91 of your 214 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 6.2s · analysis 17.28s · 19.0 MB · GitHub API rate-limit (preflight)

mizchi/crater

https://github.com/mizchi/crater · scanned 2026-06-05 13:28 UTC (1 week, 2 days ago) · 10 languages

585 raw signals (207 security + 378 graph) · 54th percentile · TypeScript · medium (20-100K LoC) · System graph score 58 (higher by 10)

Complete repo analysis

Last scanned 1 week, 2 days ago · v2 · 228 actionable findings from 2 signal sources. 168 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown — 2026-05-18-v5
Component            Sub-score  Weight  Contribution
structure_score      60.0       0.15    9.00
security_score       40.0       0.25    10.00
testing_score        100.0      0.20    20.00
documentation_score  86.6       0.15    12.99
practices_score      74.0       0.15    11.10
code_quality         40.9       0.10    4.09
Overall                         1.00    67.2
Scan summary Strongest dependencies (90), testing (85); weakest practices (46), documentation (63).

Showing 194 of 228 actionable findings. 396 raw detector signals were grouped into reader-sized issues.

critical Security checks quality Quality conf 1.00 ✓ Repobility [MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk.
Review and fix per the pattern semantics. See CWE-95 / for context.
scripts/capture-real-world-snapshot.ts:124
critical Security checks software dependencies conf 0.88 basic-ftp: GHSA-5rq4-664w-9x2c
Basic FTP has Path Traversal Vulnerability in its downloadToDir() method
browser/pnpm-lock.yaml
critical Security checks software dependencies conf 0.88 2 occurrences fast-xml-parser: GHSA-m7jm-9gc2-mpf2
fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names
2 files, 2 locations
browser/pnpm-lock.yaml
pnpm-lock.yaml
critical Security checks software dependencies conf 0.88 2 occurrences vitest: GHSA-5xrq-8626-4rwp
When Vitest UI server is listening, arbitrary file can be read and executed
2 files, 2 locations
browser/pnpm-lock.yaml
pnpm-lock.yaml
high Security checks quality Quality conf 1.00 ✓ Repobility 25 occurrences `self._receive_messages` used but never assigned in __init__
Method `start` of class `CraterBidiSession` reads `self._receive_messages`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
2 files, 25 locations
scripts/crater_bidi_adapter.py:119, 143, 170, 174, 185, 188, 191, 198, +16 more (24 hits)
scripts/crater_bidi_modules.py:42
high Security checks software dependencies conf 0.88 2 occurrences basic-ftp: GHSA-6v7q-wjvx-w8wg
basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands
2 files, 2 locations
browser/pnpm-lock.yaml
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 2 occurrences basic-ftp: GHSA-rp42-5vxx-qpwr
basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list()
2 files, 2 locations
browser/pnpm-lock.yaml
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 2 occurrences basic-ftp: GHSA-rpmf-866q-6p89
basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering
2 files, 2 locations
browser/pnpm-lock.yaml
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 2 occurrences fast-xml-parser: GHSA-37qj-frw5-hhjh
fast-xml-parser has RangeError DoS Numeric Entities Bug
2 files, 2 locations
browser/pnpm-lock.yaml
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 2 occurrences fast-xml-parser: GHSA-8gc5-j5rx-235r
fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)
2 files, 2 locations
browser/pnpm-lock.yaml
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 2 occurrences minimatch: GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
2 files, 2 locations
browser/pnpm-lock.yaml
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 2 occurrences minimatch: GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
2 files, 2 locations
browser/pnpm-lock.yaml
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 2 occurrences minimatch: GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
2 files, 2 locations
browser/pnpm-lock.yaml
pnpm-lock.yaml
high Security checks quality Quality conf 1.00 ✓ Repobility Phantom test coverage: test_alt_origin
Test function `test_alt_origin` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
scripts/crater_bidi_adapter.py:1441
high Security checks quality Quality conf 1.00 ✓ Repobility Phantom test coverage: test_origin
Test function `test_origin` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
scripts/crater_bidi_adapter.py:1436
high Security checks quality Quality conf 1.00 ✓ Repobility Phantom test coverage: test_page
Test function `test_page` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
scripts/crater_bidi_adapter.py:935
high Security checks quality Quality conf 1.00 ✓ Repobility Phantom test coverage: test_page2
Test function `test_page2` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
scripts/crater_bidi_adapter.py:1446
high Security checks quality Quality conf 1.00 ✓ Repobility Phantom test coverage: test_page_cross_origin
Test function `test_page_cross_origin` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
scripts/crater_bidi_adapter.py:1451
high Security checks quality Quality conf 1.00 ✓ Repobility Phantom test coverage: test_page_cross_origin_frame
Test function `test_page_cross_origin_frame` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
scripts/crater_bidi_adapter.py:1466
high Security checks quality Quality conf 1.00 ✓ Repobility Phantom test coverage: test_page_multiple_frames
Test function `test_page_multiple_frames` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
scripts/crater_bidi_adapter.py:1456
high Security checks quality Quality conf 1.00 ✓ Repobility Phantom test coverage: test_page_nested_frames
Test function `test_page_nested_frames` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
scripts/crater_bidi_adapter.py:1461
high Security checks quality Quality conf 1.00 ✓ Repobility Phantom test coverage: test_page_same_origin_frame
Test function `test_page_same_origin_frame` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
scripts/crater_bidi_adapter.py:1471
high Security checks software dependencies conf 0.88 2 occurrences picomatch: GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers
2 files, 2 locations
browser/pnpm-lock.yaml
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 2 occurrences rollup: GHSA-mw96-cpmx-2vgc
Rollup 4 has Arbitrary File Write via Path Traversal
2 files, 2 locations
browser/pnpm-lock.yaml
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 tar: GHSA-34x7-hfp2-rc4v
node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 tar: GHSA-83g3-92jg-28cx
Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 tar: GHSA-8qq5-rm4j-mr97
node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 tar: GHSA-9ppj-qmqm-q256
node-tar Symlink Path Traversal via Drive-Relative Linkpath
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 tar: GHSA-qffp-2rhf-9h96
tar has Hardlink Path Traversal via Drive-Relative Linkpath
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 tar: GHSA-r6q2-hw4h-h46w
Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 2 occurrences undici: GHSA-f269-vfmq-vjvj
Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client
2 files, 2 locations
browser/pnpm-lock.yaml
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 2 occurrences undici: GHSA-v9p9-hfj2-hcw8
Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation
2 files, 2 locations
browser/pnpm-lock.yaml
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 2 occurrences undici: GHSA-vrm6-8vpv-qv8q
Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression
2 files, 2 locations
browser/pnpm-lock.yaml
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 2 occurrences vite: GHSA-p9ff-h696-f583
Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket
2 files, 2 locations
browser/pnpm-lock.yaml
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 2 occurrences vite: GHSA-v2wj-q39q-566r
Vite: `server.fs.deny` bypassed with queries
2 files, 2 locations
browser/pnpm-lock.yaml
pnpm-lock.yaml
high System graph security security conf 1.00 Insecure pattern 'eval_used' in browser/native/js_v8/mock_dom.js:531
Found a known-risky pattern (eval_used). Review and replace if possible.
browser/native/js_v8/mock_dom.js:531 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in scripts/capture-real-world-snapshot.ts:124
Found a known-risky pattern (eval_used). Review and replace if possible.
scripts/capture-real-world-snapshot.ts:124 Eval used
medium Security checks quality Error handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
scripts/crater-bidi-server.ts:186
medium Security checks quality Error handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
scripts/capture-real-world-snapshot.ts:118
medium Security checks software dependencies conf 0.88 2 occurrences brace-expansion: GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion
2 files, 2 locations
browser/pnpm-lock.yaml
pnpm-lock.yaml
low Security checks quality Error handling conf 0.55 ✓ Repobility 4 occurrences Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
2 files, 4 locations
scripts/crater_bidi_adapter.py:182, 190, 984 (3 hits)
scripts/test-bidi-manual.py:522
Error handling · quality
medium Security checks software dependencies conf 0.88 esbuild: GHSA-67mh-4wv8-2f99
esbuild enables any website to send any requests to the development server and read the response
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 2 occurrences fast-xml-parser: GHSA-gh4j-gqv2-49f6
fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters
2 files, 2 locations
browser/pnpm-lock.yaml
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 2 occurrences fast-xml-parser: GHSA-jp2q-39xq-3w4g
Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser
2 files, 2 locations
browser/pnpm-lock.yaml
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 2 occurrences ip-address: GHSA-v2v4-37r5-5v8g
ip-address has XSS in Address6 HTML-emitting methods
2 files, 2 locations
browser/pnpm-lock.yaml
pnpm-lock.yaml
high Security checks software dependencies conf 0.90 npm package `puppeteer-core` is 1 major version(s) behind (^24.8.0 -> 25.1.0)
`puppeteer-core` is pinned/resolved at ^24.8.0 but the latest stable release on the npm registry is 25.1.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
browser/package.json
medium Security checks software dependencies conf 0.88 2 occurrences picomatch: GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
2 files, 2 locations
browser/pnpm-lock.yaml
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 2 occurrences postcss: GHSA-qx2v-qp2m-jg93
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
2 files, 2 locations
browser/pnpm-lock.yaml
pnpm-lock.yaml
high Security checks software dependencies conf 0.70 6 occurrences Remote install command pipes network code directly to a shell
Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified.
6 files, 6 locations
.github/actions/setup-crater/action.yml:67
.github/workflows/browser.yml:54
.github/workflows/copilot-setup-steps.yml:34
.github/workflows/flaker-daily.yml:110
.github/workflows/release-moon.yml:45
scripts/wpt-webdriver-runner.ts:870
medium Security checks software dependencies conf 0.88 2 occurrences undici: GHSA-2mjp-6q6p-2qxm
Undici has an HTTP Request/Response Smuggling issue
2 files, 2 locations
browser/pnpm-lock.yaml
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 2 occurrences undici: GHSA-4992-7rv2-5pvq
Undici has CRLF Injection in undici via `upgrade` option
2 files, 2 locations
browser/pnpm-lock.yaml
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 2 occurrences vite: GHSA-4w7w-66w2-5vf9
Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling
2 files, 2 locations
browser/pnpm-lock.yaml
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 2 occurrences ws: GHSA-58qx-3vcg-4xpx
ws: Uninitialized memory disclosure
2 files, 2 locations
browser/pnpm-lock.yaml
pnpm-lock.yaml
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — testing/e2e/native_v8/preact_bundle.js:1
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — browser/native/js_v8/mock_dom.js:221
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — browser/tools/cdp-server.ts:30
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — js/wasm.js:13
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — scripts/capture-real-world-snapshot.ts:93
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — scripts/webmcp-openrouter-demo.ts:167
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — webdriver/playwright/adapter.ts:7313
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — webdriver/playwright/supported-apis.ts:481
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph cicd CI/CD security conf 1.00 10 occurrences GitHub Action is tag-pinned rather than SHA-pinned
pnpm/action-setup@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
3 files, 10 locations
.github/workflows/flaker-daily.yml:38, 104, 119, 122, 209 (5 hits)
.github/workflows/ci.yml:42, 438 (4 hits)
.github/workflows/browser.yml:78
CI/CD security · Supply chain · GitHub Actions
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — scripts/crater_bidi_adapter.py:957
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
low Security checks quality Quality conf 0.60 24 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
12 files, 24 locations
scripts/wpt-vrt-summary.ts:3, 4, 5, 224 (4 hits)
scripts/flaker-quarantine.ts:16, 129, 138 (3 hits)
scripts/playwright-report-summary.ts:1, 3, 123 (3 hits)
scripts/vrt-report-summary.ts:5, 6, 205 (3 hits)
scripts/flaker-task-summary.ts:145, 153 (2 hits)
scripts/flaker-upstream-inventory.ts:448, 452 (2 hits)
scripts/playwright-report-diff.ts:3, 110 (2 hits)
scripts/flaker-batch-summary.ts:111
duplication · quality
low Security checks software dependencies conf 0.88 2 occurrences fast-xml-parser: GHSA-fj3w-jwp8-x2g3
fast-xml-parser has stack overflow in XMLBuilder with preserveOrder
2 files, 2 locations
browser/pnpm-lock.yaml
pnpm-lock.yaml
high Security checks software dependencies conf 0.90 npm package `@bytecodealliance/jco` is minor version(s) behind (^1.17.6 -> 1.20.0)
`@bytecodealliance/jco` is pinned/resolved at ^1.17.6 but the latest stable release on the npm registry is 1.20.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs ra…
package.json
high Security checks software dependencies conf 0.90 2 occurrences npm package `pixelmatch` is minor version(s) behind (^7.1.0 -> 7.2.0)
`pixelmatch` is pinned/resolved at ^7.1.0 but the latest stable release on the npm registry is 7.2.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
2 files, 2 locations
browser/package.json
package.json
high Security checks software dependencies conf 0.90 npm package `quickjs-emscripten` is minor version(s) behind (^0.31.0 -> 0.32.0)
`quickjs-emscripten` is pinned/resolved at ^0.31.0 but the latest stable release on the npm registry is 0.32.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
browser/package.json
high Security checks software dependencies conf 0.90 npm package `tsx` is minor version(s) behind (^4.19.0 -> 4.22.4)
`tsx` is pinned/resolved at ^4.19.0 but the latest stable release on the npm registry is 4.22.4 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
browser/package.json
high Security checks software dependencies conf 0.90 npm package `tsx` is minor version(s) behind (^4.21.0 -> 4.22.4)
`tsx` is pinned/resolved at ^4.21.0 but the latest stable release on the npm registry is 4.22.4 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
high Security checks software dependencies conf 0.90 npm package `webdriver` is minor version(s) behind (^9.23.0 -> 9.27.2)
`webdriver` is pinned/resolved at ^9.23.0 but the latest stable release on the npm registry is 9.27.2 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
browser/package.json
high Security checks software dependencies conf 0.90 npm package `ws` is minor version(s) behind (^8.18.0 -> 8.21.0)
`ws` is pinned/resolved at ^8.18.0 but the latest stable release on the npm registry is 8.21.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
browser/package.json
high Security checks software dependencies conf 0.90 npm package `ws` is minor version(s) behind (^8.20.0 -> 8.21.0)
`ws` is pinned/resolved at ^8.20.0 but the latest stable release on the npm registry is 8.21.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks quality Quality conf 0.74 robots.txt does not advertise a sitemap
Sitemap directives in robots.txt help crawlers and AI agents find the canonical public URL inventory quickly.
pnpm-lock.yaml
low System graph software Dead code candidate conf 1.00 File has no detected symbols: js/playground/utels.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: js/playground/vite.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playwright.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/crater-playwright-smoke.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/flaker-batch-summary-loader.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/flaker-batch-summary.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/flaker-config-parser.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/flaker-config-parser.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/flaker-config-report.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/flaker-quarantine-match.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/flaker-quarantine-summary-core.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/flaker-task-runtime.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/flaker-task-summary-core.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/font-family-defaults.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/moon-module-boundary-browser-shell-interaction-state.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/moon-module-boundary-browser-shell-interaction.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/moon-module-boundary-browser-shell.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/moon-module-boundary-browser-tui-render-output.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/moon-module-boundary-browser-tui-render.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/moon-module-boundary-core.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/moon-module-boundary-package.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/moon-module-boundary-painter-raster-assets.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/moon-module-boundary-painter.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/moon-module-boundary-renderer-core-contract.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/moon-module-boundary-renderer-core-layout-output.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/moon-module-boundary-renderer-core-layout.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/moon-module-boundary-renderer-core-media.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/moon-module-boundary-renderer-core-style.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/moon-module-boundary-renderer-regression-api.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/moon-module-boundary-renderer-regression-elements.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/moon-module-boundary-renderer-regression-layout-formatting.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/moon-module-boundary-renderer-regression-layout.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/moon-module-boundary-renderer-table-core.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/moon-module-boundary-webdriver-protocol-routing.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/moon-module-boundary-webdriver-protocol-state.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/moon-module-boundary-webdriver-runtime-context.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/moon-module-boundary-webdriver-runtime-document.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/playwright-report-contract.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/playwright-report-diff-cli.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/playwright-report-summary-core.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/script-boundary.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/script-cli.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/vrt-report-contract.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/wpt-font-measure.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/wpt-vrt-summary-cli.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/helpers/crater-bidi-page.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/helpers/crater-vrt.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/helpers/wpt-vrt-utils.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/playwright-adapter.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: vitest.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph cicd CI/CD security conf 1.00 58 occurrences GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
5 files, 58 locations
.github/workflows/ci.yml:31, 55, 92, 161, 177, 212, 282, 315, +13 more (39 hits)
.github/workflows/flaker-daily.yml:28, 33, 80, 99, 114, 140, 182, 201, +3 more (11 hits)
.github/workflows/copilot-setup-steps.yml:30, 38 (4 hits)
.github/workflows/browser.yml:48, 67 (2 hits)
.github/workflows/release-moon.yml:34, 49 (2 hits)
CI/CD security · Supply chain · GitHub Actions
low System graph quality Integrity conf 1.00 7 occurrences Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: scripts/crater_bidi_adapter.py:start, scripts/crater_bidi_adapter.py:start. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos; see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
7 occurrences
repo-level (7 hits)
duplicates · duplication
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: scripts/crater_bidi_adapter.py:on_event, scripts/crater_bidi_adapter.py:on_event, scripts/crater_bidi_adapter.py:on_event. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos; see https://jw.hn/ai-code-hygiene). Consolidate o…
duplicates · duplication
low System graph quality Integrity conf 1.00 3 occurrences Near-duplicate function bodies in 4 places
Functions with the same first-5-line body hash: scripts/crater_bidi_adapter.py:add_event_listener, scripts/crater_bidi_adapter.py:add, scripts/crater_bidi_adapter.py:add, scripts/crater_bidi_adapter.py:add. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos; see https://j…
3 occurrences
repo-level (3 hits)
duplicates · duplication
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `nameToLegacy` in scripts/wpt-dom-runner.ts:606
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph software Dead code conf 1.00 Possibly dead Python function: add_intercept
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/crater_bidi_modules.py:351
low System graph software Dead code conf 1.00 Possibly dead Python function: call_function
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/crater_bidi_modules.py:233
low System graph software Dead code conf 1.00 Possibly dead Python function: capture_screenshot
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/crater_bidi_modules.py:112
low System graph software Dead code conf 1.00 Possibly dead Python function: collect_events
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/crater_bidi_adapter.py:272
low System graph software Dead code conf 1.00 Possibly dead Python function: handle_user_prompt
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/crater_bidi_modules.py:88
low System graph software Dead code conf 1.00 Possibly dead Python function: has_user_context
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/crater_bidi_adapter.py:348
low System graph software Dead code conf 1.00 Possibly dead Python function: is_known_context
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/crater_bidi_adapter.py:338
low System graph software Dead code conf 1.00 Possibly dead Python function: latest_navigation_id_for_context
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/crater_bidi_adapter.py:379
low System graph software Dead code conf 1.00 Possibly dead Python function: locate_nodes
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/crater_bidi_modules.py:120
low System graph software Dead code conf 1.00 Possibly dead Python function: prepare_beforeunload_page_url_for_test
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/crater_bidi_modules.py:287
low System graph software Dead code conf 1.00 Possibly dead Python function: pytest_configure
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/crater_bidi_adapter.py:622
low System graph software Dead code conf 1.00 Possibly dead Python function: reload
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/crater_bidi_modules.py:99
low System graph software Dead code conf 1.00 Possibly dead Python function: remember_document_cookie
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/crater_bidi_adapter.py:358
low System graph software Dead code conf 1.00 Possibly dead Python function: remove_all
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/crater_bidi_adapter.py:265
low System graph software Dead code conf 1.00 Possibly dead Python function: remove_preload_script
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/crater_bidi_modules.py:330
low System graph software Dead code conf 1.00 Possibly dead Python function: reset_for_test
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/crater_bidi_modules.py:205
low System graph software Dead code conf 1.00 Possibly dead Python function: set_viewport
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/crater_bidi_modules.py:140
low System graph software Dead code conf 1.00 Possibly dead Python function: traverse_history
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/crater_bidi_modules.py:158
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — benchmarks/nav-extraction/scripts/analyze-fp.ts:114
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — benchmarks/nav-extraction/scripts/capture-screenshots.ts:48
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — benchmarks/nav-extraction/scripts/debug-sample.ts:17
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — benchmarks/nav-extraction/scripts/evaluate-v2.ts:178
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — benchmarks/nav-extraction/scripts/evaluate-v3.ts:185
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — benchmarks/nav-extraction/scripts/evaluate.ts:252
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — benchmarks/nav-extraction/scripts/init-labels.ts:248
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — benchmarks/nav-extraction/scripts/select-samples.ts:96
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — browser/tests/cdp-e2e-test-navigate.ts:28
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — browser/tests/cdp-e2e-test.ts:28
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — browser/tests/run-js-test.ts:18
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — browser/tests/webdriver-e2e-test.ts:34
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — browser/tools/cdp-server.ts:60
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — browser/tools/webdriver-server.ts:425
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — js/playground/main.js:107
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/capture-real-world-snapshot.ts:37
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/ci-timing-summary.ts:98
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/component-vrt.ts:1399
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/crater-playwright-smoke.ts:146
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/gen-html5lib-tests.ts:447
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/gen-taffy-tests.ts:622
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/layout-diff.ts:461
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/luna-vrt-reference.ts:333
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/real-world-paint-bench.ts:97
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/system-font-resolver.ts:212
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/update-wpt-readme.ts:26
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/vrt-bench.ts:107
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/vrt-url.ts:513
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/webidl-coverage.ts:766
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/webmcp-openrouter-demo.ts:113
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/wpt-ci-summary.ts:75
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/wpt-dom-runner.ts:1496
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/wpt-runner.ts:2280
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/wpt-webdriver-runner.ts:121
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — tests/crater-playwright-adapter.test.ts:2220
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — tests/paint-vrt-levels.test.ts:57
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — tests/paint-vrt-responsive.test.ts:72
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — tests/playwright-benchmark.test.ts:161
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — tests/scroll-issue.test.ts:97
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — tests/website-loading.test.ts:508
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — tests/wpt-vrt.test.ts:141
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph quality Complexity conf 1.00 Very large file: browser/native/js_v8/mock_dom.js (7865 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: scripts/wpt-dom-runner.ts (1672 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: scripts/wpt-runner.ts (2842 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: tests/crater-playwright-adapter.test.ts (2916 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: webdriver/playwright/adapter.ts (8607 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
high Security checks software dependencies conf 0.90 npm package `preact` is patch version(s) behind (^10.29.1 -> 10.29.2)
`preact` is pinned/resolved at ^10.29.1 but the latest stable release on the npm registry is 10.29.2 (patch version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
API access

This page is publicly accessible at: https://repobility.com/scan/5464bee6-34a6-4fb3-85e2-7cd7e392ef87/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/5464bee6-34a6-4fb3-85e2-7cd7e392ef87/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.