Public scan — anyone with this URL can view this analysis.
35 of your 203 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 9.59s · analysis 69.97s · 14.4 MB · GitHub API rate-limit (preflight)

mermaid-js/mermaid

https://github.com/mermaid-js/mermaid · scanned 2026-06-05 07:02 UTC (5 days, 23 hours ago) · 10 languages

666 raw signals (188 security + 478 graph) · 9th percentile · TypeScript · large (100-500K LoC) · System graph score 81 (lower by 20)


Complete repo analysis

Last scanned 5 days, 23 hours ago · v2 · 366 actionable findings from 2 signal sources. 61 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5
Component             Sub-score   Weight   Contribution
structure_score            60.0     0.15           9.00
security_score             12.7     0.25           3.17
testing_score              77.0     0.20          15.40
documentation_score        86.7     0.15          13.01
practices_score           100.0     0.15          15.00
code_quality               58.3     0.10           5.83
Overall                              1.00          61.4
Active filters: excluding tests
Scan summary Quality grade C+ (61/100). Dimensions: security 13, maintainability 60. 188 findings (89 security). 176,649 lines analyzed.

Showing 218 of 366 actionable findings. 427 raw detector signals were grouped into reader-sized issues.

critical Security checks security secrets conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern. The Generic API Key rule is a loose pattern match and is noisy in CI workflow files; confirm whether the matched string is a live credential (rotate it and purge it from history if so) or a placeholder or a `${{ secrets.* }}` reference before closing the finding.
.github/workflows/e2e.yml:240
critical Security checks software dependencies conf 0.88 vitest: GHSA-5xrq-8626-4rwp
When Vitest UI server is listening, arbitrary file can be read and executed
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 @babel/plugin-transform-modules-systemjs: GHSA-fv7c-fp4j-7gwp
@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 @xmldom/xmldom: GHSA-2v35-w6hq-6mfw
xmldom: Uncontrolled recursion in XML serialization leads to DoS
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 @xmldom/xmldom: GHSA-f6ww-3ggp-fr8h
xmldom has XML injection through unvalidated DocumentType serialization
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 @xmldom/xmldom: GHSA-j759-j44w-7fr8
xmldom has XML node injection through unvalidated comment serialization
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 @xmldom/xmldom: GHSA-wh4c-j3r5-mjhp
xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 @xmldom/xmldom: GHSA-x6wf-f3px-wcqx
xmldom has XML node injection through unvalidated processing instruction serialization
pnpm-lock.yaml
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState — React skips re-render on mutated reference.
Review and fix per the pattern semantics: produce a new array (`[...arr, item]`, `[...arr].sort()`) instead of mutating the one held in state. The cited CWE-682 (Incorrect Calculation) does not describe this pattern, and the flagged file (`diagrams/treeView/db.ts`) is not obviously React state, so check that the detector matched component state at all before acting.
packages/mermaid/src/diagrams/treeView/db.ts:61
high Security checks cicd CI/CD security conf 0.90 Compose service uses host networking
Sharing host namespaces reduces isolation and can expose host processes, networking, or IPC resources. Replace `network_mode: host` with the default bridge network and publish only the ports the service needs under `ports:`.
docker-compose.yml:20 · Tags: CI/CD security, containers
high Security checks software dependencies conf 0.88 defu: GHSA-737v-mqg7-c878
defu: Prototype pollution via `__proto__` key in defaults argument
pnpm-lock.yaml
high Security checks cicd CI/CD security conf 0.95 Docker final stage runs as root
The final runtime stage explicitly uses root. A compromised app process would have root inside the container, which turns any container-escape bug into a host compromise. Add a `USER` instruction naming an unprivileged account in the final stage, after the steps that genuinely need root have run.
Dockerfile:3 · Tags: CI/CD security, containers
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /dev/api/file has no auth
Express route POST /dev/api/file declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
.esbuild/server.ts:370
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /dev/api/sizes has no auth
Express route POST /dev/api/sizes declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
.esbuild/server.ts:432
high Security checks quality Quality conf 0.80 ✓ Repobility Express PUT /dev/api/file has no auth
Express route PUT /dev/api/file declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
.esbuild/server.ts:405
high Security checks software dependencies conf 0.88 fast-uri: GHSA-q3j6-qgpj-74h6
fast-uri vulnerable to path traversal via percent-encoded dot segments
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 fast-uri: GHSA-v39h-62p7-jpjc
fast-uri vulnerable to host confusion via percent-encoded authority delimiters
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 flatted: GHSA-25h7-pfq9-p65f
flatted vulnerable to unbounded recursion DoS in parse() revive phase
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 flatted: GHSA-rf6f-7fwh-wjgh
Prototype Pollution via parse() in NodeJS flatted
pnpm-lock.yaml
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 4 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `actions/checkout` is referenced by the mutable tag `@v4`; a tag or branch can be moved to point at different code after review. Pin external actions to a reviewed full commit SHA (keeping the tag in a trailing comment for readability) when the workflow is security-sensitive.
.github/workflows/validate-lockfile.yml:15, 82 (4 hits)
Tags: CI/CD security, Supply chain, GitHub Actions
high Security checks software dependencies conf 0.88 glob: GHSA-5j98-mcp5-4vw2
glob CLI: Command injection via -c/--cmd executes matches with shell:true
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 lodash-es: GHSA-r5fr-rjxr-66jc
lodash vulnerable to Code Injection via `_.template` imports key names
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 lodash: GHSA-r5fr-rjxr-66jc
lodash vulnerable to Code Injection via `_.template` imports key names
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 minimatch: GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 minimatch: GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 minimatch: GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 node-forge: GHSA-2328-f5f3-gj25
Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 node-forge: GHSA-554w-wpv2-vw27
node-forge has ASN.1 Unbounded Recursion
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 node-forge: GHSA-5gfm-wpxj-wjgq
node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 node-forge: GHSA-5m6q-g25r-mvwx
Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 node-forge: GHSA-ppp5-5v6c-4jwp
Forge has signature forgery in RSA-PKCS due to ASN.1 extra field
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 node-forge: GHSA-q67f-28xg-22rw
Forge has signature forgery in Ed25519 due to missing S > L check
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 path-to-regexp: GHSA-37ch-88jc-xwx2
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 path-to-regexp: GHSA-j3q9-mxjg-w52f
path-to-regexp vulnerable to Denial of Service via sequential optional groups
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 picomatch: GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 preact: GHSA-36hm-qxxp-pg3m
Preact has JSON VNode Injection issue
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 serialize-javascript: GHSA-5c6j-r48x-rmvq
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 tar-fs: GHSA-vj76-c3g6-qr5v
tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 tmp: GHSA-ph9p-34f9-6g65
tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 underscore: GHSA-qpx9-hpmf-5gmw
Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack
pnpm-lock.yaml
high Security checks software dependencies conf 0.90 ✓ Repobility 3 occurrences Workflow container/services image `cypress/browsers:node-20.16.0-chrome-127.0.6533.88-1-ff-128.0.3-edge-127.0.2651.74-1` unpinned
`container/services image: cypress/browsers:node-20.16.0-chrome-127.0.6533.88-1-ff-128.0.3-edge-127.0.2651.74-1` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
2 files, 3 locations
.github/workflows/e2e.yml:37, 161 (2 hits)
.github/workflows/e2e-timings.yml:20
high System graph cicd CI/CD security conf 1.00 pull_request_target workflow appears to check out untrusted PR code
pull_request_target runs with base-repo privileges. Checking out PR head code in that context can expose repository tokens or secrets to attacker-controlled code. Check the `ref:` passed to `actions/checkout` and every step that runs after it; anything that installs or executes files from the checkout (a package-manager install with lifecycle scripts, for example) runs the contributor's code with the base repo's token.
.github/workflows/validate-lockfile.yml · Tags: CI/CD security, Supply chain, GitHub Actions
medium Security checks security auth conf 0.92 [AUC001] No Repobility access matrix policy found
The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
high Security checks security auth conf 0.74 [AUC002] Low visible authorization coverage in route inventory
Only 16.7% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
low Security checks security Deserialization conf 1.00 [SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.
The detector's remediation (use yaml.safe_load() instead of yaml.load(); avoid pickle for untrusted data) is Python advice and does not transfer to these TypeScript files. If the loader is js-yaml 4.x, `load()` already uses the safe default schema and cannot instantiate JavaScript functions; what remains to check is that no custom schema with executable types is passed, and that the parsed object is validated (shape, depth, prototype keys) before it drives diagram configuration.
packages/mermaid/src/diagrams/kanban/kanbanDb.ts:129
low Security checks security Deserialization conf 1.00 [SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.
Same caveat as the kanbanDb.ts finding above: the Python remediation text does not apply; confirm the YAML loader's schema and validate the parsed object before use.
packages/mermaid/src/diagram-api/frontmatter.ts:43
medium Security checks software Resource exhaustion conf 1.00 [SEC037] Uncontrolled Recursion — stack/depth exhaustion: Parsing arbitrary-depth user input (XML, JSON, YAML) without a depth limit, or a recursive function over a user-controlled structure. An attacker sends `{"a":{"a":{"a":...10000 levels...}}}` to blow the stack. CWE-674/1325.
The detector's remediation text is Python-oriented (`defusedxml.ElementTree` in place of `xml.etree.ElementTree` for XML, which rejects deeply nested and billion-laughs payloads; `json.loads` followed by a manual depth check; `yaml.safe_load` for YAML) and is cut off on the page ("For recursive code over…"). What carries over to this TypeScript parser is the principle: bound the depth and node count of the parsed structure before the diagram code walks it, and do that walk without recursion.
packages/mermaid/src/diagram-api/frontmatter.ts:43
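SEC007 and SEC037 both point at `frontmatter.ts:43`, and the js-yaml merge-key and lodash `_.unset`/`_.omit` advisories further down concern the same class of input: a parsed document shaped by an attacker. The following validator is an added example, not mermaid's front-matter handling. It runs over the already-parsed value (whatever loader produced it), uses an explicit stack so it cannot itself be exhausted by the input it inspects, enforces depth and node-count limits, and refuses `__proto__`/`constructor`/`prototype` keys before the object reaches any merge or assignment logic. `checkDocument`, `nested` and the default limits are choices made for the example.

```typescript
// Added example (not mermaid's code): iterative validation of a parsed YAML/JSON value
// before diagram code trusts it. No recursion, so the checker survives what it checks.

export interface Rejection { path: string; reason: string }

// Keys that let a plain-object merge reach Object.prototype.
const POLLUTING_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

/**
 * Walks `root` depth-first with an explicit stack. Returns the first problem found
 * (too deep, too many nodes, or a prototype-polluting key) or null if the value is clean.
 */
export function checkDocument(root: unknown, maxDepth = 32, maxNodes = 10_000): Rejection | null {
  const stack: Array<{ value: unknown; depth: number; path: string }> = [
    { value: root, depth: 0, path: '$' },
  ];
  let visited = 0;
  while (stack.length > 0) {
    const { value, depth, path } = stack.pop()!;
    if (++visited > maxNodes) return { path, reason: `more than ${maxNodes} nodes` };
    if (depth > maxDepth) return { path, reason: `nesting deeper than ${maxDepth}` };
    if (value === null || typeof value !== 'object') continue; // scalars end a branch
    if (Array.isArray(value)) {
      value.forEach((v, i) => stack.push({ value: v, depth: depth + 1, path: `${path}[${i}]` }));
      continue;
    }
    // Own enumerable keys only. A "__proto__" key written in JSON or YAML arrives as an
    // own property of the parsed object, which is exactly where it must be caught.
    for (const key of Object.keys(value as object)) {
      if (POLLUTING_KEYS.has(key)) return { path: `${path}.${key}`, reason: 'prototype-polluting key' };
      stack.push({ value: (value as Record<string, unknown>)[key], depth: depth + 1, path: `${path}.${key}` });
    }
  }
  return null;
}

/** Builds n nested objects without recursion; stands in for an attacker's deeply nested front-matter. */
export function nested(n: number): unknown {
  let v: unknown = 1;
  for (let i = 0; i < n; i++) v = { a: v };
  return v;
}

// Constructed inputs for a quick self-check when run directly.
export const benign = { title: 'flow', config: { theme: 'dark', flowchart: { curve: 'basis' } } };
export const polluted = JSON.parse('{"config":{"__proto__":{"polluted":true}}}') as unknown;
```

Run the check between parsing and the first `Object.assign`/merge of the parsed config into defaults; the merge is where a `__proto__` key does damage, and the limits are what keep a hostile document from costing more than a fixed amount of work.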
medium Security checks quality Quality conf 1.00 [SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, and framework internals, and in some frameworks enables code execution (the Django debug page with arbitrary template evaluation).
Set DEBUG=False / APP_DEBUG=false in production. Provide a generic 500 handler that logs to the backend but returns a sanitized page to clients. The flagged file sits under `.esbuild/dev-explorer/`, a development console; confirm it is excluded from the published bundle before treating this as a production exposure.
.esbuild/dev-explorer/console-panel.ts:81
medium Security checks software dependencies conf 0.88 ajv: GHSA-2g4f-4pwh-qvx6
ajv has ReDoS when using `$data` option
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 brace-expansion: GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 brace-expansion: GHSA-jxxr-4gwj-5jf2
brace-expansion: Large numeric range defeats documented `max` DoS protection
pnpm-lock.yaml
medium Security checks cicd CI/CD security conf 0.90 Docker build context has no .dockerignore
Without .dockerignore, the build context can include source history, local env files, dependencies, and generated artifacts; anything in the context can be copied into a layer and shipped with the image.
.dockerignore · Tags: CI/CD security, containers
medium Security checks software dependencies conf 0.88 esbuild: GHSA-67mh-4wv8-2f99
esbuild enables any website to send any requests to the development server and read the response
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 follow-redirects: GHSA-r4q5-vmmm-2653
follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 js-yaml: GHSA-mh29-5h37-fv8m
js-yaml has prototype pollution in merge (<<)
pnpm-lock.yaml
high Security checks quality Quality conf 0.80 localStorage write failures are swallowed silently
localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota.
.esbuild/dev-explorer/diagram-viewer.ts:127
medium Security checks software dependencies conf 0.88 lodash-es: GHSA-f23m-r3pf-42rh
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 lodash: GHSA-f23m-r3pf-42rh
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 lodash: GHSA-xxjr-mmjv-4gpg
Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 markdown-it: GHSA-38c4-r59v-3vqw
markdown-it has a Regular Expression Denial of Service (ReDoS)
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 mdast-util-to-hast: GHSA-4fh9-h7wg-q85m
mdast-util-to-hast has unsanitized class attribute
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 node-forge: GHSA-65ch-62r8-g69g
node-forge is vulnerable to ASN.1 OID Integer Truncation
pnpm-lock.yaml
medium Security checks software dependencies conf 0.90 npm package `@argos-ci/cypress` is 1 major version(s) behind (^6.2.12 -> 7.0.5)
`@argos-ci/cypress` is pinned/resolved at ^6.2.12 but the latest stable release on the npm registry is 7.0.5 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `@cypress/code-coverage` is 1 major version(s) behind (^3.14.7 -> 4.0.3)
`@cypress/code-coverage` is pinned/resolved at ^3.14.7 but the latest stable release on the npm registry is 4.0.3 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs …
package.json
medium Security checks software dependencies conf 0.90 npm package `@eslint/js` is 1 major version(s) behind (^9.26.0 -> 10.0.1)
`@eslint/js` is pinned/resolved at ^9.26.0 but the latest stable release on the npm registry is 10.0.1 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `@types/jsdom` is 7 major version(s) behind (^21.1.7 -> 28.0.3)
`@types/jsdom` is pinned/resolved at ^21.1.7 but the latest stable release on the npm registry is 28.0.3 (7 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 3 occurrences npm package `@vitest/ui` is 1 major version(s) behind (^3.2.4 -> 4.1.8)
`@vitest/ui` is pinned/resolved at ^3.2.4 but the latest stable release on the npm registry is 4.1.8 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json (3 hits)
medium Security checks software dependencies conf 0.90 npm package `chokidar` is 2 major version(s) behind (3.6.0 -> 5.0.0)
`chokidar` is pinned/resolved at 3.6.0 but the latest stable release on the npm registry is 5.0.0 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `concurrently` is 1 major version(s) behind (^9.2.1 -> 10.0.3)
`concurrently` is pinned/resolved at ^9.2.1 but the latest stable release on the npm registry is 10.0.3 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `cpy-cli` is 2 major version(s) behind (^5.0.0 -> 7.0.0)
`cpy-cli` is pinned/resolved at ^5.0.0 but the latest stable release on the npm registry is 7.0.0 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `cross-env` is 3 major version(s) behind (^7.0.3 -> 10.1.0)
`cross-env` is pinned/resolved at ^7.0.3 but the latest stable release on the npm registry is 10.1.0 (3 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 2 occurrences npm package `cspell` is 1 major version(s) behind (^9.3.2 -> 10.0.1)
`cspell` is pinned/resolved at ^9.3.2 but the latest stable release on the npm registry is 10.0.1 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json (2 hits)
medium Security checks software dependencies conf 0.90 npm package `cypress` is 1 major version(s) behind (^14.5.4 -> 15.16.0)
`cypress` is pinned/resolved at ^14.5.4 but the latest stable release on the npm registry is 15.16.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `eslint-plugin-cypress` is 1 major version(s) behind (^5.3.0 -> 6.4.1)
`eslint-plugin-cypress` is pinned/resolved at ^5.3.0 but the latest stable release on the npm registry is 6.4.1 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs ra…
package.json
medium Security checks software dependencies conf 0.90 npm package `eslint-plugin-unicorn` is 2 major version(s) behind (^62.0.0 -> 64.0.0)
`eslint-plugin-unicorn` is pinned/resolved at ^62.0.0 but the latest stable release on the npm registry is 64.0.0 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs …
package.json
medium Security checks software dependencies conf 0.88 path-to-regexp: GHSA-27v5-c462-wpq7
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 picomatch: GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 postcss: GHSA-qx2v-qp2m-jg93
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
pnpm-lock.yaml
medium Security checks quality Quality conf 0.70 Public web app has no Content Security Policy
A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox.
index.html
medium Security checks quality Quality conf 0.78 Public web service has no security.txt
security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt.
.well-known/security.txt
medium Security checks software dependencies conf 0.88 qs: GHSA-6rw7-vpxm-498p
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 qs: GHSA-q8mj-m7cp-5q26
qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 serialize-javascript: GHSA-qj8w-gfj5-8c6v
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 smol-toml: GHSA-v3rj-xjv7-4jmq
smol-toml: Denial of Service via TOML documents containing thousands of consecutive commented lines
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 uuid: GHSA-w5hq-g745-h8pq
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 vite: GHSA-4w7w-66w2-5vf9
Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 vite: GHSA-93m4-6634-74q7
vite allows server.fs.deny bypass via backslash on Windows
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 webpack-dev-server: GHSA-4v9v-hfq4-rm2v
webpack-dev-server users' source code may be stolen when they access a malicious web site
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 webpack-dev-server: GHSA-79cf-xcqc-c78w
webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 webpack-dev-server: GHSA-9jgg-88mc-972h
webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 ws: GHSA-58qx-3vcg-4xpx
ws: Uninitialized memory disclosure
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 yaml: GHSA-48c2-rrv3-qjmp
yaml is vulnerable to Stack Overflow via deeply nested YAML collections
pnpm-lock.yaml
medium System graph quality Integrity conf 1.00 `fetch()` without try/catch or AbortSignal — packages/mermaid/src/rendering-util/multi-diagram-id-uniqueness.spec.ts:29
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap it in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout. The location is a `.spec.ts` test file, so this is test robustness rather than a runtime exposure.
Tags: runtime safety, Robustness
medium System graph cicd CI/CD security conf 1.00 7 occurrences GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions: declare `permissions: read-all` (or an explicit read-only block) at the workflow level and grant individual write scopes (for example `contents: write` for a release job) only to the job that needs them.
7 files, 7 locations
.github/workflows/e2e-timings.yml
.github/workflows/lint.yml
.github/workflows/publish-docs.yml
.github/workflows/release-preview-publish.yml
.github/workflows/release-preview.yml
.github/workflows/release.yml
.github/workflows/scorecard.yml
Tags: CI/CD security, Supply chain, GitHub Actions
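The tag-pinned `actions/checkout`, the unpinned `cypress/browsers` image, the `pull_request_target` checkout and the write-scoped workflow tokens reported on this page are four checks over one kind of artifact. The auditor below is an added example, not part of mermaid or of Repobility's detectors. It runs those checks over the parsed form of a workflow (the object a YAML loader returns; YAML parsing is left out so the block has no dependencies) and reports which job and step each problem sits in. The two sample workflows are constructed for the example and only imitate the trigger shape of `validate-lockfile.yml`; the commit SHA and image digest in the hardened variant are placeholders, not real pins.

```typescript
// Added example (not mermaid's or Repobility's code): audits the parsed form of a GitHub
// Actions workflow for the four workflow-level problems reported on this page.

export interface Step { uses?: string; with?: Record<string, string>; run?: string }
export type Permissions = 'read-all' | 'write-all' | Record<string, 'read' | 'write' | 'none'>;
export interface Job {
  'runs-on'?: string;
  permissions?: Permissions;
  container?: string | { image: string };
  services?: Record<string, { image: string }>;
  steps: Step[];
}
export interface Workflow {
  on: string | string[] | Record<string, unknown>;
  permissions?: Permissions;
  jobs: Record<string, Job>;
}
export interface Finding { rule: string; where: string; detail: string }

const SHA40 = /^[^@]+@[0-9a-f]{40}$/;          // owner/repo@<full commit sha>
const IMAGE_DIGEST = /@sha256:[0-9a-f]{64}$/;  // image:tag@sha256:<digest>

export function triggers(on: Workflow['on']): string[] {
  if (typeof on === 'string') return [on];
  if (Array.isArray(on)) return on as string[];
  return Object.keys(on);
}

function isPinned(uses: string): boolean {
  if (uses.startsWith('./')) return true;      // local action, versioned with the repo itself
  if (uses.startsWith('docker://')) return IMAGE_DIGEST.test(uses);
  return SHA40.test(uses);
}

// An absent permissions block is treated as write-capable: the default depends on a
// repository setting, so a workflow should not rely on it.
function grantsWrite(p: Permissions | undefined): boolean {
  if (p === undefined || p === 'write-all') return true;
  if (p === 'read-all') return false;
  return Object.values(p).includes('write');
}

const imageOf = (c: string | { image: string }): string => (typeof c === 'string' ? c : c.image);

export function audit(wf: Workflow): Finding[] {
  const out: Finding[] = [];
  const prTarget = triggers(wf.on).includes('pull_request_target');
  for (const [name, job] of Object.entries(wf.jobs)) {
    const images = [...(job.container ? [imageOf(job.container)] : []), ...Object.values(job.services ?? {}).map(imageOf)];
    for (const img of images) {
      if (!IMAGE_DIGEST.test(img)) out.push({ rule: 'unpinned-image', where: name, detail: img });
    }
    job.steps.forEach((s, i) => {
      const where = `${name}#${i}`;
      if (s.uses && !isPinned(s.uses)) out.push({ rule: 'tag-pinned-action', where, detail: s.uses });
      const ref = s.with?.ref ?? '';
      // pull_request_target + checkout of the PR head = contributor code running with the base repo's token
      if (prTarget && s.uses?.startsWith('actions/checkout') && /pull_request\.head|head_ref/.test(ref)) {
        out.push({ rule: 'pr-target-checks-out-head', where, detail: ref });
      }
    });
    const effective = job.permissions ?? wf.permissions; // a job-level block overrides the workflow-level one
    if (grantsWrite(effective)) out.push({ rule: 'write-token', where: name, detail: JSON.stringify(effective ?? 'default') });
  }
  return out;
}

// Constructed samples. Only the trigger shape imitates validate-lockfile.yml; the SHA and
// digest below are placeholders (all fake), not real pins.
const PLACEHOLDER_SHA = '0123456789abcdef0123456789abcdef01234567';
const PLACEHOLDER_DIGEST = 'sha256:' + 'f'.repeat(64);
const BROWSERS = 'cypress/browsers:node-20.16.0-chrome-127.0.6533.88-1-ff-128.0.3-edge-127.0.2651.74-1';

export const sample: Workflow = {
  on: { pull_request_target: { types: ['opened', 'synchronize'] } },
  permissions: { contents: 'write' },
  jobs: {
    check: {
      'runs-on': 'ubuntu-latest',
      container: { image: BROWSERS },
      steps: [
        { uses: 'actions/checkout@v4', with: { ref: '${{ github.event.pull_request.head.sha }}' } },
        { uses: 'actions/setup-node@' + PLACEHOLDER_SHA },
        { run: 'pnpm install --frozen-lockfile' },
      ],
    },
  },
};

export const hardened: Workflow = {
  on: 'pull_request',                               // fork PRs get a read-only token and no secrets
  permissions: 'read-all',
  jobs: {
    check: {
      'runs-on': 'ubuntu-latest',
      container: { image: BROWSERS + '@' + PLACEHOLDER_DIGEST },
      steps: [
        { uses: 'actions/checkout@' + PLACEHOLDER_SHA }, // in YAML, keep "# v4" as a trailing comment
        { run: 'pnpm install --frozen-lockfile' },
      ],
    },
  },
};
```

The `effective` permissions line is the detail most often missed when reading these findings: a workflow-level `read-all` is undone by any job that declares its own block, so the audit has to be evaluated per job.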
medium System graph network Security conf 1.00 Privileged port 256 in use
Port 256 is privileged (<1024). Make sure the service runs with the right capabilities (CAP_NET_BIND_SERVICE rather than root) or front it with a non-privileged port via a load balancer. Ports 256 and 40 are not conventional service ports; confirm that each corresponds to an actual EXPOSE or port binding in the Dockerfile rather than a number the detector matched elsewhere.
Dockerfile · Tags: Ports
medium System graph network Security conf 1.00 Privileged port 40 in use
Port 40 is privileged (<1024). Same remediation and caveat as for port 256 above.
Dockerfile · Tags: Ports
medium System graph quality Tests conf 1.00 Very low test-to-source ratio
54 test file(s) for 849 source file(s) (ratio 0.06). Consider adding integration or unit tests for critical paths.
Tags: Coverage
high Security checks cicd CI/CD security conf 0.56 Compose service does not declare a runtime user
If the image does not define USER internally, this service may run as root. Set `user:` on the service (or `USER` in the image) to an unprivileged uid:gid.
docker-compose.yml:1 · Tags: CI/CD security, containers
high Security checks cicd CI/CD security conf 0.62 Compose service lacks no-new-privileges hardening
no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities. Add `security_opt: ["no-new-privileges:true"]` to the service.
docker-compose.yml:1 · Tags: CI/CD security, containers
low Security checks quality Quality conf 0.60 30 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
12 files, 14 locations
packages/mermaid/src/diagrams/flowchart/styles.ts:4, 97 (2 hits)
packages/mermaid/src/rendering-util/rendering-elements/edges.js:75, 212 (2 hits)
packages/mermaid-layout-tidy-tree/src/layout.ts:311
packages/mermaid-zenuml/src/mermaidUtils.ts:2
packages/mermaid/src/dagre-wrapper/edges.js:256
packages/mermaid/src/diagrams/class/classDiagram.ts:1
packages/mermaid/src/diagrams/class/classRenderer-v2.ts:309
packages/mermaid/src/diagrams/gantt/ganttDb.js:542
Tags: duplication, quality
low Security checks software dependencies conf 0.90 npm package `@changesets/changelog-github` is minor version(s) behind (^0.5.2 -> 0.7.0)
`@changesets/changelog-github` is pinned/resolved at ^0.5.2 but the latest stable release on the npm registry is 0.7.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update P…
package.json
low Security checks software dependencies conf 0.90 npm package `@changesets/cli` is minor version(s) behind (^2.29.8 -> 2.31.0)
`@changesets/cli` is pinned/resolved at ^2.29.8 but the latest stable release on the npm registry is 2.31.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `@rollup/plugin-typescript` is minor version(s) behind (^12.1.4 -> 12.3.0)
`@rollup/plugin-typescript` is pinned/resolved at ^12.1.4 but the latest stable release on the npm registry is 12.3.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PR…
package.json
low Security checks software dependencies conf 0.90 npm package `ajv` is minor version(s) behind (^8.17.1 -> 8.20.0)
`ajv` is pinned/resolved at ^8.17.1 but the latest stable release on the npm registry is 8.20.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `dotenv` is minor version(s) behind (^17.2.4 -> 17.4.2)
`dotenv` is pinned/resolved at ^17.2.4 but the latest stable release on the npm registry is 17.4.2 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `esbuild` is minor version(s) behind (^0.25.12 -> 0.28.0)
`esbuild` is pinned/resolved at ^0.25.12 but the latest stable release on the npm registry is 0.28.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `eslint-plugin-jest` is minor version(s) behind (^29.0.1 -> 29.15.2)
`eslint-plugin-jest` is pinned/resolved at ^29.0.1 but the latest stable release on the npm registry is 29.15.2 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs rais…
package.json
low Security checks software dependencies conf 0.90 npm package `eslint-plugin-no-only-tests` is minor version(s) behind (^3.3.0 -> 3.4.0)
`eslint-plugin-no-only-tests` is pinned/resolved at ^3.3.0 but the latest stable release on the npm registry is 3.4.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PR…
package.json
low Security checks software dependencies conf 0.90 npm package `eslint-plugin-tsdoc` is minor version(s) behind (^0.4.0 -> 0.5.2)
`eslint-plugin-tsdoc` is pinned/resolved at ^0.4.0 but the latest stable release on the npm registry is 0.5.2 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks quality Quality conf 0.64 Public docs site has no llms.txt
AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions.
llms.txt
low Security checks quality Quality conf 0.50 Public web app has no humans.txt
humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links.
humans.txt
low Security checks quality Quality conf 0.74 Public web app has no robots.txt
Public websites should publish a robots.txt file so crawlers and AI agents can discover crawl rules and sitemap locations without guessing.
robots.txt
low Security checks quality Quality conf 0.72 Public web app has no sitemap
A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. Without one, important docs and product pages are easy to miss.
sitemap.xml
low Security checks software dependencies conf 0.88 qs: GHSA-w7fw-mjwx-w883
qs's arrayLimit bypass in comma parsing allows denial of service
pnpm-lock.yaml
low Security checks software dependencies conf 0.88 webpack: GHSA-38r7-794h-5758
webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence
pnpm-lock.yaml
low Security checks software dependencies conf 0.88 webpack: GHSA-8fgc-7cc6-rx7x
webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior
pnpm-lock.yaml
low System graph quality Maintenance conf 1.00 157 TODO/FIXME markers
High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.
low System graph hardware Coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
Deployment
low System graph software Dead code candidate conf 1.00 File has no detected symbols: cypress.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: eslint.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid-example-diagram/src/diagram-definition.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid-example-diagram/src/exampleDiagram.spec.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid-example-diagram/src/types/index.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid-layout-elk/src/__tests__/render.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid-layout-elk/src/find-common-ancestor.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid-layout-tidy-tree/src/layout.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid-layout-tidy-tree/src/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid/src/accessibility.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid/src/config.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid/src/diagrams/er/erDetector.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid/src/diagrams/er/erDiagram.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid/src/diagrams/er/erMarkers.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid/src/diagrams/er/erRenderer-unified.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid/src/diagrams/er/erRenderer.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid/src/diagrams/er/erTypes.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid/src/diagrams/info/infoDiagram.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid/src/diagrams/info/infoParser.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid/src/diagrams/radar/detector.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid/src/diagrams/radar/diagram.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid/src/diagrams/radar/radar.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid/src/diagrams/radar/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid/src/diagrams/requirement/requirementDb.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid/src/diagrams/requirement/requirementDetector.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid/src/diagrams/requirement/requirementDiagram.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid/src/diagrams/requirement/requirementRenderer.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid/src/diagrams/requirement/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid/src/diagrams/sequence/sequenceDetector.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid/src/diagrams/sequence/sequenceDiagram.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid/src/diagrams/sequence/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid/src/diagrams/user-journey/journeyDb.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid/src/diagrams/user-journey/journeyDb.spec.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid/src/diagrams/user-journey/journeyDetector.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid/src/diagrams/user-journey/journeyDiagram.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid/src/diagrams/venn/parser/venn.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid/src/diagrams/venn/vennDetector.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid/src/diagrams/venn/vennDiagram.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid/src/diagrams/venn/vennTypes.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid/src/internals.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid/src/setupGraphViewbox.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid/src/setupGraphViewbox.spec.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid/src/type.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid/src/types/cytoscape-cose-bilkent.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/mermaid/src/utils.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/e2e-diagram-scope.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/run-e2e-scoped.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/webpack/webpack.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: vite.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: vitest.workspace.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `index_v2` in cypress/integration/rendering/appli.spec.js:38
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `staleOrLegacy` in packages/mermaid/src/rendering-util/layout-algorithms/ddlt/fixtureMetadata.spec.ts:12
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph cicd CI/CD security conf 1.00 package.json defines install-time lifecycle scripts
preinstall/install/postinstall/prepare scripts execute during dependency installation. Review them carefully for network calls, obfuscation, shell execution, or credential access.
package.json · CI/CD security · Supply chain · Npm
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cypress/integration/rendering/flowchart/flowchart-shape-themes.spec.ts:90
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cypress/platform/bundle-test.js:55
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cypress/platform/viewer.js:49
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — demos/dev/reload.js:18
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/mermaid/src/assignWithDepth.ts:15
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/mermaid/src/dagre-wrapper/intersect/intersect-polygon.js:51
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/mermaid/src/dagre-wrapper/nodes.js:401
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/mermaid/src/diagrams/kanban/kanbanDb.ts:27
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/mermaid/src/diagrams/mindmap/mindmap.spec.ts:19
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/mermaid/src/diagrams/state/stateRenderer-v3-unified.ts:73
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/mermaid/src/mermaid.ts:337
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/mermaid/src/rendering-util/layout-algorithms/ddlt/layout-fixtures.ddlt.spec.ts:22
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/mermaid/src/rendering-util/layout-algorithms/swimlanes/10-node-placement.ddlt.spec.ts:74
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/mermaid/src/rendering-util/layout-algorithms/swimlanes/4-car-fun-sales-tb.ddlt.spec.ts:13
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/mermaid/src/rendering-util/layout-algorithms/swimlanes/5-car-fun-sales-wide-tb.ddlt.spec.ts:37
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/mermaid/src/rendering-util/layout-algorithms/swimlanes/6-legal-constr-sales.ddlt.spec.ts:32
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/mermaid/src/rendering-util/layout-algorithms/swimlanes/7-car-sales-constr.ddlt.spec.ts:34
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/mermaid/src/rendering-util/layout-algorithms/swimlanes/8-query-process-2.ddlt.spec.ts:44
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/mermaid/src/rendering-util/layout-algorithms/swimlanes/__tests__/pipeline.hoe.lr.spec.ts:224
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/mermaid/src/rendering-util/layout-algorithms/swimlanes/__tests__/pipeline.knsv3.lr.spec.ts:218
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/mermaid/src/rendering-util/layout-algorithms/swimlanes/__tests__/pipeline.lr.e2e.spec.ts:95
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/mermaid/src/rendering-util/layout-algorithms/swimlanes/orthogonalRouter/__tests__/raykov.crossing.spec.ts:159
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/mermaid/src/rendering-util/layout-algorithms/swimlanes/orthogonalRouter/__tests__/raykov.detour.spec.ts:8
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/mermaid/src/rendering-util/layout-algorithms/swimlanes/orthogonalRouter/__tests__/raykov.issues.spec.ts:8
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/mermaid/src/rendering-util/layout-algorithms/swimlanes/orthogonalRouter/__tests__/raykov.repro_crossing.spec.ts:8
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/mermaid/src/rendering-util/layout-algorithms/swimlanes/orthogonalRouter/__tests__/raykov.router.spec.ts:10
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/mermaid/src/rendering-util/layout-algorithms/swimlanes/orthogonalRouter/__tests__/raykov.wide_node.spec.ts:8
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/mermaid/src/rendering-util/layout-algorithms/swimlanes/query-process.ddlt.spec.ts:33
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/mermaid/src/rendering-util/layout-algorithms/swimlanes/simple-2.ddlt.spec.ts:31
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/mermaid/src/rendering-util/render.ts:7
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/mermaid/src/rendering-util/rendering-elements/lineJump.integration.spec.ts:171
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/mermaid/src/rendering-util/rendering-elements/shapes/drawRect.ts:18
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/mermaid/src/utils/imperativeState.ts:12
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/compare-timings.ts:40
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/run-e2e-scoped.ts:33
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/size.ts:75
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/swimlanes-size.ts:117
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/tsc-check.ts:81
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — tests/webpack/src/index.js:8
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph quality Complexity conf 1.00 Very large file: cypress/integration/rendering/git/gitGraph.spec.js (2182 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: cypress/integration/rendering/sequence/sequencediagram-v2.spec.js (1629 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: packages/mermaid/src/config.type.ts (2070 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: packages/mermaid/src/diagrams/class/classDiagram.spec.ts (2252 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: packages/mermaid/src/diagrams/sequence/sequenceDiagram.spec.js (2820 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: packages/mermaid/src/diagrams/sequence/sequenceRenderer.ts (2150 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: packages/mermaid/src/diagrams/sequence/svgDraw.js (2037 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: packages/mermaid/src/rendering-util/layout-algorithms/swimlanes/orthogonalRouter/router.ts (2242 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
API access

This page is publicly accessible at: https://repobility.com/scan/eb0e01a6-f8a4-4dcb-b77b-71f719fa226f/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/eb0e01a6-f8a4-4dcb-b77b-71f719fa226f/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.