← Back to scan
File as GitHub Issue repo: remix-run/react-router

Push this scan report to remix-run/react-router

Click the green button below to open GitHub’s new-issue form, pre-filled with the report title, summary table, top findings, and an embedded score-card image. No authentication needed — you review on GitHub before submitting. Repobility is credited as the scanner.

Embedded score card image

This image will render at the top of the issue body. Hosted on Repobility, refreshes automatically after re-scans.

Repobility score card

Issue title

Async function without await — fire-and-forget Promise (AI mistake)

Curate findings to include

Pick exactly which findings appear in the issue body. By default the top 5 are included. Uncheck noise, check what matters.

Top 5 (default)
Severity Rule Title File:line
HIGH SEC085 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived in… scripts/utils/process.ts:41
HIGH SEC083 [SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can c… packages/create-react-router/utils.ts:184
HIGH SEC128 [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … packages/react-router-node/stream.ts:40
HIGH SEC128 [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … packages/react-router-architect/server.…:119
HIGH SEC128 [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … integration/helpers/playwright-fixture.…:324
HIGH SEC040 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML w… scripts/changes/version.ts:161
HIGH SEC040 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML w… packages/react-router-dev/config/routes…:170
HIGH SEC040 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML w… integration/helpers/fixtures.ts:131
HIGH SEC029 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… integration/error-boundary-v2-test.ts:92
HIGH SEC029 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… integration/browser-entry-test.ts:234
HIGH SEC029 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… integration/action-test.ts:227
HIGH MINED115 Action `actions/checkout` pinned to mutable ref `@v6` .github/workflows/preview.yml:54
HIGH MINED115 Action `actions/checkout` pinned to mutable ref `@v6` .github/workflows/preview.yml:48
HIGH GHSA-v2wj-q39q-566r vite: GHSA-v2wj-q39q-566r pnpm-lock.yaml
HIGH GHSA-p9ff-h696-f583 vite: GHSA-p9ff-h696-f583 pnpm-lock.yaml
HIGH GHSA-c27g-q93r-2cwf vite: GHSA-c27g-q93r-2cwf pnpm-lock.yaml
HIGH GHSA-f269-vfmq-vjvj undici: GHSA-f269-vfmq-vjvj pnpm-lock.yaml
HIGH GHSA-vrm6-8vpv-qv8q undici: GHSA-vrm6-8vpv-qv8q pnpm-lock.yaml
HIGH GHSA-v9p9-hfj2-hcw8 undici: GHSA-v9p9-hfj2-hcw8 pnpm-lock.yaml
HIGH GHSA-vj76-c3g6-qr5v tar-fs: GHSA-vj76-c3g6-qr5v pnpm-lock.yaml
HIGH GHSA-5c6j-r48x-rmvq serialize-javascript: GHSA-5c6j-r48x-rmvq pnpm-lock.yaml
HIGH GHSA-mw96-cpmx-2vgc rollup: GHSA-mw96-cpmx-2vgc pnpm-lock.yaml
HIGH GHSA-rv78-f8rc-xrxh react-server-dom-webpack: GHSA-rv78-f8rc-xrxh pnpm-lock.yaml
HIGH GHSA-83fc-fqcc-2hmg react-server-dom-webpack: GHSA-83fc-fqcc-2hmg pnpm-lock.yaml
HIGH GHSA-479c-33wc-g2pg react-server-dom-webpack: GHSA-479c-33wc-g2pg pnpm-lock.yaml
HIGH GHSA-c2c7-rcm5-vvqj picomatch: GHSA-c2c7-rcm5-vvqj pnpm-lock.yaml
HIGH GHSA-37ch-88jc-xwx2 path-to-regexp: GHSA-37ch-88jc-xwx2 pnpm-lock.yaml
HIGH GHSA-7r86-cg39-jmmj minimatch: GHSA-7r86-cg39-jmmj pnpm-lock.yaml
HIGH GHSA-3ppc-4f35-3m26 minimatch: GHSA-3ppc-4f35-3m26 pnpm-lock.yaml
HIGH GHSA-23c5-xmqv-rm74 minimatch: GHSA-23c5-xmqv-rm74 pnpm-lock.yaml
HIGH GHSA-r5fr-rjxr-66jc lodash: GHSA-r5fr-rjxr-66jc pnpm-lock.yaml
HIGH GHSA-5j98-mcp5-4vw2 glob: GHSA-5j98-mcp5-4vw2 pnpm-lock.yaml
HIGH GHSA-v39h-62p7-jpjc fast-uri: GHSA-v39h-62p7-jpjc pnpm-lock.yaml
HIGH GHSA-q3j6-qgpj-74h6 fast-uri: GHSA-q3j6-qgpj-74h6 pnpm-lock.yaml
HIGH GHSA-grv7-fg5c-xmjg braces: GHSA-grv7-fg5c-xmjg pnpm-lock.yaml
HIGH GHSA-rpmf-866q-6p89 basic-ftp: GHSA-rpmf-866q-6p89 pnpm-lock.yaml
HIGH GHSA-rp42-5vxx-qpwr basic-ftp: GHSA-rp42-5vxx-qpwr pnpm-lock.yaml
HIGH GHSA-6v7q-wjvx-w8wg basic-ftp: GHSA-6v7q-wjvx-w8wg pnpm-lock.yaml
HIGH GHSA-q8qp-cvcw-x6jj axios: GHSA-q8qp-cvcw-x6jj pnpm-lock.yaml
HIGH GHSA-pf86-5x62-jrwf axios: GHSA-pf86-5x62-jrwf pnpm-lock.yaml
HIGH GHSA-p92q-9vqr-4j8v axios: GHSA-p92q-9vqr-4j8v pnpm-lock.yaml
HIGH GHSA-jr5f-v2jv-69x6 axios: GHSA-jr5f-v2jv-69x6 pnpm-lock.yaml
HIGH GHSA-j5f8-grm9-p9fc axios: GHSA-j5f8-grm9-p9fc pnpm-lock.yaml
HIGH GHSA-hfxv-24rg-xrqf axios: GHSA-hfxv-24rg-xrqf pnpm-lock.yaml
HIGH GHSA-8hc4-vh64-cxmj axios: GHSA-8hc4-vh64-cxmj pnpm-lock.yaml
HIGH GHSA-6chq-wfr3-2hj9 axios: GHSA-6chq-wfr3-2hj9 pnpm-lock.yaml
HIGH GHSA-4hjh-wcwx-xvwj axios: GHSA-4hjh-wcwx-xvwj pnpm-lock.yaml
HIGH GHSA-43fc-jf86-j433 axios: GHSA-43fc-jf86-j433 pnpm-lock.yaml
HIGH GHSA-pjwm-pj3p-43mv axios: GHSA-pjwm-pj3p-43mv pnpm-lock.yaml
HIGH GHSA-3g43-6gmg-66jw axios: GHSA-3g43-6gmg-66jw pnpm-lock.yaml
HIGH GHSA-35jp-ww65-95wh axios: GHSA-35jp-ww65-95wh pnpm-lock.yaml
HIGH GHSA-w94c-4vhp-22gx @vitejs/plugin-rsc: GHSA-w94c-4vhp-22gx pnpm-lock.yaml
HIGH GHSA-v457-wxvj-p9w9 @vitejs/plugin-rsc: GHSA-v457-wxvj-p9w9 pnpm-lock.yaml
HIGH GHSA-fv7c-fp4j-7gwp @babel/plugin-transform-modules-systemjs: GHSA-fv7c-fp4j-7gwp pnpm-lock.yaml
MED ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors. playground/performance/scripts/bench.mjs:103
MED ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors. packages/react-router-node/stream.ts:36
MED ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors. packages/create-react-router/prompts-pr…:45
MED SEC045 [SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even … scripts/changes/publish.ts:85
MED SEC045 [SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even … integration/helpers/playwright-fixture.…:230
MED AUC001 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks…
MED DEPCUR-NPM npm package `@octokit/request` is 1 major version(s) behind (^9.1.3 -> 10.0.10) scripts/package.json
MED DEPCUR-NPM npm package `unist-util-remove` is 1 major version(s) behind (^3.1.0 -> 4.0.0) package.json
MED DEPCUR-NPM npm package `unified` is 1 major version(s) behind (^10.1.2 -> 11.0.5) package.json
MED DEPCUR-NPM npm package `remark-stringify` is 1 major version(s) behind (^10.0.2 -> 11.0.0) package.json
MED DEPCUR-NPM npm package `remark-parse` is 1 major version(s) behind (^10.0.1 -> 11.0.0) package.json
MED DEPCUR-NPM npm package `remark-gfm` is 1 major version(s) behind (^3.0.1 -> 4.0.1) package.json
MED DEPCUR-NPM npm package `jest` is 1 major version(s) behind (^29.6.4 -> 30.4.2) package.json
MED DEPCUR-NPM npm package `babel-jest` is 1 major version(s) behind (^29.7.0 -> 30.4.1) package.json
MED DEPCUR-NPM npm package `@types/jsdom` is 7 major version(s) behind (^21.1.1 -> 28.0.3) package.json
MED DEPCUR-NPM npm package `@types/jest` is 1 major version(s) behind (^29.5.4 -> 30.0.0) package.json
MED DEPCUR-NPM npm package `@manypkg/get-packages` is 2 major version(s) behind (^1.1.3 -> 3.1.0) package.json
MED GHSA-48c2-rrv3-qjmp yaml: GHSA-48c2-rrv3-qjmp pnpm-lock.yaml
MED GHSA-58qx-3vcg-4xpx ws: GHSA-58qx-3vcg-4xpx pnpm-lock.yaml
MED GHSA-xcj6-pq6g-qj4x vite: GHSA-xcj6-pq6g-qj4x pnpm-lock.yaml
MED GHSA-x574-m823-4x7w vite: GHSA-x574-m823-4x7w pnpm-lock.yaml
MED GHSA-vg6x-rcgg-rjx6 vite: GHSA-vg6x-rcgg-rjx6 pnpm-lock.yaml
MED GHSA-9cwx-2883-4wfx vite: GHSA-9cwx-2883-4wfx pnpm-lock.yaml
MED GHSA-93m4-6634-74q7 vite: GHSA-93m4-6634-74q7 pnpm-lock.yaml
MED GHSA-8jhw-289h-jh2g vite: GHSA-8jhw-289h-jh2g pnpm-lock.yaml
MED GHSA-859w-5945-r5v3 vite: GHSA-859w-5945-r5v3 pnpm-lock.yaml
MED GHSA-64vr-g452-qvp3 vite: GHSA-64vr-g452-qvp3 pnpm-lock.yaml
MED GHSA-4w7w-66w2-5vf9 vite: GHSA-4w7w-66w2-5vf9 pnpm-lock.yaml
MED GHSA-4r4m-qw57-chr8 vite: GHSA-4r4m-qw57-chr8 pnpm-lock.yaml
MED GHSA-356w-63v5-8wf4 vite: GHSA-356w-63v5-8wf4 pnpm-lock.yaml
MED GHSA-w5hq-g745-h8pq uuid: GHSA-w5hq-g745-h8pq pnpm-lock.yaml
MED GHSA-phc3-fgpg-7m6h undici: GHSA-phc3-fgpg-7m6h pnpm-lock.yaml
MED GHSA-c76h-2ccp-4975 undici: GHSA-c76h-2ccp-4975 pnpm-lock.yaml
MED GHSA-g9mf-h72j-4rw9 undici: GHSA-g9mf-h72j-4rw9 pnpm-lock.yaml
MED GHSA-4992-7rv2-5pvq undici: GHSA-4992-7rv2-5pvq pnpm-lock.yaml
MED GHSA-2mjp-6q6p-2qxm undici: GHSA-2mjp-6q6p-2qxm pnpm-lock.yaml
MED GHSA-p36q-q72m-gchr srvx: GHSA-p36q-q72m-gchr pnpm-lock.yaml
MED GHSA-qj8w-gfj5-8c6v serialize-javascript: GHSA-qj8w-gfj5-8c6v pnpm-lock.yaml
MED GHSA-q8mj-m7cp-5q26 qs: GHSA-q8mj-m7cp-5q26 pnpm-lock.yaml
MED GHSA-6rw7-vpxm-498p qs: GHSA-6rw7-vpxm-498p pnpm-lock.yaml
MED GHSA-qx2v-qp2m-jg93 postcss: GHSA-qx2v-qp2m-jg93 pnpm-lock.yaml
MED GHSA-3v7f-55p6-f55p picomatch: GHSA-3v7f-55p6-f55p pnpm-lock.yaml
MED GHSA-952p-6rrq-rcjv micromatch: GHSA-952p-6rrq-rcjv pnpm-lock.yaml
MED GHSA-4fh9-h7wg-q85m mdast-util-to-hast: GHSA-4fh9-h7wg-q85m pnpm-lock.yaml
MED GHSA-38c4-r59v-3vqw markdown-it: GHSA-38c4-r59v-3vqw pnpm-lock.yaml
MED GHSA-xxjr-mmjv-4gpg lodash: GHSA-xxjr-mmjv-4gpg pnpm-lock.yaml
MED GHSA-f23m-r3pf-42rh lodash: GHSA-f23m-r3pf-42rh pnpm-lock.yaml
MED GHSA-mh29-5h37-fv8m js-yaml: GHSA-mh29-5h37-fv8m pnpm-lock.yaml
MED GHSA-v2v4-37r5-5v8g ip-address: GHSA-v2v4-37r5-5v8g pnpm-lock.yaml
MED GHSA-r4q5-vmmm-2653 follow-redirects: GHSA-r4q5-vmmm-2653 pnpm-lock.yaml
MED GHSA-67mh-4wv8-2f99 esbuild: GHSA-67mh-4wv8-2f99 pnpm-lock.yaml
MED GHSA-jxxr-4gwj-5jf2 brace-expansion: GHSA-jxxr-4gwj-5jf2 pnpm-lock.yaml
MED GHSA-f886-m6hf-6m8v brace-expansion: GHSA-f886-m6hf-6m8v pnpm-lock.yaml
MED GHSA-xx6v-rp6x-q39c axios: GHSA-xx6v-rp6x-q39c pnpm-lock.yaml
MED GHSA-w9j2-pvgh-6h63 axios: GHSA-w9j2-pvgh-6h63 pnpm-lock.yaml
MED GHSA-vf2m-468p-8v99 axios: GHSA-vf2m-468p-8v99 pnpm-lock.yaml
MED GHSA-m7pr-hjqh-92cm axios: GHSA-m7pr-hjqh-92cm pnpm-lock.yaml
MED GHSA-fvcv-3m26-pcqx axios: GHSA-fvcv-3m26-pcqx pnpm-lock.yaml
MED GHSA-898c-q2cr-xwhg axios: GHSA-898c-q2cr-xwhg pnpm-lock.yaml
MED GHSA-62hf-57xw-28j9 axios: GHSA-62hf-57xw-28j9 pnpm-lock.yaml
MED GHSA-5c9x-8gcm-mpgx axios: GHSA-5c9x-8gcm-mpgx pnpm-lock.yaml
MED GHSA-445q-vr5w-6q77 axios: GHSA-445q-vr5w-6q77 pnpm-lock.yaml
MED GHSA-3w6x-2g7m-8v23 axios: GHSA-3w6x-2g7m-8v23 pnpm-lock.yaml
MED GHSA-2g4f-4pwh-qvx6 ajv: GHSA-2g4f-4pwh-qvx6 pnpm-lock.yaml
MED GHSA-968p-4wvh-cqc8 @babel/runtime: GHSA-968p-4wvh-cqc8 pnpm-lock.yaml
MED WEB003 Public web service has no security.txt .well-known/security.txt
MED JRN003 Frontend API reference is not matched by discovered backend routes packages/react-router-dev/vite/plugins/…:101
MED JRN003 Frontend API reference is not matched by discovered backend routes packages/react-router/lib/components.tsx:1614
MED AUC002 [AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered r…
MED WEB015 Public web app has no Content Security Policy index.html
LOW DEPCUR-NPM npm package `semver` is minor version(s) behind (^7.5.4 -> 7.8.2) package.json
LOW DEPCUR-NPM npm package `prettier` is minor version(s) behind (^3.6.2 -> 3.8.3) package.json
LOW DEPCUR-NPM npm package `jsonfile` is minor version(s) behind (^6.1.0 -> 6.2.1) package.json
LOW DEPCUR-NPM npm package `fast-glob` is minor version(s) behind (3.2.11 -> 3.3.3) package.json
LOW DEPCUR-NPM npm package `@types/react-test-renderer` is minor version(s) behind (^19.0.0 -> 19.1.0) package.json
LOW DEPCUR-NPM npm package `@eslint/compat` is minor version(s) behind (^2.0.3 -> 2.1.0) package.json
LOW DEPCUR-NPM npm package `@babel/preset-typescript` is minor version(s) behind (^7.27.1 -> 7.29.7) package.json
LOW DEPCUR-NPM npm package `@babel/preset-react` is minor version(s) behind (^7.27.1 -> 7.29.7) package.json
LOW DEPCUR-NPM npm package `@babel/preset-env` is minor version(s) behind (^7.27.2 -> 7.29.7) package.json
LOW DEPCUR-NPM npm package `@babel/core` is minor version(s) behind (^7.27.7 -> 7.29.7) package.json
LOW GHSA-8fgc-7cc6-rx7x webpack: GHSA-8fgc-7cc6-rx7x pnpm-lock.yaml
LOW GHSA-38r7-794h-5758 webpack: GHSA-38r7-794h-5758 pnpm-lock.yaml
LOW GHSA-jqfw-vq24-v9c3 vite: GHSA-jqfw-vq24-v9c3 pnpm-lock.yaml
LOW GHSA-g4jq-h2w9-997c vite: GHSA-g4jq-h2w9-997c pnpm-lock.yaml
LOW GHSA-cxrh-j4jr-qwg3 undici: GHSA-cxrh-j4jr-qwg3 pnpm-lock.yaml
LOW GHSA-w7fw-mjwx-w883 qs: GHSA-w7fw-mjwx-w883 pnpm-lock.yaml
LOW GHSA-75v8-2h7p-7m2m formidable: GHSA-75v8-2h7p-7m2m pnpm-lock.yaml
LOW GHSA-73rr-hh4g-fpgx diff: GHSA-73rr-hh4g-fpgx pnpm-lock.yaml
LOW GHSA-pxg6-pf52-xh8x cookie: GHSA-pxg6-pf52-xh8x pnpm-lock.yaml
LOW GHSA-v6h2-p8h4-qcjw brace-expansion: GHSA-v6h2-p8h4-qcjw pnpm-lock.yaml
LOW GHSA-xhjh-pmcv-23jw axios: GHSA-xhjh-pmcv-23jw pnpm-lock.yaml
LOW GHSA-vpq2-c234-7xj6 @tootallnate/once: GHSA-vpq2-c234-7xj6 pnpm-lock.yaml
LOW AIC003 Duplicated implementation block across source files integration/link-test.ts:101
LOW AIC003 Duplicated implementation block across source files integration/http-test.ts:16
LOW AIC003 Duplicated implementation block across source files integration/http-test.ts:11
LOW AIC003 Duplicated implementation block across source files integration/http-test.ts:8
LOW AIC003 Duplicated implementation block across source files integration/helpers/vite-plugin-cloudfl…:1
LOW AIC003 Duplicated implementation block across source files integration/helpers/vite-plugin-cloudfl…:2
LOW AIC003 Duplicated implementation block across source files integration/helpers/vite-plugin-cloudfl…:1
LOW AIC003 Duplicated implementation block across source files integration/helpers/vite-8-template/app…:1
LOW AIC003 Duplicated implementation block across source files integration/helpers/vite-8-template/app…:2
LOW AIC003 Duplicated implementation block across source files integration/helpers/vite-8-template/app…:1
LOW AIC003 Duplicated implementation block across source files integration/helpers/vite-7-beta-templat…:1
LOW AIC003 Duplicated implementation block across source files integration/helpers/vite-7-beta-templat…:2
LOW AIC003 Duplicated implementation block across source files integration/helpers/vite-7-beta-templat…:1
LOW AIC003 Duplicated implementation block across source files integration/helpers/vite-6-template/app…:1
LOW AIC003 Duplicated implementation block across source files integration/helpers/vite-6-template/app…:2
LOW AIC003 Duplicated implementation block across source files integration/helpers/vite-6-template/app…:1
LOW AIC003 Duplicated implementation block across source files integration/helpers/vite-5-template/app…:1
LOW AIC003 Duplicated implementation block across source files integration/helpers/vite-5-template/app…:2
LOW AIC003 Duplicated implementation block across source files integration/headers-test.ts:21
LOW AIC003 Duplicated implementation block across source files integration/headers-test.ts:18
LOW AIC003 Duplicated implementation block across source files integration/fs-routes-test.ts:109
LOW AIC003 Duplicated implementation block across source files integration/fetch-globals-test.ts:2
LOW AIC003 Duplicated implementation block across source files integration/error-sanitization-test.ts:21
LOW AIC003 Duplicated implementation block across source files integration/error-sanitization-test.ts:14
LOW AIC003 Duplicated implementation block across source files integration/error-data-request-test.ts:21
LOW AIC003 Duplicated implementation block across source files integration/error-data-request-test.ts:17
LOW AIC003 Duplicated implementation block across source files integration/error-boundary-v2-test.ts:2
LOW AIC003 Duplicated implementation block across source files integration/error-boundary-test.ts:118
LOW AIC003 Duplicated implementation block across source files integration/deduped-route-modules-test.…:160
LOW AIC003 Duplicated implementation block across source files integration/custom-entry-server-test.ts:2
LOW AUC005 [AUC005] No authorization-focused tests detected: No test files with common authorization…
LOW WEB001 Public web app has no robots.txt robots.txt
LOW WEB008 Public docs site has no llms.txt llms.txt
LOW WEB011 Public web app has no humans.txt humans.txt
INFO MINED043 [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… packages/react-router-serve/cli.ts:118
INFO MINED098 [MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global win… packages/react-router-dev/vite/static/r…:28
INFO MINED098 [MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global win… packages/react-router-dev/vite/static/r…:70
INFO MINED054 [MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely. packages/react-router-dev/config/routes…:330
INFO MINED054 [MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely. packages/react-router-dev/cli/run.ts:152
INFO MINED054 [MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely. packages/create-react-router/prompt.ts:62
INFO MINED056 [MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re… integration/vite-preview-test.ts:197
INFO MINED045 [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError … packages/create-react-router/prompt.ts:68
INFO MINED045 [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError … integration/helpers/playwright-fixture.…:68
INFO MINED045 [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError … integration/helpers/fixtures.ts:108
INFO MINED052 [MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety. integration/route-config-test.ts:55
INFO MINED052 [MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety. integration/helpers/playwright-fixture.…:290
INFO MINED052 [MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety. integration/error-data-request-test.ts:14
INFO MINED044 [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … integration/helpers/cloudflare-dev-prox…:19
INFO MINED044 [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … integration/helpers/cleanup.mjs:5
INFO MINED044 [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … integration/browser-entry-test.ts:151
INFO DEPCUR-NPM npm package `typedoc` is patch version(s) behind (^0.28.7 -> 0.28.19) package.json
INFO DEPCUR-NPM npm package `isbot` is patch version(s) behind (^5.1.11 -> 5.1.40) package.json
INFO DEPCUR-NPM npm package `eslint-plugin-jest` is patch version(s) behind (^29.15.0 -> 29.15.2) package.json
INFO DEPCUR-NPM npm package `@mdx-js/rollup` is patch version(s) behind (^3.1.0 -> 3.1.1) package.json
Reset to top 5 200 findings available (after auto-suppression of test files + won't-fix)

Issue body (markdown)

## Code-quality scan: `remix-run/react-router`

**Score: 63/100 (B-)**  ·  227 findings  ·  scanned 2026-06-05 10:04 UTC  ·  187,401 LOC

| Severity | Count |
|---|---|
| CRITICAL | 4 |
| HIGH | 77 |
| MEDIUM | 70 |
| LOW | 56 |

📊 [Full filterable report](https://repobility.com/scan/c1cae3d0-d9bd-47d8-9f47-019439663682/)  ·  ![scorecard](https://repobility.com/scan/c1cae3d0-d9bd-47d8-9f47-019439663682/report.png?v=1780653851-s2)

### Top findings

1. **HIGH** `SEC085` — JS: child_process.exec with non-literal
   `scripts/utils/process.ts:41`
2. **HIGH** `SEC083` — JS: new RegExp() with non-literal
   `packages/create-react-router/utils.ts:184`
3. **HIGH** `SEC128` — Async function without await — fire-and-forget Promise (AI mistake)
   `packages/react-router-node/stream.ts:40`
4. **HIGH** `SEC128` — Async function without await — fire-and-forget Promise (AI mistake)
   `packages/react-router-architect/server.ts:119`
5. **HIGH** `SEC128` — Async function without await — fire-and-forget Promise (AI mistake)
   `integration/helpers/playwright-fixture.ts:324`

---

**Security note**: this issue is public. If any flagged finding is a real, exploitable vulnerability, please redirect to your `SECURITY.md` policy or open a [private security advisory](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability) instead. We're happy to close this and re-submit privately.

---

_Filed automatically. Close this issue if not useful — we won't refile. Full report: https://repobility.com/scan/c1cae3d0-d9bd-47d8-9f47-019439663682/_
Already filed
'remix-run' is on the known-megaproject org list. These projects use auto-triage bots and established security disclosure channels. Unsolicited automated issues from Repobility would be perceived as AI-generated spam. For security findings, follow the project's SECURITY.md policy. For non-security findings, open a focused PR or community discussion instead.
Already filed
This repo publishes a SECURITY.md policy and the scan contains 11 Critical/High security finding(s). Public issue filing would violate coordinated disclosure. Submit privately via the project's security reporting channel.
Megaproject â high spam risk
Could not determine 'remix-run/react-router' star count (GitHub API rate-limited or unreachable). When in doubt about repo size, prefer opening a focused PR or a discussion rather than an issue.
Already filed
77/234 findings (33%) on this scan are already flagged as test-file, won't-fix, or suppressed. The scan is too noisy to file as a single issue. Curate down to specific actionable findings, or address the FP source first.
Cancel

The button opens GitHubâs new-issue page in a new tab. You will see the title + body pre-filled â review, edit if you want, then click GitHubâs "Submit new issue" button. Repobility never posts anything on your behalf.

For real security findings on big repos: use the project's SECURITY.md or private advisory flow instead of a public issue.