File as GitHub Issue repo: PaddlePaddle/FastDeploy

Push this scan report to PaddlePaddle/FastDeploy

Click the green button below to open GitHub’s new-issue form, pre-filled with the report title, summary table, top findings, and an embedded score-card image. No authentication needed — you review on GitHub before submitting. Repobility is credited as the scanner.

Issue title

Mutable default argument in `__init__` (list)

Curate findings to include

Pick exactly which findings appear in the issue body. By default the top 5 are included. Uncheck noise, check what matters.

Top 5 (default)
Severity Rule Title File:line
MED MINED109 [MINED109] Mutable default argument in `pre_process` (list): `def pre_process(... = []/{}… fastdeploy/model_executor/layers/sample…:476
MED MINED109 [MINED109] Mutable default argument in `apply_token_mask` (list): `def apply_token_mask(.… fastdeploy/model_executor/layers/sample…:395
MED MINED109 [MINED109] Mutable default argument in `update_vocab_mask` (list): `def update_vocab_mask… fastdeploy/model_executor/layers/sample…:317
MED MINED109 [MINED109] Mutable default argument in `add_logits_processor` (list): `def add_logits_pro… fastdeploy/model_executor/layers/sample…:266
MED MINED109 [MINED109] Mutable default argument in `__init__` (list): `def __init__(... = []/{}/set()… fastdeploy/model_executor/ops/triton_op…:588
MED MINED109 [MINED109] Mutable default argument in `paddle_use_triton` (list): `def paddle_use_triton… fastdeploy/model_executor/ops/triton_op…:828
MED MINED109 [MINED109] Mutable default argument in `paddle_use_triton` (dict): `def paddle_use_triton… fastdeploy/model_executor/ops/triton_op…:828
MED MINED109 [MINED109] Mutable default argument in `__init__` (list): `def __init__(... = []/{}/set()… fastdeploy/model_executor/ops/triton_op…:85
MED MINED109 [MINED109] Mutable default argument in `paddle_use_triton_v2` (list): `def paddle_use_tri… fastdeploy/model_executor/ops/triton_op…:340
MED MINED109 [MINED109] Mutable default argument in `paddle_use_triton_v2` (dict): `def paddle_use_tri… fastdeploy/model_executor/ops/triton_op…:340
MED MINED109 [MINED109] Mutable default argument in `__init__` (list): `def __init__(... = []/{}/set()… fastdeploy/model_executor/models/qwen2_…:67
MED MINED109 [MINED109] Mutable default argument in `per_block_cast_to_fp8` (list): `def per_block_cas… fastdeploy/model_executor/layers/utils.…:253
MED MINED109 [MINED109] Mutable default argument in `get_candidates_for_backup` (list): `def get_candi… fastdeploy/cache_manager/v1/radix_tree.…:625
MED MINED109 [MINED109] Mutable default argument in `__init__` (list): `def __init__(... = []/{}/set()… fastdeploy/cache_manager/transfer_facto…:30
MED MINED109 [MINED109] Mutable default argument in `__init__` (list): `def __init__(... = []/{}/set()… fastdeploy/cache_manager/cache_data.py:43
MED MINED109 [MINED109] Mutable default argument in `get_results` (list): `def get_results(... = []/{}… fastdeploy/scheduler/splitwise_schedule…:140
MED MINED109 [MINED109] Mutable default argument in `insert_tasks_v1` (dict): `def insert_tasks_v1(...… fastdeploy/spec_decode/mtp.py:478
MED MINED109 [MINED109] Mutable default argument in `__init__` (dict): `def __init__(... = []/{}/set()… fastdeploy/rl/rollout_config.py:24
MED MINED109 [MINED109] Mutable default argument in `form_model_get_output_topp0` (dict): `def form_mo… tests/model_loader/utils.py:81
MED MINED109 [MINED109] Mutable default argument in `run_with_timeout` (dict): `def run_with_timeout(.… tests/model_loader/utils.py:58
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… benchmarks/backend_request_func.py:1318
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… benchmarks/backend_request_func.py:1227
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… benchmarks/backend_request_func.py:1179
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… benchmarks/backend_request_func.py:1114
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… benchmarks/backend_request_func.py:1035
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… benchmarks/backend_request_func.py:633
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… benchmarks/backend_request_func.py:567
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… benchmarks/quick_benchmark.py:681
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… benchmarks/backend_request_func_swe.py:531
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… benchmarks/backend_request_func_swe.py:1422
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… benchmarks/backend_request_func_swe.py:275
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… benchmarks/backend_request_func_swe.py:1324
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… benchmarks/backend_request_func_swe.py:1233
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… benchmarks/backend_request_func_swe.py:1185
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… benchmarks/backend_request_func_swe.py:1120
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… benchmarks/backend_request_func_swe.py:1041
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… benchmarks/backend_request_func_swe.py:633
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… benchmarks/backend_request_func_swe.py:567
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… scripts/CheckPRTemplate.py:133
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… fastdeploy/collect_env.py:529
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… fastdeploy/utils.py:1113
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… fastdeploy/utils.py:1038
MED MINED109 [MINED109] Mutable default argument in `get_hash_str` (list): `def get_hash_str(... = []/… fastdeploy/utils.py:795
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… custom_ops/setup_ops.py:125
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… custom_ops/setup_ops_cpu.py:62
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… setup.py:122
MED SEC094 [SEC094] Go: world-writable file permissions: File or directory created with world-writab… fastdeploy/golang_router/pkg/logger/log…:40
MED SEC045 [SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even … fastdeploy/entrypoints/cli/tokenizer.py:222
MED SEC134 [SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum… fastdeploy/demo/tokenizer_client_demo.py:31
MED SEC007 [SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code. fastdeploy/cache_manager/multimodal_cac…:149
MED SEC034 [SEC034] Log Injection / Log Forging — unsanitized user input in log: User input is logge… fastdeploy/entrypoints/api_server.py:117
MED SEC034 [SEC034] Log Injection / Log Forging — unsanitized user input in log: User input is logge… fastdeploy/cache_manager/multimodal_cac…:154
MED SEC034 [SEC034] Log Injection / Log Forging — unsanitized user input in log: User input is logge… fastdeploy/cache_manager/cache_metrics.…:103
MED SEC119 [SEC119] World-writable / world-readable file permissions: World-writable files let any l… fastdeploy/golang_router/launch.py:38
MED SEC119 [SEC119] World-writable / world-readable file permissions: World-writable files let any l… custom_ops/xpu_ops/setup_ops.py:109
MED SEC012 [SEC012] ZipSlip — Archive Path Traversal: Archive extraction without path validation all… custom_ops/xpu_ops/setup_ops.py:59
MED SEC127 [SEC127] AI agent stub — TODO: implement / pass placeholder body: Function body left as T… fastdeploy/cache_manager/transfer_facto…:276
MED SEC127 [SEC127] AI agent stub — TODO: implement / pass placeholder body: Function body left as T… fastdeploy/cache_manager/multimodal_cac…:101
MED SEC127 [SEC127] AI agent stub — TODO: implement / pass placeholder body: Function body left as T… benchmarks/paddleocr_vl/benchmark.py:38
MED SEC041 [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blan… .claude/skills/research-report/scripts/…:132
MED ERR001 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even… fastdeploy/cache_manager/v1/transfer/ip…:61
MED ERR001 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even… .claude/skills/benchmark-compare/script…:107
MED ERR001 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even… benchmarks/paddleocr_vl/benchmark.py:91
MED SEC012 [SEC012] ZipSlip — Archive Path Traversal: Archive extraction without path validation all… custom_ops/setup_ops_cpu.py:56
MED COMP001 [COMP001] High cognitive complexity: Function `run_benchmark` has cognitive complexity 17… benchmarks/benchmark_fmq.py:109
MED COMP001 [COMP001] High cognitive complexity: Function `compute_comparison` has cognitive complexi… .claude/skills/benchmark-compare/script…:113
MED DKR003 Compose service `grafana` image uses the latest tag examples/observability/docker-compose.y…:13
MED DKR003 Compose service `prometheus` image uses the latest tag examples/observability/docker-compose.y…:2
MED AUC001 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks…
MED MINED124 [MINED124] requirements.txt: `crcmod` has no version pin: Unpinned pip requirement means … requirements.txt:29
MED MINED124 [MINED124] requirements.txt: `triton` has no version pin: Unpinned pip requirement means … requirements.txt:28
MED MINED124 [MINED124] requirements.txt: `moviepy` has no version pin: Unpinned pip requirement means… requirements.txt:27
MED MINED124 [MINED124] requirements.txt: `paddlecodec` has no version pin: Unpinned pip requirement m… requirements.txt:26
MED MINED124 [MINED124] requirements.txt: `prometheus-client` has no version pin: Unpinned pip require… requirements.txt:25
MED MINED124 [MINED124] requirements.txt: `visualdl` has no version pin: Unpinned pip requirement mean… requirements.txt:23
MED MINED124 [MINED124] requirements.txt: `xlwt` has no version pin: Unpinned pip requirement means ev… requirements.txt:22
MED MINED124 [MINED124] requirements.txt: `gradio` has no version pin: Unpinned pip requirement means … requirements.txt:21
MED MINED124 [MINED124] requirements.txt: `tabulate` has no version pin: Unpinned pip requirement mean… requirements.txt:20
MED MINED124 [MINED124] requirements.txt: `pybind11[global]` has no version pin: Unpinned pip requirem… requirements.txt:19
MED MINED124 [MINED124] requirements.txt: `cupy-cuda12x` has no version pin: Unpinned pip requirement … requirements.txt:18
MED MINED124 [MINED124] requirements.txt: `fast_dataindex` has no version pin: Unpinned pip requiremen… requirements.txt:17
MED MINED124 [MINED124] requirements.txt: `httpx` has no version pin: Unpinned pip requirement means e… requirements.txt:16
MED MINED124 [MINED124] requirements.txt: `etcd3` has no version pin: Unpinned pip requirement means e… requirements.txt:15
MED MINED124 [MINED124] requirements.txt: `redis` has no version pin: Unpinned pip requirement means e… requirements.txt:14
MED MINED124 [MINED124] requirements.txt: `fastapi` has no version pin: Unpinned pip requirement means… requirements.txt:12
MED MINED124 [MINED124] requirements.txt: `pynvml` has no version pin: Unpinned pip requirement means … requirements.txt:10
MED MINED124 [MINED124] requirements.txt: `tqdm` has no version pin: Unpinned pip requirement means ev… requirements.txt:9
MED MINED124 [MINED124] requirements.txt: `aiozmq` has no version pin: Unpinned pip requirement means … requirements.txt:7
MED MINED124 [MINED124] requirements.txt: `zmq` has no version pin: Unpinned pip requirement means eve… requirements.txt:6
MED MINED124 [MINED124] requirements.txt: `ruamel.yaml` has no version pin: Unpinned pip requirement m… requirements.txt:5
MED MINED124 [MINED124] requirements.txt: `flake8` has no version pin: Unpinned pip requirement means … requirements.txt:4
MED MINED124 [MINED124] requirements.txt: `yapf` has no version pin: Unpinned pip requirement means ev… requirements.txt:3
MED MINED124 [MINED124] requirements.txt: `pre-commit` has no version pin: Unpinned pip requirement me… requirements.txt:2
MED MINED124 [MINED124] requirements.txt: `setuptools` has no version pin: Unpinned pip requirement me… requirements.txt:1
MED DKR002 Compose service `otel-collector` image has no explicit tag examples/observability/docker-compose.y…:40
MED DKR002 Compose service `jaeger` image has no explicit tag examples/observability/docker-compose.y…:31
MED DKR007 Docker build context has no .dockerignore .dockerignore
MED DKR001 Docker final stage has no non-root USER tools/dockerfile/Dockerfile.ci:1
MED DKR001 Docker final stage has no non-root USER dockerfiles/Dockerfile.xpu:1
MED DKR001 Docker final stage has no non-root USER dockerfiles/Dockerfile.gpu:1
MED SEC017 [SEC017] Unbounded Input to LLM/External API: User input is passed to an LLM or external … fastdeploy/entrypoints/cli/openai.py:198
MED SEC017 [SEC017] Unbounded Input to LLM/External API: User input is passed to an LLM or external … fastdeploy/demo/openai_demo.py:22
MED SEC017 [SEC017] Unbounded Input to LLM/External API: User input is passed to an LLM or external … fastdeploy/demo/openai_vl_demo.py:22
MED WEB003 Public web service has no security.txt .well-known/security.txt
MED AUC002 [AUC002] Low visible authorization coverage in route inventory: Only 20.7% of discovered …
MED AGT012 Agent control bridge may listen on a network interface without visible auth fastdeploy/cache_manager/cache_messager…:12
MED AGT012 Agent control bridge may listen on a network interface without visible auth .github/workflows/_unit_test_coverage.y…:13
MED AUC012 [AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /…
MED AGT012 Agent control bridge may listen on a network interface without visible auth fastdeploy/engine/common_engine.py:12
MED AGT012 Agent control bridge may listen on a network interface without visible auth fastdeploy/engine/args_utils.py:12
MED AGT012 Agent control bridge may listen on a network interface without visible auth fastdeploy/config.py:12
MED AGT012 Agent control bridge may listen on a network interface without visible auth fastdeploy/cache_manager/cache_transfer…:12
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … fastdeploy/entrypoints/openai/api_serve…:727
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … fastdeploy/entrypoints/openai/api_serve…:716
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … fastdeploy/entrypoints/openai/api_serve…:705
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … fastdeploy/entrypoints/openai/api_serve…:686
LOW SEC075 [SEC075] Dockerfile: no HEALTHCHECK: No HEALTHCHECK directive — orchestrators can't detec… tools/dockerfile/docker_build.sh:1
LOW SEC132 [SEC132] String concat where the language has interpolation (AI style drift): String buil… custom_ops/gpu_ops/read_data_ipc.cu:59
LOW SEC132 [SEC132] String concat where the language has interpolation (AI style drift): String buil… custom_ops/gpu_ops/get_data_ptr_ipc.cu:45
LOW SEC132 [SEC132] String concat where the language has interpolation (AI style drift): String buil… custom_ops/gpu_ops/fused_cast_sigmoid_b…:120
LOW COMP001 [COMP001] High cognitive complexity: Function `extract_meta` has cognitive complexity 11 … .claude/skills/research-report/scripts/…:24
LOW AIC003 Duplicated implementation block across source files custom_ops/gpu_ops/cutlass_kernels/fp8_…:11
LOW AIC003 Duplicated implementation block across source files custom_ops/gpu_ops/cutlass_kernels/fp8_…:202
LOW AIC003 Duplicated implementation block across source files custom_ops/gpu_ops/cutlass_kernels/fp8_…:106
LOW AIC003 Duplicated implementation block across source files custom_ops/gpu_ops/cutlass_kernels/fp8_…:98
LOW AIC003 Duplicated implementation block across source files custom_ops/gpu_ops/cutlass_kernels/fp8_…:15
LOW AIC003 Duplicated implementation block across source files custom_ops/gpu_ops/cutlass_extensions/g…:179
LOW AIC003 Duplicated implementation block across source files custom_ops/gpu_ops/cutlass_extensions/g…:1
LOW AIC003 Duplicated implementation block across source files custom_ops/gpu_ops/cutlass_extensions/g…:49
LOW AIC003 Duplicated implementation block across source files custom_ops/gpu_ops/cutlass_extensions/g…:109
LOW AIC003 Duplicated implementation block across source files custom_ops/gpu_ops/cutlass_extensions/g…:80
LOW AIC003 Duplicated implementation block across source files custom_ops/gpu_ops/cutlass_extensions/g…:7
LOW AIC003 Duplicated implementation block across source files custom_ops/gpu_ops/cutlass_extensions/g…:1
LOW AIC003 Duplicated implementation block across source files custom_ops/gpu_ops/cutlass_extensions/g…:111
LOW AIC003 Duplicated implementation block across source files custom_ops/gpu_ops/cutlass_extensions/g…:1
LOW AIC003 Duplicated implementation block across source files custom_ops/gpu_ops/cutlass_extensions/g…:10
LOW AIC003 Duplicated implementation block across source files custom_ops/gpu_ops/cutlass_extensions/g…:1
LOW AIC003 Duplicated implementation block across source files custom_ops/gpu_ops/cutlass_extensions/g…:1
LOW AIC003 Duplicated implementation block across source files custom_ops/gpu_ops/cutlass_extensions/g…:118
LOW AIC003 Duplicated implementation block across source files custom_ops/gpu_ops/cutlass_extensions/g…:1
LOW AIC003 Duplicated implementation block across source files custom_ops/gpu_ops/cutlass_extensions/g…:47
LOW AIC003 Duplicated implementation block across source files custom_ops/gpu_ops/cutlass_extensions/g…:12
LOW AIC003 Duplicated implementation block across source files custom_ops/gpu_ops/cutlass_extensions/g…:113
LOW AIC003 Duplicated implementation block across source files custom_ops/gpu_ops/cutlass_extensions/g…:7
LOW AIC003 Duplicated implementation block across source files custom_ops/gpu_ops/cutlass_extensions/g…:1
LOW AIC003 Duplicated implementation block across source files custom_ops/gpu_ops/cutlass_extensions/e…:254
LOW AIC003 Duplicated implementation block across source files custom_ops/gpu_ops/cutlass_extensions/e…:20
LOW AIC003 Duplicated implementation block across source files custom_ops/gpu_ops/cutlass_extensions/e…:18
LOW AIC003 Duplicated implementation block across source files custom_ops/gpu_ops/append_attn/speculat…:9
LOW AIC003 Duplicated implementation block across source files custom_ops/gpu_ops/append_attn/multique…:20
LOW AIC003 Duplicated implementation block across source files custom_ops/gpu_ops/append_attn/multique…:20
LOW DKR010 Dockerfile leaves apt package indexes in the image layer tools/dockerfile/Dockerfile.ci:16
LOW DKR010 Dockerfile leaves apt package indexes in the image layer tools/dockerfile/Dockerfile.ci:2
LOW DKR010 Dockerfile leaves apt package indexes in the image layer dockerfiles/Dockerfile.xpu:11
LOW DKR011 Dockerfile installs recommended OS packages tools/dockerfile/Dockerfile.ci:23
LOW DKR011 Dockerfile installs recommended OS packages tools/dockerfile/Dockerfile.ci:16
LOW DKR011 Dockerfile installs recommended OS packages tools/dockerfile/Dockerfile.ci:2
LOW DKR012 Dockerfile keeps pip download cache dockerfiles/Dockerfile.xpu:35
LOW DKR012 Dockerfile keeps pip download cache dockerfiles/Dockerfile.xpu:15
LOW DKR011 Dockerfile installs recommended OS packages dockerfiles/Dockerfile.xpu:11
LOW DKC010 Compose service lacks no-new-privileges hardening examples/observability/docker-compose.y…:40
LOW DKC010 Compose service lacks no-new-privileges hardening examples/observability/docker-compose.y…:31
LOW DKC010 Compose service lacks no-new-privileges hardening examples/observability/docker-compose.y…:13
LOW DKC010 Compose service lacks no-new-privileges hardening examples/observability/docker-compose.y…:2
LOW AIC002 Source file name looks like an AI patch artifact custom_ops/xpu_ops/src/plugin/src/wrapp…:1
LOW AIC002 Source file name looks like an AI patch artifact custom_ops/xpu_ops/src/plugin/src/wrapp…:1
LOW DKC006 Compose service does not declare a runtime user examples/observability/docker-compose.y…:40
LOW DKC006 Compose service does not declare a runtime user examples/observability/docker-compose.y…:31
LOW DKC006 Compose service does not declare a runtime user examples/observability/docker-compose.y…:13
LOW DKC006 Compose service does not declare a runtime user examples/observability/docker-compose.y…:2
INFO MINED055 [MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versi… tools/codestyle/pre_commit.sh:19
INFO MINED055 [MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versi… scripts/run_ci_hpu.sh:27
INFO MINED060 [MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks g… fastdeploy/golang_router/internal/manag…:273
INFO MINED060 [MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks g… fastdeploy/golang_router/cmd/main.go:57
INFO MINED064 [MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services. fastdeploy/model_executor/layers/mtp_li…:137
INFO MINED064 [MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services. fastdeploy/model_executor/layers/lm_hea…:154
INFO MINED064 [MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services. fastdeploy/entrypoints/cli/openai.py:71
INFO MINED067 [MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang f… fastdeploy/multimodal/image.py:116
INFO MINED067 [MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang f… fastdeploy/entrypoints/chat_utils.py:117
INFO MINED067 [MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang f… examples/intel_hpu/bench_gsm8k.py:58
INFO MINED042 [MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr — memory leak ri… custom_ops/xpu_ops/src/ops/pybind/cache…:94
INFO MINED075 [MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking fo… custom_ops/xpu_ops/src/ops/pybind/alloc…:31
INFO MINED063 [MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) — file can be replaced/de… fastdeploy/logger/setup_logging.py:185
INFO MINED063 [MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) — file can be replaced/de… fastdeploy/entrypoints/chat_utils.py:222
INFO MINED063 [MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) — file can be replaced/de… custom_ops/xpu_ops/setup_ops.py:164
INFO MINED062 [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model. fastdeploy/engine/kv_cache_interface.py:24
INFO MINED062 [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model. custom_ops/utils/auto_gen_template_inst…:24
INFO MINED062 [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model. custom_ops/utils/auto_gen_template_atte…:24
INFO MINED077 [MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles. custom_ops/gpu_ops/stop_generation.cu:95
INFO MINED077 [MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles. custom_ops/gpu_ops/read_temp_ids.py:71
INFO MINED077 [MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles. custom_ops/gpu_ops/read_ids.py:59
INFO MINED045 [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError … custom_ops/gpu_ops/speculate_decoding/s…:35
INFO MINED045 [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError … custom_ops/gpu_ops/moe/moe_fast_hardama…:79
INFO MINED080 [MINED080] Cpp Using Namespace Std: using namespace std; pollutes the global namespace. custom_ops/gpu_ops/mla_attn/batch_mla_w…:36
INFO MINED049 [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout. fastdeploy/entrypoints/cli/tokenizer.py:160
INFO MINED049 [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout. benchmarks/paddleocr_vl/benchmark.py:187
INFO MINED049 [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout. benchmarks/benchmark_mtp.py:124
INFO MINED043 [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… .claude/skills/nsys-capture/nsys_defaul…:19
INFO MINED043 [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… .claude/skills/nsys-capture/nsys_captur…:31
INFO MINED043 [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… .claude/skills/benchmark-compare/script…:55
200 findings available (after auto-suppression of test files + won't-fix)

Issue body (markdown)

## Code-quality scan: `PaddlePaddle/FastDeploy`

**Score: 75/100 (A-)**  ·  392 findings  ·  scanned 2026-05-31 01:23 UTC  ·  460,329 LOC

| Severity | Count |
|---|---|
| CRITICAL | 19 |
| HIGH | 128 |
| MEDIUM | 116 |
| LOW | 54 |

📊 [Full filterable report](https://repobility.com/scan/ab654ff4-2d45-41c2-a338-f39e691f30b3/)  ·  ![scorecard](https://repobility.com/scan/ab654ff4-2d45-41c2-a338-f39e691f30b3/report.png?v=1780190629-s2)

### Top findings

1. **MEDIUM** `MINED109` — Mutable default argument in `pre_process` (list)
   `fastdeploy/model_executor/layers/sample/sampler.py:476` · ✓ Repobility
2. **MEDIUM** `MINED109` — Mutable default argument in `apply_token_mask` (list)
   `fastdeploy/model_executor/layers/sample/sampler.py:395` · ✓ Repobility
3. **MEDIUM** `MINED109` — Mutable default argument in `update_vocab_mask` (list)
   `fastdeploy/model_executor/layers/sample/sampler.py:317` · ✓ Repobility
4. **MEDIUM** `MINED109` — Mutable default argument in `add_logits_processor` (list)
   `fastdeploy/model_executor/layers/sample/sampler.py:266` · ✓ Repobility
5. **MEDIUM** `MINED109` — Mutable default argument in `__init__` (list)
   `fastdeploy/model_executor/ops/triton_ops/triton_utils.py:588` · ✓ Repobility

---

_Filed automatically. Close this issue if not useful — we won't refile. Full report: https://repobility.com/scan/ab654ff4-2d45-41c2-a338-f39e691f30b3/_
Megaproject — high spam risk
Could not determine 'PaddlePaddle/FastDeploy' star count (GitHub API rate-limited or unreachable). When in doubt about repo size, prefer opening a focused PR or a discussion rather than an issue.
Already filed
160/459 findings (35%) on this scan are already flagged as test-file, won't-fix, or suppressed. The scan is too noisy to file as a single issue. Curate down to specific actionable findings, or address the FP source first.

The button opens GitHub’s new-issue page in a new tab. You will see the title + body pre-filled — review, edit if you want, then click GitHub’s "Submit new issue" button. Repobility never posts anything on your behalf.

For real security findings on big repos: use the project's SECURITY.md or private advisory flow instead of a public issue.