3 of your 278 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 3.59s · analysis 15.97s · 1.6 MB · GitHub API rate-limit (preflight)

Azim-Ahmed/Automation-workflow

https://github.com/Azim-Ahmed/Automation-workflow · scanned 2026-06-05 16:56 UTC (4 days, 23 hours ago) · 10 languages

312 raw signals (278 security + 34 graph) · 29th percentile · Javascript · tiny (<2K LoC) · System graph score 80 (lower by 27)


Complete repo analysis

Last scanned 4 days, 23 hours ago · v2 · 129 actionable findings from 2 signal sources. 166 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5
Component             Sub-score   Weight   Contribution
structure_score           100.0     0.15          15.00
security_score             52.0     0.25          13.00
testing_score              23.0     0.20           4.60
documentation_score        38.7     0.15           5.81
practices_score            46.0     0.15           6.90
code_quality               78.7     0.10           7.87
Overall                               1.00          53.2
Scan summary Quality grade C- (53/100). Dimensions: security 52, maintainability 100. 278 findings (224 security). 1,487 lines analyzed.

Showing 122 of 129 actionable findings. 295 raw detector signals were grouped into reader-sized issues.

critical Security checks software dependencies conf 0.88 3 occurrences @babel/traverse: GHSA-67hx-6x53-jw92
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
critical Security checks software dependencies conf 0.88 3 occurrences form-data: GHSA-fjxv-7rqg-78g4
form-data uses unsafe random function in form-data for choosing boundary
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
critical Security checks software dependencies conf 0.88 2 occurrences loader-utils: GHSA-76p3-8jx3-jpfq
Prototype pollution in webpack loader-utils
2 files, 2 locations
package-lock.json
yarn.lock
critical Security checks software dependencies conf 0.88 3 occurrences webpack: GHSA-hc6q-2mpp-qw7j
Cross-realm object access in Webpack 5
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
high Security checks software dependencies conf 0.88 3 occurrences @babel/plugin-transform-modules-systemjs: GHSA-fv7c-fp4j-7gwp
@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
high Security checks software dependencies conf 0.88 3 occurrences body-parser: GHSA-qwcr-r2fm-qrc7
body-parser vulnerable to denial of service when url encoding is enabled
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
high Security checks software dependencies conf 0.88 3 occurrences braces: GHSA-grv7-fg5c-xmjg
Uncontrolled resource consumption in braces
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
high Security checks software dependencies conf 0.88 3 occurrences cross-spawn: GHSA-3xgq-45jj-v275
Regular Expression Denial of Service (ReDoS) in cross-spawn
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
high Security checks software dependencies conf 0.88 3 occurrences flatted: GHSA-25h7-pfq9-p65f
flatted vulnerable to unbounded recursion DoS in parse() revive phase
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
high Security checks software dependencies conf 0.88 3 occurrences flatted: GHSA-rf6f-7fwh-wjgh
Prototype Pollution via parse() in NodeJS flatted
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
high Security checks software dependencies conf 0.88 3 occurrences http-proxy-middleware: GHSA-c7qv-q95q-8v27
Denial of service in http-proxy-middleware
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
high Security checks software dependencies conf 0.88 3 occurrences immutable: GHSA-wf6x-7x77-mvgw
Immutable is vulnerable to Prototype Pollution
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
high Security checks software dependencies conf 0.88 3 occurrences json5: GHSA-9c47-m6qq-7p4h
Prototype Pollution in JSON5 via Parse Method
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
high Security checks software dependencies conf 0.88 2 occurrences loader-utils: GHSA-3rfm-jhwj-7488
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable
2 files, 2 locations
package-lock.json
yarn.lock
high Security checks software dependencies conf 0.88 2 occurrences loader-utils: GHSA-hhq3-ff78-jv3g
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)
2 files, 2 locations
package-lock.json
yarn.lock
high Security checks software dependencies conf 0.88 3 occurrences lodash: GHSA-r5fr-rjxr-66jc
lodash vulnerable to Code Injection via `_.template` imports key names
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
high Security checks software dependencies conf 0.88 3 occurrences minimatch: GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
high Security checks software dependencies conf 0.88 3 occurrences minimatch: GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
high Security checks software dependencies conf 0.88 3 occurrences minimatch: GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
high Security checks software dependencies conf 0.88 2 occurrences minimatch: GHSA-f8q6-p94x-37v3
minimatch ReDoS vulnerability
2 files, 2 locations
package-lock.json
yarn.lock
high Security checks software dependencies conf 0.88 3 occurrences node-forge: GHSA-2328-f5f3-gj25
Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
high Security checks software dependencies conf 0.88 3 occurrences node-forge: GHSA-554w-wpv2-vw27
node-forge has ASN.1 Unbounded Recursion
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
high Security checks software dependencies conf 0.88 3 occurrences node-forge: GHSA-5gfm-wpxj-wjgq
node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
high Security checks software dependencies conf 0.88 3 occurrences node-forge: GHSA-5m6q-g25r-mvwx
Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
high Security checks software dependencies conf 0.88 3 occurrences node-forge: GHSA-ppp5-5v6c-4jwp
Forge has signature forgery in RSA-PKCS due to ASN.1 extra field
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
high Security checks software dependencies conf 0.88 3 occurrences node-forge: GHSA-q67f-28xg-22rw
Forge has signature forgery in Ed25519 due to missing S > L check
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
high Security checks software dependencies conf 0.88 3 occurrences nth-check: GHSA-rp65-9cf3-cjxr
Inefficient Regular Expression Complexity in nth-check
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
high Security checks software dependencies conf 0.88 3 occurrences path-to-regexp: GHSA-37ch-88jc-xwx2
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
high Security checks software dependencies conf 0.88 3 occurrences path-to-regexp: GHSA-9wv6-86v2-598j
path-to-regexp outputs backtracking regular expressions
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
high Security checks software dependencies conf 0.88 3 occurrences path-to-regexp: GHSA-rhx6-c78j-4q9w
path-to-regexp contains a ReDoS
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
high Security checks software dependencies conf 0.88 3 occurrences picomatch: GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
high Security checks software dependencies conf 0.88 3 occurrences rollup: GHSA-gcx4-mw62-g8wm
DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
high Security checks software dependencies conf 0.88 3 occurrences rollup: GHSA-mw96-cpmx-2vgc
Rollup 4 has Arbitrary File Write via Path Traversal
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
high Security checks software dependencies conf 0.88 3 occurrences semver: GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
high Security checks software dependencies conf 0.88 3 occurrences serialize-javascript: GHSA-5c6j-r48x-rmvq
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
high Security checks software dependencies conf 0.88 3 occurrences svgo: GHSA-xpqw-6gx7-v673
SVGO DoS through entity expansion in DOCTYPE (Billion Laughs)
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
high Security checks software dependencies conf 0.88 3 occurrences webpack-dev-middleware: GHSA-wr3j-pwj9-hqq6
Path traversal in webpack-dev-middleware
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
high Security checks software dependencies conf 0.88 3 occurrences ws: GHSA-3h5v-q93c-6h6q
ws affected by a DoS when handling a request with many HTTP headers
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
medium Security checks software dependencies conf 0.88 3 occurrences @adobe/css-tools: GHSA-hpx4-r86g-5jrg
@adobe/css-tools Regular Expression Denial of Service (ReDOS) while Parsing CSS
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
medium Security checks software dependencies conf 0.88 3 occurrences @adobe/css-tools: GHSA-prr3-c3m5-p7q2
@adobe/css-tools Improper Input Validation and Inefficient Regular Expression Complexity
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
medium Security checks software dependencies conf 0.88 3 occurrences @babel/helpers: GHSA-968p-4wvh-cqc8
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
medium Security checks software dependencies conf 0.88 3 occurrences @babel/runtime-corejs3: GHSA-968p-4wvh-cqc8
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
medium Security checks software dependencies conf 0.88 3 occurrences @babel/runtime: GHSA-968p-4wvh-cqc8
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
medium Security checks software dependencies conf 0.88 3 occurrences ajv: GHSA-2g4f-4pwh-qvx6
ajv has ReDoS when using `$data` option
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
medium Security checks software dependencies conf 0.88 3 occurrences brace-expansion: GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
medium Security checks software dependencies conf 0.88 3 occurrences ejs: GHSA-ghr5-ch3p-vcr6
ejs lacks certain pollution protection
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
medium Security checks software dependencies conf 0.88 3 occurrences express: GHSA-rv95-896h-c2vc
Express.js Open Redirect in malformed URLs
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
medium Security checks software dependencies conf 0.88 3 occurrences follow-redirects: GHSA-cxjh-pqwp-8mfp
follow-redirects' Proxy-Authorization header kept across hosts
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
medium Security checks software dependencies conf 0.88 3 occurrences follow-redirects: GHSA-jchw-25xp-jwwc
Follow Redirects improperly handles URLs in the url.parse() function
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
medium Security checks software dependencies conf 0.88 3 occurrences follow-redirects: GHSA-r4q5-vmmm-2653
follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
medium Security checks software dependencies conf 0.88 3 occurrences http-proxy-middleware: GHSA-4www-5p9h-95mh
http-proxy-middleware can call writeBody twice because "else if" is not used
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
medium Security checks software dependencies conf 0.88 3 occurrences http-proxy-middleware: GHSA-9gqv-wp59-fq42
http-proxy-middleware allows fixRequestBody to proceed even if bodyParser has failed
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
medium Security checks software dependencies conf 0.88 3 occurrences js-yaml: GHSA-mh29-5h37-fv8m
js-yaml has prototype pollution in merge (<<)
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
medium Security checks software dependencies conf 0.88 3 occurrences lodash: GHSA-f23m-r3pf-42rh
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
medium Security checks software dependencies conf 0.88 3 occurrences lodash: GHSA-xxjr-mmjv-4gpg
Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
medium Security checks software dependencies conf 0.88 3 occurrences micromatch: GHSA-952p-6rrq-rcjv
Regular Expression Denial of Service (ReDoS) in micromatch
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
medium Security checks software dependencies conf 0.88 3 occurrences moment-timezone: GHSA-v78c-4p63-2j6c
Cleartext Transmission of Sensitive Information in moment-timezone
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
medium Security checks software dependencies conf 0.88 3 occurrences nanoid: GHSA-mwcw-c2x4-8c55
Predictable results in nanoid generation when given non-integer values
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
medium Security checks software dependencies conf 0.88 3 occurrences node-forge: GHSA-65ch-62r8-g69g
node-forge is vulnerable to ASN.1 OID Integer Truncation
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
medium Security checks software dependencies conf 0.90 npm package `@ant-design/icons` is 2 major version(s) behind (4.7.0 -> 6.2.5)
`@ant-design/icons` is pinned/resolved at 4.7.0 but the latest stable release on the npm registry is 6.2.5 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `@testing-library/jest-dom` is 1 major version(s) behind (5.16.5 -> 6.9.1)
`@testing-library/jest-dom` is pinned/resolved at 5.16.5 but the latest stable release on the npm registry is 6.9.1 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PR…
package.json
medium Security checks software dependencies conf 0.90 npm package `@testing-library/react` is 3 major version(s) behind (13.3.0 -> 16.3.2)
`@testing-library/react` is pinned/resolved at 13.3.0 but the latest stable release on the npm registry is 16.3.2 (3 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs …
package.json
medium Security checks software dependencies conf 0.90 npm package `@testing-library/user-event` is 1 major version(s) behind (13.5.0 -> 14.6.1)
`@testing-library/user-event` is pinned/resolved at 13.5.0 but the latest stable release on the npm registry is 14.6.1 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update…
package.json
medium Security checks software dependencies conf 0.90 npm package `@tisoap/react-flow-smart-edge` is 2 major version(s) behind (2.0.0 -> 4.3.0)
`@tisoap/react-flow-smart-edge` is pinned/resolved at 2.0.0 but the latest stable release on the npm registry is 4.3.0 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update…
package.json
medium Security checks software dependencies conf 0.90 npm package `web-vitals` is 3 major version(s) behind (2.1.4 -> 5.3.0)
`web-vitals` is pinned/resolved at 2.1.4 but the latest stable release on the npm registry is 5.3.0 (3 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.88 3 occurrences picomatch: GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
medium Security checks software dependencies conf 0.88 3 occurrences postcss: GHSA-7fh5-64p2-3v2j
PostCSS line return parsing error
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
medium Security checks software dependencies conf 0.88 3 occurrences postcss: GHSA-qx2v-qp2m-jg93
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
medium Security checks quality Quality conf 0.70 Public web app has no Content Security Policy
A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox.
index.html
medium Security checks quality Quality conf 0.78 Public web service has no security.txt
security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt.
.well-known/security.txt
medium Security checks software dependencies conf 0.88 3 occurrences qs: GHSA-6rw7-vpxm-498p
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
medium Security checks software dependencies conf 0.88 3 occurrences serialize-javascript: GHSA-76p7-773f-r4q5
Cross-site Scripting (XSS) in serialize-javascript
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
medium Security checks software dependencies conf 0.88 3 occurrences serialize-javascript: GHSA-qj8w-gfj5-8c6v
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
medium Security checks software dependencies conf 0.88 3 occurrences tough-cookie: GHSA-72xf-g2v4-qvf3
tough-cookie Prototype Pollution vulnerability
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
medium Security checks software dependencies conf 0.88 3 occurrences uuid: GHSA-w5hq-g745-h8pq
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
medium Security checks software dependencies conf 0.88 3 occurrences webpack-dev-server: GHSA-4v9v-hfq4-rm2v
webpack-dev-server users' source code may be stolen when they access a malicious web site
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
medium Security checks software dependencies conf 0.88 3 occurrences webpack-dev-server: GHSA-79cf-xcqc-c78w
webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
medium Security checks software dependencies conf 0.88 3 occurrences webpack-dev-server: GHSA-9jgg-88mc-972h
webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
medium Security checks software dependencies conf 0.88 3 occurrences webpack: GHSA-4vvj-4cpr-p986
Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
medium Security checks software dependencies conf 0.88 3 occurrences word-wrap: GHSA-j8xg-fqg3-53r7
word-wrap vulnerable to Regular Expression Denial of Service
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
medium Security checks software dependencies conf 0.88 3 occurrences ws: GHSA-58qx-3vcg-4xpx
ws: Uninitialized memory disclosure
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
medium Security checks software dependencies conf 0.88 3 occurrences yaml: GHSA-48c2-rrv3-qjmp
yaml is vulnerable to Stack Overflow via deeply nested YAML collections
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
medium System graph frontend Frontend quality conf 1.00 Custom React Flow node registered without explicit width/height — src/Data/Elements.jsx:2
When you register a custom node type via `nodeTypes`, the RFNode object you build must include `width` and `height` props. Without them, MiniMap renders ZERO mini-nodes for that type and `fitView` underestimates the bounds (cuts off lane labels, etc.). Add `width: …, height: …` to the node object. …
Fq rfnode no dims
medium System graph frontend Frontend quality conf 1.00 Custom React Flow node registered without explicit width/height — src/Data/Elements1.jsx:4
When you register a custom node type via `nodeTypes`, the RFNode object you build must include `width` and `height` props. Without them, MiniMap renders ZERO mini-nodes for that type and `fitView` underestimates the bounds (cuts off lane labels, etc.). Add `width: …, height: …` to the node object. …
Fq rfnode no dims
medium System graph frontend Frontend quality conf 1.00 Custom React Flow node registered without explicit width/height — src/Data/Elements2.jsx:4
When you register a custom node type via `nodeTypes`, the RFNode object you build must include `width` and `height` props. Without them, MiniMap renders ZERO mini-nodes for that type and `fitView` underestimates the bounds (cuts off lane labels, etc.). Add `width: …, height: …` to the node object. …
Fq rfnode no dims
medium System graph security Coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
auth
medium System graph cicd CI/CD security conf 1.00 No CI/CD pipelines detected
No GitHub Actions, GitLab CI, or CircleCI configs found. Without CI you can't gate deploys on tests/lints.
CI/CD security · Coverage
low Security checks software dependencies conf 0.88 3 occurrences @tootallnate/once: GHSA-vpq2-c234-7xj6
@tootallnate/once vulnerable to Incorrect Control Flow Scoping
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
low Security checks software dependencies conf 0.88 3 occurrences brace-expansion: GHSA-v6h2-p8h4-qcjw
brace-expansion Regular Expression Denial of Service vulnerability
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
low Security checks software dependencies conf 0.88 3 occurrences cookie: GHSA-pxg6-pf52-xh8x
cookie accepts cookie name, path, and domain with out of bounds characters
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
low Security checks quality Quality conf 0.60 Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
src/Data/Elements2.jsx:23 · duplication · quality
low Security checks quality Quality conf 0.60 Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
src/Data/Elements1.jsx:103 · duplication · quality
low Security checks software dependencies conf 0.88 3 occurrences express: GHSA-qw6h-vgh9-j6wx
express vulnerable to XSS via response.redirect()
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
low Security checks software dependencies conf 0.88 3 occurrences moment-timezone: GHSA-56x4-j7p9-fcf9
Command Injection in moment-timezone
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
low Security checks quality Documentation No LICENSE file
Add a LICENSE file to your repository. Use choosealicense.com to pick the right license (MIT for permissive, Apache 2.0 for patent protection, GPL for copyleft).
low Security checks software dependencies conf 0.90 npm package `@contactlab/ds-tokens` is minor version(s) behind (3.3.0 -> 3.6.0)
`@contactlab/ds-tokens` is pinned/resolved at 3.3.0 but the latest stable release on the npm registry is 3.6.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `@emotion/css` is minor version(s) behind (11.7.1 -> 11.13.5)
`@emotion/css` is pinned/resolved at 11.7.1 but the latest stable release on the npm registry is 11.13.5 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `@xyflow/react` is minor version(s) behind (12.1.1 -> 12.11.0)
`@xyflow/react` is pinned/resolved at 12.1.1 but the latest stable release on the npm registry is 12.11.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `fp-ts` is minor version(s) behind (2.11.7 -> 2.16.11)
`fp-ts` is pinned/resolved at 2.11.7 but the latest stable release on the npm registry is 2.16.11 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `moment-timezone` is minor version(s) behind (0.5.34 -> 0.6.2)
`moment-timezone` is pinned/resolved at 0.5.34 but the latest stable release on the npm registry is 0.6.2 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `sass` is minor version(s) behind (1.54.3 -> 1.100.0)
`sass` is pinned/resolved at 1.54.3 but the latest stable release on the npm registry is 1.100.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.88 3 occurrences on-headers: GHSA-76c9-3jph-rj3q
on-headers is vulnerable to http response header manipulation
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
low Security checks quality Quality conf 0.64 Public docs site has no llms.txt
AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions.
llms.txt
low Security checks quality Quality conf 0.50 Public web app has no humans.txt
humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links.
humans.txt
low Security checks quality Quality conf 0.72 Public web app has no sitemap
A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. Without one, important docs and product pages are easy to miss.
sitemap.xml
low Security checks software dependencies conf 0.88 3 occurrences qs: GHSA-w7fw-mjwx-w883
qs's arrayLimit bypass in comma parsing allows denial of service
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
low Security checks quality Quality conf 0.74 robots.txt does not advertise a sitemap
Sitemap directives in robots.txt help crawlers and AI agents find the canonical public URL inventory quickly.
public/robots.txt
low Security checks software dependencies conf 0.88 3 occurrences send: GHSA-m6fv-jmcg-4jfg
send vulnerable to template injection that can lead to XSS
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
low Security checks software dependencies conf 0.88 3 occurrences serve-static: GHSA-cm22-4g7w-348p
serve-static vulnerable to template injection that can lead to XSS
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
low Security checks software dependencies conf 0.88 3 occurrences webpack: GHSA-38r7-794h-5758
webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
low Security checks software dependencies conf 0.88 3 occurrences webpack: GHSA-8fgc-7cc6-rx7x
webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior
3 files, 3 locations
package-lock.json
pnpm-lock.yaml
yarn.lock
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/App.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/Data/Elements.jsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/Data/Elements1.jsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/Data/Elements2.jsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/Edges/index.jsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/Nodes/index.jsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/reportWebVitals.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/setupTests.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph quality Tests conf 1.00 Low test-to-source ratio
2 tests / 17 src (ratio 0.12).
low System graph frontend Frontend quality conf 1.00 React Flow <Controls> without dark theming — src/Automation.jsx:43
`<Controls>` ships with white buttons. Override `.react-flow__controls` and `.react-flow__controls-button` in your stylesheet or pass a styled wrapper. Why: P1 in CHECKLIST.md — vendor defaults bleed light through. Rule id: fq.controls.no-bg
Fq controls no bg
low System graph frontend Frontend quality conf 1.00 React Flow <MiniMap> without dark background — src/Automation.jsx:44
A bare <MiniMap> renders with the vendor's white default in dark themes. Wrap the canvas in a class that overrides `.react-flow__minimap` background, or pass an explicit `style`/`maskColor`/`bgColor`. Why: P1 in CHECKLIST.md — vendor defaults bleed light through. Rule id: fq.minimap.no-bg
Fq minimap no bg

This page is publicly accessible at: https://repobility.com/scan/a26233f4-6f06-4682-bf0d-658632a042ab/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/a26233f4-6f06-4682-bf0d-658632a042ab/
