File as GitHub Issue repo: Azim-Ahmed/Node-flow-diagram

Push this scan report to Azim-Ahmed/Node-flow-diagram

Click the green button below to open GitHub’s new-issue form, pre-filled with the report title, summary table, top findings, and an embedded score-card image. No authentication needed — you review on GitHub before submitting. Repobility is credited as the scanner.

Embedded score card image

This image will render at the top of the issue body. Hosted on Repobility, refreshes automatically after re-scans.

Repobility score card

Issue title

Server-Side Request Forgery (SSRF) — outbound HTTP from user input

Curate findings to include

Pick exactly which findings appear in the issue body. By default the top 5 are included. Uncheck noise, check what matters.

Top 5 (default)
| Severity | Rule | Title | File:line |
|---|---|---|---|
| CRIT | GHSA-hc6q-2mpp-qw7j | webpack: GHSA-hc6q-2mpp-qw7j | yarn.lock |
| CRIT | GHSA-76p3-8jx3-jpfq | loader-utils: GHSA-76p3-8jx3-jpfq | yarn.lock |
| CRIT | GHSA-fjxv-7rqg-78g4 | form-data: GHSA-fjxv-7rqg-78g4 | yarn.lock |
| CRIT | GHSA-67hx-6x53-jw92 | @babel/traverse: GHSA-67hx-6x53-jw92 | yarn.lock |
| HIGH | SEC029 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… | src/helpers/index.js:44 |
| HIGH | GHSA-3h5v-q93c-6h6q | ws: GHSA-3h5v-q93c-6h6q | yarn.lock |
| HIGH | GHSA-wr3j-pwj9-hqq6 | webpack-dev-middleware: GHSA-wr3j-pwj9-hqq6 | yarn.lock |
| HIGH | GHSA-4wf5-vphf-c2xc | terser: GHSA-4wf5-vphf-c2xc | yarn.lock |
| HIGH | GHSA-xpqw-6gx7-v673 | svgo: GHSA-xpqw-6gx7-v673 | yarn.lock |
| HIGH | GHSA-5c6j-r48x-rmvq | serialize-javascript: GHSA-5c6j-r48x-rmvq | yarn.lock |
| HIGH | GHSA-c2qf-rxjj-qqgw | semver: GHSA-c2qf-rxjj-qqgw | yarn.lock |
| HIGH | GHSA-mw96-cpmx-2vgc | rollup: GHSA-mw96-cpmx-2vgc | yarn.lock |
| HIGH | GHSA-gcx4-mw62-g8wm | rollup: GHSA-gcx4-mw62-g8wm | yarn.lock |
| HIGH | GHSA-c2c7-rcm5-vvqj | picomatch: GHSA-c2c7-rcm5-vvqj | yarn.lock |
| HIGH | GHSA-rhx6-c78j-4q9w | path-to-regexp: GHSA-rhx6-c78j-4q9w | yarn.lock |
| HIGH | GHSA-9wv6-86v2-598j | path-to-regexp: GHSA-9wv6-86v2-598j | yarn.lock |
| HIGH | GHSA-37ch-88jc-xwx2 | path-to-regexp: GHSA-37ch-88jc-xwx2 | yarn.lock |
| HIGH | GHSA-rp65-9cf3-cjxr | nth-check: GHSA-rp65-9cf3-cjxr | yarn.lock |
| HIGH | GHSA-q67f-28xg-22rw | node-forge: GHSA-q67f-28xg-22rw | yarn.lock |
| HIGH | GHSA-ppp5-5v6c-4jwp | node-forge: GHSA-ppp5-5v6c-4jwp | yarn.lock |
| HIGH | GHSA-5m6q-g25r-mvwx | node-forge: GHSA-5m6q-g25r-mvwx | yarn.lock |
| HIGH | GHSA-5gfm-wpxj-wjgq | node-forge: GHSA-5gfm-wpxj-wjgq | yarn.lock |
| HIGH | GHSA-554w-wpv2-vw27 | node-forge: GHSA-554w-wpv2-vw27 | yarn.lock |
| HIGH | GHSA-2328-f5f3-gj25 | node-forge: GHSA-2328-f5f3-gj25 | yarn.lock |
| HIGH | GHSA-f8q6-p94x-37v3 | minimatch: GHSA-f8q6-p94x-37v3 | yarn.lock |
| HIGH | GHSA-7r86-cg39-jmmj | minimatch: GHSA-7r86-cg39-jmmj | yarn.lock |
| HIGH | GHSA-3ppc-4f35-3m26 | minimatch: GHSA-3ppc-4f35-3m26 | yarn.lock |
| HIGH | GHSA-23c5-xmqv-rm74 | minimatch: GHSA-23c5-xmqv-rm74 | yarn.lock |
| HIGH | GHSA-r5fr-rjxr-66jc | lodash: GHSA-r5fr-rjxr-66jc | yarn.lock |
| HIGH | GHSA-hhq3-ff78-jv3g | loader-utils: GHSA-hhq3-ff78-jv3g | yarn.lock |
| HIGH | GHSA-3rfm-jhwj-7488 | loader-utils: GHSA-3rfm-jhwj-7488 | yarn.lock |
| HIGH | GHSA-9c47-m6qq-7p4h | json5: GHSA-9c47-m6qq-7p4h | yarn.lock |
| HIGH | GHSA-c7qv-q95q-8v27 | http-proxy-middleware: GHSA-c7qv-q95q-8v27 | yarn.lock |
| HIGH | GHSA-rf6f-7fwh-wjgh | flatted: GHSA-rf6f-7fwh-wjgh | yarn.lock |
| HIGH | GHSA-25h7-pfq9-p65f | flatted: GHSA-25h7-pfq9-p65f | yarn.lock |
| HIGH | GHSA-w573-4hg7-7wgq | decode-uri-component: GHSA-w573-4hg7-7wgq | yarn.lock |
| HIGH | GHSA-3xgq-45jj-v275 | cross-spawn: GHSA-3xgq-45jj-v275 | yarn.lock |
| HIGH | GHSA-grv7-fg5c-xmjg | braces: GHSA-grv7-fg5c-xmjg | yarn.lock |
| HIGH | GHSA-qwcr-r2fm-qrc7 | body-parser: GHSA-qwcr-r2fm-qrc7 | yarn.lock |
| HIGH | GHSA-fv7c-fp4j-7gwp | @babel/plugin-transform-modules-systemjs: GHSA-fv7c-fp4j-7gwp | yarn.lock |
| MED | DEPCUR-NPM | npm package `web-vitals` is 3 major version(s) behind (^2.1.4 -> 5.3.0) | package.json |
| MED | DEPCUR-NPM | npm package `uuid` is 6 major version(s) behind (^8.3.2 -> 14.0.0) | package.json |
| MED | DEPCUR-NPM | npm package `redux-thunk` is 1 major version(s) behind (^2.4.1 -> 3.1.0) | package.json |
| MED | DEPCUR-NPM | npm package `redux` is 1 major version(s) behind (^4.2.0 -> 5.0.1) | package.json |
| MED | DEPCUR-NPM | npm package `react-resizable` is 1 major version(s) behind (^3.0.4 -> 4.0.1) | package.json |
| MED | DEPCUR-NPM | npm package `react-redux` is 1 major version(s) behind (^8.0.2 -> 9.3.0) | package.json |
| MED | DEPCUR-NPM | npm package `react-icons` is 1 major version(s) behind (^4.3.1 -> 5.6.0) | package.json |
| MED | DEPCUR-NPM | npm package `react-final-form` is 1 major version(s) behind (^6.5.9 -> 7.0.1) | package.json |
| MED | DEPCUR-NPM | npm package `final-form` is 1 major version(s) behind (^4.20.7 -> 5.0.1) | package.json |
| MED | DEPCUR-NPM | npm package `@testing-library/user-event` is 1 major version(s) behind (^13.5.0 -> 14.6.1) | package.json |
| MED | DEPCUR-NPM | npm package `@testing-library/react` is 3 major version(s) behind (^13.2.0 -> 16.3.2) | package.json |
| MED | DEPCUR-NPM | npm package `@testing-library/jest-dom` is 1 major version(s) behind (^5.16.4 -> 6.9.1) | package.json |
| MED | DEPCUR-NPM | npm package `@mui/material` is 4 major version(s) behind (^5.7.0 -> 9.0.1) | package.json |
| MED | GHSA-48c2-rrv3-qjmp | yaml: GHSA-48c2-rrv3-qjmp | yarn.lock |
| MED | GHSA-58qx-3vcg-4xpx | ws: GHSA-58qx-3vcg-4xpx | yarn.lock |
| MED | GHSA-j8xg-fqg3-53r7 | word-wrap: GHSA-j8xg-fqg3-53r7 | yarn.lock |
| MED | GHSA-9jgg-88mc-972h | webpack-dev-server: GHSA-9jgg-88mc-972h | yarn.lock |
| MED | GHSA-79cf-xcqc-c78w | webpack-dev-server: GHSA-79cf-xcqc-c78w | yarn.lock |
| MED | GHSA-4v9v-hfq4-rm2v | webpack-dev-server: GHSA-4v9v-hfq4-rm2v | yarn.lock |
| MED | GHSA-4vvj-4cpr-p986 | webpack: GHSA-4vvj-4cpr-p986 | yarn.lock |
| MED | GHSA-w5hq-g745-h8pq | uuid: GHSA-w5hq-g745-h8pq | yarn.lock |
| MED | GHSA-72xf-g2v4-qvf3 | tough-cookie: GHSA-72xf-g2v4-qvf3 | yarn.lock |
| MED | GHSA-qj8w-gfj5-8c6v | serialize-javascript: GHSA-qj8w-gfj5-8c6v | yarn.lock |
| MED | GHSA-76p7-773f-r4q5 | serialize-javascript: GHSA-76p7-773f-r4q5 | yarn.lock |
| MED | GHSA-9jcx-v3wj-wh4m | react-router: GHSA-9jcx-v3wj-wh4m | yarn.lock |
| MED | GHSA-6rw7-vpxm-498p | qs: GHSA-6rw7-vpxm-498p | yarn.lock |
| MED | GHSA-qx2v-qp2m-jg93 | postcss: GHSA-qx2v-qp2m-jg93 | yarn.lock |
| MED | GHSA-7fh5-64p2-3v2j | postcss: GHSA-7fh5-64p2-3v2j | yarn.lock |
| MED | GHSA-3v7f-55p6-f55p | picomatch: GHSA-3v7f-55p6-f55p | yarn.lock |
| MED | GHSA-65ch-62r8-g69g | node-forge: GHSA-65ch-62r8-g69g | yarn.lock |
| MED | GHSA-mwcw-c2x4-8c55 | nanoid: GHSA-mwcw-c2x4-8c55 | yarn.lock |
| MED | GHSA-952p-6rrq-rcjv | micromatch: GHSA-952p-6rrq-rcjv | yarn.lock |
| MED | GHSA-xxjr-mmjv-4gpg | lodash: GHSA-xxjr-mmjv-4gpg | yarn.lock |
| MED | GHSA-f23m-r3pf-42rh | lodash: GHSA-f23m-r3pf-42rh | yarn.lock |
| MED | GHSA-mh29-5h37-fv8m | js-yaml: GHSA-mh29-5h37-fv8m | yarn.lock |
| MED | GHSA-9gqv-wp59-fq42 | http-proxy-middleware: GHSA-9gqv-wp59-fq42 | yarn.lock |
| MED | GHSA-4www-5p9h-95mh | http-proxy-middleware: GHSA-4www-5p9h-95mh | yarn.lock |
| MED | GHSA-r4q5-vmmm-2653 | follow-redirects: GHSA-r4q5-vmmm-2653 | yarn.lock |
| MED | GHSA-jchw-25xp-jwwc | follow-redirects: GHSA-jchw-25xp-jwwc | yarn.lock |
| MED | GHSA-cxjh-pqwp-8mfp | follow-redirects: GHSA-cxjh-pqwp-8mfp | yarn.lock |
| MED | GHSA-rv95-896h-c2vc | express: GHSA-rv95-896h-c2vc | yarn.lock |
| MED | GHSA-ghr5-ch3p-vcr6 | ejs: GHSA-ghr5-ch3p-vcr6 | yarn.lock |
| MED | GHSA-f886-m6hf-6m8v | brace-expansion: GHSA-f886-m6hf-6m8v | yarn.lock |
| MED | GHSA-2g4f-4pwh-qvx6 | ajv: GHSA-2g4f-4pwh-qvx6 | yarn.lock |
| MED | GHSA-968p-4wvh-cqc8 | @babel/runtime-corejs3: GHSA-968p-4wvh-cqc8 | yarn.lock |
| MED | GHSA-968p-4wvh-cqc8 | @babel/runtime: GHSA-968p-4wvh-cqc8 | yarn.lock |
| MED | GHSA-968p-4wvh-cqc8 | @babel/helpers: GHSA-968p-4wvh-cqc8 | yarn.lock |
| MED | JRN002 | Browser storage is used for session token material | src/redux/actions/auth.actions.js:37 |
| MED | JRN002 | Browser storage is used for session token material | src/redux/actions/auth.actions.js:15 |
| MED | WEB003 | Public web service has no security.txt | .well-known/security.txt |
| MED | WEB015 | Public web app has no Content Security Policy | index.html |
| MED | CORE_NO_CI | No CI/CD configuration found | |
| LOW | DEPCUR-NPM | npm package `postcss` is minor version(s) behind (^8.4.13 -> 8.5.15) | package.json |
| LOW | DEPCUR-NPM | npm package `autoprefixer` is minor version(s) behind (^10.4.7 -> 10.5.0) | package.json |
| LOW | DEPCUR-NPM | npm package `react-flow-renderer` is minor version(s) behind (^10.2.2 -> 10.3.17) | package.json |
| LOW | DEPCUR-NPM | npm package `@xyflow/react` is minor version(s) behind (^12.1.1 -> 12.11.0) | package.json |
| LOW | DEPCUR-NPM | npm package `html-to-image` is minor version(s) behind (^1.9.0 -> 1.11.13) | package.json |
| LOW | DEPCUR-NPM | npm package `@emotion/styled` is minor version(s) behind (^11.8.1 -> 11.14.1) | package.json |
| LOW | DEPCUR-NPM | npm package `@emotion/react` is minor version(s) behind (^11.9.0 -> 11.14.0) | package.json |
| LOW | GHSA-8fgc-7cc6-rx7x | webpack: GHSA-8fgc-7cc6-rx7x | yarn.lock |
| LOW | GHSA-38r7-794h-5758 | webpack: GHSA-38r7-794h-5758 | yarn.lock |
| LOW | GHSA-cm22-4g7w-348p | serve-static: GHSA-cm22-4g7w-348p | yarn.lock |
| LOW | GHSA-m6fv-jmcg-4jfg | send: GHSA-m6fv-jmcg-4jfg | yarn.lock |
| LOW | GHSA-w7fw-mjwx-w883 | qs: GHSA-w7fw-mjwx-w883 | yarn.lock |
| LOW | GHSA-76c9-3jph-rj3q | on-headers: GHSA-76c9-3jph-rj3q | yarn.lock |
| LOW | GHSA-qw6h-vgh9-j6wx | express: GHSA-qw6h-vgh9-j6wx | yarn.lock |
| LOW | GHSA-pxg6-pf52-xh8x | cookie: GHSA-pxg6-pf52-xh8x | yarn.lock |
| LOW | GHSA-v6h2-p8h4-qcjw | brace-expansion: GHSA-v6h2-p8h4-qcjw | yarn.lock |
| LOW | GHSA-vpq2-c234-7xj6 | @tootallnate/once: GHSA-vpq2-c234-7xj6 | yarn.lock |
| LOW | AIC003 | Duplicated implementation block across source files | src/components/FlowComponents/Nodes/Dec…:17 |
| LOW | WEB005 | robots.txt does not advertise a sitemap | public/robots.txt |
| LOW | WEB002 | Public web app has no sitemap | sitemap.xml |
| LOW | WEB008 | Public docs site has no llms.txt | llms.txt |
| LOW | WEB011 | Public web app has no humans.txt | humans.txt |
| LOW | CORE_NO_LICENSE | No LICENSE file | |
| INFO | MINED044 | [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … | src/redux/actions/user.actions.js:10 |
| INFO | MINED056 | [MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re… | src/components/FlowComponents/Nodes/Cus…:14 |
| INFO | MINED056 | [MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re… | src/components/FlowComponents/Nodes/Cus…:20 |
| INFO | DEPCUR-NPM | npm package `reactjs-popup` is patch version(s) behind (^2.0.5 -> 2.0.6) | package.json |

119 findings available (after auto-suppression of test files + won't-fix)

Issue body (markdown)

## Code-quality scan: `Azim-Ahmed/Node-flow-diagram`

**Score: 77/100 (D+)**  ·  119 findings  ·  scanned 2026-06-05 16:56 UTC  ·  2,068 LOC

| Severity | Count |
|---|---|
| CRITICAL | 4 |
| HIGH | 36 |
| MEDIUM | 52 |
| LOW | 23 |

📊 [Full filterable report](https://repobility.com/scan/a66c87f6-8eb8-43de-aca2-f6fdfc8daf66/)  ·  ![scorecard](https://repobility.com/scan/a66c87f6-8eb8-43de-aca2-f6fdfc8daf66/report.png?v=1780678572-s2)

### Top findings

1. **CRITICAL** `GHSA-hc6q-2mpp-qw7j` — webpack: GHSA-hc6q-2mpp-qw7j
   `yarn.lock`
2. **CRITICAL** `GHSA-76p3-8jx3-jpfq` — loader-utils: GHSA-76p3-8jx3-jpfq
   `yarn.lock`
3. **CRITICAL** `GHSA-fjxv-7rqg-78g4` — form-data: GHSA-fjxv-7rqg-78g4
   `yarn.lock`
4. **CRITICAL** `GHSA-67hx-6x53-jw92` — @babel/traverse: GHSA-67hx-6x53-jw92
   `yarn.lock`
5. **HIGH** `SEC029` — Server-Side Request Forgery (SSRF) — outbound HTTP from user input
   `src/helpers/index.js:44` · A10:2021 SSRF

---

**Security note**: this issue is public. If any flagged finding is a real, exploitable vulnerability, please redirect to your `SECURITY.md` policy or open a [private security advisory](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability) instead. We're happy to close this and re-submit privately.

---

_Filed automatically. Close this issue if not useful — we won't refile. Full report: https://repobility.com/scan/a66c87f6-8eb8-43de-aca2-f6fdfc8daf66/_
Megaproject — high spam risk

Could not determine 'Azim-Ahmed/Node-flow-diagram' star count (GitHub API rate-limited or unreachable). When in doubt about repo size, prefer opening a focused PR or a discussion rather than an issue.

The button opens GitHub's new-issue page in a new tab. You will see the title + body pre-filled — review, edit if you want, then click GitHub's "Submit new issue" button. Repobility never posts anything on your behalf.

For real security findings on big repos: use the project's SECURITY.md or private advisory flow instead of a public issue.