Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
64 of your 548 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 4.16s · analysis 86.46s · 17.3 MB · GitHub API rate-limit (preflight)

socketio/socket.io

https://github.com/socketio/socket.io · scanned 2026-06-05 09:06 UTC (1 week, 1 day ago) · 10 languages

832 raw signals (382 security + 450 graph) 48th percentile · Javascript · medium (20-100K LoC) System graph score 48 (higher by 17)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 1 week, 1 day ago · v2 · 400 actionable findings from 2 signal sources. 207 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
48.9
/100
Security checks
50
207 findings
System graph
48
100.0% cov · 193 findings
Critical
15
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 60.0 0.15 9.00
security_score 25.1 0.25 6.28
testing_score 92.0 0.20 18.40
documentation_score 86.6 0.15 12.99
practices_score 74.0 0.15 11.10
code_quality 71.0 0.10 7.10
Overall 1.00 64.9
Severity distribution — click a segment to filter
Active filters: severity: info × excluding tests × Reset all
Severity: Critical 15 High 84 Medium 93 Low 171 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 207 System graph 193 Crowd 0 Layer: Quality 40 Security 10 Software 219 Cicd 18 Frontend 94 Hardware 7 Api 12
Scan summary Quality grade C+ (65/100). Dimensions: security 25, maintainability 60. 382 findings (223 security). 54,740 lines analyzed.

Showing 37 of 400 actionable findings. 607 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

info Security checks software Ssrf conf 1.00 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches.
Validate the URL against an allowlist BEFORE fetching: ALLOWED = {'images.example.com', 'cdn.example.com'} host = urlparse(url).hostname if host not in ALLOWED: abort(400) Or use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request h…
examples/create-react-app-example/src/serviceWorker.js:26
info Security checks quality Quality conf 1.00 3 occurrences [SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected — attackers can call it directly.
Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip the…
3 files, 3 locations
examples/express-session-example/cjs/index.js:24
examples/express-session-example/esm/index.js:23
examples/express-session-example/ts/index.ts:30
info Security checks security Injection conf 1.00 [SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection).
For literal data structures: use ast.literal_eval(text) — only parses literals, raises on code. For formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists). For Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec'). If you genuinely need to execute admin-st…
examples/private-messaging/server/sessionStore.js:55
info Security checks security Injection conf 1.00 [SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection).
For literal data structures: use ast.literal_eval(text) — only parses literals, raises on code. For formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists). For Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec'). If you genuinely need to execute admin-st…
examples/private-messaging/server/messageStore.js:45
info Security checks quality Quality conf 1.00 [SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass.
Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files.
examples/nextjs-pages-router/src/pages/api/hello.js:4
info Security checks quality Quality conf 0.45 [SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites — the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p
This hit is in a test, sample, or example path. It is useful as polish/teaching-surface feedback, but should not dominate production risk scoring.
packages/engine.io/examples/latency/index.js:33 examplesquality
info Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
3 files, 3 locations
examples/cluster-nginx/nginx.conf:17
examples/nextjs-app-router/server.js:27
examples/nextjs-pages-router/server.js:27
info Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
Review and fix per the pattern semantics. See CWE-532 / for context.
3 files, 3 locations
examples/ReactNativeExample/server/index.js:6
examples/angular-todomvc/src/main.ts:12
examples/basic-crud-application/angular-client/src/main.ts:6
info Security checks quality Quality conf 1.00 ✓ Repobility [MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
Review and fix per the pattern semantics. See CWE-704 / for context.
examples/passport-example/ts/index.ts:95
info Security checks quality Quality conf 1.00 ✓ Repobility [MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
Review and fix per the pattern semantics. See CWE-704 / for context.
examples/basic-crud-application/angular-client/src/app/store.ts:14
info Security checks quality Quality conf 0.45 ✓ Repobility [MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions.
This hit is in a test, sample, or example path. It is useful as polish/teaching-surface feedback, but should not dominate production risk scoring.
packages/engine.io/examples/latency/public/index.js:43 examplesquality
info Security checks software dependencies conf 0.90 npm package `@types/debug` is patch version(s) behind (4.1.12 -> 4.1.13)
`@types/debug` is pinned/resolved at 4.1.12 but the latest stable release on the npm registry is 4.1.13 (patch version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
info Security checks software dependencies conf 0.90 npm package `@types/mocha` is patch version(s) behind (10.0.7 -> 10.0.10)
`@types/mocha` is pinned/resolved at 10.0.7 but the latest stable release on the npm registry is 10.0.10 (patch version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
info System graph quality Integrity conf 1.00 Commented-code block (10 lines) in docs/engine.io-protocol/v3-test-suite/test-suite.js:269
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in examples/chat/public/main.js:112
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in examples/cluster-haproxy/server/public/main.js:116
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in examples/cluster-httpd/server/public/main.js:116
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in examples/cluster-nginx/server/public/main.js:116
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in examples/cluster-traefik/server/public/main.js:116
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in examples/create-react-app-example/src/serviceWorker.js:4
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in packages/socket.io/lib/parent-namespace.ts:102
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (6 lines) in examples/nuxt-example/server/plugins/socket.io.ts:29
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph frontend Frontend quality conf 1.00 TODO/FIXME marker in shipping code — docs/engine.io-protocol/v3-test-suite/test-suite.js:306
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
Fq todo marker
info System graph frontend Frontend quality conf 1.00 TODO/FIXME marker in shipping code — examples/basic-websocket-client/src/index.js:80
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
Fq todo marker
info System graph frontend Frontend quality conf 1.00 TODO/FIXME marker in shipping code — examples/client-side-load-balancing-example/index.js:27
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
Fq todo marker
info System graph frontend Frontend quality conf 1.00 TODO/FIXME marker in shipping code — packages/engine.io/lib/server.ts:177
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
Fq todo marker
info System graph frontend Frontend quality conf 1.00 TODO/FIXME marker in shipping code — packages/engine.io/lib/socket.ts:100
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
Fq todo marker
info System graph frontend Frontend quality conf 1.00 TODO/FIXME marker in shipping code — packages/engine.io/lib/userver.ts:30
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
Fq todo marker
info System graph frontend Frontend quality conf 1.00 TODO/FIXME marker in shipping code — packages/engine.io/test/server.js:288
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
Fq todo marker
info System graph frontend Frontend quality conf 1.00 TODO/FIXME marker in shipping code — packages/socket.io-redis-streams-emitter/lib/index.ts:20
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
Fq todo marker
info System graph frontend Frontend quality conf 1.00 TODO/FIXME marker in shipping code — packages/socket.io/client-dist/socket.io.js:2628
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
Fq todo marker
info System graph frontend Frontend quality conf 1.00 TODO/FIXME marker in shipping code — packages/socket.io/lib/index.ts:726
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
Fq todo marker
info System graph frontend Frontend quality conf 1.00 TODO/FIXME marker in shipping code — packages/socket.io/lib/socket-types.ts:7
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
Fq todo marker
info System graph frontend Frontend quality conf 1.00 TODO/FIXME marker in shipping code — packages/socket.io/lib/socket.ts:136
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
Fq todo marker
info System graph frontend Frontend quality conf 1.00 TODO/FIXME marker in shipping code — packages/socket.io/test/namespaces.ts:173
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
Fq todo marker
info System graph frontend Frontend quality conf 1.00 TODO/FIXME marker in shipping code — packages/socket.io/test/support/util.ts:97
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
Fq todo marker
info System graph frontend Frontend quality conf 1.00 TODO/FIXME marker in shipping code — packages/socket.io/test/utility-methods.ts:48
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
Fq todo marker
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/4d28810e-b8c1-47a9-b235-f60f50ca4517/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/4d28810e-b8c1-47a9-b235-f60f50ca4517/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.