File as GitHub Issue repo: hoppscotch/hoppscotch

Push this scan report to hoppscotch/hoppscotch

Click the green button below to open GitHub’s new-issue form, pre-filled with the report title, summary table, top findings, and an embedded score-card image. No authentication needed — you review on GitHub before submitting. Repobility is credited as the scanner.

Embedded score card image

This image will render at the top of the issue body. Hosted on Repobility, refreshes automatically after re-scans.


Issue title

Unsafe Deserialization

Curate findings to include

Pick exactly which findings appear in the issue body. By default the top 5 are included. Uncheck noise, check what matters.

Severity Rule Title File:line
MED SEC091 [SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/Read… packages/hoppscotch-selfhost-web/webapp…:68
MED SEC015 [SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. … packages/hoppscotch-common/src/platform…:216
MED SEC041 [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blan… packages/hoppscotch-kernel/src/io/impl/…:53
MED SEC041 [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blan… packages/hoppscotch-common/src/platform…:40
MED SEC007 [SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code. packages/hoppscotch-common/src/helpers/…:6
MED SEC045 [SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even … packages/hoppscotch-js-sandbox/src/web/…:14
MED SEC045 [SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even … packages/hoppscotch-common/src/helpers/…:13
MED SEC045 [SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even … packages/hoppscotch-common/src/composab…:22
MED SEC087 [SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; … packages/hoppscotch-data/src/predefined…:55
MED SEC087 [SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; … packages/hoppscotch-common/src/helpers/…:44
MED SEC087 [SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; … packages/hoppscotch-cli/src/utils/auth/…:66
MED ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors. packages/hoppscotch-common/src/services…:133
MED ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors. packages/hoppscotch-common/src/kernel/l…:139
MED ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors. packages/hoppscotch-cli/src/index.ts:107
MED SEC134 [SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum… packages/hoppscotch-desktop/src-tauri/s…:50
MED SEC134 [SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum… packages/hoppscotch-backend/src/publish…:162
MED AUC001 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks…
MED DKR017 Dockerfile installs dependencies after copying the full source tree packages/hoppscotch-sh-admin/Dockerfile:9
MED DKR017 Dockerfile installs dependencies after copying the full source tree packages/hoppscotch-selfhost-web/Docker…:9
MED DEPCUR-NPM npm package `vue-tsc` is 1 major version(s) behind (2.2.0 -> 3.3.3) packages/hoppscotch-desktop/package.json
MED DEPCUR-NPM npm package `unplugin-vue-components` is 2 major version(s) behind (30.0.0 -> 32.1.0) packages/hoppscotch-desktop/package.json
MED DEPCUR-NPM npm package `unplugin-icons` is 1 major version(s) behind (22.5.0 -> 23.0.1) packages/hoppscotch-desktop/package.json
MED DEPCUR-NPM npm package `globals` is 1 major version(s) behind (16.5.0 -> 17.6.0) packages/hoppscotch-desktop/package.json
MED DEPCUR-NPM npm package `@eslint/js` is 1 major version(s) behind (9.39.2 -> 10.0.1) packages/hoppscotch-desktop/package.json
MED DEPCUR-NPM npm package `vue-router` is 1 major version(s) behind (4.6.4 -> 5.1.0) packages/hoppscotch-desktop/package.json
MED DEPCUR-NPM npm package `lint-staged` is 1 major version(s) behind (16.4.0 -> 17.0.7) package.json
MED DEPCUR-NPM npm package `@commitlint/config-conventional` is 1 major version(s) behind (20.5.0 -> 21.… package.json
MED DEPCUR-NPM npm package `@commitlint/cli` is 1 major version(s) behind (20.5.2 -> 21.0.2) package.json
MED GHSA-58qx-3vcg-4xpx ws: GHSA-58qx-3vcg-4xpx pnpm-lock.yaml
MED GHSA-g3ch-rx76-35fx vue-template-compiler: GHSA-g3ch-rx76-35fx pnpm-lock.yaml
MED GHSA-xcj6-pq6g-qj4x vite: GHSA-xcj6-pq6g-qj4x pnpm-lock.yaml
MED GHSA-x574-m823-4x7w vite: GHSA-x574-m823-4x7w pnpm-lock.yaml
MED GHSA-vg6x-rcgg-rjx6 vite: GHSA-vg6x-rcgg-rjx6 pnpm-lock.yaml
MED GHSA-93m4-6634-74q7 vite: GHSA-93m4-6634-74q7 pnpm-lock.yaml
MED GHSA-859w-5945-r5v3 vite: GHSA-859w-5945-r5v3 pnpm-lock.yaml
MED GHSA-4w7w-66w2-5vf9 vite: GHSA-4w7w-66w2-5vf9 pnpm-lock.yaml
MED GHSA-4r4m-qw57-chr8 vite: GHSA-4r4m-qw57-chr8 pnpm-lock.yaml
MED GHSA-356w-63v5-8wf4 vite: GHSA-356w-63v5-8wf4 pnpm-lock.yaml
MED GHSA-w5hq-g745-h8pq uuid: GHSA-w5hq-g745-h8pq pnpm-lock.yaml
MED GHSA-95h2-gj7x-gx9w unhead: GHSA-95h2-gj7x-gx9w pnpm-lock.yaml
MED GHSA-rcqx-6q8c-2c42 svelte: GHSA-rcqx-6q8c-2c42 pnpm-lock.yaml
MED GHSA-pr6f-5x2q-rwfp svelte: GHSA-pr6f-5x2q-rwfp pnpm-lock.yaml
MED GHSA-phwv-c562-gvmh svelte: GHSA-phwv-c562-gvmh pnpm-lock.yaml
MED GHSA-m56q-vw4c-c2cp svelte: GHSA-m56q-vw4c-c2cp pnpm-lock.yaml
MED GHSA-f7gr-6p89-r883 svelte: GHSA-f7gr-6p89-r883 pnpm-lock.yaml
MED GHSA-crpf-4hrx-3jrp svelte: GHSA-crpf-4hrx-3jrp pnpm-lock.yaml
MED GHSA-8266-84wp-wv5c svelte: GHSA-8266-84wp-wv5c pnpm-lock.yaml
MED GHSA-cqmj-92xf-r6r9 socket.io-parser: GHSA-cqmj-92xf-r6r9 pnpm-lock.yaml
MED GHSA-qj8w-gfj5-8c6v serialize-javascript: GHSA-qj8w-gfj5-8c6v pnpm-lock.yaml
MED GHSA-q8mj-m7cp-5q26 qs: GHSA-q8mj-m7cp-5q26 pnpm-lock.yaml
MED GHSA-6fx8-h7jm-663j parseuri: GHSA-6fx8-h7jm-663j pnpm-lock.yaml
MED GHSA-vvjj-xcjg-gr5g nodemailer: GHSA-vvjj-xcjg-gr5g pnpm-lock.yaml
MED GHSA-9x9p-qf8f-mvjg liquidjs: GHSA-9x9p-qf8f-mvjg pnpm-lock.yaml
MED GHSA-8xx9-69p8-7jp3 liquidjs: GHSA-8xx9-69p8-7jp3 pnpm-lock.yaml
MED GHSA-2qv6-9wx5-cwv4 liquidjs: GHSA-2qv6-9wx5-cwv4 pnpm-lock.yaml
MED GHSA-xrhx-7g5j-rcj5 hono: GHSA-xrhx-7g5j-rcj5 pnpm-lock.yaml
MED GHSA-qp7p-654g-cw7p hono: GHSA-qp7p-654g-cw7p pnpm-lock.yaml
MED GHSA-p77w-8qqv-26rm hono: GHSA-p77w-8qqv-26rm pnpm-lock.yaml
MED GHSA-f577-qrjj-4474 hono: GHSA-f577-qrjj-4474 pnpm-lock.yaml
MED GHSA-9vqf-7f2p-gf9v hono: GHSA-9vqf-7f2p-gf9v pnpm-lock.yaml
MED GHSA-69xw-7hcm-h432 hono: GHSA-69xw-7hcm-h432 pnpm-lock.yaml
MED GHSA-3hrh-pfw6-9m5x hono: GHSA-3hrh-pfw6-9m5x pnpm-lock.yaml
MED GHSA-2gcr-mfcq-wcc3 hono: GHSA-2gcr-mfcq-wcc3 pnpm-lock.yaml
MED GHSA-67mh-4wv8-2f99 esbuild: GHSA-67mh-4wv8-2f99 pnpm-lock.yaml
MED GHSA-v9jr-rg53-9pgp dompurify: GHSA-v9jr-rg53-9pgp pnpm-lock.yaml
MED GHSA-v2wj-7wpq-c8vv dompurify: GHSA-v2wj-7wpq-c8vv pnpm-lock.yaml
MED GHSA-h8r8-wccr-v5f2 dompurify: GHSA-h8r8-wccr-v5f2 pnpm-lock.yaml
MED GHSA-h7mw-gpvr-xq4m dompurify: GHSA-h7mw-gpvr-xq4m pnpm-lock.yaml
MED GHSA-crv5-9vww-q3g8 dompurify: GHSA-crv5-9vww-q3g8 pnpm-lock.yaml
MED GHSA-cjmm-f4jc-qw8r dompurify: GHSA-cjmm-f4jc-qw8r pnpm-lock.yaml
MED GHSA-cj63-jhhr-wcxv dompurify: GHSA-cj63-jhhr-wcxv pnpm-lock.yaml
MED GHSA-39q2-94rc-95cp dompurify: GHSA-39q2-94rc-95cp pnpm-lock.yaml
MED GHSA-jxxr-4gwj-5jf2 brace-expansion: GHSA-jxxr-4gwj-5jf2 pnpm-lock.yaml
MED GHSA-f886-m6hf-6m8v brace-expansion: GHSA-f886-m6hf-6m8v pnpm-lock.yaml
MED GHSA-898c-q2cr-xwhg axios: GHSA-898c-q2cr-xwhg pnpm-lock.yaml
MED GHSA-q6x5-8v7m-xcrf @protobufjs/utf8: GHSA-q6x5-8v7m-xcrf pnpm-lock.yaml
MED GHSA-92pp-h63x-v22m @hono/node-server: GHSA-92pp-h63x-v22m pnpm-lock.yaml
MED GHSA-3v7f-55p6-f55p picomatch: GHSA-3v7f-55p6-f55p packages/hoppscotch-desktop/plugin-work…
MED GHSA-7gmj-67g7-phm9 tauri: GHSA-7gmj-67g7-phm9 packages/hoppscotch-agent/src-tauri/Car…
MED GHSA-3pv8-6f4r-ffg2 tar: GHSA-3pv8-6f4r-ffg2 packages/hoppscotch-agent/src-tauri/Car…
MED GHSA-xv59-967r-8726 openssl: GHSA-xv59-967r-8726 packages/hoppscotch-agent/src-tauri/Car…
MED GHSA-phqj-4mhp-q6mq openssl: GHSA-phqj-4mhp-q6mq packages/hoppscotch-agent/src-tauri/Car…
MED DKR001 Docker final stage has no non-root USER packages/hoppscotch-sh-admin/Dockerfile:16
MED DKR001 Docker final stage has no non-root USER packages/hoppscotch-selfhost-web/Docker…:16
MED DKR001 Docker final stage has no non-root USER packages/hoppscotch-backend/Dockerfile:31
MED DKR014 Dockerfile copies broad context with incomplete .dockerignore packages/hoppscotch-sh-admin/Dockerfile:8
MED DKR014 Dockerfile copies broad context with incomplete .dockerignore packages/hoppscotch-selfhost-web/Docker…:8
MED AUC002 [AUC002] Low visible authorization coverage in route inventory: Only 10.5% of discovered …
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … packages/hoppscotch-backend/src/auth/au…:113
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … packages/hoppscotch-backend/src/auth/au…:105
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … packages/hoppscotch-backend/src/auth/au…:87
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … packages/hoppscotch-backend/src/auth/au…:76
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … packages/hoppscotch-backend/src/auth/au…:42
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … packages/hoppscotch-backend/src/mock-se…:52
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … packages/hoppscotch-backend/src/infra-t…:212
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … packages/hoppscotch-backend/src/infra-t…:117
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … packages/hoppscotch-backend/src/publish…:22
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … packages/hoppscotch-backend/src/infra-c…:101
MED AUC004 [AUC004] Admin route does not show super_admin separation: An administrative route was de… packages/hoppscotch-sh-admin/src/helper…:3
MED AUC004 [AUC004] Admin route does not show super_admin separation: An administrative route was de… packages/hoppscotch-selfhost-web/src/ap…:2
MED AUC004 [AUC004] Admin route does not show super_admin separation: An administrative route was de… packages/hoppscotch-backend/src/auth/au…:201
MED AUC004 [AUC004] Admin route does not show super_admin separation: An administrative route was de… packages/hoppscotch-backend/src/auth/au…:193
MED AUC004 [AUC004] Admin route does not show super_admin separation: An administrative route was de… packages/hoppscotch-backend/src/infra-t…:241
MED AUC004 [AUC004] Admin route does not show super_admin separation: An administrative route was de… packages/hoppscotch-backend/src/infra-t…:67
MED AUC004 [AUC004] Admin route does not show super_admin separation: An administrative route was de… packages/hoppscotch-backend/src/infra-c…:31
MED AUC004 [AUC004] Admin route does not show super_admin separation: An administrative route was de… packages/hoppscotch-backend/src/infra-c…:16
LOW DEPCUR-NPM npm package `sass` is minor version(s) behind (1.99.0 -> 1.100.0) packages/hoppscotch-desktop/package.json
LOW DEPCUR-NPM npm package `@vue/eslint-config-typescript` is minor version(s) behind (14.7.0 -> 14.8.0) packages/hoppscotch-desktop/package.json
LOW DEPCUR-NPM npm package `@tauri-apps/cli` is minor version(s) behind (2.9.3 -> 2.11.2) packages/hoppscotch-desktop/package.json
LOW DEPCUR-NPM npm package `@tauri-apps/plugin-updater` is minor version(s) behind (2.9.0 -> 2.10.1) packages/hoppscotch-desktop/package.json
LOW DEPCUR-NPM npm package `@tauri-apps/plugin-process` is minor version(s) behind (2.2.0 -> 2.3.1) packages/hoppscotch-desktop/package.json
LOW DEPCUR-NPM npm package `@tauri-apps/plugin-fs` is minor version(s) behind (2.0.2 -> 2.5.1) packages/hoppscotch-desktop/package.json
LOW DEPCUR-NPM npm package `@tauri-apps/api` is minor version(s) behind (2.1.1 -> 2.11.0) packages/hoppscotch-desktop/package.json
LOW GHSA-jqfw-vq24-v9c3 vite: GHSA-jqfw-vq24-v9c3 pnpm-lock.yaml
LOW GHSA-g4jq-h2w9-997c vite: GHSA-g4jq-h2w9-997c pnpm-lock.yaml
LOW GHSA-c7w3-x93f-qmm8 nodemailer: GHSA-c7w3-x93f-qmm8 pnpm-lock.yaml
LOW GHSA-hm8q-7f3q-5f36 hono: GHSA-hm8q-7f3q-5f36 pnpm-lock.yaml
LOW GHSA-73rr-hh4g-fpgx diff: GHSA-73rr-hh4g-fpgx pnpm-lock.yaml
LOW GHSA-654m-c8p4-x5fp axios: GHSA-654m-c8p4-x5fp pnpm-lock.yaml
LOW GHSA-xmgf-hq76-4vx2 openssl: GHSA-xmgf-hq76-4vx2 packages/hoppscotch-agent/src-tauri/Car…
LOW AIC003 Duplicated implementation block across source files packages/hoppscotch-common/src/componen…:21
LOW AIC003 Duplicated implementation block across source files packages/hoppscotch-common/src/componen…:286
LOW AIC003 Duplicated implementation block across source files packages/hoppscotch-common/src/componen…:15
LOW AIC003 Duplicated implementation block across source files packages/hoppscotch-common/src/componen…:33
LOW AIC003 Duplicated implementation block across source files packages/hoppscotch-common/src/componen…:79
LOW AIC003 Duplicated implementation block across source files packages/hoppscotch-common/src/componen…:20
LOW AIC003 Duplicated implementation block across source files packages/hoppscotch-common/src/componen…:82
LOW AIC003 Duplicated implementation block across source files packages/hoppscotch-common/src/componen…:60
LOW AIC003 Duplicated implementation block across source files packages/hoppscotch-common/src/componen…:43
LOW AIC003 Duplicated implementation block across source files packages/hoppscotch-common/src/componen…:49
LOW AIC003 Duplicated implementation block across source files packages/hoppscotch-common/src/componen…:27
LOW AIC003 Duplicated implementation block across source files packages/hoppscotch-common/src/componen…:58
LOW AIC003 Duplicated implementation block across source files packages/hoppscotch-common/src/componen…:25
LOW AIC003 Duplicated implementation block across source files packages/hoppscotch-common/src/componen…:24
LOW AIC003 Duplicated implementation block across source files packages/hoppscotch-common/src/componen…:25
LOW AIC003 Duplicated implementation block across source files packages/hoppscotch-common/src/componen…:24
LOW AIC003 Duplicated implementation block across source files packages/hoppscotch-common/src/componen…:44
LOW AIC003 Duplicated implementation block across source files packages/hoppscotch-common/src/componen…:24
LOW AIC003 Duplicated implementation block across source files packages/hoppscotch-common/src/componen…:37
LOW AIC003 Duplicated implementation block across source files packages/hoppscotch-common/src/componen…:10
LOW AIC003 Duplicated implementation block across source files packages/hoppscotch-common/src/componen…:37
LOW AIC003 Duplicated implementation block across source files packages/hoppscotch-common/src/componen…:1
LOW AIC003 Duplicated implementation block across source files packages/hoppscotch-common/src/componen…:1
LOW AIC003 Duplicated implementation block across source files packages/hoppscotch-backend/src/user-re…:339
LOW AIC003 Duplicated implementation block across source files packages/hoppscotch-backend/src/user-co…:8
LOW AIC003 Duplicated implementation block across source files packages/hoppscotch-backend/src/publish…:130
LOW AIC003 Duplicated implementation block across source files packages/hoppscotch-backend/src/orchest…:27
LOW AIC003 Duplicated implementation block across source files packages/hoppscotch-backend/src/auth/st…:36
LOW AIC003 Duplicated implementation block across source files packages/hoppscotch-backend/src/auth/st…:41
LOW AIC003 Duplicated implementation block across source files packages/hoppscotch-backend/src/auth/gu…:19
LOW DKC012 Compose service performs heavy setup work on every startup docker-compose.yml:168
LOW DKR008 .dockerignore misses sensitive defaults .dockerignore
LOW DKC010 Compose service lacks no-new-privileges hardening docker-compose.yml:220
LOW DKC010 Compose service lacks no-new-privileges hardening docker-compose.yml:207
LOW DKC010 Compose service lacks no-new-privileges hardening docker-compose.yml:183
LOW DKC010 Compose service lacks no-new-privileges hardening docker-compose.yml:168
LOW DKC010 Compose service lacks no-new-privileges hardening docker-compose.yml:116
LOW DKC010 Compose service lacks no-new-privileges hardening docker-compose.yml:95
LOW DKC010 Compose service lacks no-new-privileges hardening docker-compose.yml:79
LOW DKC010 Compose service lacks no-new-privileges hardening docker-compose.yml:60
LOW DKC010 Compose service lacks no-new-privileges hardening docker-compose.yml:31
LOW AIC002 Source file name looks like an AI patch artifact packages/hoppscotch-common/src/composab…:1
LOW DKC006 Compose service does not declare a runtime user docker-compose.yml:220
LOW DKC006 Compose service does not declare a runtime user docker-compose.yml:207
LOW DKC006 Compose service does not declare a runtime user docker-compose.yml:183
LOW DKC006 Compose service does not declare a runtime user docker-compose.yml:168
LOW DKC006 Compose service does not declare a runtime user docker-compose.yml:116
LOW DKC006 Compose service does not declare a runtime user docker-compose.yml:95
LOW DKC006 Compose service does not declare a runtime user docker-compose.yml:79
LOW DKC006 Compose service does not declare a runtime user docker-compose.yml:60
LOW DKC006 Compose service does not declare a runtime user docker-compose.yml:31
INFO MINED060 [MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks g… packages/hoppscotch-selfhost-web/webapp…:91
INFO MINED068 [MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled i… packages/hoppscotch-desktop/plugin-work…:69
INFO MINED045 [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError … packages/hoppscotch-common/src/composab…:143
INFO MINED045 [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError … packages/hoppscotch-cli/src/utils/gette…:305
INFO MINED045 [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError … packages/hoppscotch-backend/src/team-re…:49
INFO MINED074 [MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.exa… packages/hoppscotch-backend/src/publish…:62
INFO MINED043 [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… packages/hoppscotch-desktop/plugin-work…:64
INFO MINED043 [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… packages/hoppscotch-common/src/helpers/…:26
INFO MINED043 [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… packages/hoppscotch-backend/src/publish…:188
INFO MINED054 [MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely. packages/hoppscotch-common/src/composab…:60
INFO MINED054 [MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely. packages/hoppscotch-cli/src/utils/funct…:36
INFO MINED054 [MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely. packages/hoppscotch-backend/src/utils.ts:130
INFO MINED052 [MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety. packages/hoppscotch-cli/src/utils/hopp-…:62
INFO MINED052 [MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety. packages/hoppscotch-cli/src/types/error…:10
INFO MINED052 [MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety. packages/hoppscotch-backend/src/auth/st…:91
INFO MINED053 [MINED053] Placeholder Default Username: [email protected] / [email protected] / admin/admin… packages/hoppscotch-backend/src/infra-t…:15
INFO MINED053 [MINED053] Placeholder Default Username: [email protected] / [email protected] / admin/admin… packages/hoppscotch-backend/src/gql-sch…:23
INFO MINED053 [MINED053] Placeholder Default Username: [email protected] / [email protected] / admin/admin… packages/hoppscotch-backend/src/app.mod…:20
INFO MINED059 [MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message. packages/hoppscotch-agent/src-tauri/src…:70
INFO MINED059 [MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message. packages/hoppscotch-agent/src-tauri/src…:88
INFO MINED059 [MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message. packages/hoppscotch-agent/src-tauri/src…:244
INFO MINED066 [MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable error… packages/hoppscotch-desktop/src-tauri/s…:15
INFO MINED066 [MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable error… packages/hoppscotch-desktop/plugin-work…:12
INFO MINED066 [MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable error… packages/hoppscotch-agent/src-tauri/src…:15
INFO MINED044 [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … packages/hoppscotch-backend/src/auth/st…:63
INFO MINED044 [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … packages/hoppscotch-backend/prod_run.mjs:13
INFO MINED044 [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … aio_run.mjs:14
INFO DEPCUR-NPM npm package `postcss` is patch version(s) behind (8.5.10 -> 8.5.15) packages/hoppscotch-desktop/package.json
INFO DEPCUR-NPM npm package `eslint-plugin-vue` is patch version(s) behind (10.9.0 -> 10.9.2) packages/hoppscotch-desktop/package.json
200 findings available (after auto-suppression of test files and won't-fix).
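SEC015 and SEC087 above flag Math.random() in security-sensitive code (the agent store, a common helper and the CLI auth utilities). The point of those rules is predictability, not distribution: V8's Math.random() is xorshift128+, and its internal state can be recovered from a few observed outputs, so any token built from it can be reproduced by an attacker who has seen some of them. The TypeScript below is an added example, not code from the Hoppscotch repository or from Repobility; it puts the flagged pattern beside the Node crypto replacements a reviewer would expect at those lines. The 62-character alphabet and the 128-bit minimum are assumptions chosen for the example.

```typescript
import { randomBytes, randomInt, randomUUID } from "node:crypto";

// Example alphabet (assumed for this demo): 62 symbols, log2(62) = 5.95 bits each.
const ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

// The pattern SEC015/SEC087 flag. Math.random() is a non-cryptographic PRNG
// (xorshift128+ in V8); its 128-bit state can be recovered from a few
// observed outputs, after which every past and future token is predictable.
// Kept only for contrast with the hardened versions below.
export function insecureToken(length: number): string {
  let out = "";
  for (let i = 0; i < length; i++) {
    out += ALPHABET.charAt(Math.floor(Math.random() * ALPHABET.length));
  }
  return out;
}

// Hardened: crypto.randomInt(max) is backed by the OS CSPRNG and uses
// rejection sampling, so the alphabet pick is both unpredictable and unbiased
// (a plain randomBytes()[i] % 62 would carry a modulo bias, since 256 % 62 != 0).
export function secureToken(length: number): string {
  const out: string[] = [];
  for (let i = 0; i < length; i++) {
    out.push(ALPHABET.charAt(randomInt(ALPHABET.length)));
  }
  return out.join("");
}

// For opaque identifiers (session ids, nonces, pairing codes) raw CSPRNG bytes
// or a v4 UUID are simpler than an alphabet walk and carry full entropy.
export function secureHexToken(bytes = 32): string {
  return randomBytes(bytes).toString("hex");
}

export function secureUuid(): string {
  return randomUUID();
}

// Entropy budget check for review: a bearer-style secret should carry at least
// 128 bits, so with this alphabet 22 characters is the minimum and 21 is not.
export function tokenEntropyBits(length: number, alphabetSize: number = ALPHABET.length): number {
  return length * Math.log2(alphabetSize);
}

export function hasEnoughEntropy(length: number, minBits = 128): boolean {
  return tokenEntropyBits(length) >= minBits;
}
```

When triaging the three SEC087 hits, the question to ask at each line is whether the value is ever used as a secret, identifier or nonce that an attacker could benefit from guessing; a Math.random() used for a UI jitter or a sample-data picker is a false positive, a Math.random() feeding an auth utility is not.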

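SEC041 flags target="_blank" without rel="noopener noreferrer" in two .ts files. Without noopener the opened page receives a window.opener handle and can navigate the original tab, for example to a look-alike login page (reverse tabnabbing); noreferrer additionally withholds the Referer header. Current Chromium, Firefox and Safari already imply noopener for target="_blank", so the finding is defense in depth for older engines plus the referrer leak, but the fix costs nothing. The TypeScript below is an added example, not the project's code: a window.open wrapper that takes an injectable window-like object so it runs without a DOM, plus a checker and a rewriter for anchor tags in HTML strings. The tag scan is a regex pass, a lint-grade approximation of an HTML parser, and is not a sanitizer. The sample markup is constructed.

```typescript
// Minimal window-like shape so the wrapper can be exercised without a DOM.
export interface WindowLike {
  open(url: string, target: string, features?: string): { opener: unknown } | null;
}

// Open a URL in a new tab without handing the new page a reference to ours.
// "noopener" makes the child's window.opener null (and window.open return
// null); "noreferrer" also suppresses the Referer header. The explicit
// opener = null covers engines that ignore the features string.
export function openInNewTab(win: WindowLike, url: string): void {
  const child = win.open(url, "_blank", "noopener,noreferrer");
  if (child) child.opener = null;
}

// Matches opening <a ...> tags only (the \b keeps <abbr>, <area> out).
const ANCHOR_RE = /<a\b[^>]*>/gi;

// Collect name=value attributes from one tag; names are lower-cased.
function attrs(tag: string): Map<string, string> {
  const m = new Map<string, string>();
  const re = /([A-Za-z_:][\w:.-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let a: RegExpExecArray | null;
  while ((a = re.exec(tag)) !== null) {
    m.set(a[1].toLowerCase(), a[2] ?? a[3] ?? a[4] ?? "");
  }
  return m;
}

function relTokens(a: Map<string, string>): Set<string> {
  return new Set((a.get("rel") ?? "").toLowerCase().split(/\s+/).filter(Boolean));
}

// The SEC041 condition: target="_blank" and rel missing either token.
function isUnsafeBlankAnchor(a: Map<string, string>): boolean {
  if ((a.get("target") ?? "").toLowerCase() !== "_blank") return false;
  const rel = relTokens(a);
  return !rel.has("noopener") || !rel.has("noreferrer");
}

// Detection: return every offending opening tag verbatim for a report.
export function findTabnabbingAnchors(html: string): string[] {
  const hits: string[] = [];
  const re = new RegExp(ANCHOR_RE.source, "gi");
  let m: RegExpExecArray | null;
  while ((m = re.exec(html)) !== null) {
    if (isUnsafeBlankAnchor(attrs(m[0]))) hits.push(m[0]);
  }
  return hits;
}

// Remediation: add the missing tokens, keeping any rel values already present
// (e.g. nofollow) and leaving safe or same-tab anchors untouched.
export function hardenAnchorHtml(html: string): string {
  return html.replace(ANCHOR_RE, (tag: string) => {
    const a = attrs(tag);
    if (!isUnsafeBlankAnchor(a)) return tag;
    const rel = relTokens(a);
    rel.add("noopener");
    rel.add("noreferrer");
    const relAttr = `rel="${Array.from(rel).join(" ")}"`;
    if (a.has("rel")) {
      return tag.replace(/\brel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/i, relAttr);
    }
    return tag.replace(/\s*\/?>$/, (end) => ` ${relAttr}${end}`);
  });
}
```

For Vue templates the same check belongs in lint (eslint-plugin-vue ships a rule for exactly this case); the string rewriter above is for generated or stored HTML where no template linter runs.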
Issue body (markdown)

## Code-quality scan: `hoppscotch/hoppscotch`

**Score: 42/100 (C)**  ·  452 findings  ·  scanned 2026-06-05 07:29 UTC  ·  302,266 LOC

| Severity | Count |
|---|---|
| CRITICAL | 11 |
| HIGH | 219 |
| MEDIUM | 106 |
| LOW | 65 |

📊 [Full filterable report](https://repobility.com/scan/2f5b6a81-33de-421f-b4cd-3055059aa55a/)  ·  ![scorecard](https://repobility.com/scan/2f5b6a81-33de-421f-b4cd-3055059aa55a/report.png?v=1780644554-s2)

### Top findings

1. **MEDIUM** `SEC091` — Go: net/http server without timeouts
   `packages/hoppscotch-selfhost-web/webapp-server/main.go:68`
2. **MEDIUM** `SEC015` — Insecure Randomness for Security
   `packages/hoppscotch-common/src/platform/std/kernel-interceptors/agent/store.ts:216` · A02:2021 Cryptographic Failures
3. **MEDIUM** `SEC041` — Tabnabbing — target="_blank" without rel="noopener noreferrer"
   `packages/hoppscotch-kernel/src/io/impl/web/v/1.ts:53` · A05:2021 Security Misconfiguration
4. **MEDIUM** `SEC041` — Tabnabbing — target="_blank" without rel="noopener noreferrer"
   `packages/hoppscotch-common/src/platform/std/io.ts:40` · A05:2021 Security Misconfiguration
5. **MEDIUM** `SEC007` — Unsafe Deserialization
   `packages/hoppscotch-common/src/helpers/functional/yaml.ts:6` · A08:2021 Software & Data Integrity Failures

---

_Filed automatically. Close this issue if not useful — we won't refile. Full report: https://repobility.com/scan/2f5b6a81-33de-421f-b4cd-3055059aa55a/_
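SEC007 at packages/hoppscotch-common/src/helpers/functional/yaml.ts:6 is the finding that gives this issue its title, and the rule text ("can execute arbitrary code") is the generic description of the rule, not a confirmed code-execution path in that file; this report shows no such path. What to check at that line is which YAML library is in use and with which schema: js-yaml 3.x load() with its default schema accepted !!js/function tags and evaluated them, while safeLoad() did not; in js-yaml 4.x load() is safe by default and the js/* types moved to a separate package. If the library call is safe, the remaining risk is structural: parsed input flowing into deep merges or stores without a shape check. The TypeScript below is an added example, not the project's code, showing a parse step that rejects prototype-pollution keys, the deep-merge sink that makes such keys dangerous, a guarded merge, and a shape check before the data is used. The CollectionImport shape, the method allowlist and the sample payloads are constructed for the example and do not describe Hoppscotch's actual formats.

```typescript
// Keys whose presence in untrusted input signals a prototype-pollution attempt.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Step 1: parse with a reviver that rejects dangerous keys anywhere in the tree.
// JSON.parse itself never touches prototypes (it creates an own "__proto__"
// property), but the object it returns usually flows into code that does.
export function parseUntrusted(text: string): unknown {
  return JSON.parse(text, (key: string, value: unknown) => {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to deserialize forbidden key "${key}"`);
    }
    return value;
  });
}

function isPlainObject(v: unknown): v is Record<string, unknown> {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

// The sink that turns a polluted payload into a real problem: a recursive
// merge that walks attacker-controlled keys. target["__proto__"] resolves to
// Object.prototype, so the nested assignment lands on every object in the
// process. Vulnerable by design, kept for contrast.
export function naiveMerge(target: any, source: any): any {
  for (const key of Object.keys(source)) {
    if (typeof source[key] === "object" && source[key] !== null) {
      if (typeof target[key] !== "object" || target[key] === null) target[key] = {};
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Guarded merge: refuses forbidden keys and only recurses into plain objects.
export function safeMerge(
  target: Record<string, unknown>,
  source: Record<string, unknown>,
): Record<string, unknown> {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`refusing to merge key "${key}"`);
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = target[key];
      target[key] = safeMerge(isPlainObject(existing) ? existing : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Step 2: never use the parsed tree as-is; narrow it to an explicit shape.
// This shape is hypothetical and stands in for whatever yaml.ts returns.
export interface CollectionImport {
  name: string;
  requests: { method: string; endpoint: string }[];
}

const METHODS = new Set(["GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"]);

export function asCollectionImport(v: unknown): CollectionImport {
  if (!isPlainObject(v)) throw new Error("invalid import: not an object");
  const name = v.name;
  if (typeof name !== "string") throw new Error("invalid import: name");
  const requests = v.requests;
  if (!Array.isArray(requests)) throw new Error("invalid import: requests");
  const checked = requests.map((r: unknown, i: number) => {
    if (!isPlainObject(r)) throw new Error(`invalid import: requests[${i}]`);
    const method = r.method;
    const endpoint = r.endpoint;
    if (typeof method !== "string" || typeof endpoint !== "string") {
      throw new Error(`invalid import: requests[${i}] fields`);
    }
    const upper = method.toUpperCase();
    if (!METHODS.has(upper)) throw new Error(`invalid import: requests[${i}].method`);
    return { method: upper, endpoint };
  });
  return { name, requests: checked };
}
```

The same two steps apply to a YAML document once it has been loaded with a safe schema: reject or strip the forbidden keys, then build the application object from validated fields instead of handing the parser's output to a merge or a store.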
Already filed
This repo publishes a SECURITY.md policy and the scan contains 22 Critical/High security finding(s). Public issue filing would violate coordinated disclosure. Submit privately via the project's security reporting channel.
Megaproject: high spam risk
Could not determine 'hoppscotch/hoppscotch' star count (GitHub API rate-limited or unreachable). When in doubt about repo size, prefer opening a focused PR or a discussion rather than an issue.

The button opens GitHub's new-issue page in a new tab. You will see the title and body pre-filled; review, edit if you want, then click GitHub's "Submit new issue" button. Repobility never posts anything on your behalf.

For real security findings on big repos: use the project's SECURITY.md or private advisory flow instead of a public issue.