46 of the 236 findings came from Repobility's proprietary detections; the ✓ Repobility tag marks them in the list below.

Scan timing: clone 2.59s · analysis 68.03s · 8.9 MB · GitHub API rate-limit (preflight)

remix-run/react-router

https://github.com/remix-run/react-router · scanned 2026-06-05 10:04 UTC (5 days, 14 hours ago) · 10 languages

1057 raw signals (227 security + 830 graph) · 24th percentile · TypeScript · large (100-500K LoC)


Complete repo analysis

Last scanned 5 days, 14 hours ago · v2 · 489 actionable findings from 2 signal sources. 153 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown (2026-05-18-v5)
Component             Sub-score   Weight   Contribution
structure_score          60.0      0.15        9.00
security_score           42.8      0.25       10.70
testing_score            95.0      0.20       19.00
documentation_score      85.1      0.15       12.76
practices_score          77.0      0.15       11.55
code_quality             50.7      0.10        5.07
Overall                            1.00       68.1
Active filters: excluding tests
Scan summary: quality grade B- (68/100). Dimensions: security 43, maintainability 60. 227 findings (133 security). 187,401 lines analyzed.

Showing 415 of 489 actionable findings. 642 raw detector signals were grouped into reader-sized issues.

critical Security checks software dependencies conf 0.88 basic-ftp: GHSA-5rq4-664w-9x2c
Basic FTP has Path Traversal Vulnerability in its downloadToDir() method
pnpm-lock.yaml
critical Security checks software dependencies conf 0.88 form-data: GHSA-fjxv-7rqg-78g4
form-data uses unsafe random function in form-data for choosing boundary
pnpm-lock.yaml
low Security checks cicd CI/CD security conf 0.35 ✓ Repobility 2 occurrences Workflow references repository secrets in a pull_request workflow
Fork pull_request runs do not receive normal repository secrets on GitHub Actions. Review this as a reliability/intent signal, not as direct fork-secret exfiltration. Raise severity only for pull_request_target or another trusted-context path that runs untrusted PR code with secrets.
.github/workflows/release.yml:82, 99 (2 hits)
Tags: CI/CD security · workflow secrets · GitHub Actions
high Security checks software dependencies conf 0.88 @babel/plugin-transform-modules-systemjs: GHSA-fv7c-fp4j-7gwp
@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 @vitejs/plugin-rsc: GHSA-v457-wxvj-p9w9
@vitejs/plugin-rsc has a Denial of Service with React Server Components
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 @vitejs/plugin-rsc: GHSA-w94c-4vhp-22gx
@vitejs/plugin-rsc has a Denial of Service Vulnerability in React Server Components
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 axios: GHSA-35jp-ww65-95wh
axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 axios: GHSA-3g43-6gmg-66jw
axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 axios: GHSA-43fc-jf86-j433
Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 axios: GHSA-4hjh-wcwx-xvwj
Axios is vulnerable to DoS attack through lack of data size check
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 axios: GHSA-6chq-wfr3-2hj9
Axios: Header Injection via Prototype Pollution
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 axios: GHSA-8hc4-vh64-cxmj
Server-Side Request Forgery in axios
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 axios: GHSA-hfxv-24rg-xrqf
Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 axios: GHSA-j5f8-grm9-p9fc
Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 axios: GHSA-jr5f-v2jv-69x6
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 axios: GHSA-p92q-9vqr-4j8v
Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 axios: GHSA-pf86-5x62-jrwf
Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 axios: GHSA-pjwm-pj3p-43mv
axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 axios: GHSA-q8qp-cvcw-x6jj
Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 basic-ftp: GHSA-6v7q-wjvx-w8wg
basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 basic-ftp: GHSA-rp42-5vxx-qpwr
basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list()
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 basic-ftp: GHSA-rpmf-866q-6p89
basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 braces: GHSA-grv7-fg5c-xmjg
Uncontrolled resource consumption in braces
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 fast-uri: GHSA-q3j6-qgpj-74h6
fast-uri vulnerable to path traversal via percent-encoded dot segments
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 fast-uri: GHSA-v39h-62p7-jpjc
fast-uri vulnerable to host confusion via percent-encoded authority delimiters
pnpm-lock.yaml
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 54 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `actions/checkout` is referenced by the mutable tag `@v6`. A tag or branch can be moved to point at different code after it was reviewed, so pin external actions to a reviewed full commit SHA (keeping the version in a trailing comment) when the workflow is security-sensitive.
12 files, 53 locations
.github/workflows/release.yml:37, 78, 88, 111, 117, 142, 150, 172, +1 more (9 hits)
.github/workflows/preview.yml:44, 48, 54, 62 (7 hits)
.github/workflows/pr-checks.yml:26, 32, 50 (6 hits)
.github/workflows/deduplicate-lock-file.yml:21, 29 (4 hits)
.github/workflows/docs.yml:28, 37 (4 hits)
.github/workflows/release-comments.yml:19, 27 (4 hits)
.github/workflows/shared-build.yml:14, 20 (4 hits)
.github/workflows/shared-integration.yml:41, 47 (4 hits)
Tags: CI/CD security · Supply chain · GitHub Actions
medium Security checks cicd CI/CD security conf 0.90 ✓ Repobility 21 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `pnpm/action-setup` is referenced by the mutable tag `@v6`. A tag or branch can be moved to point at different code after it was reviewed, so pin external actions to a reviewed full commit SHA (keeping the version in a trailing comment) when the workflow is security-sensitive.
11 files, 21 locations
.github/workflows/release.yml:85, 114, 147, 180 (4 hits)
.github/workflows/deduplicate-lock-file.yml:26 (2 hits)
.github/workflows/docs.yml:34 (2 hits)
.github/workflows/pr-checks.yml:29 (2 hits)
.github/workflows/release-comments.yml:24 (2 hits)
.github/workflows/shared-build.yml:17 (2 hits)
.github/workflows/shared-integration.yml:44 (2 hits)
.github/workflows/test.yml:41 (2 hits)
Tags: CI/CD security · Supply chain · GitHub Actions
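The three CI/CD findings above (secrets referenced from a pull_request workflow, and two actions pinned to a mutable tag) can be checked with one pass over the workflow files. The script below is an added example, not the scanner's code and not anything from the react-router repository: it scans two constructed sample workflows, flags every `uses:` reference whose ref is not a 40-hex commit SHA, and rates secret references by trigger the way the finding text describes: low for `pull_request` (fork runs get no repository secrets) and high only when `pull_request_target` both references secrets and checks out the PR head. The workflow names, action versions, secret names and the placeholder SHA are all made up for the sample.

```javascript
// Added example: GitHub Actions workflow linter for tag-pinned actions and
// secret use by trigger. Both sample workflows are constructed, not real files.
const SAMPLE_WORKFLOWS = {
  // Mirrors the low-severity finding: pull_request trigger, a secret, tag pins.
  "pr-checks.yml": `
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: pnpm/action-setup@v6
      - run: pnpm test
        env:
          NPM_TOKEN: \${{ secrets.NPM_TOKEN }}
`,
  // The dangerous shape: trusted pull_request_target context, PR head checked
  // out, secret exposed. The SHA is a placeholder, not a real checkout commit.
  "preview.yml": `
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v5.0.0 (placeholder)
        with:
          ref: \${{ github.event.pull_request.head.sha }}
      - run: pnpm build
        env:
          DEPLOY_KEY: \${{ secrets.DEPLOY_KEY }}
`,
};

const SHA_PIN = /^[0-9a-f]{40}$/;

// Event names under the top-level `on:` key, in inline or block form.
function parseTriggers(yamlText) {
  const lines = yamlText.split("\n");
  const i = lines.findIndex((l) => /^on:/.test(l));
  if (i === -1) return [];
  const inline = lines[i].slice(3).trim();
  if (inline) return inline.replace(/[\[\]]/g, "").split(",").map((t) => t.trim()).filter(Boolean);
  const triggers = [];
  for (const line of lines.slice(i + 1)) {
    if (!line.trim()) continue;
    if (!line.startsWith(" ")) break; // back at top level: the on: block is over
    const key = line.match(/^  ([A-Za-z_][\w-]*):/); // exactly two spaces = event name
    if (key) triggers.push(key[1]);
  }
  return triggers;
}

// Every external `uses:` reference, with whether its ref is a full commit SHA.
function findUses(yamlText) {
  const uses = [];
  for (const m of yamlText.matchAll(/^\s*-?\s*uses:\s*['"]?([^\s'"]+)/gm)) {
    const spec = m[1];
    if (spec.startsWith("./") || spec.startsWith("docker://")) continue; // local path or image
    const at = spec.lastIndexOf("@");
    const action = at === -1 ? spec : spec.slice(0, at);
    const ref = at === -1 ? "" : spec.slice(at + 1);
    uses.push({ action, ref, shaPinned: SHA_PIN.test(ref) });
  }
  return uses;
}

// Repository secret names referenced as ${{ secrets.NAME }}.
function findSecrets(yamlText) {
  const names = new Set();
  for (const m of yamlText.matchAll(/\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)/g)) names.add(m[1]);
  return [...names];
}

// A checkout whose ref is the PR head: untrusted code in the workflow's context.
function checksOutPrHead(yamlText) {
  return /ref:\s*\$\{\{\s*github\.(event\.pull_request\.head\.(sha|ref)|head_ref)\s*\}\}/.test(yamlText);
}

function assessWorkflow(file, yamlText) {
  const triggers = parseTriggers(yamlText);
  const secrets = findSecrets(yamlText);
  const headCheckout = checksOutPrHead(yamlText);
  const unpinned = findUses(yamlText).filter((u) => !u.shaPinned);
  let severity = "info";
  let reason = "no repository secrets referenced";
  if (secrets.length > 0 && triggers.includes("pull_request_target") && headCheckout) {
    severity = "high";
    reason = "pull_request_target checks out the PR head and references secrets: untrusted code in a trusted context";
  } else if (secrets.length > 0 && triggers.includes("pull_request_target")) {
    severity = "medium";
    reason = "pull_request_target references secrets: confirm no step executes PR-controlled code";
  } else if (secrets.length > 0 && triggers.includes("pull_request")) {
    severity = "low";
    reason = "pull_request runs from forks do not receive repository secrets; treat as an intent signal";
  } else if (secrets.length > 0) {
    reason = "secrets referenced only on trusted triggers";
  }
  return { file, triggers, secrets, headCheckout, unpinned, severity, reason };
}

function assessAll(workflows) {
  return Object.entries(workflows).map(([file, text]) => assessWorkflow(file, text));
}

for (const r of assessAll(SAMPLE_WORKFLOWS)) {
  console.log(`${r.file}: ${r.severity} (${r.reason}); triggers=${r.triggers.join(",")}`);
  for (const u of r.unpinned) console.log(`  tag-pinned: ${u.action}@${u.ref} -> pin to a reviewed commit SHA`);
}
```

The severity ladder is the one the finding text describes, with one addition: `pull_request_target` plus secrets but no PR-head checkout is rated medium rather than low, because a step can still run PR-controlled code in other ways (for example by invoking a script from the PR's repository), and that deserves a manual look. The scan is line-based on purpose, so it needs no YAML library and can run in a pre-commit hook.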
high Security checks software dependencies conf 0.88 glob: GHSA-5j98-mcp5-4vw2
glob CLI: Command injection via -c/--cmd executes matches with shell:true
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 lodash: GHSA-r5fr-rjxr-66jc
lodash vulnerable to Code Injection via `_.template` imports key names
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 minimatch: GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 minimatch: GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 minimatch: GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 path-to-regexp: GHSA-37ch-88jc-xwx2
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 picomatch: GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 react-server-dom-webpack: GHSA-479c-33wc-g2pg
React Server Components have a Denial of Service Vulnerability
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 react-server-dom-webpack: GHSA-83fc-fqcc-2hmg
React Server Components have multiple Denial of Service Vulnerabilities
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 react-server-dom-webpack: GHSA-rv78-f8rc-xrxh
Facebook React has a Denial of Service Vulnerability in React Server Components
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 rollup: GHSA-mw96-cpmx-2vgc
Rollup 4 has Arbitrary File Write via Path Traversal
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 serialize-javascript: GHSA-5c6j-r48x-rmvq
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 tar-fs: GHSA-vj76-c3g6-qr5v
tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 undici: GHSA-f269-vfmq-vjvj
Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 undici: GHSA-v9p9-hfj2-hcw8
Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 undici: GHSA-vrm6-8vpv-qv8q
Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 vite: GHSA-c27g-q93r-2cwf
launch-editor vulnerable to command injection via the crafted request on Windows
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 vite: GHSA-p9ff-h696-f583
Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 vite: GHSA-v2wj-q39q-566r
Vite: `server.fs.deny` bypassed with queries
pnpm-lock.yaml
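Every dependency advisory above is attributed to pnpm-lock.yaml, and the lockfile line alone does not say whether the flagged package is in the runtime dependency graph of a published workspace package or only in the monorepo root's tooling. The first triage step is therefore to find which importer pulls the package in and through which section. The script below is an added example, not part of react-router and not the scanner's code: it parses the subset of the pnpm lockfile v9 layout needed for the walk (the `importers` and `snapshots` sections) and reports, for a target package name, one dependency path from each importer section that reaches it. The lockfile text is constructed for the example; the importer names, versions and dependency edges are placeholders, even where the package names match ones on this page.

```javascript
// Added example: reverse-dependency triage over a pnpm lockfile (v9 layout).
// The lockfile is constructed for the example; importer names, versions and
// edges are placeholders, not react-router's real lockfile.
const SAMPLE_LOCK = `
lockfileVersion: '9.0'
importers:
  .:
    devDependencies:
      axios:
        specifier: ^1.7.0
        version: 1.7.0
      vite:
        specifier: ^6.0.0
        version: 6.0.0(@types/node@22.0.0)
  packages/app:
    dependencies:
      cookie:
        specifier: ^1.0.1
        version: 1.0.1
  packages/dev-tools:
    dependencies:
      vite:
        specifier: ^6.0.0
        version: 6.0.0(@types/node@22.0.0)
snapshots:
  axios@1.7.0:
    dependencies:
      follow-redirects: 1.15.6
      form-data: 4.0.0
  cookie@1.0.1: {}
  form-data@4.0.0: {}
  rollup@4.28.0: {}
  vite@6.0.0(@types/node@22.0.0):
    dependencies:
      esbuild: 0.24.0
      rollup: 4.28.0
    optionalDependencies:
      '@types/node': 22.0.0
`;

// Minimal parser for the YAML subset these sections use: nested maps keyed by
// indentation, scalar values, `{}` for an empty map, quoted keys/values. No lists.
function parseLock(text) {
  const root = {};
  const stack = [{ indent: -1, node: root }];
  for (const raw of text.split("\n")) {
    if (!raw.trim() || raw.trim().startsWith("#")) continue;
    const m = raw.trim().match(/^(['"]?)(.+?)\1:(?:\s+(.*))?$/);
    if (!m) continue;
    const indent = raw.search(/\S/);
    while (stack[stack.length - 1].indent >= indent) stack.pop(); // climb to the parent map
    const parent = stack[stack.length - 1].node;
    if (m[3] === undefined || m[3] === "{}") {
      parent[m[2]] = {};
      stack.push({ indent, node: parent[m[2]] });
    } else {
      parent[m[2]] = m[3].replace(/^(['"])(.*)\1$/, "$2");
    }
  }
  return root;
}

// Depth-first walk from a snapshot key ("name@version(peers)") towards the target
// package name, following dependencies and optionalDependencies. Snapshot keys and
// dependency values carry the same peer suffix, so plain concatenation resolves them.
function walk(snapshots, key, target, trail, seen) {
  if (seen.has(key)) return null;
  seen.add(key);
  const here = [...trail, key];
  if (key.startsWith(target + "@")) return here;
  const snap = snapshots[key] || {};
  const deps = { ...(snap.dependencies || {}), ...(snap.optionalDependencies || {}) };
  for (const [name, version] of Object.entries(deps)) {
    const found = walk(snapshots, `${name}@${version}`, target, here, seen);
    if (found) return found;
  }
  return null;
}

// One reaching path per importer section; `runtime` is true when any path starts
// from a `dependencies` section, i.e. the package is in a workspace package's
// runtime graph rather than only in tooling.
function triage(lockText, target) {
  const lock = parseLock(lockText);
  const paths = [];
  for (const [importer, sections] of Object.entries(lock.importers || {})) {
    for (const section of ["dependencies", "devDependencies", "optionalDependencies"]) {
      for (const [name, meta] of Object.entries(sections[section] || {})) {
        const path = walk(lock.snapshots || {}, `${name}@${meta.version}`, target, [`${importer} (${section})`], new Set());
        if (path) paths.push(path);
      }
    }
  }
  return { target, paths, runtime: paths.some((p) => p[0].endsWith("(dependencies)")) };
}

for (const target of ["form-data", "rollup"]) {
  const r = triage(SAMPLE_LOCK, target);
  console.log(`${target}: ${r.runtime ? "RUNTIME" : "dev-only"}`);
  for (const p of r.paths) console.log("  " + p.join(" > "));
}
```

For a real lockfile, read the file with `fs.readFileSync` and pass the text to `triage`. A dev-only result does not make an advisory irrelevant (a command-injection or path-traversal bug in build tooling still runs on every developer machine and CI runner), but it changes who is exposed and whether a release is needed, which is the question the lockfile attribution alone cannot answer.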
high System graph api Wiring conf 1.00 Dangling fetch: GET / (packages/react-router/__tests__/router/fetchers-test.ts:621)
`packages/react-router/__tests__/router/fetchers-test.ts:621` calls `GET /` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/` If this points at an external API, prefix it with `https://` so the matcher skips it.
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET / (packages/react-router/__tests__/router/fetchers-test.ts:649)
`packages/react-router/__tests__/router/fetchers-test.ts:649` calls `GET /` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/` If this points at an external API, prefix it with `https://` so the matcher skips it.
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/book (packages/react-router/lib/components.tsx:1614)
`packages/react-router/lib/components.tsx:1614` calls `GET /api/book` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/book` If this points at an external API, prefix it with `https://` so the matcher skips it.
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /bar (packages/react-router/__tests__/router/fetchers-test.ts:363)
`packages/react-router/__tests__/router/fetchers-test.ts:363` calls `GET /bar` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/bar` If this points at an external API, prefix it with `https://` so the matcher skips it.
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /bar (packages/react-router/__tests__/router/fetchers-test.ts:380)
`packages/react-router/__tests__/router/fetchers-test.ts:380` calls `GET /bar` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/bar` If this points at an external API, prefix it with `https://` so the matcher skips it.
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /foo (packages/react-router/__tests__/router/fetchers-test.ts:1138)
`packages/react-router/__tests__/router/fetchers-test.ts:1138` calls `GET /foo` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/foo` If this points at an external API, prefix it with `https://` so the matcher skips i…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /foo (packages/react-router/__tests__/router/fetchers-test.ts:1142)
`packages/react-router/__tests__/router/fetchers-test.ts:1142` calls `GET /foo` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/foo` If this points at an external API, prefix it with `https://` so the matcher skips i…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /foo (packages/react-router/__tests__/router/fetchers-test.ts:1174)
`packages/react-router/__tests__/router/fetchers-test.ts:1174` calls `GET /foo` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/foo` If this points at an external API, prefix it with `https://` so the matcher skips i…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /foo (packages/react-router/__tests__/router/fetchers-test.ts:1178)
`packages/react-router/__tests__/router/fetchers-test.ts:1178` calls `GET /foo` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/foo` If this points at an external API, prefix it with `https://` so the matcher skips i…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /foo (packages/react-router/__tests__/router/fetchers-test.ts:1207)
`packages/react-router/__tests__/router/fetchers-test.ts:1207` calls `GET /foo` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/foo` If this points at an external API, prefix it with `https://` so the matcher skips i…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /foo (packages/react-router/__tests__/router/fetchers-test.ts:1211)
`packages/react-router/__tests__/router/fetchers-test.ts:1211` calls `GET /foo` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/foo` If this points at an external API, prefix it with `https://` so the matcher skips i…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /foo (packages/react-router/__tests__/router/fetchers-test.ts:1240)
`packages/react-router/__tests__/router/fetchers-test.ts:1240` calls `GET /foo` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/foo` If this points at an external API, prefix it with `https://` so the matcher skips i…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /foo (packages/react-router/__tests__/router/fetchers-test.ts:1244)
`packages/react-router/__tests__/router/fetchers-test.ts:1244` calls `GET /foo` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/foo` If this points at an external API, prefix it with `https://` so the matcher skips i…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /foo (packages/react-router/__tests__/router/fetchers-test.ts:1272)
`packages/react-router/__tests__/router/fetchers-test.ts:1272` calls `GET /foo` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/foo` If this points at an external API, prefix it with `https://` so the matcher skips i…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /foo (packages/react-router/__tests__/router/fetchers-test.ts:1276)
`packages/react-router/__tests__/router/fetchers-test.ts:1276` calls `GET /foo` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/foo` If this points at an external API, prefix it with `https://` so the matcher skips i…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /foo (packages/react-router/__tests__/router/fetchers-test.ts:1310)
`packages/react-router/__tests__/router/fetchers-test.ts:1310` calls `GET /foo` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/foo` If this points at an external API, prefix it with `https://` so the matcher skips i…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /foo (packages/react-router/__tests__/router/fetchers-test.ts:1314)
`packages/react-router/__tests__/router/fetchers-test.ts:1314` calls `GET /foo` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/foo` If this points at an external API, prefix it with `https://` so the matcher skips i…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /foo (packages/react-router/__tests__/router/fetchers-test.ts:1346)
`packages/react-router/__tests__/router/fetchers-test.ts:1346` calls `GET /foo` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/foo` If this points at an external API, prefix it with `https://` so the matcher skips i…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /foo (packages/react-router/__tests__/router/fetchers-test.ts:1380)
`packages/react-router/__tests__/router/fetchers-test.ts:1380` calls `GET /foo` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/foo` If this points at an external API, prefix it with `https://` so the matcher skips i…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /foo (packages/react-router/__tests__/router/fetchers-test.ts:1421)
`packages/react-router/__tests__/router/fetchers-test.ts:1421` calls `GET /foo` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/foo` If this points at an external API, prefix it with `https://` so the matcher skips i…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /foo (packages/react-router/__tests__/router/fetchers-test.ts:1451)
`packages/react-router/__tests__/router/fetchers-test.ts:1451` calls `GET /foo` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/foo` If this points at an external API, prefix it with `https://` so the matcher skips i…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /foo (packages/react-router/__tests__/router/fetchers-test.ts:1482)
`packages/react-router/__tests__/router/fetchers-test.ts:1482` calls `GET /foo` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/foo` If this points at an external API, prefix it with `https://` so the matcher skips i…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /foo (packages/react-router/__tests__/router/fetchers-test.ts:1517)
`packages/react-router/__tests__/router/fetchers-test.ts:1517` calls `GET /foo` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/foo` If this points at an external API, prefix it with `https://` so the matcher skips i…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /foo (packages/react-router/__tests__/router/fetchers-test.ts:1548)
`packages/react-router/__tests__/router/fetchers-test.ts:1548` calls `GET /foo` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/foo` If this points at an external API, prefix it with `https://` so the matcher skips i…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /foo (packages/react-router/__tests__/router/fetchers-test.ts:1579)
`packages/react-router/__tests__/router/fetchers-test.ts:1579` calls `GET /foo` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/foo` If this points at an external API, prefix it with `https://` so the matcher skips i…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /foo (packages/react-router/__tests__/router/fetchers-test.ts:1607)
`packages/react-router/__tests__/router/fetchers-test.ts:1607` calls `GET /foo` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/foo` If this points at an external API, prefix it with `https://` so the matcher skips i…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /foo (packages/react-router/__tests__/router/fetchers-test.ts:169)
`packages/react-router/__tests__/router/fetchers-test.ts:169` calls `GET /foo` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/foo` If this points at an external API, prefix it with `https://` so the matcher skips it.
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /foo (packages/react-router/__tests__/router/fetchers-test.ts:215)
`packages/react-router/__tests__/router/fetchers-test.ts:215` calls `GET /foo` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/foo` If this points at an external API, prefix it with `https://` so the matcher skips it.
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /foo (packages/react-router/__tests__/router/fetchers-test.ts:275)
`packages/react-router/__tests__/router/fetchers-test.ts:275` calls `GET /foo` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/foo` If this points at an external API, prefix it with `https://` so the matcher skips it.
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /foo (packages/react-router/__tests__/router/fetchers-test.ts:351)
`packages/react-router/__tests__/router/fetchers-test.ts:351` calls `GET /foo` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/foo` If this points at an external API, prefix it with `https://` so the matcher skips it.
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /foo (packages/react-router/__tests__/router/fetchers-test.ts:361)
`packages/react-router/__tests__/router/fetchers-test.ts:361` calls `GET /foo` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/foo` If this points at an external API, prefix it with `https://` so the matcher skips it.
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /foo (packages/react-router/__tests__/router/fetchers-test.ts:571)
`packages/react-router/__tests__/router/fetchers-test.ts:571` calls `GET /foo` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/foo` If this points at an external API, prefix it with `https://` so the matcher skips it.
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /foo (packages/react-router/__tests__/router/fetchers-test.ts:594)
`packages/react-router/__tests__/router/fetchers-test.ts:594` calls `GET /foo` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/foo` If this points at an external API, prefix it with `https://` so the matcher skips it.
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /foo (packages/react-router/__tests__/router/fetchers-test.ts:776)
`packages/react-router/__tests__/router/fetchers-test.ts:776` calls `GET /foo` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/foo` If this points at an external API, prefix it with `https://` so the matcher skips it.
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /foo (packages/react-router/__tests__/router/fetchers-test.ts:799)
`packages/react-router/__tests__/router/fetchers-test.ts:799` calls `GET /foo` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/foo` If this points at an external API, prefix it with `https://` so the matcher skips it.
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /foo (packages/react-router/__tests__/router/fetchers-test.ts:816)
`packages/react-router/__tests__/router/fetchers-test.ts:816` calls `GET /foo` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/foo` If this points at an external API, prefix it with `https://` so the matcher skips it.
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /foo (packages/react-router/__tests__/router/fetchers-test.ts:866)
`packages/react-router/__tests__/router/fetchers-test.ts:866` calls `GET /foo` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/foo` If this points at an external API, prefix it with `https://` so the matcher skips it.
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /foo?key=value (packages/react-router/__tests__/router/fetchers-test.ts:581)
`packages/react-router/__tests__/router/fetchers-test.ts:581` calls `GET /foo?key=value` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/foo` If this points at an external API, prefix it with `https://` so the matche…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /foo?key=value (packages/react-router/__tests__/router/fetchers-test.ts:786)
`packages/react-router/__tests__/router/fetchers-test.ts:786` calls `GET /foo?key=value` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/foo` If this points at an external API, prefix it with `https://` so the matche…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /foo?key=value (packages/react-router/__tests__/router/fetchers-test.ts:839)
`packages/react-router/__tests__/router/fetchers-test.ts:839` calls `GET /foo?key=value` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/foo` If this points at an external API, prefix it with `https://` so the matche…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /parent (packages/react-router/__tests__/router/fetchers-test.ts:3252)
`packages/react-router/__tests__/router/fetchers-test.ts:3252` calls `GET /parent` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/parent` If this points at an external API, prefix it with `https://` so the matcher s…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /parent (packages/react-router/__tests__/router/fetchers-test.ts:3323)
`packages/react-router/__tests__/router/fetchers-test.ts:3323` calls `GET /parent` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/parent` If this points at an external API, prefix it with `https://` so the matcher s…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /parent/child (packages/react-router/__tests__/router/redirects-test.ts:168)
`packages/react-router/__tests__/router/redirects-test.ts:168` calls `GET /parent/child` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/parent/child` If this points at an external API, prefix it with `https://` so t…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /parent/child (packages/react-router/__tests__/router/redirects-test.ts:271)
`packages/react-router/__tests__/router/redirects-test.ts:271` calls `GET /parent/child` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/parent/child` If this points at an external API, prefix it with `https://` so t…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /parent/child?index (packages/react-router/__tests__/router/redirects-test.ts:192)
`packages/react-router/__tests__/router/redirects-test.ts:192` calls `GET /parent/child?index` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/parent/child` If this points at an external API, prefix it with `https://…
Dangling fetchFetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /parent?index (packages/react-router/__tests__/router/fetchers-test.ts:3288)
`packages/react-router/__tests__/router/fetchers-test.ts:3288` calls `GET /parent?index` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/parent` If this points at an external API, prefix it with `https://` so the mat…
Tags: Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /parent?index (packages/react-router/__tests__/router/fetchers-test.ts:3360)
`packages/react-router/__tests__/router/fetchers-test.ts:3360` calls `GET /parent?index` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/parent` If this points at an external API, prefix it with `https://` so the mat…
Tags: Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /resource/a/b?raw (integration/middleware-test.ts:1650)
`integration/middleware-test.ts:1650` calls `GET /resource/a/b?raw` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/resource/a/b` If this points at an external API, prefix it with `https://` so the matcher skips it.
Tags: Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /tasks (packages/react-router/__tests__/router/router-test.ts:2976)
`packages/react-router/__tests__/router/router-test.ts:2976` calls `GET /tasks` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/tasks` If this points at an external API, prefix it with `https://` so the matcher skips…
Tags: Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /tasks (packages/react-router/__tests__/router/router-test.ts:2977)
`packages/react-router/__tests__/router/router-test.ts:2977` calls `GET /tasks` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/tasks` If this points at an external API, prefix it with `https://` so the matcher skips…
Tags: Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /tasks (packages/react-router/__tests__/router/scroll-restoration-test.ts:405)
`packages/react-router/__tests__/router/scroll-restoration-test.ts:405` calls `GET /tasks` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/tasks` If this points at an external API, prefix it with `https://` so the ma…
Tags: Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /tasks (packages/react-router/__tests__/router/scroll-restoration-test.ts:542)
`packages/react-router/__tests__/router/scroll-restoration-test.ts:542` calls `GET /tasks` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/tasks` If this points at an external API, prefix it with `https://` so the ma…
Tags: Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /tasks (packages/react-router/__tests__/router/scroll-restoration-test.ts:571)
`packages/react-router/__tests__/router/scroll-restoration-test.ts:571` calls `GET /tasks` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/tasks` If this points at an external API, prefix it with `https://` so the ma…
Tags: Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /tasks (packages/react-router/__tests__/router/scroll-restoration-test.ts:577)
`packages/react-router/__tests__/router/scroll-restoration-test.ts:577` calls `GET /tasks` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/tasks` If this points at an external API, prefix it with `https://` so the ma…
Tags: Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://reqres.in/api/users?page=2 (integration/fetch-globals-test.ts:19)
`integration/fetch-globals-test.ts:19` calls `GET https://reqres.in/api/users?page=2` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/reqres.in/api/users` If this points at an external API, prefix it with `htt…
Tags: Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST http://localhost:${port}/await-component/api (integration/rsc/rsc-test.ts:1818)
`integration/rsc/rsc-test.ts:1818` calls `POST http://localhost:${port}/await-component/api` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/localhost:/<p>/await-component/api` If this points at an external API…
Tags: Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST http://localhost:${port}/await-component/api (integration/rsc/rsc-test.ts:1832)
`integration/rsc/rsc-test.ts:1832` calls `POST http://localhost:${port}/await-component/api` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/localhost:/<p>/await-component/api` If this points at an external API…
Tags: Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST http://localhost:${port}/get-request (integration/rsc/rsc-test.ts:1917)
`integration/rsc/rsc-test.ts:1917` calls `POST http://localhost:${port}/get-request` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/localhost:/<p>/get-request` If this points at an external API, prefix it with…
Tags: Dangling fetch · Fetch
medium Security checks software dependencies conf 0.88 @babel/runtime: GHSA-968p-4wvh-cqc8
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
pnpm-lock.yaml
medium Security checks security auth conf 0.92 [AUC001] No Repobility access matrix policy found
The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
high Security checks security auth conf 0.74 [AUC002] Low visible authorization coverage in route inventory
Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
medium Security checks quality Error handling conf 1.00 3 occurrences [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
3 files, 3 locations
packages/create-react-router/prompts-prompt-base.ts:45
packages/react-router-node/stream.ts:36
playground/performance/scripts/bench.mjs:103
medium Security checks software dependencies conf 0.88 ajv: GHSA-2g4f-4pwh-qvx6
ajv has ReDoS when using `$data` option
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 axios: GHSA-3w6x-2g7m-8v23
Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 axios: GHSA-445q-vr5w-6q77
Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 axios: GHSA-5c9x-8gcm-mpgx
Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 axios: GHSA-62hf-57xw-28j9
Axios: unbounded recursion in toFormData causes DoS via deeply nested request data
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 axios: GHSA-898c-q2cr-xwhg
axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 axios: GHSA-fvcv-3m26-pcqx
Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 axios: GHSA-m7pr-hjqh-92cm
Axios: no_proxy bypass via IP alias allows SSRF
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 axios: GHSA-vf2m-468p-8v99
Axios: HTTP adapter streamed responses bypass maxContentLength
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 axios: GHSA-w9j2-pvgh-6h63
Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 axios: GHSA-xx6v-rp6x-q39c
Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 brace-expansion: GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 brace-expansion: GHSA-jxxr-4gwj-5jf2
brace-expansion: Large numeric range defeats documented `max` DoS protection
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 esbuild: GHSA-67mh-4wv8-2f99
esbuild enables any website to send any requests to the development server and read the response
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 follow-redirects: GHSA-r4q5-vmmm-2653
follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets
pnpm-lock.yaml
high Security checks quality Quality conf 0.74 Frontend API reference is not matched by discovered backend routes
A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys.
packages/react-router-dev/vite/plugins/prerender.ts:101
high Security checks quality Quality conf 0.74 Frontend API reference is not matched by discovered backend routes
A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys.
packages/react-router/lib/components.tsx:1614
medium Security checks software dependencies conf 0.88 ip-address: GHSA-v2v4-37r5-5v8g
ip-address has XSS in Address6 HTML-emitting methods
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 js-yaml: GHSA-mh29-5h37-fv8m
js-yaml has prototype pollution in merge (<<)
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 lodash: GHSA-f23m-r3pf-42rh
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 lodash: GHSA-xxjr-mmjv-4gpg
Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 markdown-it: GHSA-38c4-r59v-3vqw
markdown-it has a Regular Expression Denial of Service (ReDoS)
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 mdast-util-to-hast: GHSA-4fh9-h7wg-q85m
mdast-util-to-hast has unsanitized class attribute
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 micromatch: GHSA-952p-6rrq-rcjv
Regular Expression Denial of Service (ReDoS) in micromatch
pnpm-lock.yaml
medium Security checks software dependencies conf 0.90 npm package `@manypkg/get-packages` is 2 major version(s) behind (^1.1.3 -> 3.1.0)
`@manypkg/get-packages` is pinned/resolved at ^1.1.3 but the latest stable release on the npm registry is 3.1.0 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs ra…
package.json
medium Security checks software dependencies conf 0.90 npm package `@octokit/request` is 1 major version(s) behind (^9.1.3 -> 10.0.10)
`@octokit/request` is pinned/resolved at ^9.1.3 but the latest stable release on the npm registry is 10.0.10 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
scripts/package.json
medium Security checks software dependencies conf 0.90 npm package `@types/jest` is 1 major version(s) behind (^29.5.4 -> 30.0.0)
`@types/jest` is pinned/resolved at ^29.5.4 but the latest stable release on the npm registry is 30.0.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `@types/jsdom` is 7 major version(s) behind (^21.1.1 -> 28.0.3)
`@types/jsdom` is pinned/resolved at ^21.1.1 but the latest stable release on the npm registry is 28.0.3 (7 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `babel-jest` is 1 major version(s) behind (^29.7.0 -> 30.4.1)
`babel-jest` is pinned/resolved at ^29.7.0 but the latest stable release on the npm registry is 30.4.1 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `jest` is 1 major version(s) behind (^29.6.4 -> 30.4.2)
`jest` is pinned/resolved at ^29.6.4 but the latest stable release on the npm registry is 30.4.2 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `remark-gfm` is 1 major version(s) behind (^3.0.1 -> 4.0.1)
`remark-gfm` is pinned/resolved at ^3.0.1 but the latest stable release on the npm registry is 4.0.1 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `remark-parse` is 1 major version(s) behind (^10.0.1 -> 11.0.0)
`remark-parse` is pinned/resolved at ^10.0.1 but the latest stable release on the npm registry is 11.0.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `remark-stringify` is 1 major version(s) behind (^10.0.2 -> 11.0.0)
`remark-stringify` is pinned/resolved at ^10.0.2 but the latest stable release on the npm registry is 11.0.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `unified` is 1 major version(s) behind (^10.1.2 -> 11.0.5)
`unified` is pinned/resolved at ^10.1.2 but the latest stable release on the npm registry is 11.0.5 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `unist-util-remove` is 1 major version(s) behind (^3.1.0 -> 4.0.0)
`unist-util-remove` is pinned/resolved at ^3.1.0 but the latest stable release on the npm registry is 4.0.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.88 picomatch: GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 postcss: GHSA-qx2v-qp2m-jg93
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
pnpm-lock.yaml
medium Security checks quality Quality conf 0.70 Public web app has no Content Security Policy
A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox.
index.html
medium Security checks quality Quality conf 0.78 Public web service has no security.txt
security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt.
.well-known/security.txt
medium Security checks software dependencies conf 0.88 qs: GHSA-6rw7-vpxm-498p
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 qs: GHSA-q8mj-m7cp-5q26
qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 serialize-javascript: GHSA-qj8w-gfj5-8c6v
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 srvx: GHSA-p36q-q72m-gchr
srvx is vulnerable to middleware bypass via absolute URI in request line
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 undici: GHSA-2mjp-6q6p-2qxm
Undici has an HTTP Request/Response Smuggling issue
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 undici: GHSA-4992-7rv2-5pvq
Undici has CRLF Injection in undici via `upgrade` option
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 undici: GHSA-c76h-2ccp-4975
Use of Insufficiently Random Values in undici
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 undici: GHSA-g9mf-h72j-4rw9
Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 undici: GHSA-phc3-fgpg-7m6h
Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 uuid: GHSA-w5hq-g745-h8pq
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 vite: GHSA-356w-63v5-8wf4
Vite has a `server.fs.deny` bypass with an invalid `request-target`
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 vite: GHSA-4r4m-qw57-chr8
Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 vite: GHSA-4w7w-66w2-5vf9
Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 vite: GHSA-64vr-g452-qvp3
Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 vite: GHSA-859w-5945-r5v3
Vite's server.fs.deny bypassed with /. for files under project root
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 vite: GHSA-8jhw-289h-jh2g
Vite's `server.fs.deny` did not deny requests for patterns with directories.
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 vite: GHSA-93m4-6634-74q7
vite allows server.fs.deny bypass via backslash on Windows
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 vite: GHSA-9cwx-2883-4wfx
Vite's `server.fs.deny` is bypassed when using `?import&raw`
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 vite: GHSA-vg6x-rcgg-rjx6
Websites were able to send any requests to the development server and read the response in vite
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 vite: GHSA-x574-m823-4x7w
Vite bypasses server.fs.deny when using ?raw??
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 vite: GHSA-xcj6-pq6g-qj4x
Vite allows server.fs.deny to be bypassed with .svg or relative paths
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 ws: GHSA-58qx-3vcg-4xpx
ws: Uninitialized memory disclosure
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 yaml: GHSA-48c2-rrv3-qjmp
yaml is vulnerable to Stack Overflow via deeply nested YAML collections
pnpm-lock.yaml
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/react-router/__tests__/dom/ssr/meta-test.tsx:272
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Tag: fq.dangerous-html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/react-router/lib/dom/lib.tsx:2124
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Tag: fq.dangerous-html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/react-router/lib/dom/server.tsx:230
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Tag: fq.dangerous-html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/react-router/lib/dom/ssr/components.tsx:285
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Tag: fq.dangerous-html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/react-router/lib/dom/ssr/errorBoundaries.tsx:84
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Tag: fq.dangerous-html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/react-router/lib/dom/ssr/fallback.tsx:15
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Tag: fq.dangerous-html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/react-router/lib/dom/ssr/single-fetch.tsx:128
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Tag: fq.dangerous-html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/react-router/lib/rsc/errorBoundaries.tsx:110
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Tag: fq.dangerous-html
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — integration/browser-entry-test.ts:224
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — integration/fetch-globals-test.ts:19
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — integration/helpers/vite-plugin-cloudflare-template/workers/app.ts:22
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — integration/loader-test.ts:98
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — integration/middleware-test.ts:1650
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — integration/rsc/rsc-test.ts:1818
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — integration/vite-extra-server-environment-test.ts:101
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/create-react-router/copy-template.ts:240
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/react-router-dev/config/default-rsc-entries/entry.rsc.tsx:52
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/react-router/__tests__/dom/client-on-error-test.tsx:276
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/react-router/__tests__/router/context-middleware-test.tsx:739
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/react-router/__tests__/router/data-strategy-test.ts:909
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/react-router/__tests__/router/fetchers-test.ts:104
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/react-router/__tests__/router/flush-sync-test.ts:97
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/react-router/__tests__/router/instrumentation-test.ts:1673
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/react-router/__tests__/router/lazy-discovery-test.ts:2372
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/react-router/__tests__/router/lazy-test.ts:637
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/react-router/__tests__/router/redirects-test.ts:146
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/react-router/__tests__/router/revalidate-test.ts:904
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/react-router/__tests__/router/router-test.ts:1115
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/react-router/__tests__/router/scroll-restoration-test.ts:405
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/react-router/__tests__/router/should-revalidate-test.ts:602
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/react-router/__tests__/router/submission-test.ts:522
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/react-router/__tests__/router/utils/data-router-setup.ts:198
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/react-router/lib/components.tsx:1614
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/react-router/lib/dom/server.tsx:468
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/react-router/lib/dom/ssr/single-fetch.tsx:66
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/react-router/lib/router/router.ts:203
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/react-router/lib/router/utils.ts:67
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — playground/rsc-vite-framework/app/entry.rsc.tsx:54
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — playground/vite-plugin-cloudflare/workers/app.ts:22
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 2 occurrences Frontend route `/courses/` has no Link/navigate to it — packages/react-router/__tests__/useHref-test.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
2 occurrences
repo-level (2 hits)
Orphan page · Wiring
medium System graph quality Integrity conf 1.00 7 occurrences Frontend route `/deep` has no Link/navigate to it — packages/react-router/__tests__/data-memory-router-test.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
7 occurrences
repo-level (7 hits)
Orphan page · Wiring
medium System graph quality Integrity conf 1.00 8 occurrences Frontend route `/inline-param/:slug` has no Link/navigate to it — packages/react-router/__tests__/dom/special-characters-test.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
8 occurrences
repo-level (8 hits)
Orphan page · Wiring
medium System graph quality Integrity conf 1.00 Frontend route `/scoped` has no Link/navigate to it — packages/react-router/__tests__/useLocation-test.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Orphan page · Wiring
medium System graph quality Integrity conf 1.00 Frontend route `:lang/*` has no Link/navigate to it — packages/react-router/__tests__/gh-issue-8165-test.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Orphan page · Wiring
medium System graph quality Integrity conf 1.00 Frontend route `accounts` has no Link/navigate to it — packages/react-router/lib/router/utils.ts
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Orphan page · Wiring
medium System graph quality Integrity conf 1.00 Frontend route `another-home` has no Link/navigate to it — packages/react-router/__tests__/same-component-lifecycle-test.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Orphan page · Wiring
medium System graph quality Integrity conf 1.00 Frontend route `availability` has no Link/navigate to it — packages/react-router/__tests__/gh-issue-8127-test.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Orphan page · Wiring
medium System graph quality Integrity conf 1.00 Frontend route `blog/:slug` has no Link/navigate to it — packages/react-router/__tests__/dom/navigate-encode-params-test.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Orphan page · Wiring
medium System graph quality Integrity conf 1.00 5 occurrences Frontend route `blog` has no Link/navigate to it — packages/react-router/lib/hooks.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
5 occurrences
repo-level (5 hits)
Orphan page · Wiring
medium System graph quality Integrity conf 1.00 5 occurrences Frontend route `contacts/:id` has no Link/navigate to it — packages/react-router/__tests__/dom/nav-link-active-test.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
5 occurrences
repo-level (5 hits)
Orphan page · Wiring
medium System graph quality Integrity conf 1.00 Frontend route `contacts` has no Link/navigate to it — packages/react-router/__tests__/useNavigate-test.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Orphan page · Wiring
medium System graph quality Integrity conf 1.00 Frontend route `content/*` has no Link/navigate to it — packages/react-router/__tests__/params-decode-test.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Orphan page · Wiring
medium System graph quality Integrity conf 1.00 4 occurrences Frontend route `messages/*` has no Link/navigate to it — packages/react-router/__tests__/dom/link-href-test.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
4 occurrences
repo-level (4 hits)
Orphan page · Wiring
medium System graph quality Integrity conf 1.00 4 occurrences Frontend route `mj` has no Link/navigate to it — packages/react-router/__tests__/useResolvedPath-test.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
4 occurrences
repo-level (4 hits)
Orphan page · Wiring
medium System graph quality Integrity conf 1.00 Frontend route `nested` has no Link/navigate to it — integration/fs-routes-test.ts
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Orphan page · Wiring
medium System graph quality Integrity conf 1.00 Frontend route `profile` has no Link/navigate to it — packages/react-router/__tests__/useOutlet-test.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Orphan page · Wiring
medium System graph quality Integrity conf 1.00 Frontend route `react/*` has no Link/navigate to it — packages/react-router/__tests__/descendant-routes-splat-matching-test.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Orphan page · Wiring
medium System graph quality Integrity conf 1.00 2 occurrences Frontend route `react` has no Link/navigate to it — packages/react-router/__tests__/descendant-routes-warning-test.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
2 occurrences
repo-level (2 hits)
Orphan page · Wiring
medium System graph quality Integrity conf 1.00 Frontend route `search` has no Link/navigate to it — packages/react-router/__tests__/dom/search-params-test.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Orphan page · Wiring
medium System graph quality Integrity conf 1.00 2 occurrences Frontend route `step-2` has no Link/navigate to it — packages/react-router/lib/components.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
2 occurrences
repo-level (2 hits)
Orphan page · Wiring
medium System graph quality Integrity conf 1.00 3 occurrences Frontend route `users/:userId/*` has no Link/navigate to it — packages/react-router/__tests__/descendant-routes-params-test.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
3 occurrences
repo-level (3 hits)
Orphan page · Wiring
medium System graph quality Integrity conf 1.00 Frontend route `users/:userId` has no Link/navigate to it — packages/react-router/__tests__/Routes-location-test.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Orphan page · Wiring
medium System graph quality Integrity conf 1.00 2 occurrences Frontend route `users/:username` has no Link/navigate to it — packages/react-router/__tests__/useParams-test.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
2 occurrences
repo-level (2 hits)
Orphan page · Wiring
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/release.yml · CI/CD security · Supply chain · Github actions
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in packages/react-router/lib/dom/lib.tsx:2124
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
packages/react-router/lib/dom/lib.tsx:2124 Dangerous innerhtml
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in packages/react-router/lib/dom/server.tsx:230
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
packages/react-router/lib/dom/server.tsx:230 Dangerous innerhtml
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in packages/react-router/lib/dom/ssr/components.tsx:285
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
packages/react-router/lib/dom/ssr/components.tsx:285 Dangerous innerhtml
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in packages/react-router/lib/dom/ssr/errorBoundaries.tsx:84
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
packages/react-router/lib/dom/ssr/errorBoundaries.tsx:84 Dangerous innerhtml
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in packages/react-router/lib/dom/ssr/fallback.tsx:15
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
packages/react-router/lib/dom/ssr/fallback.tsx:15 Dangerous innerhtml
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in packages/react-router/lib/dom/ssr/single-fetch.tsx:128
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
packages/react-router/lib/dom/ssr/single-fetch.tsx:128 Dangerous innerhtml
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in packages/react-router/lib/rsc/errorBoundaries.tsx:110
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
packages/react-router/lib/rsc/errorBoundaries.tsx:110 Dangerous innerhtml
medium System graph security Coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
auth
low Security checks software dependencies conf 0.88 @tootallnate/once: GHSA-vpq2-c234-7xj6
@tootallnate/once vulnerable to Incorrect Control Flow Scoping
pnpm-lock.yaml
low Security checks security auth conf 0.76 [AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.
No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.
low Security checks software dependencies conf 0.88 axios: GHSA-xhjh-pmcv-23jw
Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams
pnpm-lock.yaml
low Security checks software dependencies conf 0.88 brace-expansion: GHSA-v6h2-p8h4-qcjw
brace-expansion Regular Expression Denial of Service vulnerability
pnpm-lock.yaml
low Security checks software dependencies conf 0.88 cookie: GHSA-pxg6-pf52-xh8x
cookie accepts cookie name, path, and domain with out of bounds characters
pnpm-lock.yaml
low Security checks software dependencies conf 0.88 diff: GHSA-73rr-hh4g-fpgx
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch
pnpm-lock.yaml
low Security checks quality Quality conf 0.60 30 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
12 files, 21 locations
integration/http-test.ts:8, 11, 16 (3 hits)
integration/error-data-request-test.ts:17, 21 (2 hits)
integration/error-sanitization-test.ts:14, 21 (2 hits)
integration/headers-test.ts:18, 21 (2 hits)
integration/helpers/vite-6-template/app/root.tsx:1, 2 (2 hits)
integration/helpers/vite-7-beta-template/app/root.tsx:1, 2 (2 hits)
integration/helpers/vite-8-template/app/root.tsx:1, 2 (2 hits)
integration/helpers/vite-plugin-cloudflare-template/app/root.tsx:1, 2 (2 hits)
duplication · quality
low Security checks software dependencies conf 0.88 formidable: GHSA-75v8-2h7p-7m2m
Formidable relies on hexoid to prevent guessing of filenames for untrusted executable content
pnpm-lock.yaml
low Security checks software dependencies conf 0.90 npm package `@babel/core` is minor version(s) behind (^7.27.7 -> 7.29.7)
`@babel/core` is pinned/resolved at ^7.27.7 but the latest stable release on the npm registry is 7.29.7 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `@babel/preset-env` is minor version(s) behind (^7.27.2 -> 7.29.7)
`@babel/preset-env` is pinned/resolved at ^7.27.2 but the latest stable release on the npm registry is 7.29.7 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 2 occurrences npm package `@babel/preset-typescript` is minor version(s) behind (^7.27.1 -> 7.29.7)
`@babel/preset-typescript` is pinned/resolved at ^7.27.1 but the latest stable release on the npm registry is 7.29.7 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs…
2 occurrences
package.json (2 hits)
low Security checks software dependencies conf 0.90 npm package `@eslint/compat` is minor version(s) behind (^2.0.3 -> 2.1.0)
`@eslint/compat` is pinned/resolved at ^2.0.3 but the latest stable release on the npm registry is 2.1.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `@types/react-test-renderer` is minor version(s) behind (^19.0.0 -> 19.1.0)
`@types/react-test-renderer` is pinned/resolved at ^19.0.0 but the latest stable release on the npm registry is 19.1.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update P…
package.json
low Security checks software dependencies conf 0.90 npm package `fast-glob` is minor version(s) behind (3.2.11 -> 3.3.3)
`fast-glob` is pinned/resolved at 3.2.11 but the latest stable release on the npm registry is 3.3.3 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `jsonfile` is minor version(s) behind (^6.1.0 -> 6.2.1)
`jsonfile` is pinned/resolved at ^6.1.0 but the latest stable release on the npm registry is 6.2.1 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `prettier` is minor version(s) behind (^3.6.2 -> 3.8.3)
`prettier` is pinned/resolved at ^3.6.2 but the latest stable release on the npm registry is 3.8.3 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `semver` is minor version(s) behind (^7.5.4 -> 7.8.2)
`semver` is pinned/resolved at ^7.5.4 but the latest stable release on the npm registry is 7.8.2 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks quality Quality conf 0.64 Public docs site has no llms.txt
AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions.
llms.txt
low Security checks quality Quality conf 0.50 Public web app has no humans.txt
humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links.
humans.txt
low Security checks quality Quality conf 0.74 Public web app has no robots.txt
Public websites should publish a robots.txt file so crawlers and AI agents can discover crawl rules and sitemap locations without guessing.
robots.txt
low Security checks software dependencies conf 0.88 qs: GHSA-w7fw-mjwx-w883
qs's arrayLimit bypass in comma parsing allows denial of service
pnpm-lock.yaml
low Security checks software dependencies conf 0.88 undici: GHSA-cxrh-j4jr-qwg3
undici Denial of Service attack via bad certificate data
pnpm-lock.yaml
low Security checks software dependencies conf 0.88 vite: GHSA-g4jq-h2w9-997c
Vite middleware may serve files starting with the same name with the public directory
pnpm-lock.yaml
low Security checks software dependencies conf 0.88 vite: GHSA-jqfw-vq24-v9c3
Vite's `server.fs` settings were not applied to HTML files
pnpm-lock.yaml
low Security checks software dependencies conf 0.88 webpack: GHSA-38r7-794h-5758
webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence
pnpm-lock.yaml
low Security checks software dependencies conf 0.88 webpack: GHSA-8fgc-7cc6-rx7x
webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior
pnpm-lock.yaml
low System graph quality Maintenance conf 1.00 37 TODO/FIXME markers
High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/framework-express/app/routes.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/framework-express/react-router.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/framework-express/server.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/framework-express/vite.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/framework-spa/app/routes.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/framework-spa/react-router.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/framework-spa/vite.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/framework-vite-5/app/routes.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/framework-vite-5/react-router.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/framework-vite-5/vite.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/framework-vite-6/app/routes.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/framework-vite-6/react-router.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/framework-vite-6/vite.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/framework-vite-7-beta/app/routes.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/framework-vite-7-beta/react-router.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/framework-vite-7-beta/vite.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/framework/app/routes.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/framework/react-router.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/framework/vite.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/middleware/app/contexts.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/middleware/app/routes.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/middleware/dev-server.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/middleware/react-router.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/middleware/server.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/middleware/vite.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/performance/react-router.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/performance/vite.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/rsc-vite-7-framework/vite.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/rsc-vite-framework/app/entry.client.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/rsc-vite-framework/app/routes.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/rsc-vite-framework/mdx.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.

Showing first 300 of 415 findings.