Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
38 of your 71 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 4.15s · analysis 8.59s · 6.9 MB · GitHub API rate-limit (preflight)

sveltejs/svelte

https://github.com/sveltejs/svelte · scanned 2026-06-05 07:08 UTC (1 week, 1 day ago) · 10 languages

1192 raw signals (62 security + 1130 graph) 11/13 scanners ran 76th percentile · Javascript · large (100-500K LoC) System graph score 75 (higher by 10)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 1 week, 1 day ago · v2 · 567 actionable findings from 2 signal sources. 60 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
78.4
/100
Security checks
82
18 findings
System graph
75
77.8% cov · 549 findings
Critical
1
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 60.0 0.15 9.00
security_score 100.0 0.25 25.00
testing_score 85.0 0.20 17.00
documentation_score 88.0 0.15 13.20
practices_score 87.0 0.15 13.05
code_quality 80.0 0.10 8.00
Overall 1.00 85.2
security_score may be inflated — optional security scanners were skipped on this fast scan
Severity distribution — click a segment to filter
Active filters: severity: high × excluding tests × Reset all
Severity: Critical 1 High 6 Medium 8 Low 414 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 18 System graph 549 Crowd 0 Layer: Quality 59 Security 2 Cicd 5 Software 54 Frontend 442 Api 5
Scan summary Quality grade A- (85/100). Dimensions: security 100, maintainability 60. 62 findings (29 security). 397,297 lines analyzed.

Showing 6 of 567 actionable findings. 627 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

high Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState — React skips re-render on mutated reference.
Review and fix per the pattern semantics. See CWE-682 / for context.
3 files, 3 locations
packages/svelte/src/compiler/phases/2-analyze/css/css-analyze.js:55
packages/svelte/src/compiler/phases/2-analyze/visitors/ExportNamedDeclaration.js:57
packages/svelte/src/compiler/phases/2-analyze/visitors/ExportSpecifier.js:19
high System graph api Wiring conf 1.00 Dangling fetch: GET /api (packages/svelte/src/compiler/phases/3-transform/shared/transform-async.js:11)
`packages/svelte/src/compiler/phases/3-transform/shared/transform-async.js:11` calls `GET /api` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/` If this points at an external API, prefix it with `https://` so the ma…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api (packages/svelte/src/compiler/phases/3-transform/shared/transform-async.js:19)
`packages/svelte/src/compiler/phases/3-transform/shared/transform-async.js:19` calls `GET /api` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/` If this points at an external API, prefix it with `https://` so the ma…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /items/${id} (packages/svelte/src/index-client.js:58)
`packages/svelte/src/index-client.js:58` calls `GET /items/${id}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/items/<p>` If this points at an external API, prefix it with `https://` so the matcher skips it.
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://svelte.dev/playground/api/${id}.json (playgrounds/sandbox/scripts/download.js:734)
`playgrounds/sandbox/scripts/download.js:734` calls `GET https://svelte.dev/playground/api/${id}.json` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/svelte.dev/playground/api/<p>.json` If this points at an e…
Dangling fetchFetch
high System graph cicd CI/CD security conf 1.00 pull_request_target workflow appears to check out untrusted PR code
pull_request_target runs with base-repo privileges. Checking out PR head code in that context can expose repository tokens or secrets to attacker-controlled code.
.github/workflows/pkg.pr.new.yml CI/CD securitySupply chainGithub actions
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/39da5584-b756-4d91-a62c-f67af07c51a5/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/39da5584-b756-4d91-a62c-f67af07c51a5/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.