31 of your 169 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 8.23s · analysis 19.19s · 16.4 MB · GitHub preflight 487ms

upstash/context7

https://github.com/upstash/context7 · scanned 2026-06-05 10:00 UTC (5 days, 14 hours ago) · 10 languages

332 raw signals (164 security + 168 graph) · 39th percentile · Typescript · small (2-20K LoC) · System graph score 56 (higher by 8)


Complete repo analysis

Last scanned 5 days, 14 hours ago · v2 · 166 actionable findings from 2 signal sources. 82 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5
Component            Sub-score  Weight  Contribution
structure_score      60.0       0.15    9.00
security_score       45.8       0.25    11.45
testing_score        79.0       0.20    15.80
documentation_score  64.0       0.15    9.60
practices_score      72.0       0.15    10.80
code_quality         71.0       0.10    7.10
Overall                         1.00    63.7
Active filters: excluding tests.
Scan summary: Quality grade C+ (64/100). Dimensions: security 46, maintainability 60. 164 findings (94 security). 13,267 lines analyzed.

Showing 146 of 166 actionable findings. 248 raw detector signals were grouped into reader-sized issues.

critical Security checks security secrets conf 0.95 6 occurrences Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.
Gitleaks detected a committed secret or credential pattern.
2 files, 6 locations
docs/api-guide.mdx:120, 124, 128, 163, 166 (5 hits)
docs/howto/api-keys.mdx:26
critical Security checks software dependencies conf 0.88 vitest: GHSA-5xrq-8626-4rwp
When Vitest UI server is listening, arbitrary file can be read and executed
pnpm-lock.yaml
critical System graph security Secrets conf 1.00 Possible secret in packages/tools-ai-sdk/src/agents/context7.ts
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
packages/tools-ai-sdk/src/agents/context7.ts:30
high Security checks software dependencies conf 0.88 @hono/node-server: GHSA-wc8c-qw6v-h7f6
@hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 @modelcontextprotocol/sdk: GHSA-345p-7cg4-v4c7
@modelcontextprotocol/sdk has cross-client data leak via shared server/transport instance reuse
pnpm-lock.yaml
high Security checks security secrets conf 1.00 [SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials was committed. AI coding agents often add these commands while trying to help with setup or deployment, but they can leak live secrets through logs, shell history, CI output, or documentation.
Remove the command, use a secret manager or CI masked secret, and rotate any credential that may have been printed.
packages/cli/src/utils/github.ts:88
high Security checks software dependencies conf 0.90 ✓ Repobility 2 occurrences Dockerfile FROM `node:lts-alpine` not pinned by digest
`FROM node:lts-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
lines 2, 15
packages/mcp/Dockerfile:2, 15 (2 hits)
high Security checks software dependencies conf 0.88 fast-uri: GHSA-q3j6-qgpj-74h6
fast-uri vulnerable to path traversal via percent-encoded dot segments
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 fast-uri: GHSA-v39h-62p7-jpjc
fast-uri vulnerable to host confusion via percent-encoded authority delimiters
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 flatted: GHSA-25h7-pfq9-p65f
flatted vulnerable to unbounded recursion DoS in parse() revive phase
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 flatted: GHSA-rf6f-7fwh-wjgh
Prototype Pollution via parse() in NodeJS flatted
pnpm-lock.yaml
medium Security checks cicd CI/CD security conf 0.90 ✓ Repobility 15 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `pnpm/action-setup` pinned to mutable ref `@v4` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
4 files, 15 locations
.github/workflows/ecr-deploy.yml:20, 28, 31, 34, 38 (7 hits)
.github/workflows/release.yml:27, 43 (4 hits)
.github/workflows/canary-release.yml:29 (2 hits)
.github/workflows/test.yml:25 (2 hits)
Tags: CI/CD security, Supply chain, GitHub Actions
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 23 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `actions/checkout` pinned to mutable ref `@v6` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
6 files, 23 locations
.github/workflows/test.yml:17, 20, 36 (5 hits)
.github/workflows/canary-release.yml:19, 24 (4 hits)
.github/workflows/changeset-check.yml:13, 18 (4 hits)
.github/workflows/mcp-registry.yml:20, 23 (4 hits)
.github/workflows/release.yml:19, 22 (4 hits)
.github/workflows/ecr-deploy.yml:17 (2 hits)
Tags: CI/CD security, Supply chain, GitHub Actions
high Security checks software dependencies conf 0.88 hono: GHSA-3vhc-576x-3qv4
Hono JWK Auth Middleware has JWT algorithm confusion when JWK lacks "alg" (untrusted header.alg fallback)
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 hono: GHSA-f67f-6cw9-8mq4
Hono JWT Middleware's JWT Algorithm Confusion via Unsafe Default (HS256) Allows Token Forgery and Auth Bypass
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 hono: GHSA-q5qw-h33p-qvwr
Hono vulnerable to arbitrary file access via serveStatic vulnerability
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 minimatch: GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 minimatch: GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 minimatch: GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 path-to-regexp: GHSA-j3q9-mxjg-w52f
path-to-regexp vulnerable to Denial of Service via sequential optional groups
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 picomatch: GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 rollup: GHSA-mw96-cpmx-2vgc
Rollup 4 has Arbitrary File Write via Path Traversal
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 undici: GHSA-f269-vfmq-vjvj
Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 undici: GHSA-v9p9-hfj2-hcw8
Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 undici: GHSA-vrm6-8vpv-qv8q
Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 vite: GHSA-p9ff-h696-f583
Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 vite: GHSA-v2wj-q39q-566r
Vite: `server.fs.deny` bypassed with queries
pnpm-lock.yaml
high System graph api Wiring conf 1.00 Dangling fetch: GET https://registry.npmjs.org/${encodeURIComponent(packageName)}/latest (packages/cli/src/utils/update-check.ts:180)
`packages/cli/src/utils/update-check.ts:180` calls `GET https://registry.npmjs.org/${encodeURIComponent(packageName)}/latest` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch. Normalized path used for matching: `/https:/registry.npmjs.org/<p>/latest`. If t…
Tags: Dangling fetch, Fetch
high System graph security security conf 1.00 Insecure pattern 'exec_used' in packages/sdk/src/commands/command.ts:25
Found a known-risky pattern (exec_used). Review and replace if possible.
packages/sdk/src/commands/command.ts:25
Tags: Exec used
high System graph security security conf 1.00 Insecure pattern 'exec_used' in packages/sdk/src/commands/get-context/index.ts:27
Found a known-risky pattern (exec_used). Review and replace if possible.
packages/sdk/src/commands/get-context/index.ts:27
Tags: Exec used
high System graph security security conf 1.00 Insecure pattern 'exec_used' in packages/sdk/src/commands/search-library/index.ts:28
Found a known-risky pattern (exec_used). Review and replace if possible.
packages/sdk/src/commands/search-library/index.ts:28
Tags: Exec used
medium Security checks software dependencies conf 0.88 @hono/node-server: GHSA-92pp-h63x-v22m
@hono/node-server: Middleware bypass via repeated slashes in serveStatic
pnpm-lock.yaml
medium Security checks quality Error handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
packages/cli/src/utils/tracking.ts:9
medium Security checks software dependencies conf 0.88 ajv: GHSA-2g4f-4pwh-qvx6
ajv has ReDoS when using `$data` option
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 body-parser: GHSA-wqch-xfxh-vrr4
body-parser is vulnerable to denial of service when url encoding is used
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 brace-expansion: GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion
pnpm-lock.yaml
medium Security checks cicd CI/CD security conf 0.90 Docker build context has no .dockerignore
Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts.
.dockerignore
Tags: CI/CD security, containers
high Security checks cicd CI/CD security conf 0.82 Docker final stage has no non-root USER
Docker images run as root unless the image or Dockerfile switches to a non-root user.
packages/mcp/Dockerfile:15
Tags: CI/CD security, containers
high Security checks software dependencies conf 0.90 GitHub Action `actions/github-script@v7` is 2 major version(s) behind (latest v9.0.0)
`uses: actions/github-script@v7` is 2 major version(s) behind the latest published release v9.0.0. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
.github/workflows/changeset-check.yml:18
high Security checks software dependencies conf 0.90 4 occurrences GitHub Action `actions/setup-node@v4` is 2 major version(s) behind (latest v6.4.0)
`uses: actions/setup-node@v4` is 2 major version(s) behind the latest published release v6.4.0. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
4 files, 4 locations
.github/workflows/canary-release.yml:24
.github/workflows/mcp-registry.yml:23
.github/workflows/release.yml:22
.github/workflows/test.yml:20
high Security checks software dependencies conf 0.90 GitHub Action `aws-actions/configure-aws-credentials@v5` is 1 major version(s) behind (latest v6.2.0)
`uses: aws-actions/configure-aws-credentials@v5` is 1 major version(s) behind the latest published release v6.2.0. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had…
.github/workflows/ecr-deploy.yml:20
high Security checks software dependencies conf 0.90 3 occurrences GitHub Action `pnpm/action-setup@v4` is 2 major version(s) behind (latest v6.0.8)
`uses: pnpm/action-setup@v4` is 2 major version(s) behind the latest published release v6.0.8. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
3 files, 3 locations
.github/workflows/canary-release.yml:29
.github/workflows/release.yml:27
.github/workflows/test.yml:25
medium Security checks software dependencies conf 0.88 hono: GHSA-26pp-8wgv-hjvm
Hono missing validation of cookie name on write path in setCookie()
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 hono: GHSA-2gcr-mfcq-wcc3
Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 hono: GHSA-3hrh-pfw6-9m5x
Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 hono: GHSA-458j-xx4x-4375
hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 hono: GHSA-5pq2-9x2x-5p6w
Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie()
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 hono: GHSA-69xw-7hcm-h432
hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 hono: GHSA-6wqw-2p9w-4vw4
Hono cache middleware ignores "Cache-Control: private" leading to Web Cache Deception
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 hono: GHSA-9r54-q6cx-xmh5
Hono vulnerable to XSS through ErrorBoundary component
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 hono: GHSA-9vqf-7f2p-gf9v
Hono: bodyLimit() can be bypassed for chunked / unknown-length requests
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 hono: GHSA-f577-qrjj-4474
Hono: JWT middleware accepts any Authorization scheme, not only Bearer
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 hono: GHSA-p6xx-57qc-3wxr
Hono Vulnerable to SSE Control Field Injection via CR/LF in writeSSE()
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 hono: GHSA-p77w-8qqv-26rm
Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 hono: GHSA-qp7p-654g-cw7p
Hono has CSS Declaration Injection via Style Object Values in JSX SSR
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 hono: GHSA-r354-f388-2fhh
Hono IPv4 address validation bypass in IP Restriction Middleware allows IP spoofing
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 hono: GHSA-r5rp-j6wh-rvv4
Hono: Non-breaking space prefix bypass in cookie name handling in getCookie()
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 hono: GHSA-v8w9-8mx6-g223
Hono vulnerable to Prototype Pollution possible through __proto__ key allowed in parseBody({ dot: true })
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 hono: GHSA-w332-q679-j88p
Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter)
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 hono: GHSA-wmmm-f939-6g9c
Hono: Middleware bypass via repeated slashes in serveStatic
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 hono: GHSA-xf4j-xp2r-rqqx
Hono: Path traversal in toSSG() allows writing files outside the output directory
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 hono: GHSA-xpcf-pg52-r92g
Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 hono: GHSA-xrhx-7g5j-rcj5
Hono: IP Restriction bypasses static deny rules for non-canonical IPv6
pnpm-lock.yaml
medium Security checks software dependencies conf 0.90 npm package `commander` is 1 major version(s) behind (^14.0.0 -> 15.0.0)
`commander` is pinned/resolved at ^14.0.0 but the latest stable release on the npm registry is 15.0.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
packages/mcp/package.json
medium Security checks software dependencies conf 0.90 npm package `commander` is 2 major version(s) behind (^13.1.0 -> 15.0.0)
`commander` is pinned/resolved at ^13.1.0 but the latest stable release on the npm registry is 15.0.0 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
packages/cli/package.json
medium Security checks software dependencies conf 0.90 npm package `open` is 1 major version(s) behind (^10.1.0 -> 11.0.0)
`open` is pinned/resolved at ^10.1.0 but the latest stable release on the npm registry is 11.0.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
packages/cli/package.json
medium Security checks software dependencies conf 0.90 npm package `undici` is 2 major version(s) behind (^6.6.3 -> 8.3.0)
`undici` is pinned/resolved at ^6.6.3 but the latest stable release on the npm registry is 8.3.0 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
packages/mcp/package.json
medium Security checks software dependencies conf 0.88 path-to-regexp: GHSA-27v5-c462-wpq7
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 picomatch: GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 postcss: GHSA-qx2v-qp2m-jg93
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 qs: GHSA-6rw7-vpxm-498p
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 qs: GHSA-q8mj-m7cp-5q26
qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 undici: GHSA-2mjp-6q6p-2qxm
Undici has an HTTP Request/Response Smuggling issue
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 undici: GHSA-4992-7rv2-5pvq
Undici has CRLF Injection in undici via `upgrade` option
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 undici: GHSA-g9mf-h72j-4rw9
Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 vite: GHSA-4w7w-66w2-5vf9
Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling
pnpm-lock.yaml
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/cli/src/commands/auth.ts:255
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/cli/src/utils/api.ts:31
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/cli/src/utils/github.ts:162
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/mcp/src/lib/api.ts:122
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/pi/lib/api.ts:43
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph hardware Security conf 1.00 Dockerfile runs as root: packages/mcp/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Tags: Container
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/mcp-registry.yml
Tags: CI/CD security, Supply chain, Github actions
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/release.yml
Tags: CI/CD security, Supply chain, Github actions
low Security checks quality Quality conf 0.60 14 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
8 files, 14 locations
packages/sdk/eslint.config.js:1, 4, 7 (3 hits)
packages/tools-ai-sdk/eslint.config.js:1, 4, 7 (3 hits)
packages/pi/eslint.config.js:1, 7 (2 hits)
packages/tools-ai-sdk/src/prompts/system.ts:31, 34 (2 hits)
packages/mcp/eslint.config.js:16
packages/pi/lib/format.ts:2
packages/pi/lib/prompts.ts:3
packages/pi/lib/types.ts:1
Tags: duplication, quality
high Security checks software dependencies conf 0.90 GitHub Action `aws-actions/amazon-ecr-login@v2` is minor version(s) behind (latest v2.1.5)
`uses: aws-actions/amazon-ecr-login@v2` is minor version(s) behind the latest published release v2.1.5. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverag…
.github/workflows/ecr-deploy.yml:28
high Security checks software dependencies conf 0.90 GitHub Action `changesets/action@v1` is minor version(s) behind (latest v1.9.0)
`uses: changesets/action@v1` is minor version(s) behind the latest published release v1.9.0. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
.github/workflows/release.yml:43
low Security checks software dependencies conf 0.88 hono: GHSA-gq3j-xvxp-8hrf
Hono added timing comparison hardening in basicAuth and bearerAuth
pnpm-lock.yaml
low Security checks software dependencies conf 0.88 hono: GHSA-hm8q-7f3q-5f36
Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()
pnpm-lock.yaml
low Security checks software dependencies conf 0.90 npm package `@changesets/cli` is minor version(s) behind (^2.29.8 -> 2.31.0)
`@changesets/cli` is pinned/resolved at ^2.29.8 but the latest stable release on the npm registry is 2.31.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `@earendil-works/pi-coding-agent` is minor version(s) behind (^0.75.4 -> 0.78.1)
`@earendil-works/pi-coding-agent` is pinned/resolved at ^0.75.4 but the latest stable release on the npm registry is 0.78.1 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-upd…
packages/pi/package.json
low Security checks software dependencies conf 0.90 2 occurrences npm package `@inquirer/core` is minor version(s) behind (^11.1.1 -> 11.2.1)
`@inquirer/core` is pinned/resolved at ^11.1.1 but the latest stable release on the npm registry is 11.2.1 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
2 files, 2 locations
package.json
packages/cli/package.json
low Security checks software dependencies conf 0.90 npm package `@inquirer/prompts` is minor version(s) behind (^8.2.0 -> 8.5.2)
`@inquirer/prompts` is pinned/resolved at ^8.2.0 but the latest stable release on the npm registry is 8.5.2 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
packages/cli/package.json
low Security checks software dependencies conf 0.90 npm package `@modelcontextprotocol/sdk` is minor version(s) behind (^1.25.1 -> 1.29.0)
`@modelcontextprotocol/sdk` is pinned/resolved at ^1.25.1 but the latest stable release on the npm registry is 1.29.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PR…
packages/mcp/package.json
low Security checks software dependencies conf 0.90 2 occurrences npm package `dotenv` is minor version(s) behind (^17.2.3 -> 17.4.2)
`dotenv` is pinned/resolved at ^17.2.3 but the latest stable release on the npm registry is 17.4.2 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
2 files, 2 locations
packages/sdk/package.json
packages/tools-ai-sdk/package.json
low Security checks software dependencies conf 0.90 2 occurrences npm package `eslint-plugin-prettier` is minor version(s) behind (^5.2.5 -> 5.5.6)
`eslint-plugin-prettier` is pinned/resolved at ^5.2.5 but the latest stable release on the npm registry is 5.5.6 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs rai…
2 files, 2 locations
package.json
packages/cli/package.json
low Security checks software dependencies conf 0.90 npm package `express` is minor version(s) behind (^5.1.0 -> 5.2.1)
`express` is pinned/resolved at ^5.1.0 but the latest stable release on the npm registry is 5.2.1 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
packages/mcp/package.json
low Security checks software dependencies conf 0.90 npm package `figlet` is minor version(s) behind (^1.9.4 -> 1.11.0)
`figlet` is pinned/resolved at ^1.9.4 but the latest stable release on the npm registry is 1.11.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
packages/cli/package.json
low Security checks software dependencies conf 0.90 npm package `jose` is minor version(s) behind (^6.1.3 -> 6.2.3)
`jose` is pinned/resolved at ^6.1.3 but the latest stable release on the npm registry is 6.2.3 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
packages/mcp/package.json
low Security checks software dependencies conf 0.90 npm package `ora` is minor version(s) behind (^9.0.0 -> 9.4.0)
`ora` is pinned/resolved at ^9.0.0 but the latest stable release on the npm registry is 9.4.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
packages/cli/package.json
low Security checks software dependencies conf 0.90 2 occurrences npm package `prettier` is minor version(s) behind (^3.6.2 -> 3.8.3)
`prettier` is pinned/resolved at ^3.6.2 but the latest stable release on the npm registry is 3.8.3 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
2 files, 2 locations
package.json
packages/cli/package.json
low Security checks software dependencies conf 0.88 qs: GHSA-w7fw-mjwx-w883
qs's arrayLimit bypass in comma parsing allows denial of service
pnpm-lock.yaml
low System graph quality Integrity conf 1.00 5 env vars used in code but missing from .env.example
Drift between code and config docs. The first few: `API_KEY`, `AWS_BEARER_TOKEN_BEDROCK`, `AWS_REGION`, `CONTEXT7_BASE_URL`, `HTTP_PROXY`. Add them (with a placeholder/comment) to .env.example so onboarding doesn't break.
Tags: config drift
low System graph hardware Coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
Tags: Deployment
low System graph hardware Supply chain conf 1.00 2 occurrences Docker base image is tag-pinned but not digest-pinned: node:lts-alpine
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
lines 2, 15
packages/mcp/Dockerfile:2, 15 (2 hits)
Tags: containers, Pinned dependencies
low System graph software Dead code candidate conf 1.00 31 occurrences File has no detected symbols
Source file with no class/function declarations — possible config, dead code, or scratch file.
31 files, 31 locations
eslint.config.js
packages/cli/eslint.config.js
packages/cli/src/__tests__/auth-utils.test.ts
packages/cli/src/__tests__/update-check.test.ts
packages/cli/src/constants.ts
packages/cli/src/types.ts
packages/cli/tsup.config.ts
packages/cli/vitest.config.ts
packages/mcp/eslint.config.js
packages/mcp/src/lib/constants.ts
packages/mcp/src/lib/types.ts
packages/mcp/test/certificate.test.ts
packages/pi/eslint.config.js
packages/pi/lib/tools/query-docs.ts
packages/pi/lib/tools/resolve-library-id.ts
packages/pi/lib/types.ts
packages/pi/vitest.config.ts
packages/sdk/eslint.config.js
packages/sdk/src/client.test.ts
packages/sdk/src/commands/get-context/index.test.ts
packages/sdk/src/commands/get-context/types.ts
packages/sdk/src/commands/search-library/index.test.ts
packages/sdk/src/commands/search-library/types.ts
packages/sdk/src/commands/types.ts
packages/sdk/tsup.config.ts
packages/sdk/vitest.config.ts
packages/tools-ai-sdk/eslint.config.js
packages/tools-ai-sdk/src/index.test.ts
packages/tools-ai-sdk/src/tools/types.ts
packages/tools-ai-sdk/tsup.config.ts
packages/tools-ai-sdk/vitest.config.ts
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `warnSkillHubDeprecated` in packages/cli/src/commands/skill.ts:66
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph frontend Frontend quality conf 1.00 6 occurrences Stray `console.log` in TS/JS
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
6 files, 6 locations
packages/cli/src/commands/auth.ts:125
packages/cli/src/commands/docs.ts:89
packages/cli/src/commands/generate.ts:88
packages/cli/src/commands/skill.ts:731
packages/cli/src/index.ts:68
packages/cli/src/utils/logger.ts:19
Fq console leak
low System graph api Wiring conf 1.00 Unused endpoint: ALL /mcp
`packages/mcp/src/index.ts` declares `ALL /mcp` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: ALL /mcp/oauth
`packages/mcp/src/index.ts` declares `ALL /mcp/oauth` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
high Security checks software dependencies conf 0.90 6 occurrences GitHub Action `actions/checkout@v6` is patch version(s) behind (latest v6.0.3)
`uses: actions/checkout@v6` is patch version(s) behind the latest published release v6.0.3. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
6 files, 6 locations
.github/workflows/canary-release.yml:19
.github/workflows/changeset-check.yml:13
.github/workflows/ecr-deploy.yml:17
.github/workflows/mcp-registry.yml:20
.github/workflows/release.yml:19
.github/workflows/test.yml:17
API access

This page is publicly accessible at: https://repobility.com/scan/c1b43730-b3d0-4cb5-b932-51efa221260d/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/c1b43730-b3d0-4cb5-b932-51efa221260d/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.