Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
17 of your 85 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 2.86s · analysis 25.38s · 3.5 MB · GitHub API rate-limit (preflight)

iptv-org/iptv

https://github.com/iptv-org/iptv · scanned 2026-06-05 05:19 UTC (2 hours, 33 minutes ago) · 10 languages

125 findings (71 legacy + 54 scanner) 62nd percentile · Typescript · small (2-20K LoC) Scanner says 90 (lower by 19)

File as issue Image v2 schema
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 2 hours, 33 minutes ago · v2 · 98 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

JSON
Combined
77.5
/100
Repobility
65
71 legacy
9-layer
90
88.9% cov · 27 gaps
Critical
13
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 75.0 0.15 11.25
security_score 48.9 0.25 12.22
testing_score 90.0 0.20 18.00
documentation_score 75.0 0.15 11.25
practices_score 67.0 0.15 10.05
code_quality 80.0 0.10 8.00
Overall 1.00 70.8
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 13 High 20 Medium 18 Low 33 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Legacy 71 9-layer 27 Crowd 0 Layer: Security 17 Software 57 Quality 7 Api 1 Frontend 13 Cicd 3
Scan summary Repository scanned at 90.0/100 with 88.9% coverage. It contains 207 nodes across 0 cross-layer flows, written primarily in mixed languages. Engine surfaced 27 findings — concentrated in frontend (13), software (8), cicd (3). Risk profile is low: 0 critical, 0 high, 3 medium. Recommended next step: open the frontend layer findings first — that's where the highest-impact wins live.

Showing 82 of 98 findings. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
streams/my.m3u:52 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
streams/my.m3u:42 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
streams/my.m3u:31 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
streams/my.m3u:27 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
streams/br.m3u:411 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
streams/br.m3u:401 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
streams/br.m3u:393 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
streams/th.m3u:69 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
streams/cy.m3u:41 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
streams/cy.m3u:3 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data.
Gitleaks detected a committed secret or credential pattern.
streams/in.m3u:823 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data.
Gitleaks detected a committed secret or credential pattern.
streams/lt.m3u:21 credential_exposurelegacy
high Legacy software resource_exhaustion conf 1.00 [SEC035] Unbounded Resource Allocation — DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation. CWE-770/400. Examples: CVE-2023-44487 (HTTP/2 Rapid Reset), countless YAML/XML billion-laughs variants.
Cap user-controlled sizes BEFORE allocation: size = min(int(request.args.get('n', 100)), MAX_SIZE) Set framework-level limits: Flask: app.config['MAX_CONTENT_LENGTH'] = 10 * 1024 * 1024 FastAPI: use middleware to enforce request size Django: DATA_UPLOAD_MAX_MEMORY_SIZE in settings.py …
scripts/api.ts:107 resource_exhaustionlegacy
low Legacy software xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.
scripts/commands/playlist/update.ts:46 xsslegacy
high Legacy security path_traversal conf 1.00 [SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly.
After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`.
scripts/utils.ts:60 path_traversallegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/checkout` pinned to mutable ref `@v6`
`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/format.yml:19 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/checkout` pinned to mutable ref `@v6`
`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/format.yml:12 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/checkout` pinned to mutable ref `@v6`
`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/update.yml:19 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/checkout` pinned to mutable ref `@v6`
`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/update.yml:12 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/checkout` pinned to mutable ref `@v6`
`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/check.yml:15 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/setup-node` pinned to mutable ref `@v6`
`uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/format.yml:23 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/setup-node` pinned to mutable ref `@v6`
`uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/update.yml:23 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/setup-node` pinned to mutable ref `@v6`
`uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/check.yml:27 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `JamesIves/github-pages-deploy-action` pinned to mutable ref `@4.1.1`
`uses: JamesIves/[email protected]` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/update.yml:75 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `JamesIves/github-pages-deploy-action` pinned to mutable ref `@4.1.1`
`uses: JamesIves/[email protected]` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/update.yml:63 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `tibdex/github-app-token` pinned to mutable ref `@v1.8.2`
`uses: tibdex/[email protected]` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/format.yml:13 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `tibdex/github-app-token` pinned to mutable ref `@v1.8.2`
`uses: tibdex/[email protected]` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/update.yml:13 dependencylegacy
high Legacy software dependency conf 0.88 axios: GHSA-35jp-ww65-95wh
axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`
package-lock.json dependencylegacy
high Legacy software dependency conf 0.88 axios: GHSA-777c-7fjr-54vf
Allocation of Resources Without Limits or Throttling in Axios
package-lock.json dependencylegacy
high Legacy software dependency conf 0.88 axios: GHSA-hfxv-24rg-xrqf
Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection
package-lock.json dependencylegacy
high Legacy software dependency conf 0.88 axios: GHSA-j5f8-grm9-p9fc
Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection
package-lock.json dependencylegacy
high Legacy software dependency conf 0.88 axios: GHSA-p92q-9vqr-4j8v
Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter
package-lock.json dependencylegacy
high Legacy software dependency conf 0.88 axios: GHSA-pjwm-pj3p-43mv
axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)
package-lock.json dependencylegacy
medium Legacy security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
authlegacy
medium Legacy software dependency conf 0.88 axios: GHSA-898c-q2cr-xwhg
axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions
package-lock.json dependencylegacy
medium Legacy software dependency conf 0.88 esbuild: GHSA-67mh-4wv8-2f99
esbuild enables any website to send any requests to the development server and read the response
package-lock.json dependencylegacy
medium Legacy software dependency conf 0.90 npm package `@eslint/js` is 1 major version(s) behind (9.32.0 -> 10.0.1)
`@eslint/js` is pinned/resolved at 9.32.0 but the latest stable release on the npm registry is 10.0.1 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json dependencylegacy
medium Legacy software dependency conf 0.90 npm package `@inquirer/prompts` is 1 major version(s) behind (7.8.0 -> 8.5.2)
`@inquirer/prompts` is pinned/resolved at 7.8.0 but the latest stable release on the npm registry is 8.5.2 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json dependencylegacy
medium Legacy software dependency conf 0.90 npm package `@octokit/plugin-paginate-rest` is 1 major version(s) behind (13.1.1 -> 14.0.0)
`@octokit/plugin-paginate-rest` is pinned/resolved at 13.1.1 but the latest stable release on the npm registry is 14.0.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-upda…
package.json dependencylegacy
medium Legacy software dependency conf 0.90 npm package `@octokit/plugin-rest-endpoint-methods` is 1 major version(s) behind (16.0.0 -> 17.0.0)
`@octokit/plugin-rest-endpoint-methods` is pinned/resolved at 16.0.0 but the latest stable release on the npm registry is 17.0.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot vers…
package.json dependencylegacy
medium Legacy software dependency conf 0.90 npm package `@octokit/types` is 2 major version(s) behind (14.1.0 -> 16.0.0)
`@octokit/types` is pinned/resolved at 14.1.0 but the latest stable release on the npm registry is 16.0.0 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json dependencylegacy
medium Legacy software dependency conf 0.90 npm package `chalk` is 1 major version(s) behind (4.1.2 -> 5.6.2)
`chalk` is pinned/resolved at 4.1.2 but the latest stable release on the npm registry is 5.6.2 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json dependencylegacy
medium Legacy software dependency conf 0.90 npm package `commander` is 1 major version(s) behind (14.0.0 -> 15.0.0)
`commander` is pinned/resolved at 14.0.0 but the latest stable release on the npm registry is 15.0.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json dependencylegacy
medium Legacy software dependency conf 0.90 npm package `glob` is 3 major version(s) behind (10.5.0 -> 13.0.6)
`glob` is pinned/resolved at 10.5.0 but the latest stable release on the npm registry is 13.0.6 (3 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json dependencylegacy
medium Legacy software dependency conf 0.90 npm package `globals` is 3 major version(s) behind (14.0.0 -> 17.6.0)
`globals` is pinned/resolved at 14.0.0 but the latest stable release on the npm registry is 17.6.0 (3 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json dependencylegacy
medium Legacy software dependency conf 0.90 npm package `normalize-url` is 1 major version(s) behind (8.1.0 -> 9.0.1)
`normalize-url` is pinned/resolved at 8.1.0 but the latest stable release on the npm registry is 9.0.1 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json dependencylegacy
medium Legacy software dependency conf 0.90 npm package `socks-proxy-agent` is 2 major version(s) behind (8.0.5 -> 10.0.0)
`socks-proxy-agent` is pinned/resolved at 8.0.5 but the latest stable release on the npm registry is 10.0.0 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json dependencylegacy
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
JamesIves/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/update.yml:63 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
JamesIves/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/update.yml:75 supply-chaingithub-actionspinned-dependencies
medium 9-layer security coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
coverageauth
low Legacy security auth conf 0.76 [AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.
No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.
authlegacy
low Legacy software dependency conf 0.88 axios: GHSA-654m-c8p4-x5fp
Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix
package-lock.json dependencylegacy
low Legacy software dependency conf 0.90 npm package `@freearhey/core` is minor version(s) behind (0.14.3 -> 0.16.1)
`@freearhey/core` is pinned/resolved at 0.14.3 but the latest stable release on the npm registry is 0.16.1 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json dependencylegacy
low Legacy software dependency conf 0.90 npm package `@freearhey/storage-js` is minor version(s) behind (0.1.0 -> 0.2.0)
`@freearhey/storage-js` is pinned/resolved at 0.1.0 but the latest stable release on the npm registry is 0.2.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json dependencylegacy
low Legacy software dependency conf 0.90 npm package `@stylistic/eslint-plugin` is minor version(s) behind (5.2.2 -> 5.10.0)
`@stylistic/eslint-plugin` is pinned/resolved at 5.2.2 but the latest stable release on the npm registry is 5.10.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs r…
package.json dependencylegacy
low Legacy software dependency conf 0.90 npm package `axios` is minor version(s) behind (1.15.2 -> 1.17.0)
`axios` is pinned/resolved at 1.15.2 but the latest stable release on the npm registry is 1.17.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json dependencylegacy
low Legacy software dependency conf 0.90 npm package `console-table-printer` is minor version(s) behind (2.14.6 -> 2.16.0)
`console-table-printer` is pinned/resolved at 2.14.6 but the latest stable release on the npm registry is 2.16.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs rai…
package.json dependencylegacy
low Legacy software dependency conf 0.90 npm package `cross-env` is minor version(s) behind (10.0.0 -> 10.1.0)
`cross-env` is pinned/resolved at 10.0.0 but the latest stable release on the npm registry is 10.1.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json dependencylegacy
low Legacy software dependency conf 0.90 npm package `jest` is minor version(s) behind (30.3.0 -> 30.4.2)
`jest` is pinned/resolved at 30.3.0 but the latest stable release on the npm registry is 30.4.2 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json dependencylegacy
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: scripts/constants.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: scripts/generators/generator.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: scripts/tables/table.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/__data__/input/discussions.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/__data__/input/issues.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/__data__/input/playlist_test/results.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/commands/playlist/validate.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/commands/report/create.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer cicd supply-chain conf 1.00 package.json defines install-time lifecycle scripts
preinstall/install/postinstall/prepare scripts execute during dependency installation. Review them carefully for network calls, obfuscation, shell execution, or credential access.
package.json supply-chainnpminstall-scripts
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/commands/playlist/test.ts:182
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/commands/playlist/validate.ts:111
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/utils.ts:132
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — tests/commands/playlist/edit.test.ts:24
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — tests/commands/playlist/export.test.ts:16
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — tests/commands/playlist/format.test.ts:18
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — tests/commands/playlist/generate.test.ts:18
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — tests/commands/playlist/test.test.ts:27
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — tests/commands/playlist/update.test.ts:20
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — tests/commands/playlist/validate.test.ts:17
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — tests/commands/readme/update.test.ts:16
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — tests/commands/report/create.test.ts:10
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer quality complexity conf 1.00 Very large file: tests/__data__/input/issues.js (2476 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low Legacy quality quality conf 1.00 ✓ Repobility [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
Review and fix per the pattern semantics. See CWE-476 / for context.
scripts/commands/playlist/edit.ts:52 qualitylegacy
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/c3786ac9-f743-4cf5-be3e-6afdde35579b/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/c3786ac9-f743-4cf5-be3e-6afdde35579b/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.