OpenHands/OpenHands

Component	Sub-score	Weight	Contribution
`structure_score`	60.0	0.15	9.00
`security_score`	0.0	0.25	0.00
`testing_score`	100.0	0.20	20.00
`documentation_score`	96.0	0.15	14.40
`practices_score`	100.0	0.15	15.00
`code_quality`	49.6	0.10	4.96
Overall		1.00	63.4

critical Security checks cicd CI/CD security conf 0.98 Compose service mounts the Docker socket

The Docker socket gives the container control over the Docker host and is commonly equivalent to host root access.

docker-compose.yml:2 CI/CD securitycontainers

critical Security checks cicd CI/CD security conf 0.98 Compose service mounts the Docker socket

The Docker socket gives the container control over the Docker host and is commonly equivalent to host root access.

containers/dev/compose.yml:2 CI/CD securitycontainers

critical Security checks cicd CI/CD security conf 0.98 Compose service runs privileged

Privileged containers receive broad host kernel capabilities and can bypass container isolation.

containers/dev/compose.yml:2 CI/CD securitycontainers

critical Security checks security secrets conf 0.95 21 occurrences Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

Gitleaks detected a committed secret or credential pattern.

12 files, 20 locations

enterprise/tests/unit/test_saas_user_auth.py:941, 1027, 1091, 1137 (4 hits)

enterprise/tests/unit/server/routes/test_api_keys.py:34, 61, 83 (3 hits)

tests/unit/app_server/utils/logger/test_logging.py:40, 49, 58 (3 hits)

enterprise/tests/unit/storage/test_api_key_store.py:191, 293 (2 hits)

enterprise/doc/design-doc/openhands-enterprise-telemetry-design.md:288

enterprise/server/routes/integration/slack.py:300

enterprise/tests/unit/routes/test_service.py:183

enterprise/tests/unit/test_saas_settings_store.py:299

high Security checks quality Quality conf 1.00 ✓ Repobility 8 occurrences Missing import: `email` used but not imported

The file uses `email.something(...)` but never imports `email`. This raises NameError at runtime the first time the line executes.

8 files, 8 locations

enterprise/server/auth/email_validation.py:27

enterprise/server/auth/recaptcha_service.py:56

enterprise/server/routes/auth.py:917

enterprise/server/services/org_invitation_service.py:63

enterprise/storage/org_invitation_store.py:72

enterprise/storage/resend_synced_user_store.py:31

enterprise/storage/user_store.py:734

enterprise/sync/resend_keycloak.py:355

critical Security checks software dependencies conf 0.88 vitest: GHSA-5xrq-8626-4rwp

When Vitest UI server is listening, arbitrary file can be read and executed

openhands-ui/bun.lock

low Security checks cicd CI/CD security conf 0.35 ✓ Repobility Workflow references repository secrets in a pull_request workflow

Fork pull_request runs do not receive normal repository secrets on GitHub Actions. Review this as a reliability/intent signal, not as direct fork-secret exfiltration. Raise severity only for pull_request_target or another trusted-context path that runs untrusted PR code with secrets.

.github/workflows/pr-artifacts.yml:41 CI/CD securityworkflow secretsGitHub Actions

critical System graph security Secrets conf 1.00 Possible secret in frontend/src/i18n/declaration.ts

Detected pattern matching password_literal. Rotate the credential and move to a secret manager.

frontend/src/i18n/declaration.ts:493

high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /{secret_id}.

A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /{secret_id}.

openhands/app_server/secrets/secrets_router.py:348

high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /{conversation_id}/download.

A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /{conversation_id}/download.

openhands/app_server/app_conversation/app_conversation_router.py:1437

high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /{conversation_id}/file.

A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /{conversation_id}/file.

openhands/app_server/app_conversation/app_conversation_router.py:965

high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /{conversation_id}/git/changes.

A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /{conversation_id}/git/changes.

openhands/app_server/app_conversation/app_conversation_router.py:1133

high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /{conversation_id}/git/diff.

A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /{conversation_id}/git/diff.

openhands/app_server/app_conversation/app_conversation_router.py:1167

high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /{conversation_id}/hooks.

A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /{conversation_id}/hooks.

openhands/app_server/app_conversation/app_conversation_router.py:1293

high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /{conversation_id}/skills.

A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /{conversation_id}/skills.

openhands/app_server/app_conversation/app_conversation_router.py:1194

high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /{conversation_id}/{event_id}.

A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /{conversation_id}/{event_id}.

enterprise/server/sharing/shared_event_router.py:188

high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /{sandbox_id}/pause.

A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /{sandbox_id}/pause.

openhands/app_server/sandbox/sandbox_router.py:84

high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PUT /{secret_id}.

A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PUT /{secret_id}.

openhands/app_server/secrets/secrets_router.py:294

low Security checks quality Quality conf 1.00 ✓ Repobility [MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.

Review and fix per the pattern semantics. See CWE-705 / for context.

.github/scripts/find_prs_between_commits.py:144

high Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED020] Logging Credential Via Fstring: logger.error(f"failed for {api_key}") — secrets end up in log aggregators / sentry.

Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context.

3 files, 3 locations

enterprise/integrations/bitbucket/bitbucket_service.py:21

enterprise/integrations/bitbucket_data_center/bitbucket_dc_service.py:21

enterprise/integrations/github/github_service.py:23

high Security checks quality Quality conf 1.00 ✓ Repobility 25 occurrences `self.generate_api_key` used but never assigned in __init__

Method `create_api_key` of class `ApiKeyStore` reads `self.generate_api_key`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.

7 files, 25 locations

enterprise/storage/auth_token_store.py:79, 92, 143, 152, 182, 192, 259, 275 (8 hits)

enterprise/storage/api_key_store.py:75, 125, 182, 281, 326, 391 (6 hits)

enterprise/storage/saas_settings_store.py:139, 185, 249, 326, 354, 358 (6 hits)

enterprise/storage/org_app_settings_store.py:50, 65 (2 hits)

enterprise/storage/device_code.py:71

enterprise/storage/gitlab_webhook_store.py:172

enterprise/storage/proactive_conversation_store.py:47

high Security checks software dependencies conf 0.88 authlib: PYSEC-2026-188

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an HTTP 302 to an attac…

enterprise/poetry.lock

high Security checks software dependencies conf 0.88 authlib: PYSEC-2026-25

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11.

enterprise/poetry.lock

high Security checks quality Quality conf 1.00 ✓ Repobility 5 occurrences Blocking call `requests.post` inside async function `jira_callback`

`requests.post` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress.

2 files, 5 locations

enterprise/server/routes/integration/jira.py:483, 493, 523 (3 hits)

enterprise/server/routes/integration/jira_dc.py:814, 828 (2 hits)

high Security checks cicd CI/CD security conf 0.95 Docker final stage runs as root

The final runtime stage explicitly uses root. A compromised app process would have root inside the container.

containers/app/Dockerfile:100 CI/CD securitycontainers

high Security checks software dependencies conf 0.90 ✓ Repobility 3 occurrences Dockerfile FROM `node:25.9-trixie-slim` not pinned by digest

`FROM node:25.9-trixie-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.

2 files, 3 locations

containers/app/Dockerfile:2, 11 (2 hits)

containers/dev/Dockerfile:4

high Security checks cicd CI/CD security conf 0.92 Dockerfile pipes a remote script into a shell

Piping downloaded code directly into a shell bypasses checksum verification and makes builds dependent on mutable remote content.

enterprise/Dockerfile:11 CI/CD securitycontainers

high Security checks cicd CI/CD security conf 0.92 Dockerfile pipes a remote script into a shell

Piping downloaded code directly into a shell bypasses checksum verification and makes builds dependent on mutable remote content.

containers/dev/Dockerfile:65 CI/CD securitycontainers

high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI DELETE /users/{user_id}/orgs/{org_id}/api-keys/{key_name} has no auth

Handler `delete_user_api_key` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

enterprise/server/routes/service.py:215

high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /accept_tos has no auth

Handler `accept_tos` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

enterprise/server/routes/auth.py:859

high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /app has no auth

Handler `update_org_app_settings` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

enterprise/server/routes/orgs.py:440

high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /app has no auth

Handler `update_user_app_settings` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

enterprise/server/routes/user_app_settings.py:73

high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /authenticate has no auth

Handler `authenticate` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

enterprise/server/routes/auth.py:675

high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /authorize has no auth

Handler `device_authorization` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

enterprise/server/routes/oauth_device.py:89

high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /complete_onboarding has no auth

Handler `complete_onboarding` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

enterprise/server/routes/auth.py:1000

high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /connections/{workspace_id}/events has no auth

Handler `jira_dc_connection_events` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

enterprise/server/routes/integration/jira_dc.py:364

high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /events has no auth

Handler `jira_events` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

enterprise/server/routes/integration/jira.py:282

high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /github-proxy/{subdomain}/login/oauth/access_token has no auth

Handler `access_token` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

enterprise/server/routes/github_proxy.py:83

high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /github-proxy/{subdomain}/{path:path} has no auth

Handler `post_proxy` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

enterprise/server/routes/github_proxy.py:103

high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /gitlab/events has no auth

Handler `gitlab_events` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

enterprise/server/routes/integration/gitlab.py:83

high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /logout has no auth

Handler `logout` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

enterprise/server/routes/auth.py:1063

high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /token has no auth

Handler `device_token` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

enterprise/server/routes/oauth_device.py:126

high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /users/{user_id}/orgs/{org_id}/api-keys has no auth

Handler `get_or_create_api_key_for_user` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

enterprise/server/routes/service.py:112

high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /workspaces has no auth

Handler `create_jira_workspace` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

enterprise/server/routes/integration/jira.py:338

high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /workspaces has no auth

Handler `create_jira_dc_workspace` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

enterprise/server/routes/integration/jira_dc.py:466

high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /workspaces/link has no auth

Handler `create_workspace_link` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

enterprise/server/routes/integration/jira.py:402

high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /workspaces/link has no auth

Handler `create_workspace_link` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

enterprise/server/routes/integration/jira_dc.py:713

high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /workspaces/status has no auth

Handler `update_jira_dc_workspace_status` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

enterprise/server/routes/integration/jira_dc.py:677

high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /workspaces/unlink has no auth

Handler `unlink_workspace` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

enterprise/server/routes/integration/jira.py:662

high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /workspaces/unlink has no auth

Handler `unlink_workspace` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

enterprise/server/routes/integration/jira_dc.py:1010

high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI PUT /resend has no auth

Handler `resend_email_verification` is registered with router/app.put(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

enterprise/server/routes/email.py:117

high Security checks software dependencies conf 0.88 glob: GHSA-5j98-mcp5-4vw2

glob CLI: Command injection via -c/--cmd executes matches with shell:true

openhands-ui/bun.lock

high Security checks software dependencies conf 0.88 lodash: GHSA-r5fr-rjxr-66jc

lodash vulnerable to Code Injection via `_.template` imports key names

openhands-ui/bun.lock

high Security checks software dependencies conf 0.88 minimatch: GHSA-23c5-xmqv-rm74

minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions

openhands-ui/bun.lock

high Security checks software dependencies conf 0.88 minimatch: GHSA-3ppc-4f35-3m26

minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern

openhands-ui/bun.lock

high Security checks software dependencies conf 0.88 minimatch: GHSA-7r86-cg39-jmmj

minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments

openhands-ui/bun.lock

high Security checks software dependencies conf 0.88 picomatch: GHSA-c2c7-rcm5-vvqj

Picomatch has a ReDoS vulnerability via extglob quantifiers

openhands-ui/bun.lock

high Security checks software dependencies conf 0.88 playwright: GHSA-7mvr-c777-76hp

Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate

openhands-ui/bun.lock

high Security checks software dependencies conf 0.90 ✓ Repobility 7 occurrences pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v5.0.0`

`.pre-commit-config.yaml` references `https://github.com/pre-commit/pre-commit-hooks` at `rev: v5.0.0`. If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine.

2 files, 7 locations

dev_config/python/.pre-commit-config.yaml:2, 21, 27, 45 (4 hits)

enterprise/dev_config/python/.pre-commit-config.yaml:2, 15, 37 (3 hits)

high Security checks software dependencies conf 0.88 3 occurrences py: PYSEC-2022-42969

The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.

3 files, 3 locations

enterprise/poetry.lock

poetry.lock

uv.lock

high Security checks software dependencies conf 0.88 3 occurrences pyjwt: PYSEC-2026-175

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen() which uses Python stdlib's default OpenerDirector registering HTTPHandler, HTTPSHandler, FTPHandler, FileHandler, and DataHandler. There is currently no docu…

3 files, 3 locations

enterprise/poetry.lock

poetry.lock

uv.lock

high Security checks software dependencies conf 0.88 3 occurrences pyjwt: PYSEC-2026-177

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.get_signing_key() forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited out…

3 files, 3 locations

enterprise/poetry.lock

poetry.lock

uv.lock

high Security checks software dependencies conf 0.88 3 occurrences pyjwt: PYSEC-2026-178

PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option ("b64": false, RFC 7797), PyJWT performs Base64URL decoding of the compact-serialization payload segment before enforcing the detached-payload rules. For b…

3 files, 3 locations

enterprise/poetry.lock

poetry.lock

uv.lock

high Security checks software dependencies conf 0.88 3 occurrences pyjwt: PYSEC-2026-179

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the secre…

3 files, 3 locations

enterprise/poetry.lock

poetry.lock

uv.lock

high Security checks software dependencies conf 0.88 react-router: GHSA-49rj-9fvp-4h2h

React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE

frontend/package-lock.json

high Security checks software dependencies conf 0.88 react-router: GHSA-8646-j5j9-6r62

React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets

frontend/package-lock.json

high Security checks software dependencies conf 0.88 react-router: GHSA-8x6r-g9mw-2r78

React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint

frontend/package-lock.json

high Security checks software dependencies conf 0.88 react-router: GHSA-rxv8-25v2-qmq8

React Router vulnerable to Denial of Service via reflected user input in single-fetch

frontend/package-lock.json

high Security checks software dependencies conf 0.88 rollup: GHSA-mw96-cpmx-2vgc

Rollup 4 has Arbitrary File Write via Path Traversal

openhands-ui/bun.lock

high Security checks software dependencies conf 0.88 3 occurrences starlette: PYSEC-2026-161

BadHost: Missing Host header validation poisons request.url.path, bypassing path-based security checks

3 files, 3 locations

enterprise/poetry.lock

poetry.lock

uv.lock

high Security checks software dependencies conf 0.88 storybook: GHSA-8452-54wp-rmv6

Storybook manager bundle may expose environment variables during build

openhands-ui/bun.lock

high Security checks software dependencies conf 0.88 storybook: GHSA-mjf5-7g4m-gx5w

Storybook Dev Server is Vulnerable to WebSocket Hijacking

openhands-ui/bun.lock

high Security checks software dependencies conf 0.88 tar: GHSA-34x7-hfp2-rc4v

node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal

openhands-ui/bun.lock

high Security checks software dependencies conf 0.88 tar: GHSA-83g3-92jg-28cx

Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction

openhands-ui/bun.lock

high Security checks software dependencies conf 0.88 tar: GHSA-8qq5-rm4j-mr97

node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization

openhands-ui/bun.lock

high Security checks software dependencies conf 0.88 tar: GHSA-9ppj-qmqm-q256

node-tar Symlink Path Traversal via Drive-Relative Linkpath

openhands-ui/bun.lock

high Security checks software dependencies conf 0.88 tar: GHSA-qffp-2rhf-9h96

tar has Hardlink Path Traversal via Drive-Relative Linkpath

openhands-ui/bun.lock

high Security checks software dependencies conf 0.88 tar: GHSA-r6q2-hw4h-h46w

Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS

openhands-ui/bun.lock

high Security checks software dependencies conf 0.88 vite: GHSA-p9ff-h696-f583

Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket

openhands-ui/bun.lock

high Security checks software dependencies conf 0.90 ✓ Repobility 2 occurrences Workflow container/services image `ghcr.io/openhands/openhands` unpinned

`container/services image: ghcr.io/openhands/openhands` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.

lines 30, 39

.github/workflows/ghcr-build.yml:30, 39 (2 hits)

high System graph quality Integrity conf 1.00 Blocking `requests.get(...)` inside `async def jira_callback` — enterprise/server/routes/integration/jira.py:493

Sync I/O inside an async function blocks the event loop. While `requests.get(...)` is running, *all* other coroutines on this loop are paused — silent throughput collapse under concurrency. Use the async equivalent (`httpx.AsyncClient`, `asyncio.sleep`, `aiofiles`) or wrap with `await asyncio.to_th…

enterprise/server/routes/integration/jira.py:493 Sync io in asyncPerformance

high System graph quality Integrity conf 1.00 Blocking `requests.get(...)` inside `async def jira_callback` — enterprise/server/routes/integration/jira.py:523

Sync I/O inside an async function blocks the event loop. While `requests.get(...)` is running, *all* other coroutines on this loop are paused — silent throughput collapse under concurrency. Use the async equivalent (`httpx.AsyncClient`, `asyncio.sleep`, `aiofiles`) or wrap with `await asyncio.to_th…

enterprise/server/routes/integration/jira.py:523 Sync io in asyncPerformance

high System graph quality Integrity conf 1.00 Blocking `requests.get(...)` inside `async def jira_dc_callback` — enterprise/server/routes/integration/jira_dc.py:828

Sync I/O inside an async function blocks the event loop. While `requests.get(...)` is running, *all* other coroutines on this loop are paused — silent throughput collapse under concurrency. Use the async equivalent (`httpx.AsyncClient`, `asyncio.sleep`, `aiofiles`) or wrap with `await asyncio.to_th…

enterprise/server/routes/integration/jira_dc.py:828 Sync io in asyncPerformance

high System graph quality Integrity conf 1.00 Blocking `requests.post(...)` inside `async def jira_callback` — enterprise/server/routes/integration/jira.py:483

Sync I/O inside an async function blocks the event loop. While `requests.post(...)` is running, *all* other coroutines on this loop are paused — silent throughput collapse under concurrency. Use the async equivalent (`httpx.AsyncClient`, `asyncio.sleep`, `aiofiles`) or wrap with `await asyncio.to_t…

enterprise/server/routes/integration/jira.py:483 Sync io in asyncPerformance

high System graph quality Integrity conf 1.00 Blocking `requests.post(...)` inside `async def jira_dc_callback` — enterprise/server/routes/integration/jira_dc.py:814

Sync I/O inside an async function blocks the event loop. While `requests.post(...)` is running, *all* other coroutines on this loop are paused — silent throughput collapse under concurrency. Use the async equivalent (`httpx.AsyncClient`, `asyncio.sleep`, `aiofiles`) or wrap with `await asyncio.to_t…

enterprise/server/routes/integration/jira_dc.py:814 Sync io in asyncPerformance

high System graph api Wiring conf 1.00 Dangling fetch: POST /oauth/device/verify-authenticated (frontend/src/routes/device-verify.tsx:29)

`frontend/src/routes/device-verify.tsx:29` calls `POST /oauth/device/verify-authenticated` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/oauth/device/verify-authenticated` If this points at an external API, prefix …

Dangling fetchFetch

high System graph hardware Supply chain conf 1.00 Dockerfile pipes a remote installer into a shell

Executing downloaded code during image build gives the remote endpoint build-time code execution. Prefer pinned packages or verify downloaded installers by checksum/signature.

containers/dev/Dockerfile:65 containersRemote installer

high System graph security auth conf 1.00 FastAPI DELETE `delete_app_conversation` without auth dependency — openhands/app_server/app_conversation/app_conversation_router.py:779

`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.

openhands/app_server/app_conversation/app_conversation_router.py:779 securityAuth fastapi unauth mutation

high System graph security auth conf 1.00 FastAPI DELETE `delete_custom_secret` without auth dependency — openhands/app_server/secrets/secrets_router.py:348

`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.

openhands/app_server/secrets/secrets_router.py:348 securityAuth fastapi unauth mutation

high System graph security auth conf 1.00 FastAPI DELETE `delete_sandbox` without auth dependency — openhands/app_server/sandbox/sandbox_router.py:108

`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.

openhands/app_server/sandbox/sandbox_router.py:108 securityAuth fastapi unauth mutation

high System graph security auth conf 1.00 FastAPI DELETE `unset_provider_tokens` without auth dependency — openhands/app_server/secrets/secrets_router.py:155

`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.

openhands/app_server/secrets/secrets_router.py:155 securityAuth fastapi unauth mutation

high System graph security auth conf 1.00 FastAPI PATCH `update_app_conversation` without auth dependency — openhands/app_server/app_conversation/app_conversation_router.py:409

`@router.patch` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.

openhands/app_server/app_conversation/app_conversation_router.py:409 securityAuth fastapi unauth mutation

high System graph security auth conf 1.00 FastAPI POST `access_token` without auth dependency — enterprise/server/routes/github_proxy.py:82

`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.

enterprise/server/routes/github_proxy.py:82 securityAuth fastapi unauth mutation

high System graph security auth conf 1.00 FastAPI POST `create_custom_secret` without auth dependency — openhands/app_server/secrets/secrets_router.py:249

`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.

openhands/app_server/secrets/secrets_router.py:249 securityAuth fastapi unauth mutation

high System graph security auth conf 1.00 FastAPI POST `on_conversation_update` without auth dependency — openhands/app_server/event_callback/webhook_router.py:299

`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.

openhands/app_server/event_callback/webhook_router.py:299 securityAuth fastapi unauth mutation

high System graph security auth conf 1.00 FastAPI POST `on_event` without auth dependency — openhands/app_server/event_callback/webhook_router.py:408

`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.

openhands/app_server/event_callback/webhook_router.py:408 securityAuth fastapi unauth mutation

high System graph security auth conf 1.00 FastAPI POST `pause_sandbox` without auth dependency — openhands/app_server/sandbox/sandbox_router.py:84

`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.

openhands/app_server/sandbox/sandbox_router.py:84 securityAuth fastapi unauth mutation

high System graph security auth conf 1.00 FastAPI POST `post_proxy` without auth dependency — enterprise/server/routes/github_proxy.py:102

`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.

enterprise/server/routes/github_proxy.py:102 securityAuth fastapi unauth mutation

high System graph security auth conf 1.00 FastAPI POST `queue_pending_message` without auth dependency — openhands/app_server/pending_messages/pending_message_router.py:34

`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.

openhands/app_server/pending_messages/pending_message_router.py:34 securityAuth fastapi unauth mutation

high System graph security auth conf 1.00 FastAPI POST `resume_sandbox` without auth dependency — openhands/app_server/sandbox/sandbox_router.py:95

`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.

openhands/app_server/sandbox/sandbox_router.py:95 securityAuth fastapi unauth mutation

high System graph security auth conf 1.00 FastAPI POST `send_message_to_conversation` without auth dependency — openhands/app_server/app_conversation/app_conversation_router.py:425

`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.

openhands/app_server/app_conversation/app_conversation_router.py:425 securityAuth fastapi unauth mutation

high System graph security auth conf 1.00 FastAPI POST `start_app_conversation` without auth dependency — openhands/app_server/app_conversation/app_conversation_router.py:359

`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.

openhands/app_server/app_conversation/app_conversation_router.py:359 securityAuth fastapi unauth mutation

high System graph security auth conf 1.00 FastAPI POST `start_sandbox` without auth dependency — openhands/app_server/sandbox/sandbox_router.py:75

`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.

openhands/app_server/sandbox/sandbox_router.py:75 securityAuth fastapi unauth mutation

high System graph security auth conf 1.00 FastAPI POST `store_settings` without auth dependency — openhands/app_server/settings/settings_router.py:185

`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.

openhands/app_server/settings/settings_router.py:185 securityAuth fastapi unauth mutation

high System graph security auth conf 1.00 FastAPI POST `stream_app_conversation_start` without auth dependency — openhands/app_server/app_conversation/app_conversation_router.py:868

`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.

openhands/app_server/app_conversation/app_conversation_router.py:868 securityAuth fastapi unauth mutation

high System graph security auth conf 1.00 FastAPI PUT `update_custom_secret` without auth dependency — openhands/app_server/secrets/secrets_router.py:294

`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.

openhands/app_server/secrets/secrets_router.py:294 securityAuth fastapi unauth mutation

medium Security checks security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.

The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.

high Security checks security auth conf 0.74 [AUC002] Low visible authorization coverage in route inventory: Only 31.8% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.

Only 31.8% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.

high Security checks security auth conf 0.66 2 occurrences [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /{org_id}/settings.

An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /{org_id}/settings.

lines 18, 258

enterprise/server/auth/authorization.py:18, 258 (2 hits)

high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /{sandbox_id}/settings/secrets.

An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /{sandbox_id}/settings/secrets.

openhands/app_server/sandbox/sandbox_router.py:154

high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /{sandbox_id}/settings/secrets/{secret_name}.

An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /{sandbox_id}/settings/secrets/{secret_name}.

openhands/app_server/sandbox/sandbox_router.py:185

high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: PATCH /{org_id}/settings.

An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: PATCH /{org_id}/settings.

enterprise/server/auth/authorization.py:26

high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /endpoint.

An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /endpoint.

enterprise/server/email_validation.py:36

high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /{conversation_id}.

A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /{conversation_id}.

openhands/app_server/app_conversation/app_conversation_router.py:779

high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /{id}.

A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /{id}.

openhands/app_server/sandbox/sandbox_router.py:108

high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /{org_id}/profiles/{name}.

A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /{org_id}/profiles/{name}.

enterprise/server/routes/org_profiles.py:233

high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /{secret_id}.

A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /{secret_id}.

openhands/app_server/secrets/secrets_router.py:348

high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /oauth2/userinfo.

A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /oauth2/userinfo.

enterprise/server/routes/bitbucket_dc_proxy.py:19

high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /{conversation_id}/download.

A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /{conversation_id}/download.

openhands/app_server/app_conversation/app_conversation_router.py:1437

high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /{org_id}/profiles.

A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /{org_id}/profiles.

enterprise/server/routes/org_profiles.py:164

high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /{org_id}/profiles/{name}.

A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /{org_id}/profiles/{name}.

enterprise/server/routes/org_profiles.py:181

high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /{org_id}/profiles/{name}.

A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /{org_id}/profiles/{name}.

enterprise/server/routes/org_profiles.py:202

high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /{org_id}/profiles/{name}/rename.

A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /{org_id}/profiles/{name}/rename.

enterprise/server/routes/org_profiles.py:344

medium Security checks security auth conf 0.72 [AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements.

FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements.

low Security checks quality Error handling conf 1.00 3 occurrences [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.

Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.

3 files, 3 locations

enterprise/integrations/jira/jira_v1_callback_processor.py:189

enterprise/integrations/jira_dc/jira_dc_v1_callback_processor.py:199

enterprise/server/routes/email.py:128

medium Security checks software Open redirect conf 1.00 3 occurrences [SEC046] Client-side open redirect — window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). Complement to server-side SEC030.

Validate the URL is same-origin or on an explicit allowlist before assignment: const u = new URL(serverUrl, location.href); if (u.origin !== location.origin && !ALLOWED.includes(u.host)) return; location.assign(u); Even better: have the server return a path (/checkout/done) instead of a full …

3 files, 3 locations

frontend/src/components/features/settings/git-settings/configure-azure-devops-anchor.tsx:22

frontend/src/hooks/mutation/stripe/use-create-stripe-checkout-session.ts:10

frontend/src/hooks/mutation/use-accept-tos.ts:39

low Security checks quality Quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.

Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.

openhands/app_server/user/skills_router.py:40

medium Security checks software dependencies conf 0.88 3 occurrences aiohttp: GHSA-hg6j-4rv6-33pg

AIOHTTP is vulnerable to cross-origin redirect with per-request cookies

3 files, 3 locations

enterprise/poetry.lock

poetry.lock

uv.lock

medium Security checks software dependencies conf 0.88 3 occurrences aiohttp: GHSA-jg22-mg44-37j8

AIOHTTP is Vulnerable to Deserialization of Untrusted Data

3 files, 3 locations

enterprise/poetry.lock

poetry.lock

uv.lock

medium Security checks software dependencies conf 0.88 2 occurrences ajv: GHSA-2g4f-4pwh-qvx6

ajv has ReDoS when using `$data` option

2 files, 2 locations

frontend/package-lock.json

openhands-ui/bun.lock

medium Security checks software dependencies conf 0.88 authlib: GHSA-r95x-qfjj-fjj2

Authlib OIDC Implicit/Hybrid Authorization Vulnerable to Open Redirect

uv.lock

medium Security checks software dependencies conf 0.88 2 occurrences brace-expansion: GHSA-f886-m6hf-6m8v

brace-expansion: Zero-step sequence causes process hang and memory exhaustion

2 files, 2 locations

frontend/package-lock.json

openhands-ui/bun.lock

low Security checks quality Error handling conf 0.55 ✓ Repobility 20 occurrences Broad exception handler needs review

This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.

12 files, 16 locations

enterprise/enterprise_local/convert_to_env.py:50, 71 (2 hits)

enterprise/integrations/github/data_collector.py:121, 181 (2 hits)

enterprise/server/routes/auth.py:151, 681 (2 hits)

openhands/app_server/app_conversation/skill_loader.py:77, 99 (2 hits)

enterprise/integrations/gitlab/gitlab_service.py:435

enterprise/integrations/utils.py:352

enterprise/run_maintenance_tasks.py:52

enterprise/server/routes/integration/jira_dc.py:1037

Error handlingquality

high Security checks security auth conf 0.82 2 occurrences Browser storage is used for session token material

localStorage and sessionStorage are readable by injected JavaScript. For sensitive sessions, this turns XSS into account compromise.

lines 44, 57

frontend/src/hooks/use-invitation.ts:44, 57 (2 hits)

medium Security checks cicd CI/CD security conf 0.94 Compose service `openhands` image uses the latest tag

The latest tag is mutable and can change without a code review, producing different images from the same source.

docker-compose.yml:2 CI/CD securitycontainers

high Security checks cicd CI/CD security conf 0.82 Docker final stage has no non-root USER

Docker images run as root unless the image or Dockerfile switches to a non-root user.

containers/dev/Dockerfile:92 CI/CD securitycontainers

medium Security checks cicd CI/CD security conf 0.86 Dockerfile separates apt update from install

Splitting apt update and install across layers can reuse stale package indexes and make builds less reliable.

containers/dev/Dockerfile:49 CI/CD securitycontainers

high Security checks quality Quality conf 0.74 14 occurrences Frontend API reference is not matched by discovered backend routes

A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys.

7 files, 14 locations

frontend/src/api/api-keys.ts:24, 34, 45 (3 hits)

frontend/src/api/auth-service/auth-service.api.ts:20, 33, 47 (3 hits)

frontend/src/api/billing-service/billing-service.api.ts:14, 28, 39 (3 hits)

frontend/src/api/config-service/config-service.api.ts:27, 37 (2 hits)

frontend/src/api/analytics-service/analytics-events.api.ts:38

frontend/src/api/conversation-service/conversation-service.api.ts:40

frontend/src/api/conversation-service/v1-conversation-service.api.ts:26

medium Security checks software dependencies conf 0.88 i18next-http-backend: GHSA-q89c-q3h5-w34g

i18next-http-backend has Path Traversal & URL Injection via Unsanitised lng/ns

frontend/package-lock.json

medium Security checks software dependencies conf 0.88 3 occurrences idna: GHSA-65pc-fj4g-8rjx

Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix

3 files, 3 locations

enterprise/poetry.lock

poetry.lock

uv.lock

medium Security checks software dependencies conf 0.88 lodash: GHSA-f23m-r3pf-42rh

lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`

openhands-ui/bun.lock

medium Security checks software dependencies conf 0.88 lodash: GHSA-xxjr-mmjv-4gpg

Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions

openhands-ui/bun.lock

medium Security checks software dependencies conf 0.90 npm package `@heroui/react` is 1 major version(s) behind (2.8.8 -> 3.1.0)

`@heroui/react` is pinned/resolved at 2.8.8 but the latest stable release on the npm registry is 3.1.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.

frontend/package.json

medium Security checks software dependencies conf 0.90 npm package `@vitejs/plugin-react` is 2 major version(s) behind (^4.5.2 -> 6.0.2)

`@vitejs/plugin-react` is pinned/resolved at ^4.5.2 but the latest stable release on the npm registry is 6.0.2 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs rai…

openhands-ui/package.json

medium Security checks software dependencies conf 0.90 npm package `@vitest/browser` is 1 major version(s) behind (^3.2.4 -> 4.1.8)

`@vitest/browser` is pinned/resolved at ^3.2.4 but the latest stable release on the npm registry is 4.1.8 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.

openhands-ui/package.json

medium Security checks software dependencies conf 0.90 npm package `focus-trap-react` is 1 major version(s) behind (^11.0.4 -> 12.0.2)

`focus-trap-react` is pinned/resolved at ^11.0.4 but the latest stable release on the npm registry is 12.0.2 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.

openhands-ui/package.json

medium Security checks software dependencies conf 0.90 npm package `i18next-http-backend` is 1 major version(s) behind (3.0.2 -> 4.0.0)

`i18next-http-backend` is pinned/resolved at 3.0.2 but the latest stable release on the npm registry is 4.0.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs rais…

frontend/package.json

medium Security checks software dependencies conf 0.90 npm package `jsdom` is 2 major version(s) behind (27.4.0 -> 29.1.1)

`jsdom` is pinned/resolved at 27.4.0 but the latest stable release on the npm registry is 29.1.1 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.

frontend/package.json

medium Security checks software dependencies conf 0.90 npm package `lint-staged` is 1 major version(s) behind (16.2.7 -> 17.0.7)

`lint-staged` is pinned/resolved at 16.2.7 but the latest stable release on the npm registry is 17.0.7 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.

frontend/package.json

medium Security checks software dependencies conf 0.90 npm package `vite-plugin-dts` is 1 major version(s) behind (^4.5.4 -> 5.0.2)

`vite-plugin-dts` is pinned/resolved at ^4.5.4 but the latest stable release on the npm registry is 5.0.2 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.

openhands-ui/package.json

medium Security checks software dependencies conf 0.88 picomatch: GHSA-3v7f-55p6-f55p

Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching

openhands-ui/bun.lock

medium Security checks software dependencies conf 0.88 2 occurrences postcss: GHSA-qx2v-qp2m-jg93

PostCSS has XSS via Unescaped </style> in its CSS Stringify Output

2 files, 2 locations

frontend/package-lock.json

openhands-ui/bun.lock

medium Security checks software dependencies conf 0.88 protobufjs: GHSA-jggg-4jg4-v7c6

protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion

frontend/package-lock.json

medium Security checks quality Quality conf 0.78 Public web service has no security.txt

security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt.

.well-known/security.txt

medium Security checks software dependencies conf 0.90 Python package `aiofiles` is 1 major version(s) behind (24.1.0 -> 25.1.0)

poetry.lock pins `aiofiles` at 24.1.0 but the latest stable release on PyPI is 25.1.0 (1 major version(s) behind).

poetry.lock

medium Security checks software dependencies conf 0.90 Python package `cachetools` is 2 major version(s) behind (5.5.2 -> 7.1.4)

poetry.lock pins `cachetools` at 5.5.2 but the latest stable release on PyPI is 7.1.4 (2 major version(s) behind).

poetry.lock

medium Security checks software dependencies conf 0.88 qs: GHSA-q8mj-m7cp-5q26

qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set

frontend/package-lock.json

medium Security checks software dependencies conf 0.88 react-router: GHSA-2j2x-hqr9-3h42

React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation

frontend/package-lock.json

medium Security checks software dependencies conf 0.88 react-router: GHSA-f22v-gfqf-p8f3

React Router has stored XSS via unescaped Location header in prerendered redirect HTML

frontend/package-lock.json

high Security checks software dependencies conf 0.70 Remote install command pipes network code directly to a shell

Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified.

.devcontainer/setup.sh:11

medium Security checks software dependencies conf 0.88 vite: GHSA-4w7w-66w2-5vf9

Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling

openhands-ui/bun.lock

medium Security checks software dependencies conf 0.88 vite: GHSA-93m4-6634-74q7

vite allows server.fs.deny bypass via backslash on Windows

openhands-ui/bun.lock

medium Security checks software dependencies conf 0.88 2 occurrences ws: GHSA-58qx-3vcg-4xpx

ws: Uninitialized memory disclosure

2 files, 2 locations

frontend/package-lock.json

openhands-ui/bun.lock

medium Security checks software dependencies conf 0.88 2 occurrences yaml: GHSA-48c2-rrv3-qjmp

yaml is vulnerable to Stack Overflow via deeply nested YAML collections

2 files, 2 locations

frontend/package-lock.json

openhands-ui/bun.lock

medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — frontend/public/mockServiceWorker.js:238

Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.

runtime safetyRobustness

medium System graph hardware Security conf 1.00 Dockerfile runs as root: containers/app/Dockerfile

No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.

Container

medium System graph hardware Security conf 1.00 Dockerfile runs as root: containers/dev/Dockerfile

No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.

Container

medium System graph quality Integrity conf 1.00 Frontend route `/:conversationId` has no Link/navigate to it — frontend/__tests__/components/features/conversation/archived-conversation-view.test.tsx

The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.

Orphan pageWiring

medium System graph quality Integrity conf 1.00 Frontend route `/launch` has no Link/navigate to it — frontend/__tests__/routes/launch.test.tsx

The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.

Orphan pageWiring

medium System graph cicd CI/CD security conf 1.00 5 occurrences GitHub Actions workflow grants broad write permissions

CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.

5 files, 5 locations

.github/workflows/_build-image.yml

.github/workflows/lint-fix.yml

.github/workflows/pr-artifacts.yml

.github/workflows/py-tests.yml

.github/workflows/tag-image.yml

CI/CD securitySupply chainGithub actions

medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — enterprise/server/config.py:112

`requests.get(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.

runtime safetyRobustness

medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — enterprise/server/routes/integration/jira.py:483

`requests.post(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.

runtime safetyRobustness

medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — enterprise/server/routes/integration/jira_dc.py:814

`requests.post(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.

runtime safetyRobustness

medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — openhands/app_server/utils/git.py:14

`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.

runtime safetyRobustness

medium System graph network Security conf 1.00 Privileged port 30 in use

Port 30 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.

.github/workflows/stale.yml Ports

low Security checks cicd CI/CD security conf 0.72 .dockerignore misses sensitive defaults

.dockerignore exists but does not cover common secret or VCS patterns.

.dockerignore CI/CD securitycontainers

low Security checks software Race condition conf 1.00 [SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). `mktemp` is deprecated for the same reason.

Use `os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY)` for atomic create-only. Use `tempfile.NamedTemporaryFile()` (not `mktemp`). For locking, use `fcntl.flock`.

openhands/app_server/file_store/local.py:62

high Security checks cicd CI/CD security conf 0.56 Compose service does not declare a runtime user

If the image does not define USER internally, this service may run as root.

docker-compose.yml:2 CI/CD securitycontainers

high Security checks cicd CI/CD security conf 0.56 Compose service does not declare a runtime user

If the image does not define USER internally, this service may run as root.

containers/dev/compose.yml:2 CI/CD securitycontainers

high Security checks cicd CI/CD security conf 0.62 Compose service lacks no-new-privileges hardening

no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities.

docker-compose.yml:2 CI/CD securitycontainers

high Security checks cicd CI/CD security conf 0.62 Compose service lacks no-new-privileges hardening

no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities.

containers/dev/compose.yml:2 CI/CD securitycontainers

low Security checks cicd CI/CD security conf 0.72 9 occurrences Dockerfile installs recommended OS packages

Installing recommended packages often pulls in unnecessary runtime surface area.

3 files, 9 locations

containers/dev/Dockerfile:7, 17, 33, 59, 65, 94 (6 hits)

containers/app/Dockerfile:25, 54 (2 hits)

enterprise/Dockerfile:11

CI/CD securitycontainers

high Security checks cicd CI/CD security conf 0.72 3 occurrences Dockerfile keeps pip download cache

Pip's package cache increases image size and can preserve unnecessary artifacts.

2 files, 3 locations

enterprise/Dockerfile:27, 32 (2 hits)

containers/app/Dockerfile:25

CI/CD securitycontainers

low Security checks cicd CI/CD security conf 0.74 3 occurrences Dockerfile leaves apt package indexes in the image layer

Package indexes increase image size and can expose stale metadata in the final image layer.

2 files, 3 locations

containers/dev/Dockerfile:7, 59 (2 hits)

containers/app/Dockerfile:25

CI/CD securitycontainers

low Security checks quality Quality conf 0.60 30 occurrences Duplicated implementation block across source files

Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.

12 files, 21 locations

enterprise/integrations/jira_dc/jira_dc_v1_callback_processor.py:16, 20, 90, 108 (4 hits)

enterprise/integrations/jira/jira_v1_callback_processor.py:6, 81, 99 (3 hits)

enterprise/integrations/slack/slack_v1_callback_processor.py:10, 106, 195 (3 hits)

enterprise/integrations/gitlab/gitlab_v1_callback_processor.py:6, 109 (2 hits)

enterprise/integrations/gitlab/gitlab_view.py:88, 89 (2 hits)

enterprise/integrations/bitbucket_data_center/bitbucket_dc_manager.py:316

enterprise/integrations/bitbucket_data_center/bitbucket_dc_v1_callback_processor.py:6

enterprise/integrations/bitbucket_data_center/bitbucket_dc_view.py:8

duplicationquality

low Security checks software dependencies conf 0.90 npm package `@microlink/react-json-view` is minor version(s) behind (1.27.1 -> 1.31.20)

`@microlink/react-json-view` is pinned/resolved at 1.27.1 but the latest stable release on the npm registry is 1.31.20 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update P…

frontend/package.json

low Security checks software dependencies conf 0.90 2 occurrences npm package `@react-router/serve` is minor version(s) behind (7.13.0 -> 7.17.0)

`@react-router/serve` is pinned/resolved at 7.13.0 but the latest stable release on the npm registry is 7.17.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.

2 occurrences

frontend/package.json (2 hits)

low Security checks software dependencies conf 0.90 npm package `@tanstack/eslint-plugin-query` is minor version(s) behind (5.100.10 -> 5.101.0)

`@tanstack/eslint-plugin-query` is pinned/resolved at 5.100.10 but the latest stable release on the npm registry is 5.101.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-upd…

frontend/package.json

low Security checks software dependencies conf 0.90 npm package `@tanstack/react-query` is minor version(s) behind (5.90.20 -> 5.101.0)

`@tanstack/react-query` is pinned/resolved at 5.90.20 but the latest stable release on the npm registry is 5.101.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs r…

frontend/package.json

low Security checks software dependencies conf 0.90 npm package `axios` is minor version(s) behind (1.16.0 -> 1.17.0)

`axios` is pinned/resolved at 1.16.0 but the latest stable release on the npm registry is 1.17.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.

frontend/package.json

low Security checks software dependencies conf 0.90 npm package `react-icons` is minor version(s) behind (5.5.0 -> 5.6.0)

`react-icons` is pinned/resolved at 5.5.0 but the latest stable release on the npm registry is 5.6.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.

frontend/package.json

low Security checks software dependencies conf 0.90 2 occurrences npm package `tailwind-merge` is minor version(s) behind (3.4.0 -> 3.6.0)

`tailwind-merge` is pinned/resolved at 3.4.0 but the latest stable release on the npm registry is 3.6.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.

2 files, 2 locations

frontend/package.json

openhands-ui/package.json

low Security checks software dependencies conf 0.90 Python package `agent-client-protocol` is minor version(s) behind (0.9.0 -> 0.10.1)

poetry.lock pins `agent-client-protocol` at 0.9.0 but the latest stable release on PyPI is 0.10.1 (minor version(s) behind).

poetry.lock

low Security checks software dependencies conf 0.90 Python package `aiofile` is minor version(s) behind (3.9.0 -> 3.11.1)

poetry.lock pins `aiofile` at 3.9.0 but the latest stable release on PyPI is 3.11.1 (minor version(s) behind).

poetry.lock

low Security checks software dependencies conf 0.90 Python package `anthropic` is minor version(s) behind (0.88.0 -> 0.105.2)

poetry.lock pins `anthropic` at 0.88.0 but the latest stable release on PyPI is 0.105.2 (minor version(s) behind).

poetry.lock

low Security checks software dependencies conf 0.90 Python package `anyio` is minor version(s) behind (4.9.0 -> 4.13.0)

poetry.lock pins `anyio` at 4.9.0 but the latest stable release on PyPI is 4.13.0 (minor version(s) behind).

poetry.lock

low Security checks software dependencies conf 0.90 Python package `asyncpg` is minor version(s) behind (0.30.0 -> 0.31.0)

poetry.lock pins `asyncpg` at 0.30.0 but the latest stable release on PyPI is 0.31.0 (minor version(s) behind).

poetry.lock

low Security checks software dependencies conf 0.90 Python package `authlib` is minor version(s) behind (1.6.12 -> 1.7.2)

poetry.lock pins `authlib` at 1.6.12 but the latest stable release on PyPI is 1.7.2 (minor version(s) behind).

poetry.lock

low Security checks software dependencies conf 0.90 Python package `binaryornot` is minor version(s) behind (0.4.4 -> 0.6.0)

poetry.lock pins `binaryornot` at 0.4.4 but the latest stable release on PyPI is 0.6.0 (minor version(s) behind).

poetry.lock

low Security checks software dependencies conf 0.90 Python package `browser-use-sdk` is minor version(s) behind (3.4.0 -> 3.8.1)

poetry.lock pins `browser-use-sdk` at 3.4.0 but the latest stable release on PyPI is 3.8.1 (minor version(s) behind).

poetry.lock

low Security checks software dependencies conf 0.90 Python package `browser-use` is minor version(s) behind (0.11.13 -> 0.12.9)

poetry.lock pins `browser-use` at 0.11.13 but the latest stable release on PyPI is 0.12.9 (minor version(s) behind).

poetry.lock

low Security checks software dependencies conf 0.90 Python package `browsergym-core` is minor version(s) behind (0.13.3 -> 0.14.3)

poetry.lock pins `browsergym-core` at 0.13.3 but the latest stable release on PyPI is 0.14.3 (minor version(s) behind).

poetry.lock

low Security checks software dependencies conf 0.90 Python package `build` is minor version(s) behind (1.4.2 -> 1.5.0)

poetry.lock pins `build` at 1.4.2 but the latest stable release on PyPI is 1.5.0 (minor version(s) behind).

poetry.lock

low Security checks software dependencies conf 0.90 Python package `certifi` is minor version(s) behind (2026.2.25 -> 2026.5.20)

poetry.lock pins `certifi` at 2026.2.25 but the latest stable release on PyPI is 2026.5.20 (minor version(s) behind).

poetry.lock

low Security checks software dependencies conf 0.90 Python package `click` is minor version(s) behind (8.1.8 -> 8.4.1)

poetry.lock pins `click` at 8.1.8 but the latest stable release on PyPI is 8.4.1 (minor version(s) behind).

poetry.lock

low Security checks software dependencies conf 0.90 Python package `clr-loader` is minor version(s) behind (0.2.10 -> 0.3.1)

poetry.lock pins `clr-loader` at 0.2.10 but the latest stable release on PyPI is 0.3.1 (minor version(s) behind).

poetry.lock

low Security checks software dependencies conf 0.90 Python package `cyclopts` is minor version(s) behind (4.10.1 -> 4.16.1)

poetry.lock pins `cyclopts` at 4.10.1 but the latest stable release on PyPI is 4.16.1 (minor version(s) behind).

poetry.lock

low Security checks software dependencies conf 0.90 Python package `decorator` is minor version(s) behind (5.2.1 -> 5.3.1)

poetry.lock pins `decorator` at 5.2.1 but the latest stable release on PyPI is 5.3.1 (minor version(s) behind).

poetry.lock

low Security checks software dependencies conf 0.90 Python package `docstring-parser` is minor version(s) behind (0.17.0 -> 0.18.0)

poetry.lock pins `docstring-parser` at 0.17.0 but the latest stable release on PyPI is 0.18.0 (minor version(s) behind).

poetry.lock

low Security checks software dependencies conf 0.90 Python package `docutils` is minor version(s) behind (0.22.4 -> 0.23)

poetry.lock pins `docutils` at 0.22.4 but the latest stable release on PyPI is 0.23 (minor version(s) behind).

poetry.lock

low Security checks software dependencies conf 0.90 Python package `fakeredis` is minor version(s) behind (2.34.1 -> 2.36.0)

poetry.lock pins `fakeredis` at 2.34.1 but the latest stable release on PyPI is 2.36.0 (minor version(s) behind).

poetry.lock

low Security checks software dependencies conf 0.88 vite: GHSA-g4jq-h2w9-997c

Vite middleware may serve files starting with the same name with the public directory

openhands-ui/bun.lock

low Security checks software dependencies conf 0.88 vite: GHSA-jqfw-vq24-v9c3

Vite's `server.fs` settings were not applied to HTML files

openhands-ui/bun.lock

low System graph quality Maintenance conf 1.00 56 TODO/FIXME markers

High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.

low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: node:25.9-trixie-slim

Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.

containers/app/Dockerfile:2 containersPinned dependencies

low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: python:3.13.7-slim-trixie

Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.

containers/app/Dockerfile:11 containersPinned dependencies

low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: ubuntu:26.04

Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.

containers/dev/Dockerfile:4 containersPinned dependencies

low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/__tests__/api/profiles-service.test.ts