
Scan timing: clone 2.91s · analysis 99.57s · 8.8 MB · GitHub API rate-limit (preflight)

graphql/graphiql

https://github.com/graphql/graphiql · scanned 2026-06-05 19:14 UTC (4 days, 16 hours ago) · 10 languages

469 raw signals (189 security + 280 graph) · 62nd percentile · TypeScript · medium (20-100K LoC) · System graph score 70 (higher by 5)


Complete repo analysis

Last scanned 4 days, 16 hours ago · v2 · 271 actionable findings from 2 signal sources. 58 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 60.0 0.15 9.00
security_score 53.9 0.25 13.47
testing_score 85.0 0.20 17.00
documentation_score 98.6 0.15 14.79
practices_score 84.0 0.15 12.60
code_quality 74.2 0.10 7.42
Overall 1.00 74.3
Scan summary Quality grade B (74/100). Dimensions: security 54, maintainability 60. 189 findings (124 security). 43,747 lines analyzed.

Showing 207 of 271 actionable findings. 329 raw detector signals were grouped into reader-sized issues.

critical Security checks software dependencies conf 0.88 ejs: GHSA-phwq-j96m-2c2q
ejs template injection vulnerability
yarn.lock
critical Security checks software dependencies conf 0.88 form-data: GHSA-fjxv-7rqg-78g4
form-data uses unsafe random function in form-data for choosing boundary
yarn.lock
critical Security checks software dependencies conf 0.88 set-getter: GHSA-jv35-xqg7-f92r
set-getter Prototype Pollution Vulnerability
yarn.lock
high Security checks software dependencies conf 0.88 ansi-regex: GHSA-93q8-gq69-wqmw
Inefficient Regular Expression Complexity in chalk/ansi-regex
yarn.lock
high Security checks software dependencies conf 0.88 axios: GHSA-3g43-6gmg-66jw
axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge
yarn.lock
high Security checks software dependencies conf 0.88 axios: GHSA-43fc-jf86-j433
Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig
yarn.lock
high Security checks software dependencies conf 0.88 axios: GHSA-6chq-wfr3-2hj9
Axios: Header Injection via Prototype Pollution
yarn.lock
high Security checks software dependencies conf 0.88 axios: GHSA-hfxv-24rg-xrqf
Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection
yarn.lock
high Security checks software dependencies conf 0.88 axios: GHSA-j5f8-grm9-p9fc
Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection
yarn.lock
high Security checks software dependencies conf 0.88 axios: GHSA-jr5f-v2jv-69x6
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL
yarn.lock
high Security checks software dependencies conf 0.88 axios: GHSA-p92q-9vqr-4j8v
Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter
yarn.lock
high Security checks software dependencies conf 0.88 axios: GHSA-pf86-5x62-jrwf
Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking
yarn.lock
high Security checks software dependencies conf 0.88 axios: GHSA-pjwm-pj3p-43mv
axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)
yarn.lock
high Security checks software dependencies conf 0.88 braces: GHSA-grv7-fg5c-xmjg
Uncontrolled resource consumption in braces
yarn.lock
high Security checks software dependencies conf 0.88 cross-spawn: GHSA-3xgq-45jj-v275
Regular Expression Denial of Service (ReDoS) in cross-spawn
yarn.lock
high Security checks software dependencies conf 0.88 flatted: GHSA-25h7-pfq9-p65f
flatted vulnerable to unbounded recursion DoS in parse() revive phase
yarn.lock
high Security checks software dependencies conf 0.88 flatted: GHSA-rf6f-7fwh-wjgh
Prototype Pollution via parse() in NodeJS flatted
yarn.lock
high Security checks software dependencies conf 0.88 glob: GHSA-5j98-mcp5-4vw2
glob CLI: Command injection via -c/--cmd executes matches with shell:true
yarn.lock
high Security checks software dependencies conf 0.88 jws: GHSA-869p-cjfg-cm3x
auth0/node-jws Improperly Verifies HMAC Signature
yarn.lock
high Security checks software dependencies conf 0.88 lodash: GHSA-r5fr-rjxr-66jc
lodash vulnerable to Code Injection via `_.template` imports key names
yarn.lock
high Security checks software dependencies conf 0.88 merge: GHSA-7wpw-2hjm-89gp
Prototype Pollution in merge
yarn.lock
high Security checks software dependencies conf 0.88 minimatch: GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
yarn.lock
high Security checks software dependencies conf 0.88 minimatch: GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
yarn.lock
high Security checks software dependencies conf 0.88 minimatch: GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
yarn.lock
high Security checks software dependencies conf 0.88 picomatch: GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers
yarn.lock
high Security checks software dependencies conf 0.88 react-router: GHSA-8x6r-g9mw-2r78
React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint
yarn.lock
high Security checks software dependencies conf 0.88 rollup: GHSA-mw96-cpmx-2vgc
Rollup 4 has Arbitrary File Write via Path Traversal
yarn.lock
high Security checks software dependencies conf 0.88 semver: GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service
yarn.lock
high Security checks software dependencies conf 0.88 serialize-javascript: GHSA-5c6j-r48x-rmvq
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()
yarn.lock
high Security checks software dependencies conf 0.88 tar-fs: GHSA-vj76-c3g6-qr5v
tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball
yarn.lock
high Security checks software dependencies conf 0.88 tar: GHSA-34x7-hfp2-rc4v
node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal
yarn.lock
high Security checks software dependencies conf 0.88 tar: GHSA-83g3-92jg-28cx
Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction
yarn.lock
high Security checks software dependencies conf 0.88 tar: GHSA-8qq5-rm4j-mr97
node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization
yarn.lock
high Security checks software dependencies conf 0.88 tar: GHSA-9ppj-qmqm-q256
node-tar Symlink Path Traversal via Drive-Relative Linkpath
yarn.lock
high Security checks software dependencies conf 0.88 tar: GHSA-qffp-2rhf-9h96
tar has Hardlink Path Traversal via Drive-Relative Linkpath
yarn.lock
high Security checks software dependencies conf 0.88 tar: GHSA-r6q2-hw4h-h46w
Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS
yarn.lock
high Security checks software dependencies conf 0.88 tmp: GHSA-ph9p-34f9-6g65
tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape
yarn.lock
high Security checks software dependencies conf 0.88 trim-newlines: GHSA-7p7h-4mm5-852v
Uncontrolled Resource Consumption in trim-newlines
yarn.lock
high Security checks software dependencies conf 0.88 underscore: GHSA-qpx9-hpmf-5gmw
Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack
yarn.lock
high Security checks software dependencies conf 0.88 undici: GHSA-v9p9-hfj2-hcw8
Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation
yarn.lock
high Security checks software dependencies conf 0.88 undici: GHSA-vrm6-8vpv-qv8q
Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression
yarn.lock
high Security checks software dependencies conf 0.88 vite: GHSA-p9ff-h696-f583
Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket
yarn.lock
high Security checks software dependencies conf 0.88 ws: GHSA-3h5v-q93c-6h6q
ws affected by a DoS when handling a request with many HTTP headers
yarn.lock
medium Security checks security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
medium Security checks software dependencies conf 0.88 ajv: GHSA-2g4f-4pwh-qvx6
ajv has ReDoS when using `$data` option
yarn.lock
medium Security checks software dependencies conf 0.88 axios: GHSA-5c9x-8gcm-mpgx
Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0
yarn.lock
medium Security checks software dependencies conf 0.88 axios: GHSA-62hf-57xw-28j9
Axios: unbounded recursion in toFormData causes DoS via deeply nested request data
yarn.lock
medium Security checks software dependencies conf 0.88 axios: GHSA-898c-q2cr-xwhg
axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions
yarn.lock
medium Security checks software dependencies conf 0.88 axios: GHSA-fvcv-3m26-pcqx
Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain
yarn.lock
medium Security checks software dependencies conf 0.88 axios: GHSA-m7pr-hjqh-92cm
Axios: no_proxy bypass via IP alias allows SSRF
yarn.lock
medium Security checks software dependencies conf 0.88 axios: GHSA-vf2m-468p-8v99
Axios: HTTP adapter streamed responses bypass maxContentLength
yarn.lock
medium Security checks software dependencies conf 0.88 axios: GHSA-w9j2-pvgh-6h63
Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy
yarn.lock
medium Security checks software dependencies conf 0.88 axios: GHSA-wf5p-g6vw-rhxx
Axios Cross-Site Request Forgery Vulnerability
yarn.lock
medium Security checks software dependencies conf 0.88 axios: GHSA-xx6v-rp6x-q39c
Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion
yarn.lock
medium Security checks software dependencies conf 0.88 brace-expansion: GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion
yarn.lock
medium Security checks software dependencies conf 0.88 brace-expansion: GHSA-jxxr-4gwj-5jf2
brace-expansion: Large numeric range defeats documented `max` DoS protection
yarn.lock
medium Security checks software dependencies conf 0.88 ejs: GHSA-ghr5-ch3p-vcr6
ejs lacks certain pollution protection
yarn.lock
medium Security checks software dependencies conf 0.88 esbuild: GHSA-67mh-4wv8-2f99
esbuild enables any website to send any requests to the development server and read the response
yarn.lock
medium Security checks software dependencies conf 0.88 follow-redirects: GHSA-r4q5-vmmm-2653
follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets
yarn.lock
medium Security checks software dependencies conf 0.88 hosted-git-info: GHSA-43f8-2h32-f4cj
Regular Expression Denial of Service in hosted-git-info
yarn.lock
medium Security checks software dependencies conf 0.88 ip-address: GHSA-v2v4-37r5-5v8g
ip-address has XSS in Address6 HTML-emitting methods
yarn.lock
medium Security checks software dependencies conf 0.88 js-yaml: GHSA-mh29-5h37-fv8m
js-yaml has prototype pollution in merge (<<)
yarn.lock
medium Security checks software dependencies conf 0.88 lodash: GHSA-f23m-r3pf-42rh
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
yarn.lock
medium Security checks software dependencies conf 0.88 lodash: GHSA-xxjr-mmjv-4gpg
Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions
yarn.lock
medium Security checks software dependencies conf 0.88 markdown-it: GHSA-38c4-r59v-3vqw
markdown-it has a Regular Expression Denial of Service (ReDoS)
yarn.lock
medium Security checks software dependencies conf 0.88 micromatch: GHSA-952p-6rrq-rcjv
Regular Expression Denial of Service (ReDoS) in micromatch
yarn.lock
medium Security checks software dependencies conf 0.88 nanoid: GHSA-mwcw-c2x4-8c55
Predictable results in nanoid generation when given non-integer values
yarn.lock
medium Security checks software dependencies conf 0.90 npm package `@types/codemirror` is 5 major version(s) behind (^0.0.90 -> 5.60.17)
`@types/codemirror` is pinned/resolved at ^0.0.90 but the latest stable release on the npm registry is 5.60.17 (5 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs rai…
package.json
medium Security checks software dependencies conf 0.90 npm package `@types/express` is 1 major version(s) behind (^4.17.11 -> 5.0.6)
`@types/express` is pinned/resolved at ^4.17.11 but the latest stable release on the npm registry is 5.0.6 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `@types/rimraf` is 1 major version(s) behind (^3.0.2 -> 4.0.5)
`@types/rimraf` is pinned/resolved at ^3.0.2 but the latest stable release on the npm registry is 4.0.5 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `concurrently` is 3 major version(s) behind (^7.0.0 -> 10.0.3)
`concurrently` is pinned/resolved at ^7.0.0 but the latest stable release on the npm registry is 10.0.3 (3 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `cspell` is 5 major version(s) behind (^5.15.2 -> 10.0.1)
`cspell` is pinned/resolved at ^5.15.2 but the latest stable release on the npm registry is 10.0.1 (5 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `execa` is 2 major version(s) behind (^7.1.1 -> 9.6.1)
`execa` is pinned/resolved at ^7.1.1 but the latest stable release on the npm registry is 9.6.1 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `mkdirp` is 2 major version(s) behind (^1.0.4 -> 3.0.1)
`mkdirp` is pinned/resolved at ^1.0.4 but the latest stable release on the npm registry is 3.0.1 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `patch-package` is 1 major version(s) behind (^7.0.2 -> 8.0.1)
`patch-package` is pinned/resolved at ^7.0.2 but the latest stable release on the npm registry is 8.0.1 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `rimraf` is 3 major version(s) behind (^3.0.2 -> 6.1.3)
`rimraf` is pinned/resolved at ^3.0.2 but the latest stable release on the npm registry is 6.1.3 (3 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.88 picomatch: GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
yarn.lock
medium Security checks software dependencies conf 0.88 postcss: GHSA-qx2v-qp2m-jg93
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
yarn.lock
medium Security checks software dependencies conf 0.88 qs: GHSA-6rw7-vpxm-498p
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion
yarn.lock
medium Security checks software dependencies conf 0.88 qs: GHSA-q8mj-m7cp-5q26
qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set
yarn.lock
medium Security checks quality Quality conf 0.86 robots.txt blocks the full public site
`User-agent: *` with `Disallow: /` prevents normal indexing and can also hide public docs from AI agents unless there is a clear exception.
examples/graphiql-vite-react-router/public/robots.txt
medium Security checks software dependencies conf 0.88 serialize-javascript: GHSA-76p7-773f-r4q5
Cross-site Scripting (XSS) in serialize-javascript
yarn.lock
medium Security checks software dependencies conf 0.88 serialize-javascript: GHSA-qj8w-gfj5-8c6v
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects
yarn.lock
medium Security checks software dependencies conf 0.88 svelte: GHSA-crpf-4hrx-3jrp
Svelte SSR attribute spreading includes inherited properties from prototype chain
yarn.lock
medium Security checks software dependencies conf 0.88 svelte: GHSA-f7gr-6p89-r883
Svelte affected by cross-site scripting via spread attributes in Svelte SSR
yarn.lock
medium Security checks software dependencies conf 0.88 svelte: GHSA-m56q-vw4c-c2cp
Svelte SSR does not validate dynamic element tag names in `<svelte:element>`
yarn.lock
medium Security checks software dependencies conf 0.88 svelte: GHSA-phwv-c562-gvmh
Svelte vulnerable to XSS during SSR with contenteditable `bind:innerText` and `bind:textContent`
yarn.lock
medium Security checks software dependencies conf 0.88 svelte: GHSA-pr6f-5x2q-rwfp
Svelte SSR vulnerable to cross-site scripting via spread attributes
yarn.lock
medium Security checks software dependencies conf 0.88 svelte: GHSA-rcqx-6q8c-2c42
Svelte Vulnerable to XSS via DOM Clobbering of Internal Framework State
yarn.lock
medium Security checks software dependencies conf 0.88 undici: GHSA-2mjp-6q6p-2qxm
Undici has an HTTP Request/Response Smuggling issue
yarn.lock
medium Security checks software dependencies conf 0.88 undici: GHSA-4992-7rv2-5pvq
Undici has CRLF Injection in undici via `upgrade` option
yarn.lock
medium Security checks software dependencies conf 0.88 undici: GHSA-g9mf-h72j-4rw9
Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion
yarn.lock
medium Security checks software dependencies conf 0.88 uuid: GHSA-w5hq-g745-h8pq
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
yarn.lock
medium Security checks software dependencies conf 0.88 vite: GHSA-4w7w-66w2-5vf9
Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling
yarn.lock
medium Security checks software dependencies conf 0.88 vite: GHSA-93m4-6634-74q7
vite allows server.fs.deny bypass via backslash on Windows
yarn.lock
medium Security checks software dependencies conf 0.88 ws: GHSA-58qx-3vcg-4xpx
ws: Uninitialized memory disclosure
yarn.lock
medium Security checks software dependencies conf 0.88 ws: GHSA-6fc8-4gx4-v693
ReDoS in Sec-Websocket-Protocol header
yarn.lock
medium Security checks software dependencies conf 0.88 yaml: GHSA-48c2-rrv3-qjmp
yaml is vulnerable to Stack Overflow via deeply nested YAML collections
yarn.lock
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/graphiql-react/src/components/markdown-content/index.tsx:24
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — examples/graphiql-nextjs/src/app/graphiql.tsx:9
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — examples/graphiql-vite-react-router/app/routes/_index/create-fetcher.ts:5
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — examples/graphiql-vite/src/App.jsx:5
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — examples/monaco-graphql-webpack/src/index.ts:158
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/graphql-language-service-server/src/__tests__/findGraphQLTags.test.ts:384
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph cicd CI/CD security conf 1.00 4 occurrences GitHub Action is tag-pinned rather than SHA-pinned
cypress-io/github-action@v7 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
3 files, 4 locations
.github/workflows/update-cdn-example.yml:43 (2 hits)
.github/workflows/pr.yml:136
.github/workflows/release.yml:53
CI/CD security · Supply chain · GitHub Actions
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/update-cdn-example.yml · CI/CD security · Supply chain · GitHub Actions
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/release.yml · CI/CD security · Supply chain · GitHub Actions
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in packages/graphiql-react/src/components/markdown-content/index.tsx:24
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
packages/graphiql-react/src/components/markdown-content/index.tsx:24 · Dangerous innerhtml
low Security checks software dependencies conf 0.88 axios: GHSA-xhjh-pmcv-23jw
Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams
yarn.lock
low Security checks software dependencies conf 0.88 brace-expansion: GHSA-v6h2-p8h4-qcjw
brace-expansion Regular Expression Denial of Service vulnerability
yarn.lock
low Security checks software dependencies conf 0.88 diff: GHSA-73rr-hh4g-fpgx
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch
yarn.lock
low Security checks quality Quality conf 0.60 9 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
9 files, 9 locations
packages/graphiql-plugin-doc-explorer/src/schema-reference.ts:36
packages/graphiql-react/src/components/variables-editor.tsx:36
packages/graphiql-react/src/types.ts:4
packages/graphql-language-service-server/src/GraphQLLanguageService.ts:104
packages/graphql-language-service/src/interface/autocompleteUtils.ts:74
packages/graphql-language-service/src/interface/getDiagnostics.ts:64
packages/graphql-language-service/src/parser/Rules.ts:122
packages/vscode-graphql-execution/src/helpers/source.ts:205
duplication · quality
low Security checks software dependencies conf 0.88 min-document: GHSA-rx8g-88g5-qh64
min-document vulnerable to prototype pollution
yarn.lock
low Security checks software dependencies conf 0.90 npm package `@babel/plugin-transform-private-methods` is minor version(s) behind (^7.24.7 -> 7.29.7)
`@babel/plugin-transform-private-methods` is pinned/resolved at ^7.24.7 but the latest stable release on the npm registry is 7.29.7 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot ver…
package.json
low Security checks software dependencies conf 0.90 npm package `@babel/preset-env` is minor version(s) behind (^7.20.2 -> 7.29.7)
`@babel/preset-env` is pinned/resolved at ^7.20.2 but the latest stable release on the npm registry is 7.29.7 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `@babel/preset-react` is minor version(s) behind (^7.18.6 -> 7.29.7)
`@babel/preset-react` is pinned/resolved at ^7.18.6 but the latest stable release on the npm registry is 7.29.7 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs rais…
package.json
low Security checks software dependencies conf 0.90 4 occurrences npm package `@babel/register` is minor version(s) behind (^7.21.0 -> 7.29.7)
`@babel/register` is pinned/resolved at ^7.21.0 but the latest stable release on the npm registry is 7.29.7 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
4 occurrences
package.json (4 hits)
low Security checks software dependencies conf 0.90 npm package `@changesets/changelog-github` is minor version(s) behind (0.5.0 -> 0.7.0)
`@changesets/changelog-github` is pinned/resolved at 0.5.0 but the latest stable release on the npm registry is 0.7.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PR…
package.json
low Security checks software dependencies conf 0.90 npm package `@changesets/cli` is minor version(s) behind (2.27.7 -> 2.31.0)
`@changesets/cli` is pinned/resolved at 2.27.7 but the latest stable release on the npm registry is 2.31.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `@types/ws` is minor version(s) behind (8.2.2 -> 8.18.1)
`@types/ws` is pinned/resolved at 8.2.2 but the latest stable release on the npm registry is 8.18.1 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `babel-plugin-transform-import-meta` is minor version(s) behind (^2.2.1 -> 2.3.3)
`babel-plugin-transform-import-meta` is pinned/resolved at ^2.2.1 but the latest stable release on the npm registry is 2.3.3 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-up…
package.json
low Security checks software dependencies conf 0.90 npm package `oxfmt` is minor version(s) behind (^0.45.0 -> 0.53.0)
`oxfmt` is pinned/resolved at ^0.45.0 but the latest stable release on the npm registry is 0.53.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 2 occurrences npm package `oxlint-plugin-eslint` is minor version(s) behind (^1 -> 1.68.0)
`oxlint-plugin-eslint` is pinned/resolved at ^1 but the latest stable release on the npm registry is 1.68.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
2 occurrences
package.json (2 hits)
low Security checks software dependencies conf 0.90 npm package `wgutils` is minor version(s) behind (^1.2.5 -> 1.3.0)
`wgutils` is pinned/resolved at ^1.2.5 but the latest stable release on the npm registry is 1.3.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.88 qs: GHSA-w7fw-mjwx-w883
qs's arrayLimit bypass in comma parsing allows denial of service
yarn.lock
low Security checks quality Quality conf 0.74 robots.txt does not advertise a sitemap
Sitemap directives in robots.txt help crawlers and AI agents find the canonical public URL inventory quickly.
examples/graphiql-vite-react-router/public/robots.txt
low Security checks software dependencies conf 0.88 tmp: GHSA-52f5-9888-hmc6
tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
yarn.lock
low Security checks software dependencies conf 0.88 tsup: GHSA-3mv9-4h5g-vhg3
tsup DOM Clobbering vulnerability
yarn.lock
low Security checks software dependencies conf 0.88 vite: GHSA-g4jq-h2w9-997c
Vite middleware may serve files starting with the same name with the public directory
yarn.lock
low Security checks software dependencies conf 0.88 vite: GHSA-jqfw-vq24-v9c3
Vite's `server.fs` settings were not applied to HTML files
yarn.lock
low System graph quality Maintenance conf 1.00 91 TODO/FIXME markers
High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.
low System graph software Dead code candidate conf 1.00 50 occurrences File has no detected symbols
Source file with no class/function declarations — possible config, dead code, or scratch file.
50 files, 50 locations
babel.config.js
packages/cm6-graphql/__tests__/test.spec.ts
packages/cm6-graphql/src/completions.ts
packages/cm6-graphql/src/interfaces.ts
packages/cm6-graphql/src/lint.ts
packages/codemirror-graphql/babel.config.js
packages/codemirror-graphql/setup-files.ts
packages/codemirror-graphql/src/__tests__/mode.test.ts
packages/codemirror-graphql/src/__tests__/testSchema.ts
packages/codemirror-graphql/src/cm6-legacy/mode.ts
packages/codemirror-graphql/src/hint.ts
packages/codemirror-graphql/src/index.d.ts
packages/codemirror-graphql/src/lint.ts
packages/codemirror-graphql/src/mode.ts
packages/codemirror-graphql/src/results/__tests__/mode.test.ts
packages/codemirror-graphql/src/results/mode.ts
packages/codemirror-graphql/src/variables/__tests__/mode.test.ts
packages/graphiql-plugin-history/setup-files.ts
packages/graphiql-plugin-history/src/vite-env.d.ts
packages/graphiql-react/setup-files.ts
packages/graphiql-react/src/components/button-group/index.tsx
packages/graphiql-react/src/components/button/index.tsx
packages/graphiql-react/src/components/dialog/index.tsx
packages/graphiql-react/src/components/dropdown-menu/index.tsx
packages/graphiql-react/src/components/execute-button/index.tsx
packages/graphiql-react/src/components/markdown-content/index.tsx
packages/graphiql-react/src/components/request-headers-editor.tsx
packages/graphiql-react/src/components/response-editor.tsx
packages/graphiql-react/src/components/spinner/index.tsx
packages/graphiql-react/src/components/tabs/index.tsx
packages/graphiql-react/src/components/toolbar-button/index.tsx
packages/graphiql-react/src/components/toolbar-menu/index.tsx
packages/graphiql-react/src/components/tooltip/index.tsx
packages/graphiql-react/src/components/variables-editor.tsx
packages/graphiql-react/src/env.d.ts
packages/graphiql-react/src/setup-workers/esm.sh.ts
packages/graphiql-react/src/setup-workers/vite.ts
packages/graphiql-react/src/setup-workers/webpack.ts
packages/graphiql-react/src/stores/storage.ts
packages/graphiql-react/src/types.test-d.ts
packages/graphiql-react/src/types.ts
packages/graphiql-react/src/utility/markdown.ts
packages/graphiql-react/src/utility/monaco-ssr.ts
packages/graphiql-react/src/utility/tabs.spec.ts
packages/graphiql-react/src/utility/whitespace.spec.ts
packages/graphiql-react/src/vite-env.d.ts
packages/vscode-graphql-execution/esbuild.js
packages/vscode-graphql-execution/src/helpers/extensions.ts
resources/babel.config.js
wg.config.js
low System graph cicd CI/CD security conf 1.00 28 occurrences GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
4 files, 28 locations
.github/workflows/pr.yml:15, 16, 22, 31, 32, 43, 44, 56, +14 more (22 hits)
.github/workflows/pr-graphql-compat-check.yml:34, 41 (2 hits)
.github/workflows/release.yml:40, 79 (2 hits)
.github/workflows/update-cdn-example.yml:21, 22 (2 hits)
CI/CD security · Supply chain · GitHub Actions
low System graph quality Tests conf 1.00 Low test-to-source ratio
71 tests / 291 src (ratio 0.24).
low System graph quality Integrity conf 1.00 11 occurrences Old/deprecated-named symbol
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
11 files, 11 locations
`alsoDeprecated` in packages/graphiql/test/schema.js:321
`isDeprecated` in packages/cm6-graphql/src/completions.ts:54
`isDeprecated` in packages/codemirror-graphql/src/__tests__/hint.test.ts:79
`isDeprecated` in packages/codemirror-graphql/src/hint.ts:29
`isDeprecated` in packages/codemirror-graphql/src/utils/hintList.ts:40
`isDeprecated` in packages/graphql-language-service/src/interface/autocompleteUtils.ts:52
`isDeprecated` in packages/graphql-language-service/src/interface/getAutocompleteSuggestions.ts:529
`isDeprecated` in packages/graphql-language-service/src/types.ts:170
`nDeprecated` in packages/graphql-language-service/src/interface/__tests__/getHoverInformation.test.ts:99
`showDeprecated` in packages/graphiql-plugin-doc-explorer/src/components/field-documentation.tsx:39
`showDeprecated` in packages/graphiql-plugin-doc-explorer/src/components/type-documentation.tsx:60
old marker · Dead code
low System graph cicd CI/CD security conf 1.00 2 occurrences package.json defines install-time lifecycle scripts
preinstall/install/postinstall/prepare scripts execute during dependency installation. Review them carefully for network calls, obfuscation, shell execution, or credential access.
2 files, 2 locations
package.json
packages/cm6-graphql/package.json
CI/CD security · Supply chain · Npm
low System graph frontend Frontend quality conf 1.00 11 occurrences Stray `console.log` in TS/JS
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
11 files, 11 locations
examples/graphiql-webpack/src/index.jsx:21
examples/graphiql-webpack/src/snippets.js:10
examples/monaco-graphql-webpack/src/index.ts:60
packages/graphiql/test/e2e-server.js:75
packages/graphql-language-service-server/src/__tests__/MessageProcessor.spec.ts:624
packages/graphql-language-service-server/src/GraphQLCache.ts:716
packages/graphql-language-service-server/src/Logger.ts:38
packages/graphql-language-service/benchmark/index.ts:15
packages/graphql-language-service/src/utils/getOperationFacts.ts:35
packages/vscode-graphql-execution/src/extension.ts:31
packages/vscode-graphql/src/extension.ts:31
Fq console leak
API access

This page is publicly accessible at: https://repobility.com/scan/a584bcf6-918b-4edb-a5d7-ebcb192249d3/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/a584bcf6-918b-4edb-a5d7-ebcb192249d3/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.