Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
63 of your 142 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 20.6s · analysis 23.78s · 77.5 MB · GitHub API rate-limit (preflight)

shadcn-ui/ui

https://github.com/shadcn-ui/ui · scanned 2026-06-05 05:19 UTC (3 hours, 43 minutes ago) · 10 languages

835 findings (133 legacy + 702 scanner) 11/13 scanners ran 7th percentile · Typescript · huge (>500K LoC) Scanner says 65 (higher by 8)

File as issue Image v2 schema
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 3 hours, 43 minutes ago · v2 · 484 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

JSON
Combined
71.3
/100
Repobility
78
133 legacy
9-layer
65
100.0% cov · 351 gaps
Critical
3
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 60.0 0.15 9.00
security_score 100.0 0.25 25.00
testing_score 40.0 0.20 8.00
documentation_score 55.0 0.15 8.25
practices_score 99.0 0.15 14.85
code_quality 80.0 0.10 8.00
Overall 1.00 73.1
security_score may be inflated — optional security scanners were skipped on this fast scan
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 3 High 81 Medium 122 Low 155 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Legacy 133 9-layer 351 Crowd 0 Layer: Quality 93 Security 68 Cicd 54 Software 94 Frontend 162 Hardware 13
Scan summary Repository scanned at 64.8/100 with 100.0% coverage. It contains 20887 nodes across 30 cross-layer flows, written primarily in mixed languages. Engine surfaced 351 findings — concentrated in frontend (162), security (56), software (50). Risk profile is high: 0 critical, 2 high, 109 medium. Recommended next step: open the frontend layer findings first — that's where the highest-impact wins live.

Showing 312 of 484 findings. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.RELEASE_GPG_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.RELEASE_GPG_PRIVATE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/release.yml:163 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/github-script@<40-char-sha> # v7` and let Dependabot bump it on a scheduled cadence.
.github/workflows/prerelease-comment.yml:63 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/github-script@<40-char-sha> # v7` and let Dependabot bump it on a scheduled cadence.
.github/workflows/prerelease-comment.yml:20 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `marocchino/sticky-pull-request-comment` pinned to mutable ref `@v2`: `uses: marocchino/sticky-pull-request-comment@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: marocchino/sticky-pull-request-comment@<40-char-sha> # v2` and let Dependabot bump it on a scheduled cadence.
.github/workflows/prerelease-comment.yml:50 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `node:20-alpine` not pinned by digest: `FROM node:20-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM node:20-alpine@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
templates/react-router-monorepo/apps/web/Dockerfile:16 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `node:20-alpine` not pinned by digest: `FROM node:20-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM node:20-alpine@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
templates/react-router-monorepo/apps/web/Dockerfile:10 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `node:20-alpine` not pinned by digest: `FROM node:20-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM node:20-alpine@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
templates/react-router-monorepo/apps/web/Dockerfile:5 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `node:20-alpine` not pinned by digest: `FROM node:20-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM node:20-alpine@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
templates/react-router-monorepo/apps/web/Dockerfile:1 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `node:20-alpine` not pinned by digest: `FROM node:20-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM node:20-alpine@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
templates/react-router-app/Dockerfile:16 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `node:20-alpine` not pinned by digest: `FROM node:20-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM node:20-alpine@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
templates/react-router-app/Dockerfile:10 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `node:20-alpine` not pinned by digest: `FROM node:20-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM node:20-alpine@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
templates/react-router-app/Dockerfile:5 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `node:20-alpine` not pinned by digest: `FROM node:20-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM node:20-alpine@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
templates/react-router-app/Dockerfile:1 dependencylegacy
low Legacy software xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.
apps/v4/examples/base/scroll-area-demo.tsx:6 xsslegacy
low Legacy software xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.
apps/v4/app/(create)/init/md/build-instructions.ts:25 xsslegacy
low Legacy software xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.
apps/v4/app/(app)/create/components/design-system-provider.tsx:44 xsslegacy
high Legacy cicd docker conf 0.92 Dockerfile copies the entire context without .dockerignore
Create .dockerignore before using broad context copies, or copy only the required files and directories.
templates/react-router-monorepo/apps/web/Dockerfile:12 dockerlegacy
high Legacy cicd docker conf 0.92 Dockerfile copies the entire context without .dockerignore
Create .dockerignore before using broad context copies, or copy only the required files and directories.
templates/react-router-monorepo/apps/web/Dockerfile:2 dockerlegacy
high Legacy cicd docker conf 0.92 Dockerfile copies the entire context without .dockerignore
Create .dockerignore before using broad context copies, or copy only the required files and directories.
templates/react-router-app/Dockerfile:12 dockerlegacy
high Legacy cicd docker conf 0.92 Dockerfile copies the entire context without .dockerignore
Create .dockerignore before using broad context copies, or copy only the required files and directories.
templates/react-router-app/Dockerfile:2 dockerlegacy
high 9-layer cicd supply-chain conf 1.00 GitHub Action tracks a moving branch
martinbeentjes/npm-get-version-action@main can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:94 supply-chaingithub-actionspinned-dependencies
high 9-layer security owasp conf 1.00 Insecure pattern 'exec_used' in .github/version-script-next.js:10
Found a known-risky pattern (exec_used). Review and replace if possible.
.github/version-script-next.js:10 owaspexec_used
medium Legacy security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them.
authlegacy
high Legacy security auth conf 0.74 [AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes.
authlegacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /(app)/llm/::...slug.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
apps/v4/app/(app)/llm/[[...slug]]/route.ts:25 authlegacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /(create)/init.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
apps/v4/app/(create)/init/route.ts:14 authlegacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /(create)/init/md.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
apps/v4/app/(create)/init/md/route.ts:8 authlegacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /(create)/init/v0.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
apps/v4/app/(create)/init/v0/route.ts:9 authlegacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /r/registries.json.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
apps/v4/app/r/registries.json/route.ts:7 authlegacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /rss.xml.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
apps/v4/app/rss.xml/route.ts:8 authlegacy
medium Legacy quality error_handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
apps/v4/app/layout.tsx:83 error_handlinglegacy
low Legacy security security conf 1.00 [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility.
Add rel="noopener noreferrer" to every <a target="_blank">: <a href="..." target="_blank" rel="noopener noreferrer">link</a> For dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden — costs nothing.
apps/v4/components/open-in-v0-button.tsx:22 securitylegacy
low Legacy security security conf 1.00 [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility.
Add rel="noopener noreferrer" to every <a target="_blank">: <a href="..." target="_blank" rel="noopener noreferrer">link</a> For dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden — costs nothing.
apps/v4/components/docs-copy-page.tsx:91 securitylegacy
low Legacy security security conf 1.00 [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility.
Add rel="noopener noreferrer" to every <a target="_blank">: <a href="..." target="_blank" rel="noopener noreferrer">link</a> For dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden — costs nothing.
apps/v4/app/(app)/create/components/v0-button.tsx:47 securitylegacy
medium Legacy quality quality conf 1.00 [SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0).
Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser).
apps/v4/registry/new-york-v4/blocks/sidebar-09/components/app-sidebar.tsx:195 qualitylegacy
medium Legacy quality quality conf 1.00 [SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0).
Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser).
apps/v4/registry/bases/radix/blocks/sidebar-09/components/app-sidebar.tsx:242 qualitylegacy
medium Legacy quality quality conf 1.00 [SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0).
Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser).
apps/v4/registry/bases/base/blocks/sidebar-09/components/app-sidebar.tsx:242 qualitylegacy
medium Legacy quality quality conf 1.00 [SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass.
Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files.
apps/v4/registry/bases/base/blocks/signup-03/components/signup-form.tsx:36 qualitylegacy
medium Legacy quality quality conf 1.00 [SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass.
Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files.
apps/v4/registry/bases/base/blocks/signup-02/components/signup-form.tsx:30 qualitylegacy
medium Legacy quality quality conf 1.00 [SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass.
Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files.
apps/v4/registry/bases/base/blocks/signup-01/components/signup-form.tsx:31 qualitylegacy
medium Legacy cicd docker conf 0.90 Docker build context has no .dockerignore
Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases.
.dockerignore dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
templates/react-router-monorepo/apps/web/Dockerfile:17 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
templates/react-router-app/Dockerfile:17 dockerlegacy
medium Legacy cicd docker conf 0.90 Dockerfile installs dependencies after copying the full source tree
Copy dependency manifests first, install dependencies in a cached layer, then copy the rest of the source tree.
templates/react-router-monorepo/apps/web/Dockerfile:4 dockerlegacy
medium Legacy cicd docker conf 0.90 Dockerfile installs dependencies after copying the full source tree
Copy dependency manifests first, install dependencies in a cached layer, then copy the rest of the source tree.
templates/react-router-app/Dockerfile:4 dockerlegacy
medium Legacy quality quality conf 0.70 Public web app has no Content Security Policy
Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors.
index.html qualitylegacy
medium Legacy quality quality conf 0.78 Public web service has no security.txt
Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored.
.well-known/security.txt qualitylegacy
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/v4/app/(app)/create/components/action-menu.tsx:67
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/v4/app/(app)/create/components/base-picker.tsx:55
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/v4/app/(app)/create/components/history-buttons.tsx:47
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/v4/app/(app)/create/components/mode-switcher.tsx:58
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/v4/app/(app)/create/components/open-preset.tsx:171
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/v4/app/(app)/create/components/project-form.tsx:368
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/v4/app/(app)/create/components/random-button.tsx:41
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/v4/app/(create)/preview/[base]/[name]/page.tsx:29
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/v4/app/layout.tsx:77
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/v4/components/block-viewer.tsx:363
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/v4/components/chart-code-viewer.tsx:72
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/v4/components/component-source.tsx:111
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/v4/components/directory-list.tsx:236
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/v4/components/docs-base-switcher.tsx:32
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/v4/components/mode-switcher.tsx:68
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/v4/registry/bases/base/ui/chart.tsx:95
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/v4/registry/bases/radix/ui/chart.tsx:95
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/v4/registry/new-york-v4/ui/chart.tsx:95
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/v4/styles/base-luma/ui/chart.tsx:95
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/v4/styles/base-lyra/ui/chart.tsx:95
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/v4/styles/base-maia/ui/chart.tsx:95
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/v4/styles/base-mira/ui/chart.tsx:95
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/v4/styles/base-nova/ui-rtl/chart.tsx:95
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/v4/styles/base-nova/ui/chart.tsx:95
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/v4/styles/base-rhea/ui/chart.tsx:95
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/v4/styles/base-sera/ui/chart.tsx:95
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/v4/styles/base-vega/ui/chart.tsx:95
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/v4/styles/radix-luma/ui/chart.tsx:95
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/v4/styles/radix-lyra/ui/chart.tsx:95
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/v4/styles/radix-maia/ui/chart.tsx:95
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/v4/styles/radix-mira/ui/chart.tsx:95
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/v4/styles/radix-nova/ui-rtl/chart.tsx:95
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/v4/styles/radix-nova/ui/chart.tsx:95
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/v4/styles/radix-rhea/ui/chart.tsx:95
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/v4/styles/radix-sera/ui/chart.tsx:95
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/v4/styles/radix-vega/ui/chart.tsx:95
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/v4/app/(app)/create/lib/v0.ts:567
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/v4/components/github-link.tsx:23
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/shadcn/src/registry/fetcher.ts:62
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: packages/shadcn/test/fixtures/frameworks/remix-indie-stack/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
securitycontainer
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: templates/react-router-app/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
securitycontainer
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: templates/react-router-monorepo/apps/web/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
securitycontainer
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
marocchino/sticky-pull-request-comment@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/prerelease-comment.yml:50 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
oven-sh/setup-bun@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/templates.yml:64 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
pnpm/action-setup@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:72 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
pnpm/action-setup@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:137 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
crazy-max/ghaction-import-gpg@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:161 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
changesets/action@v1 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:170 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/release.yml supply-chaingithub-actionsleast-privilege
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/app/(app)/create/components/action-menu.tsx:67
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/app/(app)/create/components/action-menu.tsx:67 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/app/(app)/create/components/base-picker.tsx:55
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/app/(app)/create/components/base-picker.tsx:55 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/app/(app)/create/components/history-buttons.tsx:47
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/app/(app)/create/components/history-buttons.tsx:47 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/app/(app)/create/components/mode-switcher.tsx:58
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/app/(app)/create/components/mode-switcher.tsx:58 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/app/(app)/create/components/open-preset.tsx:171
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/app/(app)/create/components/open-preset.tsx:171 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/app/(app)/create/components/project-form.tsx:368
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/app/(app)/create/components/project-form.tsx:368 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/app/(app)/create/components/random-button.tsx:41
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/app/(app)/create/components/random-button.tsx:41 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/app/(create)/preview/[base]/[name]/page.tsx:29
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/app/(create)/preview/[base]/[name]/page.tsx:29 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/app/layout.tsx:77
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/app/layout.tsx:77 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/components/block-viewer.tsx:363
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/components/block-viewer.tsx:363 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/components/chart-code-viewer.tsx:72
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/components/chart-code-viewer.tsx:72 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/components/component-source.tsx:111
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/components/component-source.tsx:111 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/components/directory-list.tsx:236
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/components/directory-list.tsx:236 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/components/docs-base-switcher.tsx:32
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/components/docs-base-switcher.tsx:32 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/components/mode-switcher.tsx:68
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/components/mode-switcher.tsx:68 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/public/r/styles/base-luma/chart.json:13
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/public/r/styles/base-luma/chart.json:13 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/public/r/styles/base-lyra/chart.json:13
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/public/r/styles/base-lyra/chart.json:13 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/public/r/styles/base-maia/chart.json:13
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/public/r/styles/base-maia/chart.json:13 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/public/r/styles/base-mira/chart.json:13
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/public/r/styles/base-mira/chart.json:13 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/public/r/styles/base-nova/chart.json:13
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/public/r/styles/base-nova/chart.json:13 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/public/r/styles/base-rhea/chart.json:13
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/public/r/styles/base-rhea/chart.json:13 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/public/r/styles/base-sera/chart.json:13
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/public/r/styles/base-sera/chart.json:13 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/public/r/styles/base-vega/chart.json:13
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/public/r/styles/base-vega/chart.json:13 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/public/r/styles/default/chart.json:16
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/public/r/styles/default/chart.json:16 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/public/r/styles/new-york-v4/chart.json:14
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/public/r/styles/new-york-v4/chart.json:14 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/public/r/styles/new-york/chart.json:16
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/public/r/styles/new-york/chart.json:16 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/public/r/styles/radix-luma/chart.json:10
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/public/r/styles/radix-luma/chart.json:10 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/public/r/styles/radix-lyra/chart.json:10
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/public/r/styles/radix-lyra/chart.json:10 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/public/r/styles/radix-maia/chart.json:10
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/public/r/styles/radix-maia/chart.json:10 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/public/r/styles/radix-mira/chart.json:10
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/public/r/styles/radix-mira/chart.json:10 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/public/r/styles/radix-nova/chart.json:10
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/public/r/styles/radix-nova/chart.json:10 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/public/r/styles/radix-rhea/chart.json:10
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/public/r/styles/radix-rhea/chart.json:10 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/public/r/styles/radix-sera/chart.json:10
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/public/r/styles/radix-sera/chart.json:10 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/public/r/styles/radix-vega/chart.json:10
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/public/r/styles/radix-vega/chart.json:10 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/registry/bases/base/ui/chart.tsx:95
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/registry/bases/base/ui/chart.tsx:95 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/registry/bases/radix/ui/chart.tsx:95
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/registry/bases/radix/ui/chart.tsx:95 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/registry/new-york-v4/ui/chart.tsx:95
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/registry/new-york-v4/ui/chart.tsx:95 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/styles/base-luma/ui/chart.tsx:95
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/styles/base-luma/ui/chart.tsx:95 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/styles/base-lyra/ui/chart.tsx:95
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/styles/base-lyra/ui/chart.tsx:95 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/styles/base-maia/ui/chart.tsx:95
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/styles/base-maia/ui/chart.tsx:95 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/styles/base-mira/ui/chart.tsx:95
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/styles/base-mira/ui/chart.tsx:95 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/styles/base-nova/ui-rtl/chart.tsx:95
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/styles/base-nova/ui-rtl/chart.tsx:95 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/styles/base-nova/ui/chart.tsx:95
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/styles/base-nova/ui/chart.tsx:95 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/styles/base-rhea/ui/chart.tsx:95
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/styles/base-rhea/ui/chart.tsx:95 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/styles/base-sera/ui/chart.tsx:95
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/styles/base-sera/ui/chart.tsx:95 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/styles/base-vega/ui/chart.tsx:95
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/styles/base-vega/ui/chart.tsx:95 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/styles/radix-luma/ui/chart.tsx:95
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/styles/radix-luma/ui/chart.tsx:95 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/styles/radix-lyra/ui/chart.tsx:95
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/styles/radix-lyra/ui/chart.tsx:95 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/styles/radix-maia/ui/chart.tsx:95
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/styles/radix-maia/ui/chart.tsx:95 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/styles/radix-mira/ui/chart.tsx:95
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/styles/radix-mira/ui/chart.tsx:95 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/styles/radix-nova/ui-rtl/chart.tsx:95
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/styles/radix-nova/ui-rtl/chart.tsx:95 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/styles/radix-nova/ui/chart.tsx:95
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/styles/radix-nova/ui/chart.tsx:95 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/styles/radix-rhea/ui/chart.tsx:95
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/styles/radix-rhea/ui/chart.tsx:95 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/styles/radix-sera/ui/chart.tsx:95
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/styles/radix-sera/ui/chart.tsx:95 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/v4/styles/radix-vega/ui/chart.tsx:95
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
apps/v4/styles/radix-vega/ui/chart.tsx:95 owaspdangerous_innerhtml
medium 9-layer quality tests conf 1.00 Very low test-to-source ratio
236 test file(s) for 3464 source file(s) (ratio 0.07). Consider adding integration or unit tests for critical paths.
testscoverage
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
apps/v4/registry/bases/base/blocks/preview-02/cards/dividend-income.tsx:4 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
apps/v4/registry/bases/base/blocks/preview-02/cards/claimable-balance.tsx:18 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
apps/v4/registry/bases/base/blocks/preview-02/cards/account-access.tsx:21 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
apps/v4/registry/bases/base/blocks/login-04/components/login-form.tsx:28 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
apps/v4/registry/bases/base/blocks/login-04/components/login-form.tsx:4 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
apps/v4/registry/bases/base/blocks/login-03/page.tsx:9 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
apps/v4/registry/bases/base/blocks/login-03/components/login-form.tsx:65 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
apps/v4/registry/bases/base/blocks/login-03/components/login-form.tsx:1 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
apps/v4/registry/bases/base/blocks/dashboard-01/components/nav-user.tsx:23 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
apps/v4/lib/rehype.ts:12 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
apps/v4/hooks/use-copy-to-clipboard.ts:3 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
apps/v4/components/theme-provider.tsx:6 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
apps/v4/components/mode-switcher.tsx:30 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
apps/v4/components/mobile-nav.tsx:16 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
apps/v4/components/docs-page-links.tsx:119 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
apps/v4/components/cards/team-members.tsx:3 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
apps/v4/app/(view)/view/[style]/[name]/page.tsx:40 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
apps/v4/app/(create)/init/md/build-instructions.ts:80 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
apps/v4/app/(app)/create/components/theme-picker.tsx:57 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
apps/v4/app/(app)/colors/layout.tsx:15 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
apps/v4/app/(app)/charts/layout.tsx:41 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
apps/v4/app/(app)/charts/layout.tsx:17 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
apps/v4/app/(app)/blocks/layout.tsx:16 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
apps/v4/app/(app)/(styles)/sera/media-library/components/preview-header.tsx:2 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
apps/v4/app/(app)/(styles)/sera/media-library/components/preview-header.tsx:1 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
apps/v4/app/(app)/(styles)/sera/media-library/components/asset-grid.tsx:17 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
apps/v4/app/(app)/(styles)/sera/media-library/components/asset-grid.tsx:9 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
apps/v4/app/(app)/(styles)/sera/media-library-table/components/preview-header.tsx:2 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
apps/v4/app/(app)/(root)/cards/transfer-funds.tsx:1 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
apps/v4/app/(app)/(root)/cards/skeleton/index.tsx:24 qualitylegacy
low Legacy quality quality conf 0.50 Public web app has no humans.txt
Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date.
humans.txt qualitylegacy
low Legacy quality quality conf 0.74 Public web app has no robots.txt
Add robots.txt at the web root or a framework-native robots route. Include an explicit Sitemap directive and disallow only private paths.
robots.txt qualitylegacy
low Legacy quality quality conf 0.72 Public web app has no sitemap
Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt.
sitemap.xml qualitylegacy
low 9-layer quality integrity conf 1.00 16 env vars used in code but missing from .env.example
Drift between code and config docs. The first few: `API_KEY`, `API_TOKEN`, `API_URL`, `API_VERSION`, `AUTH_TOKEN`, `CLIENT_ID`, `DEV`, `EMPTY_TOKEN` + 8 more. Add them (with a placeholder/comment) to .env.example so onboarding doesn't break.
integrityconfig-drift
low 9-layer quality maintenance conf 1.00 32 TODO/FIXME markers
High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.
maintenance
low 9-layer hardware coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
coveragedeployment
low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: node:20-alpine
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
templates/react-router-monorepo/apps/web/Dockerfile:1 supply-chaindockerpinned-dependencies
low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: node:20-alpine
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
templates/react-router-monorepo/apps/web/Dockerfile:5 supply-chaindockerpinned-dependencies
low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: node:20-alpine
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
templates/react-router-monorepo/apps/web/Dockerfile:10 supply-chaindockerpinned-dependencies
low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: node:20-alpine
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
templates/react-router-monorepo/apps/web/Dockerfile:16 supply-chaindockerpinned-dependencies
low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: node:20-alpine
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
templates/react-router-app/Dockerfile:1 supply-chaindockerpinned-dependencies
low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: node:20-alpine
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
templates/react-router-app/Dockerfile:5 supply-chaindockerpinned-dependencies
low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: node:20-alpine
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
templates/react-router-app/Dockerfile:10 supply-chaindockerpinned-dependencies
low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: node:20-alpine
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
templates/react-router-app/Dockerfile:16 supply-chaindockerpinned-dependencies
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/app/(app)/(styles)/sera/media-library/data.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/app/(app)/charts/charts.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/app/(app)/create/lib/constants.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/app/(app)/create/lib/parse-preset-input.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/app/(app)/create/lib/preset-query.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/app/(app)/examples/tasks/components/columns.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/app/(create)/components/icon-placeholder.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/app/(create)/init/parse-config.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/app/(create)/lib/fonts.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/app/(create)/lib/search-params.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/app/(create)/preview/fonts.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/app/api/search/route.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/registry/__index__.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/registry/_legacy-base-colors.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/registry/_legacy-colors.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/registry/_legacy-themes.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/registry/base-colors.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/registry/bases.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/registry/bases/__index__.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/registry/bases/base/blocks/_registry.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/registry/bases/base/components/_registry.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/registry/bases/base/examples/_registry.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/registry/bases/base/hooks/_registry.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/registry/bases/base/internal/_registry.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/registry/bases/base/lib/_registry.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/registry/bases/base/registry.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/registry/bases/base/ui/direction.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/registry/bases/radix/blocks/_registry.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/registry/bases/radix/components/_registry.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/registry/bases/radix/examples/_registry.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/registry/bases/radix/hooks/_registry.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/registry/bases/radix/internal/_registry.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/registry/bases/radix/lib/_registry.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/registry/bases/radix/registry.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/registry/config.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/registry/icons/__hugeicons__.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/registry/icons/__lucide__.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/registry/icons/__phosphor__.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/registry/icons/__remixicon__.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/registry/icons/__tabler__.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/registry/icons/icon-hugeicons.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/registry/icons/icon-lucide.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/registry/icons/icon-phosphor.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/registry/icons/icon-remixicon.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/registry/icons/icon-tabler.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/registry/styles.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/registry/themes.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/v4/source.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: vitest.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: vitest.workspace.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/github-script@v7 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/prerelease-comment.yml:20 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/github-script@v7 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/prerelease-comment.yml:63 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-node@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/code-check.yml:17 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-node@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/code-check.yml:53 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-node@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/code-check.yml:94 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/github-script@v7 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/signed-commits.yml:21 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-node@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/templates.yml:52 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/github-script@v7 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:29 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:66 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-node@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:77 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/upload-artifact@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:116 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:132 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-node@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:142 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-node@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/validate-registries.yml:25 supply-chaingithub-actionspinned-dependencies
low 9-layer quality integrity conf 1.00 Legacy-named symbol `normalizedOld` in packages/shadcn/src/utils/dry-run-formatter.ts:498
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer cicd supply-chain conf 1.00 package.json defines install-time lifecycle scripts
preinstall/install/postinstall/prepare scripts execute during dependency installation. Review them carefully for network calls, obfuscation, shell execution, or credential access.
apps/v4/package.json supply-chainnpminstall-scripts
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — .github/version-script-next.js:12
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — .github/version-script-prerelease.js:33
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — apps/v4/app/(app)/examples/rtl/components/notion-prompt-form.tsx:463
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — apps/v4/examples/base/input-group-block-start.tsx:39
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — apps/v4/examples/base/input-group-textarea-examples.tsx:133
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — apps/v4/examples/base/input-group-textarea.tsx:22
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — apps/v4/examples/base/sonner-demo.tsx:16
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — apps/v4/examples/radix/input-group-block-start.tsx:39
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — apps/v4/examples/radix/input-group-textarea-examples.tsx:133
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — apps/v4/examples/radix/input-group-textarea.tsx:22
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — apps/v4/examples/radix/sonner-demo.tsx:16
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — apps/v4/registry/bases/base/examples/input-group-example.tsx:869
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — apps/v4/registry/bases/radix/examples/input-group-example.tsx:845
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — apps/v4/registry/new-york-v4/examples/input-group-textarea.tsx:22
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — apps/v4/registry/new-york-v4/examples/sonner-demo.tsx:16
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — apps/v4/scripts/build-icons.ts:64
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/shadcn/src/commands/docs.ts:78
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/shadcn/src/commands/info.ts:44
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/shadcn/src/commands/preset.ts:90
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/shadcn/src/commands/search.ts:114
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/shadcn/src/commands/view.ts:71
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/shadcn/src/utils/logger.ts:5
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/shadcn/src/utils/transformers/transform-css-vars.ts:18
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/shadcn/test/fixtures/frameworks/remix-indie-stack/app/routes/healthcheck.tsx:22
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/shadcn/test/fixtures/frameworks/remix-indie-stack/cypress.config.ts:17
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/shadcn/test/fixtures/frameworks/remix-indie-stack/cypress/support/create-user.ts:39
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/shadcn/test/fixtures/frameworks/remix-indie-stack/cypress/support/delete-user.ts:28
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/shadcn/test/fixtures/frameworks/remix-indie-stack/prisma/seed.ts:43
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/shadcn/test/fixtures/frameworks/remix-indie-stack/remix.init/index.js:219
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/tests/fixtures/vite-monorepo-imports/apps/web/src/main.tsx:1
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/tests/src/tests/add.test.ts:87
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/tests/src/tests/registries.test.ts:470
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/tests/src/utils/helpers.ts:92
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer quality complexity conf 1.00 Very large file: apps/v4/examples/__index__.tsx (11269 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: apps/v4/registry/_legacy-base-colors.ts (1789 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: apps/v4/registry/bases/__index__.tsx (9783 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: apps/v4/registry/bases/base/examples/item-example.tsx (2027 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: apps/v4/registry/bases/radix/examples/item-example.tsx (2009 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: apps/v4/registry/new-york-v4/examples/_registry.ts (2767 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity

Showing first 300 of 312. Refine filters or use the legacy findings page for deep search.

For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/79e0d07d-ac62-4a8b-8420-9f7a9910ca4a/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/79e0d07d-ac62-4a8b-8420-9f7a9910ca4a/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.