Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
54 of your 124 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.
Upstream (GitHub) caused delay on this scan — not Repobility.
  • GitHub API rate-limited (HTTP 403) — preflight skipped, fell back to direct git clone.
  • Clone from GitHub took 107.71s for a 113.4 MB repo slow.
  • Repobility's analysis ran in 9.97s after the clone landed.

nilbuild/developer-roadmap

https://github.com/nilbuild/developer-roadmap · scanned 2026-06-05 04:27 UTC (4 hours, 36 minutes ago) · 10 languages

448 findings (106 legacy + 342 scanner) 11/13 scanners ran 44th percentile · Typescript · medium (20-100K LoC) Scanner says 67 (higher by 3)

File as issue Image v2 schema
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 4 hours, 36 minutes ago · v2 · 277 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

JSON
Combined
76.0
/100
Repobility
85
106 legacy
9-layer
67
100.0% cov · 171 gaps
Critical
3
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 85.0 0.15 12.75
security_score 100.0 0.25 25.00
testing_score 25.0 0.20 5.00
documentation_score 60.0 0.15 9.00
practices_score 69.0 0.15 10.35
code_quality 80.0 0.10 8.00
Overall 1.00 70.1
security_score may be inflated — optional security scanners were skipped on this fast scan
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 3 High 56 Medium 87 Low 76 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Legacy 106 9-layer 171 Crowd 0 Layer: Software 59 Quality 97 Security 30 Api 1 Frontend 75 Cicd 15
Scan summary Repository scanned at 66.9/100 with 100.0% coverage. It contains 2037 nodes across 11 cross-layer flows, written primarily in mixed languages. Engine surfaced 171 findings — concentrated in frontend (75), quality (31), software (27). Risk profile is high: 0 critical, 1 high, 79 medium. Recommended next step: open the frontend layer findings first — that's where the highest-impact wins live.

Showing 222 of 277 findings. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

critical Legacy quality quality conf 1.00 ✓ Repobility [MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data — RCE.
Review and fix per the pattern semantics. See CWE-502 / A08:2021 for context.
scripts/update-sponsors.cjs:37 qualitylegacy
critical Legacy quality quality conf 1.00 [SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3).
Use `yaml.safe_load(data)` or `yaml.load(data, Loader=yaml.SafeLoader)`.
scripts/update-sponsors.cjs:37 qualitylegacy
critical Legacy security deserialization conf 1.00 [SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes — direct RCE on untrusted input. `unsafe_load` is even more dangerous.
Use `YAML.safe_load(input, permitted_classes: [Date])` — explicit class allowlist. Never use `Marshal.load` on untrusted data; serialize as JSON instead.
scripts/update-sponsors.cjs:37 deserializationlegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
.github/workflows/sync-content-to-repo.yml:15 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
.github/workflows/sync-repo-to-database.yml:14 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
.github/workflows/upgrade-dependencies.yml:12 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
.github/workflows/deployment.yml:11 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
.github/workflows/cleanup-orphaned-content.yml:14 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/github-script` pinned to mutable ref `@v3`: `uses: actions/github-script@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/github-script@<40-char-sha> # v3` and let Dependabot bump it on a scheduled cadence.
.github/workflows/close-feedback-pr.yml:11 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/github-script@<40-char-sha> # v7` and let Dependabot bump it on a scheduled cadence.
.github/workflows/label-issue.yml:12 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/setup-node@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
.github/workflows/sync-content-to-repo.yml:24 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/setup-node@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
.github/workflows/sync-repo-to-database.yml:23 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/setup-node@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
.github/workflows/upgrade-dependencies.yml:15 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/setup-node@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
.github/workflows/deployment.yml:14 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/setup-node@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
.github/workflows/cleanup-orphaned-content.yml:23 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `appleboy/ssh-action` pinned to mutable ref `@master`: `uses: appleboy/ssh-action@master` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: appleboy/ssh-action@<40-char-sha> # master` and let Dependabot bump it on a scheduled cadence.
.github/workflows/deployment.yml:55 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `peter-evans/create-pull-request` pinned to mutable ref `@v7`: `uses: peter-evans/create-pull-request@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: peter-evans/create-pull-request@<40-char-sha> # v7` and let Dependabot bump it on a scheduled cadence.
.github/workflows/sync-content-to-repo.yml:47 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `peter-evans/create-pull-request` pinned to mutable ref `@v7`: `uses: peter-evans/create-pull-request@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: peter-evans/create-pull-request@<40-char-sha> # v7` and let Dependabot bump it on a scheduled cadence.
.github/workflows/upgrade-dependencies.yml:31 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `peter-evans/create-pull-request` pinned to mutable ref `@v7`: `uses: peter-evans/create-pull-request@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: peter-evans/create-pull-request@<40-char-sha> # v7` and let Dependabot bump it on a scheduled cadence.
.github/workflows/cleanup-orphaned-content.yml:61 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4.0.0`: `uses: pnpm/[email protected]` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: pnpm/action-setup@<40-char-sha> # v4.0.0` and let Dependabot bump it on a scheduled cadence.
.github/workflows/deployment.yml:17 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: pnpm/action-setup@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
.github/workflows/sync-content-to-repo.yml:18 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: pnpm/action-setup@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
.github/workflows/sync-repo-to-database.yml:17 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: pnpm/action-setup@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
.github/workflows/upgrade-dependencies.yml:20 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: pnpm/action-setup@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
.github/workflows/cleanup-orphaned-content.yml:17 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `webfactory/ssh-agent` pinned to mutable ref `@v0.7.0`: `uses: webfactory/[email protected]` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: webfactory/ssh-agent@<40-char-sha> # v0.7.0` and let Dependabot bump it on a scheduled cadence.
.github/workflows/deployment.yml:48 dependencylegacy
low Legacy software xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.
src/components/FrameRenderer/renderer.ts:111 xsslegacy
low Legacy software xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.
sitemap.mjs:34 xsslegacy
high Legacy security auth conf 0.83 Secret-like setting is echoed into a password input value
Never prefill secret fields with stored values. Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time.
src/components/AuthenticationFlow/ResetPasswordForm.tsx:62 authlegacy
high Legacy security auth conf 0.83 Secret-like setting is echoed into a password input value
Never prefill secret fields with stored values. Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time.
src/components/AuthenticationFlow/EmailSignupForm.tsx:104 authlegacy
high Legacy security auth conf 0.83 Secret-like setting is echoed into a password input value
Never prefill secret fields with stored values. Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time.
src/components/AuthenticationFlow/EmailLoginForm.tsx:91 authlegacy
high 9-layer cicd supply-chain conf 1.00 GitHub Action tracks a moving branch
appleboy/ssh-action@master can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/deployment.yml:55 supply-chaingithub-actionspinned-dependencies
medium Legacy software dependency conf 0.90 ✓ Repobility [MINED124] requirements.txt: `Project requirements come from observation as much as from conversation. You watch how teams actually work, not just how they describe their work, because those two things are often different. The goal is to surface the undocumented workflow, the data source people actually trust, and the edge cases that would break an agent in its first week of production. Written requirements are useful, but the real requirements live in the room with the people doing the work.` h
Replace `Project requirements come from observation as much as from conversation. You watch how teams actually work, not just how they describe their work, because those two things are often different. The goal is to surface the undocumented workflow, the data source people actually trust, and the …
src/data/roadmaps/forward-deployed-engineer/content/[email protected]:3 dependencylegacy
medium Legacy software dependency conf 0.90 ✓ Repobility [MINED124] requirements.txt: `Visit the following resources to learn more:` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `Visit the following resources to learn more:` with `Visit the following resources to learn more:==<version>` and manage upgrades through PRs / Dependabot.
src/data/roadmaps/forward-deployed-engineer/content/[email protected]:5 dependencylegacy
low Legacy security deserialization conf 1.00 [SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.
Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data.
scripts/update-sponsors.cjs:37 deserializationlegacy
low Legacy security security conf 1.00 [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility.
Add rel="noopener noreferrer" to every <a target="_blank">: <a href="..." target="_blank" rel="noopener noreferrer">link</a> For dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden — costs nothing.
src/components/AIRoadmap/AIRoadmapRegenerate.tsx:130 securitylegacy
low Legacy security security conf 1.00 [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility.
Add rel="noopener noreferrer" to every <a target="_blank">: <a href="..." target="_blank" rel="noopener noreferrer">link</a> For dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden — costs nothing.
src/components/AIRoadmap/AIRoadmapContent.tsx:70 securitylegacy
low Legacy security security conf 1.00 [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility.
Add rel="noopener noreferrer" to every <a target="_blank">: <a href="..." target="_blank" rel="noopener noreferrer">link</a> For dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden — costs nothing.
src/components/AIChat/AIChatCouse.tsx:40 securitylegacy
medium Legacy software open_redirect conf 1.00 [SEC046] Client-side open redirect — window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). Complement to server-side SEC030.
Validate the URL is same-origin or on an explicit allowlist before assignment: const u = new URL(serverUrl, location.href); if (u.origin !== location.origin && !ALLOWED.includes(u.host)) return; location.assign(u); Even better: have the server return a path (/checkout/done) instead of a full …
src/components/AuthenticationFlow/LinkedInButton.tsx:142 open_redirectlegacy
medium Legacy software open_redirect conf 1.00 [SEC046] Client-side open redirect — window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). Complement to server-side SEC030.
Validate the URL is same-origin or on an explicit allowlist before assignment: const u = new URL(serverUrl, location.href); if (u.origin !== location.origin && !ALLOWED.includes(u.host)) return; location.assign(u); Even better: have the server return a path (/checkout/done) instead of a full …
src/components/AuthenticationFlow/GoogleButton.tsx:137 open_redirectlegacy
medium Legacy software open_redirect conf 1.00 [SEC046] Client-side open redirect — window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). Complement to server-side SEC030.
Validate the URL is same-origin or on an explicit allowlist before assignment: const u = new URL(serverUrl, location.href); if (u.origin !== location.origin && !ALLOWED.includes(u.host)) return; location.assign(u); Even better: have the server return a path (/checkout/done) instead of a full …
src/components/AuthenticationFlow/GitHubButton.tsx:144 open_redirectlegacy
medium Legacy quality quality conf 0.70 Public web app has no Content Security Policy
Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors.
index.html qualitylegacy
medium Legacy quality quality conf 0.78 Public web service has no security.txt
Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored.
.well-known/security.txt qualitylegacy
medium Legacy quality quality conf 0.72 Service worker is present without a web app manifest
Add a valid manifest.json or site.webmanifest and reference it from the document head. Include name, icons, start_url, display, and theme colors.
manifest.json qualitylegacy
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — src/components/AIChat/ChatHistory.tsx:110
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — src/components/AIGuide/AIGuideCard.tsx:23
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — src/components/AIQuiz/AIMCQQuestion.tsx:153
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — src/components/AIQuiz/AIQuizResults.tsx:200
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — src/components/AIRoadmap/AIRoadmapContent.tsx:97
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — src/components/ChatMessages/RoadmapChatMessage.tsx:63
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — src/components/FAQs/FAQs.tsx:44
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — src/components/GenerateCourse/AICourseLesson.tsx:396
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — src/components/GenerateCourse/AICourseLessonChat.tsx:438
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — src/components/GenerateGuide/AIGuideContent.tsx:26
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — src/components/GenerateRoadmap/RoadmapTopicDetail.tsx:205
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — src/components/Global/CodeBlock.tsx:123
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — src/components/Premium/FeatureCard.tsx:69
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — src/components/Projects/ProjectContent.tsx:18
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — src/components/RoadmapAIChat/RoadmapAIChatCard.tsx:40
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — src/components/RoadmapAIChat/TopicResourcesModal.tsx:38
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — src/components/RoadmapTitleQuestion.tsx:101
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — src/components/SQLCourse/ReviewsSection.tsx:162
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — src/components/SQLCourseVariant/ReviewCarousel.tsx:258
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — src/components/TeamMarketing/TeamDemo.tsx:111
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — src/components/TopicDetail/TopicDetail.tsx:563
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — src/components/UserProgress/UserProgressModal.tsx:228
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — src/lib/render-chat-message.tsx:177
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — scripts/editor-roadmap-content-json.ts:25
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — scripts/editor-roadmap-dirs.ts:52
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — scripts/migrate-content-repo-to-database.ts:35
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — scripts/official-roadmap-assets.ts:5
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — scripts/sync-content-to-repo.ts:32
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — scripts/sync-repo-to-database.ts:37
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/components/AIChat/AIChat.tsx:214
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/components/CreateTeam/UpdateTeamResourceModal.tsx:79
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/components/FrameRenderer/renderer.ts:81
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/components/GenerateCourse/AICourseLesson.tsx:151
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/components/GenerateCourse/AICourseLessonChat.tsx:147
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/components/GenerateCourse/TestMyKnowledgeAction.tsx:51
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/components/GenerateRoadmap/GenerateRoadmap.tsx:156
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/components/GenerateRoadmap/RoadmapTopicDetail.tsx:57
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/components/Projects/SubmitProjectModal.tsx:95
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/components/TeamProgress/MemberProgressModal.tsx:107
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/components/UserPublicProfile/UserProfileRoadmapRenderer.tsx:46
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/helper/generate-ai-course.ts:71
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/helper/generate-ai-guide.ts:69
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/hooks/use-personalized-roadmap.ts:40
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/lib/open-graph.ts:26
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/lib/query-http.ts:72
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/lib/road-card.ts:15
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/pages/og/user/[username].ts:23
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/queries/ai-quiz.ts:70
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/queries/ai-roadmap.ts:117
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
pnpm/action-setup@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/cleanup-orphaned-content.yml:17 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
peter-evans/create-pull-request@v7 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/cleanup-orphaned-content.yml:61 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
pnpm/action-setup@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/upgrade-dependencies.yml:20 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
peter-evans/create-pull-request@v7 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/upgrade-dependencies.yml:31 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
pnpm/action-setup@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/sync-repo-to-database.yml:17 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
pnpm/action-setup@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/sync-content-to-repo.yml:18 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
peter-evans/create-pull-request@v7 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/sync-content-to-repo.yml:47 supply-chaingithub-actionspinned-dependencies
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in src/components/AIChat/ChatHistory.tsx:110
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
src/components/AIChat/ChatHistory.tsx:110 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in src/components/AIGuide/AIGuideCard.tsx:23
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
src/components/AIGuide/AIGuideCard.tsx:23 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in src/components/AIQuiz/AIMCQQuestion.tsx:153
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
src/components/AIQuiz/AIMCQQuestion.tsx:153 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in src/components/AIQuiz/AIQuizResults.tsx:200
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
src/components/AIQuiz/AIQuizResults.tsx:200 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in src/components/AIRoadmap/AIRoadmapContent.tsx:97
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
src/components/AIRoadmap/AIRoadmapContent.tsx:97 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in src/components/ChatMessages/RoadmapChatMessage.tsx:63
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
src/components/ChatMessages/RoadmapChatMessage.tsx:63 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in src/components/FAQs/FAQs.tsx:44
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
src/components/FAQs/FAQs.tsx:44 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in src/components/GenerateCourse/AICourseLesson.tsx:396
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
src/components/GenerateCourse/AICourseLesson.tsx:396 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in src/components/GenerateCourse/AICourseLessonChat.tsx:438
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
src/components/GenerateCourse/AICourseLessonChat.tsx:438 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in src/components/GenerateGuide/AIGuideContent.tsx:26
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
src/components/GenerateGuide/AIGuideContent.tsx:26 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in src/components/GenerateRoadmap/RoadmapTopicDetail.tsx:205
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
src/components/GenerateRoadmap/RoadmapTopicDetail.tsx:205 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in src/components/Global/CodeBlock.tsx:123
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
src/components/Global/CodeBlock.tsx:123 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in src/components/Premium/FeatureCard.tsx:69
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
src/components/Premium/FeatureCard.tsx:69 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in src/components/Projects/ProjectContent.tsx:18
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
src/components/Projects/ProjectContent.tsx:18 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in src/components/RoadmapAIChat/RoadmapAIChatCard.tsx:40
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
src/components/RoadmapAIChat/RoadmapAIChatCard.tsx:40 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in src/components/RoadmapAIChat/TopicResourcesModal.tsx:38
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
src/components/RoadmapAIChat/TopicResourcesModal.tsx:38 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in src/components/SQLCourse/ReviewsSection.tsx:162
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
src/components/SQLCourse/ReviewsSection.tsx:162 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in src/components/SQLCourseVariant/ReviewCarousel.tsx:258
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
src/components/SQLCourseVariant/ReviewCarousel.tsx:258 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in src/components/TeamMarketing/TeamDemo.tsx:111
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
src/components/TeamMarketing/TeamDemo.tsx:111 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in src/components/TopicDetail/TopicDetail.tsx:563
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
src/components/TopicDetail/TopicDetail.tsx:563 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in src/components/UserProgress/UserProgressModal.tsx:228
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
src/components/UserProgress/UserProgressModal.tsx:228 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in src/lib/render-chat-message.tsx:177
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
src/lib/render-chat-message.tsx:177 owaspdangerous_innerhtml
medium 9-layer quality tests conf 1.00 Very low test-to-source ratio
6 test file(s) for 615 source file(s) (ratio 0.01). Consider adding integration or unit tests for critical paths.
testscoverage
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
src/components/ExploreAIRoadmap/ExploreAISearch.tsx:13 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
src/components/ExploreAIRoadmap/ExploreAIRoadmap.tsx:50 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
src/components/EditorRoadmap/EditorRoadmapRenderer.tsx:68 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
src/components/Dashboard/DashboardProgressCard.tsx:7 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
src/components/CustomRoadmap/ShareRoadmapModal.tsx:131 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
src/components/CustomRoadmap/RoadmapActionButton.tsx:46 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
src/components/CreateTeam/Step3.tsx:145 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
src/components/ContentGenerator/ContentGenerator.tsx:93 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
src/components/ChatMessages/TopicChatMessage.tsx:11 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
src/components/AuthenticationFlow/LinkedInButton.tsx:66 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
src/components/AuthenticationFlow/LinkedInButton.tsx:59 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
src/components/AuthenticationFlow/GoogleButton.tsx:60 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
src/components/Activity/ResourceProgressActions.tsx:100 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
src/components/Activity/ResourceProgressActions.tsx:54 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
src/components/AITutor/AIFeaturedCoursesListing.tsx:80 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
src/components/AITutor/AIFeaturedCoursesListing.tsx:31 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
src/components/AIRoadmap/UserRoadmapsList.tsx:40 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
src/components/AIRoadmap/GenerateAIRoadmap.tsx:124 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
src/components/AIRoadmap/AIRoadmapActions.tsx:33 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
src/components/AIQuiz/AIQuizActions.tsx:33 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
src/components/AIQuiz/AIOpenEndedQuestion.tsx:108 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
scripts/sync-repo-to-database.ts:141 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
scripts/sync-repo-to-database.ts:19 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
scripts/sync-content-to-repo.ts:40 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
scripts/migrate-editor-roadmap.ts:17 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
scripts/migrate-editor-roadmap.ts:9 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
scripts/migrate-content-repo-to-database.ts:71 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
scripts/gemini-roadmap-content.ts:20 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
scripts/editor-roadmap-dirs.ts:38 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
scripts/editor-roadmap-dirs.ts:10 qualitylegacy
low Legacy quality quality conf 0.50 Public web app has no humans.txt
Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date.
humans.txt qualitylegacy
low Legacy quality quality conf 0.74 Public web app has no robots.txt
Add robots.txt at the web root or a framework-native robots route. Include an explicit Sitemap directive and disallow only private paths.
robots.txt qualitylegacy
low Legacy quality quality conf 0.72 Public web app has no sitemap
Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt.
sitemap.xml qualitylegacy
low 9-layer quality integrity conf 1.00 9 env vars used in code but missing from .env.example
Drift between code and config docs. The first few: `CI`, `DEV`, `GEMINI_API_KEY`, `OPENAI_API_KEY`, `OPEN_AI_API_KEY`, `PUBLIC_APP_URL`, `SSR`, `VITE_API_URL` + 1 more. Add them (with a placeholder/comment) to .env.example so onboarding doesn't break.
integrityconfig-drift
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: playwright.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: scripts/editor-roadmap-assets.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: scripts/migrate-editor-roadmap.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: scripts/refresh-assets.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: scripts/rename-content.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/components/AITutor/AITutorSidebarProps.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/components/Analytics/analytics.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/components/Popover.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/components/Premium/constants.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/env.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/lib/config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/lib/file.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/pages/[roadmapId].json.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/pages/og/best-practice/[slug].ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/pages/og/guide/[slug].ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/pages/og/roadmap/[slug].ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/pages/og/user/[username].ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/stores/page.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/stores/query-client.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/stores/roadmap.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/stores/streak.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/stores/team.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/stores/toast.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/guides.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/index.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/roadmap.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/videos.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/github-script@v7 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/label-issue.yml:12 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-node@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/cleanup-orphaned-content.yml:23 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/deployment.yml:11 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/github-script@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/close-feedback-pr.yml:11 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-node@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/upgrade-dependencies.yml:15 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-node@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/sync-repo-to-database.yml:23 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-node@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/sync-content-to-repo.yml:24 supply-chaingithub-actionspinned-dependencies
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/cleanup-orphaned-content.ts:46
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/compress-images.ts:123
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/editor-roadmap-assets.ts:14
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/editor-roadmap-content-json.ts:71
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/editor-roadmap-content.ts:19
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/editor-roadmap-dirs.ts:96
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/gemini-roadmap-content.ts:20
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/migrate-content-repo-to-database.ts:114
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/official-roadmap-assets.ts:26
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/refresh-assets.ts:15
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/roadmap-tree-content.js:490
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/sync-content-to-repo.ts:25
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/sync-repo-to-database.ts:104
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/sync-roadmap-to-database.ts:36
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/components/Analytics/analytics.ts:64
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/components/GenerateGuide/UpdatePreferences.tsx:48
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/components/PersonalizedRoadmap/PersonalizedRoadmapModal.tsx:34
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/lib/github.ts:21
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — src/lib/guide-renderer.tsx:203
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low Legacy quality quality conf 1.00 ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
scripts/official-roadmap-assets.ts:39 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
Review and fix per the pattern semantics. See CWE-476 / for context.
src/components/AuthenticationFlow/GitHubButton.tsx:130 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
Review and fix per the pattern semantics. See CWE-476 / for context.
scripts/migrate-content-repo-to-database.ts:212 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
Review and fix per the pattern semantics. See CWE-476 / for context.
scripts/cleanup-orphaned-content.ts:214 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context.
scripts/gemini-roadmap-content.ts:20 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context.
scripts/editor-roadmap-content.ts:19 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context.
scripts/best-practice-content.cjs:161 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
Review and fix per the pattern semantics. See CWE-704 / for context.
scripts/sync-repo-to-database.ts:191 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
Review and fix per the pattern semantics. See CWE-704 / for context.
scripts/migrate-content-repo-to-database.ts:186 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
Review and fix per the pattern semantics. See CWE-704 / for context.
scripts/editor-roadmap-content-json.ts:162 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data.
Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context.
src/components/AIQuiz/AIMCQQuestion.tsx:153 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data.
Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context.
src/components/AIGuide/AIGuideCard.tsx:23 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data.
Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context.
src/components/AIChat/ChatHistory.tsx:110 qualitylegacy
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/9ba273ee-4c26-48d7-9390-c57f3d9df5d6/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/9ba273ee-4c26-48d7-9390-c57f3d9df5d6/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.