version(s) behind (latest v2.0.4)
`uses: denoland/setup-deno@v2` is patch version(s) behind the latest published release v2.0.4. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
.github/workflows/deps-message-telegram.yaml:43
high Security checks software dependencies conf 0.90 GitHub Action `pnpm/action-setup@v6` is patch version(s) behind (latest v6.0.8)
`uses: pnpm/action-setup@v6` is patch version(s) behind the latest published release v6.0.8. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
.github/workflows/daily.yml:20
high Security checks software dependencies conf 0.90 GitHub Action `pnpm/action-setup@v6` is patch version(s) behind (latest v6.0.8)
`uses: pnpm/action-setup@v6` is patch version(s) behind the latest published release v6.0.8. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
.github/workflows/deps-build-linux.yaml:86
API access

This page is publicly accessible at: https://repobility.com/scan/2f46b2d1-2838-44e3-ad93-6e6b582c017b/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/2f46b2d1-2838-44e3-ad93-6e6b582c017b/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.