File as GitHub Issue repo: numtide/llm-agents.nix

Push this scan report to numtide/llm-agents.nix

Click the green button below to open GitHub’s new-issue form, pre-filled with the report title, summary table, top findings, and an embedded score-card image. No authentication needed — you review on GitHub before submitting. Repobility is credited as the scanner.

Embedded score card image

This image will render at the top of the issue body. Hosted on Repobility, refreshes automatically after re-scans.


Issue title

LDAP injection — non-constant search filter

Curate findings to include

Pick exactly which findings appear in the issue body. By default the top 5 are included. Uncheck noise, check what matters.

| Severity | Rule | Title | File:line |
|---|---|---|---|
| CRIT | GHSA-5xrq-8626-4rwp | vitest: GHSA-5xrq-8626-4rwp | packages/iflow-cli/package-lock.json |
| CRIT | GHSA-fjxv-7rqg-78g4 | form-data: GHSA-fjxv-7rqg-78g4 | packages/iflow-cli/package-lock.json |
| CRIT | GHSA-xq3m-2v4x-88gg | protobufjs: GHSA-xq3m-2v4x-88gg | packages/aionui/bun.lock |
| HIGH | SEC080 | [SEC080] Python: tarfile.extractall without filter: tarfile.extract*() without filter='da… | packages/codex-acp/update.py:57 |
| HIGH | SEC103 | [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDA… | packages/codex-acp/update.py:61 |
| HIGH | SEC103 | [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDA… | packages/claudebox/update.py:36 |
| HIGH | SEC029 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… | packages/backlog-md/update.py:51 |
| HIGH | SEC029 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… | packages/aionui/update.py:107 |
| HIGH | SEC029 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… | .github/ci/update.py:7 |
| HIGH | MINED115 | Action `Mic92/auto-merge` pinned to mutable ref `@main` | .github/workflows/auto-merge.yml:14 |
| HIGH | MINED115 | Action `cachix/install-nix-action` pinned to mutable ref `@v31` | .github/workflows/check-readme.yml:18 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v6` | .github/workflows/check-readme.yml:16 |
| HIGH | MINED115 | Action `cachix/install-nix-action` pinned to mutable ref `@v31` | .github/workflows/update-flake.yml:150 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v6` | .github/workflows/update-flake.yml:145 |
| HIGH | MINED115 | Action `actions/create-github-app-token` pinned to mutable ref `@v3` | .github/workflows/update-flake.yml:140 |
| HIGH | MINED115 | Action `cachix/install-nix-action` pinned to mutable ref `@v31` | .github/workflows/update-flake.yml:76 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v6` | .github/workflows/update-flake.yml:70 |
| HIGH | MINED115 | Action `actions/create-github-app-token` pinned to mutable ref `@v3` | .github/workflows/update-flake.yml:65 |
| HIGH | MINED115 | Action `cachix/install-nix-action` pinned to mutable ref `@v31` | .github/workflows/update-flake.yml:41 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v6` | .github/workflows/update-flake.yml:39 |
| HIGH | MINED115 | Action `cachix/install-nix-action` pinned to mutable ref `@v31` | .github/workflows/check-maintainers.yml:21 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v6` | .github/workflows/check-maintainers.yml:16 |
| HIGH | GHSA-p9ff-h696-f583 | vite: GHSA-p9ff-h696-f583 | packages/aionui/bun.lock |
| HIGH | GHSA-ph9p-34f9-6g65 | tmp: GHSA-ph9p-34f9-6g65 | packages/aionui/bun.lock |
| HIGH | GHSA-hvx9-hwr7-wjj9 | systeminformation: GHSA-hvx9-hwr7-wjj9 | packages/aionui/bun.lock |
| HIGH | GHSA-hffm-xvc3-vprc | simple-git: GHSA-hffm-xvc3-vprc | packages/aionui/bun.lock |
| HIGH | GHSA-rxv8-25v2-qmq8 | react-router: GHSA-rxv8-25v2-qmq8 | packages/aionui/bun.lock |
| HIGH | GHSA-8x6r-g9mw-2r78 | react-router: GHSA-8x6r-g9mw-2r78 | packages/aionui/bun.lock |
| HIGH | GHSA-8646-j5j9-6r62 | react-router: GHSA-8646-j5j9-6r62 | packages/aionui/bun.lock |
| HIGH | GHSA-49rj-9fvp-4h2h | react-router: GHSA-49rj-9fvp-4h2h | packages/aionui/bun.lock |
| HIGH | GHSA-jvwf-75h9-cwgg | protobufjs: GHSA-jvwf-75h9-cwgg | packages/aionui/bun.lock |
| HIGH | GHSA-75px-5xx7-5xc7 | protobufjs: GHSA-75px-5xx7-5xc7 | packages/aionui/bun.lock |
| HIGH | GHSA-685m-2w69-288q | protobufjs: GHSA-685m-2w69-288q | packages/aionui/bun.lock |
| HIGH | GHSA-66ff-xgx4-vchm | protobufjs: GHSA-66ff-xgx4-vchm | packages/aionui/bun.lock |
| HIGH | GHSA-c2c7-rcm5-vvqj | picomatch: GHSA-c2c7-rcm5-vvqj | packages/aionui/bun.lock |
| HIGH | GHSA-j3q9-mxjg-w52f | path-to-regexp: GHSA-j3q9-mxjg-w52f | packages/aionui/bun.lock |
| HIGH | GHSA-7r86-cg39-jmmj | minimatch: GHSA-7r86-cg39-jmmj | packages/aionui/bun.lock |
| HIGH | GHSA-3ppc-4f35-3m26 | minimatch: GHSA-3ppc-4f35-3m26 | packages/aionui/bun.lock |
| HIGH | GHSA-23c5-xmqv-rm74 | minimatch: GHSA-23c5-xmqv-rm74 | packages/aionui/bun.lock |
| HIGH | GHSA-r5fr-rjxr-66jc | lodash-es: GHSA-r5fr-rjxr-66jc | packages/aionui/bun.lock |
| HIGH | GHSA-r5fr-rjxr-66jc | lodash: GHSA-r5fr-rjxr-66jc | packages/aionui/bun.lock |
| HIGH | GHSA-8gc5-j5rx-235r | fast-xml-parser: GHSA-8gc5-j5rx-235r | packages/aionui/bun.lock |
| HIGH | GHSA-5wm8-gmm8-39j9 | fast-xml-builder: GHSA-5wm8-gmm8-39j9 | packages/aionui/bun.lock |
| HIGH | GHSA-v39h-62p7-jpjc | fast-uri: GHSA-v39h-62p7-jpjc | packages/aionui/bun.lock |
| HIGH | GHSA-q3j6-qgpj-74h6 | fast-uri: GHSA-q3j6-qgpj-74h6 | packages/aionui/bun.lock |
| HIGH | GHSA-jjp3-mq3x-295m | electron: GHSA-jjp3-mq3x-295m | packages/aionui/bun.lock |
| HIGH | GHSA-9wfr-w7mm-pc7f | electron: GHSA-9wfr-w7mm-pc7f | packages/aionui/bun.lock |
| HIGH | GHSA-8337-3p73-46f4 | electron: GHSA-8337-3p73-46f4 | packages/aionui/bun.lock |
| HIGH | GHSA-532v-xpq5-8h95 | electron: GHSA-532v-xpq5-8h95 | packages/aionui/bun.lock |
| HIGH | GHSA-737v-mqg7-c878 | defu: GHSA-737v-mqg7-c878 | packages/aionui/bun.lock |
| HIGH | GHSA-q8qp-cvcw-x6jj | axios: GHSA-q8qp-cvcw-x6jj | packages/aionui/bun.lock |
| HIGH | GHSA-pf86-5x62-jrwf | axios: GHSA-pf86-5x62-jrwf | packages/aionui/bun.lock |
| HIGH | GHSA-p92q-9vqr-4j8v | axios: GHSA-p92q-9vqr-4j8v | packages/aionui/bun.lock |
| HIGH | GHSA-j5f8-grm9-p9fc | axios: GHSA-j5f8-grm9-p9fc | packages/aionui/bun.lock |
| HIGH | GHSA-hfxv-24rg-xrqf | axios: GHSA-hfxv-24rg-xrqf | packages/aionui/bun.lock |
| HIGH | GHSA-777c-7fjr-54vf | axios: GHSA-777c-7fjr-54vf | packages/aionui/bun.lock |
| HIGH | GHSA-6chq-wfr3-2hj9 | axios: GHSA-6chq-wfr3-2hj9 | packages/aionui/bun.lock |
| HIGH | GHSA-pjwm-pj3p-43mv | axios: GHSA-pjwm-pj3p-43mv | packages/aionui/bun.lock |
| HIGH | GHSA-3g43-6gmg-66jw | axios: GHSA-3g43-6gmg-66jw | packages/aionui/bun.lock |
| HIGH | GHSA-35jp-ww65-95wh | axios: GHSA-35jp-ww65-95wh | packages/aionui/bun.lock |
| HIGH | GHSA-x6wf-f3px-wcqx | @xmldom/xmldom: GHSA-x6wf-f3px-wcqx | packages/aionui/bun.lock |
| HIGH | GHSA-wh4c-j3r5-mjhp | @xmldom/xmldom: GHSA-wh4c-j3r5-mjhp | packages/aionui/bun.lock |
| HIGH | GHSA-j759-j44w-7fr8 | @xmldom/xmldom: GHSA-j759-j44w-7fr8 | packages/aionui/bun.lock |
| HIGH | GHSA-f6ww-3ggp-fr8h | @xmldom/xmldom: GHSA-f6ww-3ggp-fr8h | packages/aionui/bun.lock |
| HIGH | GHSA-2v35-w6hq-6mfw | @xmldom/xmldom: GHSA-2v35-w6hq-6mfw | packages/aionui/bun.lock |
| HIGH | GHSA-q7rr-3cgh-j5r3 | @opentelemetry/sdk-node: GHSA-q7rr-3cgh-j5r3 | packages/aionui/bun.lock |
| HIGH | GHSA-q7rr-3cgh-j5r3 | @opentelemetry/exporter-prometheus: GHSA-q7rr-3cgh-j5r3 | packages/aionui/bun.lock |
| HIGH | SEC004 | [SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection. | .github/ci/create_pr.py:62 |
| HIGH | CORE_NO_TESTS | No test files found | |
| MED | SEC012 | [SEC012] ZipSlip — Archive Path Traversal: Archive extraction without path validation all… | scripts/updater/npm.py:69 |
| MED | GHSA-58qx-3vcg-4xpx | ws: GHSA-58qx-3vcg-4xpx | packages/iflow-cli/package-lock.json |
| MED | GHSA-w5hq-g745-h8pq | uuid: GHSA-w5hq-g745-h8pq | packages/iflow-cli/package-lock.json |
| MED | GHSA-72xf-g2v4-qvf3 | tough-cookie: GHSA-72xf-g2v4-qvf3 | packages/iflow-cli/package-lock.json |
| MED | GHSA-p8p7-x288-28g6 | request: GHSA-p8p7-x288-28g6 | packages/iflow-cli/package-lock.json |
| MED | GHSA-6rw7-vpxm-498p | qs: GHSA-6rw7-vpxm-498p | packages/iflow-cli/package-lock.json |
| MED | GHSA-5v7r-6r5c-r473 | file-type: GHSA-5v7r-6r5c-r473 | packages/iflow-cli/package-lock.json |
| MED | GHSA-jxxr-4gwj-5jf2 | brace-expansion: GHSA-jxxr-4gwj-5jf2 | packages/iflow-cli/package-lock.json |
| MED | GHSA-48c2-rrv3-qjmp | yaml: GHSA-48c2-rrv3-qjmp | packages/aionui/bun.lock |
| MED | GHSA-58qx-3vcg-4xpx | ws: GHSA-58qx-3vcg-4xpx | packages/aionui/bun.lock |
| MED | GHSA-4w7w-66w2-5vf9 | vite: GHSA-4w7w-66w2-5vf9 | packages/aionui/bun.lock |
| MED | GHSA-w5hq-g745-h8pq | uuid: GHSA-w5hq-g745-h8pq | packages/aionui/bun.lock |
| MED | GHSA-f22v-gfqf-p8f3 | react-router: GHSA-f22v-gfqf-p8f3 | packages/aionui/bun.lock |
| MED | GHSA-2j2x-hqr9-3h42 | react-router: GHSA-2j2x-hqr9-3h42 | packages/aionui/bun.lock |
| MED | GHSA-q8mj-m7cp-5q26 | qs: GHSA-q8mj-m7cp-5q26 | packages/aionui/bun.lock |
| MED | GHSA-q6x5-8v7m-xcrf | protobufjs: GHSA-q6x5-8v7m-xcrf | packages/aionui/bun.lock |
| MED | GHSA-jggg-4jg4-v7c6 | protobufjs: GHSA-jggg-4jg4-v7c6 | packages/aionui/bun.lock |
| MED | GHSA-fx83-v9x8-x52w | protobufjs: GHSA-fx83-v9x8-x52w | packages/aionui/bun.lock |
| MED | GHSA-2pr8-phx7-x9h3 | protobufjs: GHSA-2pr8-phx7-x9h3 | packages/aionui/bun.lock |
| MED | GHSA-qx2v-qp2m-jg93 | postcss: GHSA-qx2v-qp2m-jg93 | packages/aionui/bun.lock |
| MED | GHSA-3v7f-55p6-f55p | picomatch: GHSA-3v7f-55p6-f55p | packages/aionui/bun.lock |
| MED | GHSA-27v5-c462-wpq7 | path-to-regexp: GHSA-27v5-c462-wpq7 | packages/aionui/bun.lock |
| MED | GHSA-xcj9-5m2h-648r | mermaid: GHSA-xcj9-5m2h-648r | packages/aionui/bun.lock |
| MED | GHSA-ghcm-xqfw-q4vr | mermaid: GHSA-ghcm-xqfw-q4vr | packages/aionui/bun.lock |
| MED | GHSA-87f9-hvmw-gh4p | mermaid: GHSA-87f9-hvmw-gh4p | packages/aionui/bun.lock |
| MED | GHSA-6m6c-36f7-fhxh | mermaid: GHSA-6m6c-36f7-fhxh | packages/aionui/bun.lock |
| MED | GHSA-f23m-r3pf-42rh | lodash-es: GHSA-f23m-r3pf-42rh | packages/aionui/bun.lock |
| MED | GHSA-f23m-r3pf-42rh | lodash: GHSA-f23m-r3pf-42rh | packages/aionui/bun.lock |
| MED | GHSA-v2v4-37r5-5v8g | ip-address: GHSA-v2v4-37r5-5v8g | packages/aionui/bun.lock |
| MED | GHSA-xrhx-7g5j-rcj5 | hono: GHSA-xrhx-7g5j-rcj5 | packages/aionui/bun.lock |
| MED | GHSA-xpcf-pg52-r92g | hono: GHSA-xpcf-pg52-r92g | packages/aionui/bun.lock |
| MED | GHSA-xf4j-xp2r-rqqx | hono: GHSA-xf4j-xp2r-rqqx | packages/aionui/bun.lock |
| MED | GHSA-wmmm-f939-6g9c | hono: GHSA-wmmm-f939-6g9c | packages/aionui/bun.lock |
| MED | GHSA-r5rp-j6wh-rvv4 | hono: GHSA-r5rp-j6wh-rvv4 | packages/aionui/bun.lock |
| MED | GHSA-qp7p-654g-cw7p | hono: GHSA-qp7p-654g-cw7p | packages/aionui/bun.lock |
| MED | GHSA-p77w-8qqv-26rm | hono: GHSA-p77w-8qqv-26rm | packages/aionui/bun.lock |
| MED | GHSA-f577-qrjj-4474 | hono: GHSA-f577-qrjj-4474 | packages/aionui/bun.lock |
| MED | GHSA-9vqf-7f2p-gf9v | hono: GHSA-9vqf-7f2p-gf9v | packages/aionui/bun.lock |
| MED | GHSA-69xw-7hcm-h432 | hono: GHSA-69xw-7hcm-h432 | packages/aionui/bun.lock |
| MED | GHSA-458j-xx4x-4375 | hono: GHSA-458j-xx4x-4375 | packages/aionui/bun.lock |
| MED | GHSA-3hrh-pfw6-9m5x | hono: GHSA-3hrh-pfw6-9m5x | packages/aionui/bun.lock |
| MED | GHSA-2gcr-mfcq-wcc3 | hono: GHSA-2gcr-mfcq-wcc3 | packages/aionui/bun.lock |
| MED | GHSA-26pp-8wgv-hjvm | hono: GHSA-26pp-8wgv-hjvm | packages/aionui/bun.lock |
| MED | GHSA-r4q5-vmmm-2653 | follow-redirects: GHSA-r4q5-vmmm-2653 | packages/aionui/bun.lock |
| MED | GHSA-5v7r-6r5c-r473 | file-type: GHSA-5v7r-6r5c-r473 | packages/aionui/bun.lock |
| MED | GHSA-jp2q-39xq-3w4g | fast-xml-parser: GHSA-jp2q-39xq-3w4g | packages/aionui/bun.lock |
| MED | GHSA-gh4j-gqv2-49f6 | fast-xml-parser: GHSA-gh4j-gqv2-49f6 | packages/aionui/bun.lock |
| MED | GHSA-xwr5-m59h-vwqr | electron: GHSA-xwr5-m59h-vwqr | packages/aionui/bun.lock |
| MED | GHSA-xj5x-m3f3-5x3h | electron: GHSA-xj5x-m3f3-5x3h | packages/aionui/bun.lock |
| MED | GHSA-r5p7-gp4j-qhrx | electron: GHSA-r5p7-gp4j-qhrx | packages/aionui/bun.lock |
| MED | GHSA-mwmh-mq4g-g6gr | electron: GHSA-mwmh-mq4g-g6gr | packages/aionui/bun.lock |
| MED | GHSA-f3pv-wv63-48x8 | electron: GHSA-f3pv-wv63-48x8 | packages/aionui/bun.lock |
| MED | GHSA-9w97-2464-8783 | electron: GHSA-9w97-2464-8783 | packages/aionui/bun.lock |
| MED | GHSA-5rqw-r77c-jp79 | electron: GHSA-5rqw-r77c-jp79 | packages/aionui/bun.lock |
| MED | GHSA-4p4r-m79c-wq3v | electron: GHSA-4p4r-m79c-wq3v | packages/aionui/bun.lock |
| MED | GHSA-3c8v-cfp5-9885 | electron: GHSA-3c8v-cfp5-9885 | packages/aionui/bun.lock |
| MED | GHSA-v9jr-rg53-9pgp | dompurify: GHSA-v9jr-rg53-9pgp | packages/aionui/bun.lock |
| MED | GHSA-v2wj-7wpq-c8vv | dompurify: GHSA-v2wj-7wpq-c8vv | packages/aionui/bun.lock |
| MED | GHSA-h8r8-wccr-v5f2 | dompurify: GHSA-h8r8-wccr-v5f2 | packages/aionui/bun.lock |
| MED | GHSA-h7mw-gpvr-xq4m | dompurify: GHSA-h7mw-gpvr-xq4m | packages/aionui/bun.lock |
| MED | GHSA-crv5-9vww-q3g8 | dompurify: GHSA-crv5-9vww-q3g8 | packages/aionui/bun.lock |
| MED | GHSA-cjmm-f4jc-qw8r | dompurify: GHSA-cjmm-f4jc-qw8r | packages/aionui/bun.lock |
| MED | GHSA-cj63-jhhr-wcxv | dompurify: GHSA-cj63-jhhr-wcxv | packages/aionui/bun.lock |
| MED | GHSA-39q2-94rc-95cp | dompurify: GHSA-39q2-94rc-95cp | packages/aionui/bun.lock |
| MED | GHSA-jxxr-4gwj-5jf2 | brace-expansion: GHSA-jxxr-4gwj-5jf2 | packages/aionui/bun.lock |
| MED | GHSA-f886-m6hf-6m8v | brace-expansion: GHSA-f886-m6hf-6m8v | packages/aionui/bun.lock |
| MED | GHSA-xx6v-rp6x-q39c | axios: GHSA-xx6v-rp6x-q39c | packages/aionui/bun.lock |
| MED | GHSA-w9j2-pvgh-6h63 | axios: GHSA-w9j2-pvgh-6h63 | packages/aionui/bun.lock |
| MED | GHSA-vf2m-468p-8v99 | axios: GHSA-vf2m-468p-8v99 | packages/aionui/bun.lock |
| MED | GHSA-m7pr-hjqh-92cm | axios: GHSA-m7pr-hjqh-92cm | packages/aionui/bun.lock |
| MED | GHSA-fvcv-3m26-pcqx | axios: GHSA-fvcv-3m26-pcqx | packages/aionui/bun.lock |
| MED | GHSA-898c-q2cr-xwhg | axios: GHSA-898c-q2cr-xwhg | packages/aionui/bun.lock |
| MED | GHSA-62hf-57xw-28j9 | axios: GHSA-62hf-57xw-28j9 | packages/aionui/bun.lock |
| MED | GHSA-5c9x-8gcm-mpgx | axios: GHSA-5c9x-8gcm-mpgx | packages/aionui/bun.lock |
| MED | GHSA-445q-vr5w-6q77 | axios: GHSA-445q-vr5w-6q77 | packages/aionui/bun.lock |
| MED | GHSA-3w6x-2g7m-8v23 | axios: GHSA-3w6x-2g7m-8v23 | packages/aionui/bun.lock |
| MED | GHSA-q6x5-8v7m-xcrf | @protobufjs/utf8: GHSA-q6x5-8v7m-xcrf | packages/aionui/bun.lock |
| MED | GHSA-92pp-h63x-v22m | @hono/node-server: GHSA-92pp-h63x-v22m | packages/aionui/bun.lock |
| LOW | COMP001 | [COMP001] High cognitive complexity: Function `discover_flake_inputs` has cognitive compl… | .github/ci/discovery.py:95 |
| LOW | COMP001 | [COMP001] High cognitive complexity: Function `write_matrix` has cognitive complexity 9 (… | .github/ci/discovery.py:123 |
| LOW | COMP001 | [COMP001] High cognitive complexity: Function `discover_packages` has cognitive complexit… | .github/ci/discovery.py:57 |
| LOW | DEPCUR-GHA | GitHub Action `cachix/install-nix-action@v31` is minor version(s) behind (latest v31.10.6) | .github/workflows/check-readme.yml:18 |
| LOW | DEPCUR-GHA | GitHub Action `actions/create-github-app-token@v3` is minor version(s) behind (latest v3.… | .github/workflows/update-flake.yml:65 |
| LOW | DEPCUR-GHA | GitHub Action `cachix/install-nix-action@v31` is minor version(s) behind (latest v31.10.6) | .github/workflows/update-flake.yml:41 |
| LOW | DEPCUR-GHA | GitHub Action `cachix/install-nix-action@v31` is minor version(s) behind (latest v31.10.6) | .github/workflows/check-maintainers.yml:21 |
| LOW | GHSA-hm8q-7f3q-5f36 | hono: GHSA-hm8q-7f3q-5f36 | packages/aionui/bun.lock |
| LOW | GHSA-jfqx-fxh3-c62j | electron: GHSA-jfqx-fxh3-c62j | packages/aionui/bun.lock |
| LOW | GHSA-f37v-82c4-4x64 | electron: GHSA-f37v-82c4-4x64 | packages/aionui/bun.lock |
| LOW | GHSA-9899-m83m-qhpj | electron: GHSA-9899-m83m-qhpj | packages/aionui/bun.lock |
| LOW | GHSA-8x5q-pvf5-64mp | electron: GHSA-8x5q-pvf5-64mp | packages/aionui/bun.lock |
| LOW | GHSA-xhjh-pmcv-23jw | axios: GHSA-xhjh-pmcv-23jw | packages/aionui/bun.lock |
| LOW | GHSA-vpq2-c234-7xj6 | @tootallnate/once: GHSA-vpq2-c234-7xj6 | packages/aionui/bun.lock |
| LOW | AIC003 | Duplicated implementation block across source files | packages/sandbox-runtime/update.py:2 |
| LOW | AIC003 | Duplicated implementation block across source files | packages/ralph-tui/update.py:3 |
| LOW | AIC003 | Duplicated implementation block across source files | packages/qmd/update.py:3 |
| LOW | AIC003 | Duplicated implementation block across source files | packages/pi/update.py:2 |
| LOW | AIC003 | Duplicated implementation block across source files | packages/openspecui/update.py:2 |
| LOW | AIC003 | Duplicated implementation block across source files | packages/openspec/update.py:2 |
| LOW | AIC003 | Duplicated implementation block across source files | packages/opencode/update.py:2 |
| LOW | AIC003 | Duplicated implementation block across source files | packages/oh-my-codex/update.py:2 |
| LOW | AIC003 | Duplicated implementation block across source files | packages/letta-code/update.py:2 |
| LOW | AIC003 | Duplicated implementation block across source files | packages/iflow-cli/update.py:2 |
| LOW | AIC003 | Duplicated implementation block across source files | packages/go-bin/update.py:5 |
| LOW | AIC003 | Duplicated implementation block across source files | packages/gno/update.py:3 |
| LOW | AIC003 | Duplicated implementation block across source files | packages/forgecode/update.py:2 |
| LOW | AIC003 | Duplicated implementation block across source files | packages/droid/update.py:2 |
| LOW | AIC003 | Duplicated implementation block across source files | packages/crush/update.py:2 |
| LOW | AIC003 | Duplicated implementation block across source files | packages/cli-proxy-api/update.py:2 |
| INFO | MINED062 | [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model. | .github/ci/discovery.py:40 |
| INFO | MINED062 | [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model. | .github/ci/create_pr.py:22 |
| INFO | DEPCUR-GHA | GitHub Action `actions/checkout@v6` is patch version(s) behind (latest v6.0.3) | .github/workflows/check-readme.yml:16 |
| INFO | DEPCUR-GHA | GitHub Action `actions/checkout@v6` is patch version(s) behind (latest v6.0.3) | .github/workflows/update-flake.yml:39 |
| INFO | DEPCUR-GHA | GitHub Action `actions/checkout@v6` is patch version(s) behind (latest v6.0.3) | .github/workflows/check-maintainers.yml:16 |

182 findings available (after auto-suppression of test files + won't-fix).

Issue body (markdown)

## Code-quality scan: `numtide/llm-agents.nix`

**Score: 71/100 (C-)**  ·  182 findings  ·  scanned 2026-06-05 19:38 UTC  ·  5,676 LOC

| Severity | Count |
|---|---|
| CRITICAL | 3 |
| HIGH | 66 |
| MEDIUM | 78 |
| LOW | 30 |

📊 [Full filterable report](https://repobility.com/scan/8582a95d-e4bd-4239-bbd9-99545eaf9f4b/)  ·  ![scorecard](https://repobility.com/scan/8582a95d-e4bd-4239-bbd9-99545eaf9f4b/report.png?v=1780688280-s2)

### Top findings

1. **CRITICAL** `GHSA-5xrq-8626-4rwp` — vitest: GHSA-5xrq-8626-4rwp
   `packages/iflow-cli/package-lock.json`
2. **CRITICAL** `GHSA-fjxv-7rqg-78g4` — form-data: GHSA-fjxv-7rqg-78g4
   `packages/iflow-cli/package-lock.json`
3. **CRITICAL** `GHSA-xq3m-2v4x-88gg` — protobufjs: GHSA-xq3m-2v4x-88gg
   `packages/aionui/bun.lock`
4. **HIGH** `SEC080` — Python: tarfile.extractall without filter
   `packages/codex-acp/update.py:57` · A05:2021 Security Misconfiguration
5. **HIGH** `SEC103` — LDAP injection — non-constant search filter
   `packages/codex-acp/update.py:61` · A03:2021 Injection

---

**Security note**: this issue is public. If any flagged finding is a real, exploitable vulnerability, please redirect to your `SECURITY.md` policy or open a [private security advisory](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability) instead. We're happy to close this and re-submit privately.

---

_Filed automatically. Close this issue if not useful — we won't refile. Full report: https://repobility.com/scan/8582a95d-e4bd-4239-bbd9-99545eaf9f4b/_
Megaproject — high spam risk
Could not determine 'numtide/llm-agents.nix' star count (GitHub API rate-limited or unreachable). When in doubt about repo size, prefer opening a focused PR or a discussion rather than an issue.

The button opens GitHub's new-issue page in a new tab. You will see the title + body pre-filled — review, edit if you want, then click GitHub's "Submit new issue" button. Repobility never posts anything on your behalf.

For real security findings on big repos: use the project's SECURITY.md or private advisory flow instead of a public issue.