File as GitHub Issue repo: h5bp/Front-end-Developer-Interview-Questions

Push this scan report to h5bp/Front-end-Developer-Interview-Questions

Click the green button below to open GitHub’s new-issue form, pre-filled with the report title, summary table, top findings, and an embedded score-card image. No authentication needed — you review on GitHub before submitting. Repobility is credited as the scanner.

Embedded score card image

This image will render at the top of the issue body. Hosted on Repobility, refreshes automatically after re-scans.

Issue title

Action `actions/setup-node` pinned to mutable ref `@v4`

Curate findings to include

Pick exactly which findings appear in the issue body. By default the top 5 are included. Uncheck noise, check what matters.

Top 5 (default)

| Severity | Rule | Title | File:line |
|---|---|---|---|
| CRIT | GHSA-gf2q-c269-pqgc | liquidjs: GHSA-gf2q-c269-pqgc | package-lock.json |
| CRIT | GHSA-2w6w-674q-4c4q | handlebars: GHSA-2w6w-674q-4c4q | package-lock.json |
| HIGH | MINED115 | Action `peaceiris/actions-gh-pages` pinned to mutable ref `@v4` | .github/workflows/gh-pages-build.yml:23 |
| HIGH | MINED115 | Action `TartanLlama/actions-eleventy` pinned to mutable ref `@master` | .github/workflows/gh-pages-build.yml:19 |
| HIGH | MINED115 | Action `actions/setup-node` pinned to mutable ref `@v4` | .github/workflows/gh-pages-build.yml:14 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v4` | .github/workflows/gh-pages-build.yml:12 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@master` | .github/workflows/gh-pages-build.yml:11 |
| HIGH | MINED115 | Action `github/codeql-action/analyze` pinned to mutable ref `@v4` | .github/workflows/codeql-analysis.yml:38 |
| HIGH | MINED115 | Action `github/codeql-action/autobuild` pinned to mutable ref `@v4` | .github/workflows/codeql-analysis.yml:35 |
| HIGH | MINED115 | Action `github/codeql-action/init` pinned to mutable ref `@v4` | .github/workflows/codeql-analysis.yml:30 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v4` | .github/workflows/codeql-analysis.yml:27 |
| HIGH | GHSA-ph9p-34f9-6g65 | tmp: GHSA-ph9p-34f9-6g65 | package-lock.json |
| HIGH | GHSA-c2qf-rxjj-qqgw | semver: GHSA-c2qf-rxjj-qqgw | package-lock.json |
| HIGH | GHSA-c2c7-rcm5-vvqj | picomatch: GHSA-c2c7-rcm5-vvqj | package-lock.json |
| HIGH | GHSA-9wv6-86v2-598j | path-to-regexp: GHSA-9wv6-86v2-598j | package-lock.json |
| HIGH | GHSA-7r86-cg39-jmmj | minimatch: GHSA-7r86-cg39-jmmj | package-lock.json |
| HIGH | GHSA-3ppc-4f35-3m26 | minimatch: GHSA-3ppc-4f35-3m26 | package-lock.json |
| HIGH | GHSA-23c5-xmqv-rm74 | minimatch: GHSA-23c5-xmqv-rm74 | package-lock.json |
| HIGH | GHSA-r5fr-rjxr-66jc | lodash: GHSA-r5fr-rjxr-66jc | package-lock.json |
| HIGH | GHSA-wmfp-5q7x-987x | liquidjs: GHSA-wmfp-5q7x-987x | package-lock.json |
| HIGH | GHSA-r7g9-xpmj-5fcq | liquidjs: GHSA-r7g9-xpmj-5fcq | package-lock.json |
| HIGH | GHSA-hh27-hf48-9f5q | liquidjs: GHSA-hh27-hf48-9f5q | package-lock.json |
| HIGH | GHSA-9r5m-9576-7f6x | liquidjs: GHSA-9r5m-9576-7f6x | package-lock.json |
| HIGH | GHSA-6q5m-63h6-5x4v | liquidjs: GHSA-6q5m-63h6-5x4v | package-lock.json |
| HIGH | GHSA-56p5-8mhr-2fph | liquidjs: GHSA-56p5-8mhr-2fph | package-lock.json |
| HIGH | GHSA-4rc3-7j7w-m548 | liquidjs: GHSA-4rc3-7j7w-m548 | package-lock.json |
| HIGH | GHSA-pfq8-rq6v-vf5m | html-minifier: GHSA-pfq8-rq6v-vf5m | package-lock.json |
| HIGH | GHSA-xjpj-3mr7-gcpf | handlebars: GHSA-xjpj-3mr7-gcpf | package-lock.json |
| HIGH | GHSA-xhpv-hc6g-r9c6 | handlebars: GHSA-xhpv-hc6g-r9c6 | package-lock.json |
| HIGH | GHSA-9cx6-37pm-9jff | handlebars: GHSA-9cx6-37pm-9jff | package-lock.json |
| HIGH | GHSA-3mfm-83xf-c92r | handlebars: GHSA-3mfm-83xf-c92r | package-lock.json |
| HIGH | GHSA-3xgq-45jj-v275 | cross-spawn: GHSA-3xgq-45jj-v275 | package-lock.json |
| MED | DEPCUR-NPM | npm package `markdown-it-anchor` is 1 major version(s) behind (8.6.7 -> 9.2.0) | package.json |
| MED | DEPCUR-NPM | npm package `markdown-it` is 1 major version(s) behind (13.0.2 -> 14.2.0) | package.json |
| MED | DEPCUR-NPM | npm package `@11ty/eleventy` is 1 major version(s) behind (2.0.1 -> 3.1.6) | package.json |
| MED | GHSA-58qx-3vcg-4xpx | ws: GHSA-58qx-3vcg-4xpx | package-lock.json |
| MED | GHSA-x7hr-w5r2-h6wg | prismjs: GHSA-x7hr-w5r2-h6wg | package-lock.json |
| MED | GHSA-3v7f-55p6-f55p | picomatch: GHSA-3v7f-55p6-f55p | package-lock.json |
| MED | GHSA-x77j-w7wf-fjmw | nunjucks: GHSA-x77j-w7wf-fjmw | package-lock.json |
| MED | GHSA-952p-6rrq-rcjv | micromatch: GHSA-952p-6rrq-rcjv | package-lock.json |
| MED | GHSA-38c4-r59v-3vqw | markdown-it: GHSA-38c4-r59v-3vqw | package-lock.json |
| MED | GHSA-xxjr-mmjv-4gpg | lodash: GHSA-xxjr-mmjv-4gpg | package-lock.json |
| MED | GHSA-f23m-r3pf-42rh | lodash: GHSA-f23m-r3pf-42rh | package-lock.json |
| MED | GHSA-v273-448j-v4qj | liquidjs: GHSA-v273-448j-v4qj | package-lock.json |
| MED | GHSA-rv5g-f82m-qrvv | liquidjs: GHSA-rv5g-f82m-qrvv | package-lock.json |
| MED | GHSA-9x9p-qf8f-mvjg | liquidjs: GHSA-9x9p-qf8f-mvjg | package-lock.json |
| MED | GHSA-8xx9-69p8-7jp3 | liquidjs: GHSA-8xx9-69p8-7jp3 | package-lock.json |
| MED | GHSA-2qv6-9wx5-cwv4 | liquidjs: GHSA-2qv6-9wx5-cwv4 | package-lock.json |
| MED | GHSA-mh29-5h37-fv8m | js-yaml: GHSA-mh29-5h37-fv8m | package-lock.json |
| MED | GHSA-7rx3-28cr-v5wh | handlebars: GHSA-7rx3-28cr-v5wh | package-lock.json |
| MED | GHSA-2qvq-rjwj-gvw9 | handlebars: GHSA-2qvq-rjwj-gvw9 | package-lock.json |
| MED | GHSA-f886-m6hf-6m8v | brace-expansion: GHSA-f886-m6hf-6m8v | package-lock.json |
| MED | GHSA-968p-4wvh-cqc8 | @babel/runtime: GHSA-968p-4wvh-cqc8 | package-lock.json |
| LOW | DEPCUR-NPM | npm package `luxon` is minor version(s) behind (3.4.4 -> 3.7.2) | package.json |
| LOW | GHSA-52f5-9888-hmc6 | tmp: GHSA-52f5-9888-hmc6 | package-lock.json |
| LOW | GHSA-mmg9-6m6j-jqqx | liquidjs: GHSA-mmg9-6m6j-jqqx | package-lock.json |
| LOW | GHSA-442j-39wm-28r2 | handlebars: GHSA-442j-39wm-28r2 | package-lock.json |
| LOW | GHSA-v6h2-p8h4-qcjw | brace-expansion: GHSA-v6h2-p8h4-qcjw | package-lock.json |
| INFO | MINED044 | [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … | src/_includes/assets/js/app.js:1 |
| INFO | MINED044 | [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … | config/eleventy.config.js:33 |
| INFO | DEPCUR-NPM | npm package `@11ty/eleventy-plugin-syntaxhighlight` is patch version(s) behind (5.0.0 -> … | package.json |

61 findings available (after auto-suppression of test files + won't-fix)

Issue body (markdown)

## Code-quality scan: `h5bp/Front-end-Developer-Interview-Questions`

**Score: 82/100 (B)**  ·  61 findings  ·  scanned 2026-06-05 09:38 UTC  ·  122 LOC

| Severity | Count |
|---|---|
| CRITICAL | 2 |
| HIGH | 30 |
| MEDIUM | 21 |
| LOW | 5 |

📊 [Full filterable report](https://repobility.com/scan/b55642cb-d669-422e-9596-eb2058a0a549/)  ·  ![scorecard](https://repobility.com/scan/b55642cb-d669-422e-9596-eb2058a0a549/report.png?v=1780652330-s2)

### Top findings

1. **CRITICAL** `GHSA-gf2q-c269-pqgc` — liquidjs: GHSA-gf2q-c269-pqgc
   `package-lock.json`
2. **CRITICAL** `GHSA-2w6w-674q-4c4q` — handlebars: GHSA-2w6w-674q-4c4q
   `package-lock.json`
3. **HIGH** `MINED115` — Action `peaceiris/actions-gh-pages` pinned to mutable ref `@v4`
   `.github/workflows/gh-pages-build.yml:23` · ✓ Repobility
4. **HIGH** `MINED115` — Action `TartanLlama/actions-eleventy` pinned to mutable ref `@master`
   `.github/workflows/gh-pages-build.yml:19` · ✓ Repobility
5. **HIGH** `MINED115` — Action `actions/setup-node` pinned to mutable ref `@v4`
   `.github/workflows/gh-pages-build.yml:14` · ✓ Repobility

---

_Filed automatically. Close this issue if not useful — we won't refile. Full report: https://repobility.com/scan/b55642cb-d669-422e-9596-eb2058a0a549/_
Megaproject — high spam risk
Could not determine 'h5bp/Front-end-Developer-Interview-Questions' star count (GitHub API rate-limited or unreachable). When in doubt about repo size, prefer opening a focused PR or a discussion rather than an issue.

The button opens GitHub’s new-issue page in a new tab. You will see the title + body pre-filled — review, edit if you want, then click GitHub’s "Submit new issue" button. Repobility never posts anything on your behalf.

For real security findings on big repos: use the project's SECURITY.md or private advisory flow instead of a public issue.