Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
19 of your 129 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 2.66s · analysis 13.98s · 2.4 MB · GitHub API rate-limit (preflight)

Meeting-BaaS/meet-teams-bot

https://github.com/Meeting-BaaS/meet-teams-bot · scanned 2026-06-05 13:25 UTC (5 days, 6 hours ago) · 10 languages

307 raw signals (123 security + 184 graph) 34th percentile · Typescript · small (2-20K LoC)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 5 days, 6 hours ago · v2 · 203 actionable findings from 2 signal sources. 12 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
64.2
/100
Security checks
68
111 findings
System graph
61
100.0% cov · 92 findings
Critical
4
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 100.0 0.15 15.00
security_score 42.8 0.25 10.70
testing_score 27.0 0.20 5.40
documentation_score 90.0 0.15 13.50
practices_score 62.0 0.15 9.30
code_quality 69.4 0.10 6.94
Overall 1.00 60.8
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 4 High 41 Medium 41 Low 86 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 111 System graph 92 Crowd 0 Layer: Quality 34 Security 5 Software 93 Cicd 7 Frontend 52 Hardware 4 Api 8
Scan summary Quality grade C+ (61/100). Dimensions: security 43, maintainability 100. 123 findings (67 security). 16,690 lines analyzed.

Showing 172 of 203 actionable findings. 215 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

critical Security checks quality Quality conf 1.00 ✓ Repobility [MINED035] Js New Function: new Function(...) compiles strings to functions.
Review and fix per the pattern semantics. See CWE-95 / for context.
src/browser/browser.ts:102
critical Security checks software dependencies conf 0.88 fast-xml-parser: GHSA-m7jm-9gc2-mpf2
fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names
package-lock.json
critical Security checks software dependencies conf 0.88 simple-git: GHSA-r275-fr43-pm7q
simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE
package-lock.json
critical System graph security Secrets conf 1.00 Possible secret in src/main.ts
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
src/main.ts:223
high Security checks software dependencies conf 0.88 axios: GHSA-35jp-ww65-95wh
axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-3g43-6gmg-66jw
axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-43fc-jf86-j433
Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-6chq-wfr3-2hj9
Axios: Header Injection via Prototype Pollution
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-777c-7fjr-54vf
Allocation of Resources Without Limits or Throttling in Axios
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-hfxv-24rg-xrqf
Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-j5f8-grm9-p9fc
Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-p92q-9vqr-4j8v
Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-pf86-5x62-jrwf
Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-pjwm-pj3p-43mv
axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)
package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-q8qp-cvcw-x6jj
Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking
package-lock.json
high Security checks software dependencies conf 0.88 body-parser: GHSA-qwcr-r2fm-qrc7
body-parser vulnerable to denial of service when url encoding is enabled
package-lock.json
high Security checks software dependencies conf 0.90 ✓ Repobility Dockerfile FROM `ubuntu:24.04` not pinned by digest
`FROM ubuntu:24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Dockerfile:2
high Security checks cicd CI/CD security conf 0.92 Dockerfile pipes a remote script into a shell
Piping downloaded code directly into a shell bypasses checksum verification and makes builds dependent on mutable remote content.
Dockerfile:6 CI/CD securitycontainers
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /play has no auth
Express route POST /play declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
src/server.ts:233
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /stop_record has no auth
Express route POST /stop_record declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
src/server.ts:73
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /upload has no auth
Express route POST /upload declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
src/server.ts:154
high Security checks software dependencies conf 0.88 fast-xml-parser: GHSA-37qj-frw5-hhjh
fast-xml-parser has RangeError DoS Numeric Entities Bug
package-lock.json
high Security checks software dependencies conf 0.88 fast-xml-parser: GHSA-8gc5-j5rx-235r
fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)
package-lock.json
high Security checks software dependencies conf 0.88 flatted: GHSA-25h7-pfq9-p65f
flatted vulnerable to unbounded recursion DoS in parse() revive phase
package-lock.json
high Security checks software dependencies conf 0.88 flatted: GHSA-rf6f-7fwh-wjgh
Prototype Pollution via parse() in NodeJS flatted
package-lock.json
high Security checks software dependencies conf 0.88 lodash: GHSA-r5fr-rjxr-66jc
lodash vulnerable to Code Injection via `_.template` imports key names
package-lock.json
high Security checks software dependencies conf 0.88 minimatch: GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
package-lock.json
high Security checks software dependencies conf 0.88 minimatch: GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
package-lock.json
high Security checks software dependencies conf 0.88 minimatch: GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
package-lock.json
high Security checks software dependencies conf 0.88 path-to-regexp: GHSA-37ch-88jc-xwx2
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters
package-lock.json
high Security checks software dependencies conf 0.88 path-to-regexp: GHSA-9wv6-86v2-598j
path-to-regexp outputs backtracking regular expressions
package-lock.json
high Security checks software dependencies conf 0.88 path-to-regexp: GHSA-rhx6-c78j-4q9w
path-to-regexp contains a ReDoS
package-lock.json
high Security checks software dependencies conf 0.88 picomatch: GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers
package-lock.json
high Security checks software dependencies conf 0.88 playwright: GHSA-7mvr-c777-76hp
Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate
package-lock.json
high Security checks software dependencies conf 0.88 qs: GHSA-hrpp-h998-j3pp
qs vulnerable to Prototype Pollution
package-lock.json
high Security checks software dependencies conf 0.88 simple-git: GHSA-hffm-xvc3-vprc
simple-git is vulnerable to Remote Code Execution
package-lock.json
high Security checks software dependencies conf 0.88 simple-git: GHSA-jcxm-m3jx-f287
simple-git Affected by Command Execution via Option-Parsing Bypass
package-lock.json
high System graph api Wiring conf 1.00 Dangling fetch: GET /bots/check_stop_request (src/api/methods.ts:159)
`src/api/methods.ts:159` calls `GET /bots/check_stop_request` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: axios-obj Normalized path used for matching: `/bots/check_stop_request` If this points at an external API, prefix it with `https://` so the matcher s…
Dangling fetchAxios obj
high System graph api Wiring conf 1.00 Dangling fetch: PATCH /bots/transcripts/${GLOBAL.get().bot_uuid}/diarization (src/api/methods.ts:112)
`src/api/methods.ts:112` calls `PATCH /bots/transcripts/${GLOBAL.get().bot_uuid}/diarization` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: axios-obj Normalized path used for matching: `/bots/transcripts/<p>/diarization` If this points at an external API, p…
Dangling fetchAxios obj
high System graph api Wiring conf 1.00 Dangling fetch: POST /bots/end_meeting_trampoline (src/api/methods.ts:79)
`src/api/methods.ts:79` calls `POST /bots/end_meeting_trampoline` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: axios-obj Normalized path used for matching: `/bots/end_meeting_trampoline` If this points at an external API, prefix it with `https://` so the m…
Dangling fetchAxios obj
high System graph api Wiring conf 1.00 Dangling fetch: POST /bots/start_record_failed (src/api/methods.ts:133)
`src/api/methods.ts:133` calls `POST /bots/start_record_failed` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: axios-obj Normalized path used for matching: `/bots/start_record_failed` If this points at an external API, prefix it with `https://` so the matche…
Dangling fetchAxios obj
high System graph api Wiring conf 1.00 Dangling fetch: POST /bots/transcripts/${GLOBAL.get().bot_uuid}/diarization (src/api/methods.ts:99)
`src/api/methods.ts:99` calls `POST /bots/transcripts/${GLOBAL.get().bot_uuid}/diarization` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: axios-obj Normalized path used for matching: `/bots/transcripts/<p>/diarization` If this points at an external API, pre…
Dangling fetchAxios obj
high System graph hardware Supply chain conf 1.00 Dockerfile pipes a remote installer into a shell
Executing downloaded code during image build gives the remote endpoint build-time code execution. Prefer pinned packages or verify downloaded installers by checksum/signature.
Dockerfile:6 containersRemote installer
medium Security checks software dependencies conf 0.88 @babel/helpers: GHSA-968p-4wvh-cqc8
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
package-lock.json
medium Security checks security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
high Security checks security auth conf 0.74 [AUC002] Low visible authorization coverage in route inventory: Only 25.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
Only 25.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
medium Security checks quality Error handling conf 1.00 3 occurrences [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
3 files, 3 locations
src/proxy/toggle-proxy.ts:194
src/state-machine/states/cleanup-state.ts:102
src/utils/sound-level-monitor.ts:159
medium Security checks software dependencies conf 0.88 ajv: GHSA-2g4f-4pwh-qvx6
ajv has ReDoS when using `$data` option
package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-3w6x-2g7m-8v23
Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`
package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-445q-vr5w-6q77
Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream
package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-5c9x-8gcm-mpgx
Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0
package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-62hf-57xw-28j9
Axios: unbounded recursion in toFormData causes DoS via deeply nested request data
package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-898c-q2cr-xwhg
axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions
package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-fvcv-3m26-pcqx
Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain
package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-m7pr-hjqh-92cm
Axios: no_proxy bypass via IP alias allows SSRF
package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-vf2m-468p-8v99
Axios: HTTP adapter streamed responses bypass maxContentLength
package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-w9j2-pvgh-6h63
Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy
package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-xx6v-rp6x-q39c
Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion
package-lock.json
medium Security checks software dependencies conf 0.88 brace-expansion: GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion
package-lock.json
high Security checks cicd CI/CD security conf 0.82 Docker final stage has no non-root USER
Docker images run as root unless the image or Dockerfile switches to a non-root user.
Dockerfile:2 CI/CD securitycontainers
medium Security checks cicd CI/CD security conf 0.76 Dockerfile copies broad context with incomplete .dockerignore
COPY . or ADD . is safer when .dockerignore excludes secrets, git history, keys, and generated artifacts.
Dockerfile:46 CI/CD securitycontainers
medium Security checks software dependencies conf 0.88 express: GHSA-rv95-896h-c2vc
Express.js Open Redirect in malformed URLs
package-lock.json
medium Security checks software dependencies conf 0.88 fast-xml-parser: GHSA-gh4j-gqv2-49f6
fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters
package-lock.json
medium Security checks software dependencies conf 0.88 fast-xml-parser: GHSA-jp2q-39xq-3w4g
Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser
package-lock.json
medium Security checks software dependencies conf 0.88 follow-redirects: GHSA-r4q5-vmmm-2653
follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets
package-lock.json
medium Security checks software dependencies conf 0.88 js-yaml: GHSA-mh29-5h37-fv8m
js-yaml has prototype pollution in merge (<<)
package-lock.json
medium Security checks software dependencies conf 0.88 lodash: GHSA-f23m-r3pf-42rh
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
package-lock.json
medium Security checks software dependencies conf 0.88 lodash: GHSA-xxjr-mmjv-4gpg
Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions
package-lock.json
medium Security checks software dependencies conf 0.90 npm package `@types/express` is 1 major version(s) behind (4.17.13 -> 5.0.6)
`@types/express` is pinned/resolved at 4.17.13 but the latest stable release on the npm registry is 5.0.6 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `@types/jest` is 1 major version(s) behind (29.5.14 -> 30.0.0)
`@types/jest` is pinned/resolved at 29.5.14 but the latest stable release on the npm registry is 30.0.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `express` is 1 major version(s) behind (4.17.1 -> 5.2.1)
`express` is pinned/resolved at 4.17.1 but the latest stable release on the npm registry is 5.2.1 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `protobufjs` is 1 major version(s) behind (7.6.1 -> 8.6.0)
`protobufjs` is pinned/resolved at 7.6.1 but the latest stable release on the npm registry is 8.6.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `proxy-chain` is 1 major version(s) behind (2.7.1 -> 3.0.0)
`proxy-chain` is pinned/resolved at 2.7.1 but the latest stable release on the npm registry is 3.0.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `retry-axios` is 2 major version(s) behind (2.6.0 -> 4.0.3)
`retry-axios` is pinned/resolved at 2.6.0 but the latest stable release on the npm registry is 4.0.3 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `rimraf` is 3 major version(s) behind (3.0.2 -> 6.1.3)
`rimraf` is pinned/resolved at 3.0.2 but the latest stable release on the npm registry is 6.1.3 (3 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.88 picomatch: GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
package-lock.json
medium Security checks software dependencies conf 0.88 postcss: GHSA-qx2v-qp2m-jg93
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
package-lock.json
medium Security checks quality Quality conf 0.78 Public web service has no security.txt
security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt.
.well-known/security.txt
medium Security checks software dependencies conf 0.88 qs: GHSA-6rw7-vpxm-498p
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion
package-lock.json
medium Security checks software dependencies conf 0.88 uuid: GHSA-w5hq-g745-h8pq
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
package-lock.json
medium Security checks software dependencies conf 0.88 ws: GHSA-58qx-3vcg-4xpx
ws: Uninitialized memory disclosure
package-lock.json
medium Security checks software dependencies conf 0.88 yaml: GHSA-48c2-rrv3-qjmp
yaml is vulnerable to Stack Overflow via deeply nested YAML collections
package-lock.json
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/meeting/meet/bot-detection.ts:31
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph hardware Security conf 1.00 Dockerfile runs as root: Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph cicd CI/CD security conf 1.00 No CI/CD pipelines detected
No GitHub Actions, GitLab CI, or CircleCI configs found. Without CI you can't gate deploys on tests/lints.
CI/CD securityCoverage
medium System graph quality Tests conf 1.00 Very low test-to-source ratio
3 test file(s) for 65 source file(s) (ratio 0.05). Consider adding integration or unit tests for critical paths.
Coverage
low Security checks cicd CI/CD security conf 0.72 .dockerignore misses sensitive defaults
.dockerignore exists but does not cover common secret or VCS patterns.
.dockerignore CI/CD securitycontainers
low Security checks software dependencies conf 0.88 @smithy/config-resolver: GHSA-6475-r3vj-m8vf
AWS SDK for JavaScript v3 adopted defense in depth enhancement for region parameter value
package-lock.json
low Security checks security auth conf 0.76 [AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.
No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.
low Security checks software dependencies conf 0.88 axios: GHSA-xhjh-pmcv-23jw
Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams
package-lock.json
low Security checks software dependencies conf 0.88 brace-expansion: GHSA-v6h2-p8h4-qcjw
brace-expansion Regular Expression Denial of Service vulnerability
package-lock.json
low Security checks software dependencies conf 0.88 cookie: GHSA-pxg6-pf52-xh8x
cookie accepts cookie name, path, and domain with out of bounds characters
package-lock.json
low Security checks software dependencies conf 0.88 diff: GHSA-73rr-hh4g-fpgx
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch
package-lock.json
low Security checks cicd CI/CD security conf 0.72 3 occurrences Dockerfile installs recommended OS packages
Installing recommended packages often pulls in unnecessary runtime surface area.
lines 5, 7, 10
Dockerfile:5, 7, 10 (3 hits)
CI/CD securitycontainers
low Security checks cicd CI/CD security conf 0.74 Dockerfile leaves apt package indexes in the image layer
Package indexes increase image size and can expose stale metadata in the final image layer.
Dockerfile:5 CI/CD securitycontainers
low Security checks quality Quality conf 0.60 Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
src/meeting/teams/speakersObserver.ts:14 duplicationquality
low Security checks software dependencies conf 0.88 express: GHSA-qw6h-vgh9-j6wx
express vulnerable to XSS via response.redirect()
package-lock.json
low Security checks software dependencies conf 0.88 fast-xml-parser: GHSA-fj3w-jwp8-x2g3
fast-xml-parser has stack overflow in XMLBuilder with preserveOrder
package-lock.json
low Security checks software dependencies conf 0.90 npm package `@types/ws` is minor version(s) behind (8.5.12 -> 8.18.1)
`@types/ws` is pinned/resolved at 8.5.12 but the latest stable release on the npm registry is 8.18.1 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `axios` is minor version(s) behind (1.13.2 -> 1.17.0)
`axios` is pinned/resolved at 1.13.2 but the latest stable release on the npm registry is 1.17.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `prettier` is minor version(s) behind (3.3.3 -> 3.8.3)
`prettier` is pinned/resolved at 3.3.3 but the latest stable release on the npm registry is 3.8.3 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `ts-jest` is minor version(s) behind (29.2.5 -> 29.4.11)
`ts-jest` is pinned/resolved at 29.2.5 but the latest stable release on the npm registry is 29.4.11 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `winston` is minor version(s) behind (3.17.0 -> 3.19.0)
`winston` is pinned/resolved at 3.17.0 but the latest stable release on the npm registry is 3.19.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `ws` is minor version(s) behind (8.18.0 -> 8.21.0)
`ws` is pinned/resolved at 8.18.0 but the latest stable release on the npm registry is 8.21.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.88 qs: GHSA-w7fw-mjwx-w883
qs's arrayLimit bypass in comma parsing allows denial of service
package-lock.json
low Security checks software dependencies conf 0.88 send: GHSA-m6fv-jmcg-4jfg
send vulnerable to template injection that can lead to XSS
package-lock.json
low Security checks software dependencies conf 0.88 serve-static: GHSA-cm22-4g7w-348p
serve-static vulnerable to template injection that can lead to XSS
package-lock.json
low System graph hardware Coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
Deployment
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: ubuntu:24.04
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
Dockerfile:2 containersPinned dependencies
low System graph software Dead code candidate conf 1.00 File has no detected symbols: jest.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: jest.setup.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/api/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/meeting/meet-state-config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/meeting/teams-state-config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/services/dialog-observer/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/state-machine/constants.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/urlParser/meetUrlParser.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/urlParser/teamsUrlParser.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `diarization_v2` in src/api/methods.ts:86
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — sandbox/SystemDiagnostic.ts:27
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/api/methods.ts:59
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/branding.ts:29
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/browser/browser.ts:98
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/browser/page-logger.ts:67
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/events.ts:88
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/main.ts:45
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/media_context.ts:44
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/meeting/htmlCleaner.ts:41
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/meeting/meet.ts:33
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/meeting/meet/bot-detection.ts:65
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/meeting/meet/closeMeeting.ts:4
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/meeting/meet/htmlCleaner.ts:15
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/meeting/meet/speakersObserver.ts:35
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/meeting/shared/audio-capture.ts:42
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/meeting/speakersObserver.ts:28
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/meeting/teams.ts:56
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/meeting/teams/htmlCleaner.ts:15
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/meeting/teams/speakersObserver.ts:36
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/proxy/toggle-proxy.ts:89
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/recording/ScreenRecorder.ts:213
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/server.ts:75
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/services/html-snapshot-service.ts:95
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/singleton.ts:83
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/state-machine/machine.ts:21
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/state-machine/states/cleanup-state.ts:141
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/state-machine/states/error-state.ts:78
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/state-machine/states/in-call-state.ts:89
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/state-machine/states/initialization-state.ts:112
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/state-machine/states/paused-state.ts:77
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/state-machine/states/recording-state.ts:77
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/state-machine/states/resuming-state.ts:51
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/state-machine/states/waiting-room-state.ts:189
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/streaming.ts:85
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/uploadTranscripts.ts:32
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/urlParser/teamsUrlParser.ts:54
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/utils/CalculVideoOffset.ts:37
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/utils/dehumanize.ts:52
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/utils/Logger.ts:203
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/utils/meeting-state-detector.ts:132
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/utils/PathManager.ts:41
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/utils/retry-handler.ts:18
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/utils/S3Uploader.ts:35
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/utils/sound-level-monitor.ts:57
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/utils/SyncSignal.ts:36
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/utils/timing-control.ts:17
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — test_new.ts:7
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph api Wiring conf 1.00 Unused endpoint: POST /play
`src/server.ts` declares `POST /play` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /stop_record
`src/server.ts` declares `POST /stop_record` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /upload
`src/server.ts` declares `POST /upload` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph quality Complexity conf 1.00 Very large file: src/meeting/meet.ts (1407 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: src/recording/ScreenRecorder.ts (1799 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/93651174-a399-4865-826f-fab6ccfec7c5/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/93651174-a399-4865-826f-fab6ccfec7c5/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.