Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
3 of your 119 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 3.07s · analysis 16.5s · 0.6 MB · GitHub API rate-limit (preflight)

Azim-Ahmed/Node-flow-diagram

https://github.com/Azim-Ahmed/Node-flow-diagram · scanned 2026-06-05 16:56 UTC (4 days, 18 hours ago) · 10 languages

155 raw signals (119 security + 36 graph) 26th percentile · Javascript · small (2-20K LoC) System graph score 89 (lower by 40)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 4 days, 18 hours ago · v2 · 136 actionable findings from 2 signal sources. 1 repeated signal grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
77.2
/100
Security checks
65
118 findings
System graph
89
66.7% cov · 18 findings
Critical
4
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 100.0 0.15 15.00
security_score 45.5 0.25 11.38
testing_score 17.0 0.20 3.40
documentation_score 38.7 0.15 5.81
practices_score 42.0 0.15 6.30
code_quality 79.4 0.10 7.94
Overall 1.00 49.8
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 4 High 36 Medium 52 Low 35 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 118 System graph 18 Crowd 0 Layer: Quality 15 Security 2 Software 112 Api 1 Frontend 5 Cicd 1
Scan summary Quality grade D+ (50/100). Dimensions: security 46, maintainability 100. 119 findings (88 security). 2,068 lines analyzed.

Showing 127 of 136 actionable findings. 137 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

critical Security checks software dependencies conf 0.88 @babel/traverse: GHSA-67hx-6x53-jw92
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
yarn.lock
critical Security checks software dependencies conf 0.88 form-data: GHSA-fjxv-7rqg-78g4
form-data uses unsafe random function in form-data for choosing boundary
yarn.lock
critical Security checks software dependencies conf 0.88 loader-utils: GHSA-76p3-8jx3-jpfq
Prototype pollution in webpack loader-utils
yarn.lock
critical Security checks software dependencies conf 0.88 webpack: GHSA-hc6q-2mpp-qw7j
Cross-realm object access in Webpack 5
yarn.lock
high Security checks software dependencies conf 0.88 @babel/plugin-transform-modules-systemjs: GHSA-fv7c-fp4j-7gwp
@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input
yarn.lock
high Security checks software dependencies conf 0.88 body-parser: GHSA-qwcr-r2fm-qrc7
body-parser vulnerable to denial of service when url encoding is enabled
yarn.lock
high Security checks software dependencies conf 0.88 braces: GHSA-grv7-fg5c-xmjg
Uncontrolled resource consumption in braces
yarn.lock
high Security checks software dependencies conf 0.88 cross-spawn: GHSA-3xgq-45jj-v275
Regular Expression Denial of Service (ReDoS) in cross-spawn
yarn.lock
high Security checks software dependencies conf 0.88 decode-uri-component: GHSA-w573-4hg7-7wgq
decode-uri-component vulnerable to Denial of Service (DoS)
yarn.lock
high Security checks software dependencies conf 0.88 flatted: GHSA-25h7-pfq9-p65f
flatted vulnerable to unbounded recursion DoS in parse() revive phase
yarn.lock
high Security checks software dependencies conf 0.88 flatted: GHSA-rf6f-7fwh-wjgh
Prototype Pollution via parse() in NodeJS flatted
yarn.lock
high Security checks software dependencies conf 0.88 http-proxy-middleware: GHSA-c7qv-q95q-8v27
Denial of service in http-proxy-middleware
yarn.lock
high Security checks software dependencies conf 0.88 json5: GHSA-9c47-m6qq-7p4h
Prototype Pollution in JSON5 via Parse Method
yarn.lock
high Security checks software dependencies conf 0.88 loader-utils: GHSA-3rfm-jhwj-7488
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable
yarn.lock
high Security checks software dependencies conf 0.88 loader-utils: GHSA-hhq3-ff78-jv3g
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)
yarn.lock
high Security checks software dependencies conf 0.88 lodash: GHSA-r5fr-rjxr-66jc
lodash vulnerable to Code Injection via `_.template` imports key names
yarn.lock
high Security checks software dependencies conf 0.88 minimatch: GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
yarn.lock
high Security checks software dependencies conf 0.88 minimatch: GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
yarn.lock
high Security checks software dependencies conf 0.88 minimatch: GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
yarn.lock
high Security checks software dependencies conf 0.88 minimatch: GHSA-f8q6-p94x-37v3
minimatch ReDoS vulnerability
yarn.lock
high Security checks software dependencies conf 0.88 node-forge: GHSA-2328-f5f3-gj25
Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)
yarn.lock
high Security checks software dependencies conf 0.88 node-forge: GHSA-554w-wpv2-vw27
node-forge has ASN.1 Unbounded Recursion
yarn.lock
high Security checks software dependencies conf 0.88 node-forge: GHSA-5gfm-wpxj-wjgq
node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization
yarn.lock
high Security checks software dependencies conf 0.88 node-forge: GHSA-5m6q-g25r-mvwx
Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input
yarn.lock
high Security checks software dependencies conf 0.88 node-forge: GHSA-ppp5-5v6c-4jwp
Forge has signature forgery in RSA-PKCS due to ASN.1 extra field
yarn.lock
high Security checks software dependencies conf 0.88 node-forge: GHSA-q67f-28xg-22rw
Forge has signature forgery in Ed25519 due to missing S > L check
yarn.lock
high Security checks software dependencies conf 0.88 nth-check: GHSA-rp65-9cf3-cjxr
Inefficient Regular Expression Complexity in nth-check
yarn.lock
high Security checks software dependencies conf 0.88 path-to-regexp: GHSA-37ch-88jc-xwx2
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters
yarn.lock
high Security checks software dependencies conf 0.88 path-to-regexp: GHSA-9wv6-86v2-598j
path-to-regexp outputs backtracking regular expressions
yarn.lock
high Security checks software dependencies conf 0.88 path-to-regexp: GHSA-rhx6-c78j-4q9w
path-to-regexp contains a ReDoS
yarn.lock
high Security checks software dependencies conf 0.88 picomatch: GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers
yarn.lock
high Security checks software dependencies conf 0.88 rollup: GHSA-gcx4-mw62-g8wm
DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS
yarn.lock
high Security checks software dependencies conf 0.88 rollup: GHSA-mw96-cpmx-2vgc
Rollup 4 has Arbitrary File Write via Path Traversal
yarn.lock
high Security checks software dependencies conf 0.88 semver: GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service
yarn.lock
high Security checks software dependencies conf 0.88 serialize-javascript: GHSA-5c6j-r48x-rmvq
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()
yarn.lock
high Security checks software dependencies conf 0.88 svgo: GHSA-xpqw-6gx7-v673
SVGO DoS through entity expansion in DOCTYPE (Billion Laughs)
yarn.lock
high Security checks software dependencies conf 0.88 terser: GHSA-4wf5-vphf-c2xc
Terser insecure use of regular expressions leads to ReDoS
yarn.lock
high Security checks software dependencies conf 0.88 webpack-dev-middleware: GHSA-wr3j-pwj9-hqq6
Path traversal in webpack-dev-middleware
yarn.lock
high Security checks software dependencies conf 0.88 ws: GHSA-3h5v-q93c-6h6q
ws affected by a DoS when handling a request with many HTTP headers
yarn.lock
medium Security checks software dependencies conf 0.88 @babel/helpers: GHSA-968p-4wvh-cqc8
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
yarn.lock
medium Security checks software dependencies conf 0.88 @babel/runtime-corejs3: GHSA-968p-4wvh-cqc8
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
yarn.lock
medium Security checks software dependencies conf 0.88 @babel/runtime: GHSA-968p-4wvh-cqc8
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
yarn.lock
medium Security checks software dependencies conf 0.88 ajv: GHSA-2g4f-4pwh-qvx6
ajv has ReDoS when using `$data` option
yarn.lock
medium Security checks software dependencies conf 0.88 brace-expansion: GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion
yarn.lock
high Security checks security auth conf 0.82 2 occurrences Browser storage is used for session token material
localStorage and sessionStorage are readable by injected JavaScript. For sensitive sessions, this turns XSS into account compromise.
lines 15, 37
src/redux/actions/auth.actions.js:15, 37 (2 hits)
medium Security checks software dependencies conf 0.88 ejs: GHSA-ghr5-ch3p-vcr6
ejs lacks certain pollution protection
yarn.lock
medium Security checks software dependencies conf 0.88 express: GHSA-rv95-896h-c2vc
Express.js Open Redirect in malformed URLs
yarn.lock
medium Security checks software dependencies conf 0.88 follow-redirects: GHSA-cxjh-pqwp-8mfp
follow-redirects' Proxy-Authorization header kept across hosts
yarn.lock
medium Security checks software dependencies conf 0.88 follow-redirects: GHSA-jchw-25xp-jwwc
Follow Redirects improperly handles URLs in the url.parse() function
yarn.lock
medium Security checks software dependencies conf 0.88 follow-redirects: GHSA-r4q5-vmmm-2653
follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets
yarn.lock
medium Security checks software dependencies conf 0.88 http-proxy-middleware: GHSA-4www-5p9h-95mh
http-proxy-middleware can call writeBody twice because "else if" is not used
yarn.lock
medium Security checks software dependencies conf 0.88 http-proxy-middleware: GHSA-9gqv-wp59-fq42
http-proxy-middleware allows fixRequestBody to proceed even if bodyParser has failed
yarn.lock
medium Security checks software dependencies conf 0.88 js-yaml: GHSA-mh29-5h37-fv8m
js-yaml has prototype pollution in merge (<<)
yarn.lock
medium Security checks software dependencies conf 0.88 lodash: GHSA-f23m-r3pf-42rh
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
yarn.lock
medium Security checks software dependencies conf 0.88 lodash: GHSA-xxjr-mmjv-4gpg
Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions
yarn.lock
medium Security checks software dependencies conf 0.88 micromatch: GHSA-952p-6rrq-rcjv
Regular Expression Denial of Service (ReDoS) in micromatch
yarn.lock
medium Security checks software dependencies conf 0.88 nanoid: GHSA-mwcw-c2x4-8c55
Predictable results in nanoid generation when given non-integer values
yarn.lock
medium Security checks software dependencies conf 0.88 node-forge: GHSA-65ch-62r8-g69g
node-forge is vulnerable to ASN.1 OID Integer Truncation
yarn.lock
medium Security checks software dependencies conf 0.90 npm package `@mui/material` is 4 major version(s) behind (^5.7.0 -> 9.0.1)
`@mui/material` is pinned/resolved at ^5.7.0 but the latest stable release on the npm registry is 9.0.1 (4 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `@testing-library/jest-dom` is 1 major version(s) behind (^5.16.4 -> 6.9.1)
`@testing-library/jest-dom` is pinned/resolved at ^5.16.4 but the latest stable release on the npm registry is 6.9.1 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update P…
package.json
medium Security checks software dependencies conf 0.90 npm package `@testing-library/react` is 3 major version(s) behind (^13.2.0 -> 16.3.2)
`@testing-library/react` is pinned/resolved at ^13.2.0 but the latest stable release on the npm registry is 16.3.2 (3 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs…
package.json
medium Security checks software dependencies conf 0.90 npm package `@testing-library/user-event` is 1 major version(s) behind (^13.5.0 -> 14.6.1)
`@testing-library/user-event` is pinned/resolved at ^13.5.0 but the latest stable release on the npm registry is 14.6.1 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-updat…
package.json
medium Security checks software dependencies conf 0.90 npm package `final-form` is 1 major version(s) behind (^4.20.7 -> 5.0.1)
`final-form` is pinned/resolved at ^4.20.7 but the latest stable release on the npm registry is 5.0.1 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `react-final-form` is 1 major version(s) behind (^6.5.9 -> 7.0.1)
`react-final-form` is pinned/resolved at ^6.5.9 but the latest stable release on the npm registry is 7.0.1 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `react-icons` is 1 major version(s) behind (^4.3.1 -> 5.6.0)
`react-icons` is pinned/resolved at ^4.3.1 but the latest stable release on the npm registry is 5.6.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `react-redux` is 1 major version(s) behind (^8.0.2 -> 9.3.0)
`react-redux` is pinned/resolved at ^8.0.2 but the latest stable release on the npm registry is 9.3.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `react-resizable` is 1 major version(s) behind (^3.0.4 -> 4.0.1)
`react-resizable` is pinned/resolved at ^3.0.4 but the latest stable release on the npm registry is 4.0.1 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `redux-thunk` is 1 major version(s) behind (^2.4.1 -> 3.1.0)
`redux-thunk` is pinned/resolved at ^2.4.1 but the latest stable release on the npm registry is 3.1.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `redux` is 1 major version(s) behind (^4.2.0 -> 5.0.1)
`redux` is pinned/resolved at ^4.2.0 but the latest stable release on the npm registry is 5.0.1 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `uuid` is 6 major version(s) behind (^8.3.2 -> 14.0.0)
`uuid` is pinned/resolved at ^8.3.2 but the latest stable release on the npm registry is 14.0.0 (6 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `web-vitals` is 3 major version(s) behind (^2.1.4 -> 5.3.0)
`web-vitals` is pinned/resolved at ^2.1.4 but the latest stable release on the npm registry is 5.3.0 (3 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.88 picomatch: GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
yarn.lock
medium Security checks software dependencies conf 0.88 postcss: GHSA-7fh5-64p2-3v2j
PostCSS line return parsing error
yarn.lock
medium Security checks software dependencies conf 0.88 postcss: GHSA-qx2v-qp2m-jg93
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
yarn.lock
medium Security checks quality Quality conf 0.70 Public web app has no Content Security Policy
A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox.
index.html
medium Security checks quality Quality conf 0.78 Public web service has no security.txt
security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt.
.well-known/security.txt
medium Security checks software dependencies conf 0.88 qs: GHSA-6rw7-vpxm-498p
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion
yarn.lock
medium Security checks software dependencies conf 0.88 react-router: GHSA-9jcx-v3wj-wh4m
React Router has unexpected external redirect via untrusted paths
yarn.lock
medium Security checks software dependencies conf 0.88 serialize-javascript: GHSA-76p7-773f-r4q5
Cross-site Scripting (XSS) in serialize-javascript
yarn.lock
medium Security checks software dependencies conf 0.88 serialize-javascript: GHSA-qj8w-gfj5-8c6v
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects
yarn.lock
medium Security checks software dependencies conf 0.88 tough-cookie: GHSA-72xf-g2v4-qvf3
tough-cookie Prototype Pollution vulnerability
yarn.lock
medium Security checks software dependencies conf 0.88 uuid: GHSA-w5hq-g745-h8pq
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
yarn.lock
medium Security checks software dependencies conf 0.88 webpack-dev-server: GHSA-4v9v-hfq4-rm2v
webpack-dev-server users' source code may be stolen when they access a malicious web site
yarn.lock
medium Security checks software dependencies conf 0.88 webpack-dev-server: GHSA-79cf-xcqc-c78w
webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins
yarn.lock
medium Security checks software dependencies conf 0.88 webpack-dev-server: GHSA-9jgg-88mc-972h
webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser
yarn.lock
medium Security checks software dependencies conf 0.88 webpack: GHSA-4vvj-4cpr-p986
Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS
yarn.lock
medium Security checks software dependencies conf 0.88 word-wrap: GHSA-j8xg-fqg3-53r7
word-wrap vulnerable to Regular Expression Denial of Service
yarn.lock
medium Security checks software dependencies conf 0.88 ws: GHSA-58qx-3vcg-4xpx
ws: Uninitialized memory disclosure
yarn.lock
medium Security checks software dependencies conf 0.88 yaml: GHSA-48c2-rrv3-qjmp
yaml is vulnerable to Stack Overflow via deeply nested YAML collections
yarn.lock
medium System graph security Coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
auth
medium System graph cicd CI/CD security conf 1.00 No CI/CD pipelines detected
No GitHub Actions, GitLab CI, or CircleCI configs found. Without CI you can't gate deploys on tests/lints.
CI/CD securityCoverage
medium System graph quality Tests conf 1.00 Very low test-to-source ratio
1 test file(s) for 37 source file(s) (ratio 0.03). Consider adding integration or unit tests for critical paths.
Coverage
low Security checks software dependencies conf 0.88 @tootallnate/once: GHSA-vpq2-c234-7xj6
@tootallnate/once vulnerable to Incorrect Control Flow Scoping
yarn.lock
low Security checks software dependencies conf 0.88 brace-expansion: GHSA-v6h2-p8h4-qcjw
brace-expansion Regular Expression Denial of Service vulnerability
yarn.lock
low Security checks software dependencies conf 0.88 cookie: GHSA-pxg6-pf52-xh8x
cookie accepts cookie name, path, and domain with out of bounds characters
yarn.lock
low Security checks quality Quality conf 0.60 Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
src/components/FlowComponents/Nodes/DecisionNode.jsx:17 duplicationquality
low Security checks software dependencies conf 0.88 express: GHSA-qw6h-vgh9-j6wx
express vulnerable to XSS via response.redirect()
yarn.lock
low Security checks quality Documentation No LICENSE file
Add a LICENSE file to your repository. Use choosealicense.com to pick the right license (MIT for permissive, Apache 2.0 for patent protection, GPL for copyleft).
low Security checks software dependencies conf 0.90 npm package `@emotion/react` is minor version(s) behind (^11.9.0 -> 11.14.0)
`@emotion/react` is pinned/resolved at ^11.9.0 but the latest stable release on the npm registry is 11.14.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `@emotion/styled` is minor version(s) behind (^11.8.1 -> 11.14.1)
`@emotion/styled` is pinned/resolved at ^11.8.1 but the latest stable release on the npm registry is 11.14.1 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `@xyflow/react` is minor version(s) behind (^12.1.1 -> 12.11.0)
`@xyflow/react` is pinned/resolved at ^12.1.1 but the latest stable release on the npm registry is 12.11.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `autoprefixer` is minor version(s) behind (^10.4.7 -> 10.5.0)
`autoprefixer` is pinned/resolved at ^10.4.7 but the latest stable release on the npm registry is 10.5.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `html-to-image` is minor version(s) behind (^1.9.0 -> 1.11.13)
`html-to-image` is pinned/resolved at ^1.9.0 but the latest stable release on the npm registry is 1.11.13 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `postcss` is minor version(s) behind (^8.4.13 -> 8.5.15)
`postcss` is pinned/resolved at ^8.4.13 but the latest stable release on the npm registry is 8.5.15 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `react-flow-renderer` is minor version(s) behind (^10.2.2 -> 10.3.17)
`react-flow-renderer` is pinned/resolved at ^10.2.2 but the latest stable release on the npm registry is 10.3.17 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs rai…
package.json
low Security checks software dependencies conf 0.88 on-headers: GHSA-76c9-3jph-rj3q
on-headers is vulnerable to http response header manipulation
yarn.lock
low Security checks quality Quality conf 0.64 Public docs site has no llms.txt
AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions.
llms.txt
low Security checks quality Quality conf 0.50 Public web app has no humans.txt
humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links.
humans.txt
low Security checks quality Quality conf 0.72 Public web app has no sitemap
A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. Without one, important docs and product pages are easy to miss.
sitemap.xml
low Security checks software dependencies conf 0.88 qs: GHSA-w7fw-mjwx-w883
qs's arrayLimit bypass in comma parsing allows denial of service
yarn.lock
low Security checks quality Quality conf 0.74 robots.txt does not advertise a sitemap
Sitemap directives in robots.txt help crawlers and AI agents find the canonical public URL inventory quickly.
public/robots.txt
low Security checks software dependencies conf 0.88 send: GHSA-m6fv-jmcg-4jfg
send vulnerable to template injection that can lead to XSS
yarn.lock
low Security checks software dependencies conf 0.88 serve-static: GHSA-cm22-4g7w-348p
serve-static vulnerable to template injection that can lead to XSS
yarn.lock
low Security checks software dependencies conf 0.88 webpack: GHSA-38r7-794h-5758
webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence
yarn.lock
low Security checks software dependencies conf 0.88 webpack: GHSA-8fgc-7cc6-rx7x
webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior
yarn.lock
low System graph software Dead code candidate conf 1.00 File has no detected symbols: postcss.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/App.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/components/FlowComponents/Info/index.jsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/components/FlowComponents/Nodes/InputNode.jsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/Pages/Home/index.jsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/redux/actions/constant.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tailwind.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph frontend Frontend quality conf 1.00 React Flow <Controls> without dark theming — src/Pages/FlowCanvas/index.jsx:546
`<Controls>` ships with white buttons. Override `.react-flow__controls` and `.react-flow__controls-button` in your stylesheet or pass a styled wrapper. Why: P1 in CHECKLIST.md — vendor defaults bleed light through. Rule id: fq.controls.no-bg
Fq controls no bg
low System graph frontend Frontend quality conf 1.00 React Flow <MiniMap> without dark background — src/Pages/FlowCanvas/index.jsx:456
A bare <MiniMap> renders with the vendor's white default in dark themes. Wrap the canvas in a class that overrides `.react-flow__minimap` background, or pass an explicit `style`/`maskColor`/`bgColor`. Why: P1 in CHECKLIST.md — vendor defaults bleed light through. Rule id: fq.minimap.no-bg
Fq minimap no bg
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/Pages/FlowCanvas/index.jsx:154
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/redux/actions/auth.actions.js:133
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/redux/actions/user.actions.js:10
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/a66c87f6-8eb8-43de-aca2-f6fdfc8daf66/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/a66c87f6-8eb8-43de-aca2-f6fdfc8daf66/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.