
Scan timing: clone 9.35s · analysis 54.59s · 22.1 MB · GitHub API rate-limit (preflight)

kzahel/yepanywhere

https://github.com/kzahel/yepanywhere · scanned 2026-06-05 19:09 UTC (4 days, 17 hours ago) · 10 languages

1222 raw signals (410 security + 812 graph) · 10th percentile · TypeScript · large (100-500K LoC) · System graph score 50 (higher by 11)


Complete repo analysis

Last scanned 4 days, 17 hours ago · v2 · 640 actionable findings from 2 signal sources. 176 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5

Component             Sub-score   Weight   Contribution
structure_score            60.0     0.15           9.00
security_score             24.4     0.25           6.10
testing_score              95.0     0.20          19.00
documentation_score        70.7     0.15          10.61
practices_score            89.0     0.15          13.35
code_quality               36.0     0.10           3.60
Overall                              1.00           61.7
Scan summary Ranks in the 74th percentile among medium-sized repos. 10 findings (10 high). Most common pattern: express-destructive-unauth.

Showing 575 of 640 actionable findings. 816 raw detector signals were grouped into reader-sized issues.

critical Security checks security secrets conf 0.95 5 occurrences Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
4 files, 5 locations
packages/server/test/push/PushService.test.ts:17, 34 (2 hits)
docs/research/binary-websocket-framing.md:391
site/public/open/index.html:31
site/src/layouts/BaseLayout.astro:81
critical Security checks software dependencies conf 0.88 google.golang.org/grpc: GHSA-p77j-4mvh-x3m3
gRPC-Go has an authorization bypass via missing leading slash in :path
packages/device-bridge/go.mod
critical Security checks software dependencies conf 0.88 vitest: GHSA-5xrq-8626-4rwp
When Vitest UI server is listening, arbitrary file can be read and executed
pnpm-lock.yaml
low Security checks cicd CI/CD security conf 0.35 ✓ Repobility 19 occurrences Workflow references repository secrets in a pull_request workflow
Fork pull_request runs do not receive normal repository secrets on GitHub Actions. Review this as a reliability/intent signal, not as direct fork-secret exfiltration. Raise severity only for pull_request_target or another trusted-context path that runs untrusted PR code with secrets.
.github/workflows/desktop-ci.yml:47, 48, 49, 50, 79, 80, 81, 101, +11 more (19 hits)
Tags: CI/CD security · workflow secrets · GitHub Actions
high Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. React won't re-render.
Review and fix per the pattern semantics. See CWE-682 for context.
3 files, 3 locations
packages/server/src/auth/AuthService.ts:141
packages/server/src/metadata/ProjectMetadataService.ts:153
packages/server/src/metadata/SessionMetadataService.ts:323
high Security checks software dependencies conf 0.88 atk-sys: RUSTSEC-2024-0416
gtk-rs GTK3 bindings - no longer maintained
packages/mobile/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 atk-sys: RUSTSEC-2024-0416
gtk-rs GTK3 bindings - no longer maintained
packages/desktop/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 atk: RUSTSEC-2024-0413
gtk-rs GTK3 bindings - no longer maintained
packages/mobile/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 atk: RUSTSEC-2024-0413
gtk-rs GTK3 bindings - no longer maintained
packages/desktop/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.90 ✓ Repobility Binary file `packages/android-device-server/gradle/wrapper/gradle-wrapper.jar` committed in source repo
`packages/android-device-server/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (59,203 bytes) committed to a repo that otherwise has 980 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that get…
packages/android-device-server/gradle/wrapper/gradle-wrapper.jar:1
high Security checks software dependencies conf 0.88 defu: GHSA-737v-mqg7-c878
defu: Prototype pollution via `__proto__` key in defaults argument
site/package-lock.json
high Security checks software dependencies conf 0.88 devalue: GHSA-77vg-94rm-hx3p
Svelte devalue: DoS via sparse array deserialization
site/package-lock.json
high Security checks software dependencies conf 0.90 ✓ Repobility Dockerfile FROM `node:22-slim` not pinned by digest
`FROM node:22-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
docker/Dockerfile:4
high Security checks quality Quality conf 0.80 ✓ Repobility Express DELETE / has no auth
Express route DELETE / declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
packages/server/src/routes/network-binding.ts:184
high Security checks quality Quality conf 0.80 ✓ Repobility Express DELETE /:id has no auth
Express route DELETE /:id declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
packages/server/src/routes/browser-profiles.ts:43
high Security checks quality Quality conf 0.80 ✓ Repobility Express DELETE /relay has no auth
Express route DELETE /relay declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
packages/server/src/remote-access/routes.ts:201
high Security checks quality Quality conf 0.80 ✓ Repobility Express DELETE /sessions has no auth
Express route DELETE /sessions declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
packages/server/src/remote-access/routes.ts:279
high Security checks quality Quality conf 0.80 ✓ Repobility Express DELETE /sessions/:projectId/:sessionId has no auth
Express route DELETE /sessions/:projectId/:sessionId declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
packages/server/src/routes/public-shares.ts:797
high Security checks quality Quality conf 0.80 ✓ Repobility Express DELETE /sessions/:projectId/:sessionId/viewers/:viewerId has no auth
Express route DELETE /sessions/:projectId/:sessionId/viewers/:viewerId declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
packages/server/src/routes/public-shares.ts:848
high Security checks quality Quality conf 0.80 ✓ Repobility Express DELETE /sessions/:sessionId has no auth
Express route DELETE /sessions/:sessionId declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
packages/server/src/remote-access/routes.ts:266
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST / has no auth
Express route POST / declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
packages/server/src/routes/client-logs.ts:38
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST / has no auth
Express route POST / declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
packages/server/src/routes/public-shares.ts:861
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /clear has no auth
Express route POST /clear declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
packages/server/src/remote-access/routes.ts:115
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /complete has no auth
Express route POST /complete declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
packages/server/src/routes/onboarding.ts:43
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /configure has no auth
Express route POST /configure declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
packages/server/src/remote-access/routes.ts:46
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /disable has no auth
Express route POST /disable declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
packages/server/src/remote-access/routes.ts:100
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /enable has no auth
Express route POST /enable declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
packages/server/src/remote-access/routes.ts:85
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /helper-targets/models has no auth
Express route POST /helper-targets/models declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
packages/server/src/routes/settings.ts:746
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /install has no auth
Express route POST /install declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
packages/server/src/routes/codex-updates.ts:18
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /remote-executors/:host/test has no auth
Express route POST /remote-executors/:host/test declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
packages/server/src/routes/settings.ts:793
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /reset has no auth
Express route POST /reset declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
packages/server/src/routes/onboarding.ts:53
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /sessions/:projectId/:sessionId/freeze-live has no auth
Express route POST /sessions/:projectId/:sessionId/freeze-live declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
packages/server/src/routes/public-shares.ts:808
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /sessions/:projectId/:sessionId/viewers/:viewerId/freeze has no auth
Express route POST /sessions/:projectId/:sessionId/viewers/:viewerId/freeze declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
packages/server/src/routes/public-shares.ts:824
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /upload has no auth
Express route POST /upload declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
packages/server/src/routes/sharing.ts:15
high Security checks quality Quality conf 0.80 ✓ Repobility Express PUT / has no auth
Express route PUT / declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
packages/server/src/routes/settings.ts:404
high Security checks quality Quality conf 0.80 ✓ Repobility Express PUT / has no auth
Express route PUT / declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
packages/server/src/routes/network-binding.ts:74
high Security checks quality Quality conf 0.80 ✓ Repobility Express PUT /relay has no auth
Express route PUT /relay declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
packages/server/src/remote-access/routes.ts:155
high Security checks quality Quality conf 0.80 ✓ Repobility Express PUT /remote-executors has no auth
Express route PUT /remote-executors declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
packages/server/src/routes/settings.ts:765
high Security checks software dependencies conf 0.88 2 occurrences fast-uri: GHSA-q3j6-qgpj-74h6
fast-uri vulnerable to path traversal via percent-encoded dot segments
2 files, 2 locations
pnpm-lock.yaml
site/package-lock.json
high Security checks software dependencies conf 0.88 2 occurrences fast-uri: GHSA-v39h-62p7-jpjc
fast-uri vulnerable to host confusion via percent-encoded authority delimiters
2 files, 2 locations
pnpm-lock.yaml
site/package-lock.json
high Security checks software dependencies conf 0.88 fxhash: RUSTSEC-2025-0057
fxhash - no longer maintained
packages/mobile/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 fxhash: RUSTSEC-2025-0057
fxhash - no longer maintained
packages/desktop/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 gdk-sys: RUSTSEC-2024-0418
gtk-rs GTK3 bindings - no longer maintained
packages/mobile/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 gdk-sys: RUSTSEC-2024-0418
gtk-rs GTK3 bindings - no longer maintained
packages/desktop/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 gdk: RUSTSEC-2024-0412
gtk-rs GTK3 bindings - no longer maintained
packages/mobile/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 gdk: RUSTSEC-2024-0412
gtk-rs GTK3 bindings - no longer maintained
packages/desktop/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 gdkwayland-sys: RUSTSEC-2024-0411
gtk-rs GTK3 bindings - no longer maintained
packages/mobile/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 gdkwayland-sys: RUSTSEC-2024-0411
gtk-rs GTK3 bindings - no longer maintained
packages/desktop/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 gdkx11-sys: RUSTSEC-2024-0414
gtk-rs GTK3 bindings - no longer maintained
packages/mobile/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 gdkx11-sys: RUSTSEC-2024-0414
gtk-rs GTK3 bindings - no longer maintained
packages/desktop/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 gdkx11: RUSTSEC-2024-0417
gtk-rs GTK3 bindings - no longer maintained
packages/mobile/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 gdkx11: RUSTSEC-2024-0417
gtk-rs GTK3 bindings - no longer maintained
packages/desktop/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 glib: RUSTSEC-2024-0429
Unsoundness in `Iterator` and `DoubleEndedIterator` impls for `glib::VariantStrIter`
packages/desktop/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5005
Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5006
Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5013
Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5014
Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5015
Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5016
Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5017
Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5018
Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5019
Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5020
Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5021
Invoking auth bypass via unenforced @revoked status in golang.org/x/crypto/ssh/knownhosts
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5023
Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5033
Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/net: GO-2026-4559
Sending certain HTTP/2 frames can cause a server to panic in golang.org/x/net
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/net: GO-2026-4918
Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/net: GO-2026-5025
Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/net: GO-2026-5026
Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/net: GO-2026-5027
Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/net: GO-2026-5028
Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/net: GO-2026-5029
Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/net: GO-2026-5030
Invoking duplicate attributes can cause XSS in golang.org/x/net/html
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/sys: GO-2026-5024
Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 gtk-sys: RUSTSEC-2024-0420
gtk-rs GTK3 bindings - no longer maintained
packages/mobile/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 gtk-sys: RUSTSEC-2024-0420
gtk-rs GTK3 bindings - no longer maintained
packages/desktop/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 gtk3-macros: RUSTSEC-2024-0419
gtk-rs GTK3 bindings - no longer maintained
packages/mobile/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 gtk3-macros: RUSTSEC-2024-0419
gtk-rs GTK3 bindings - no longer maintained
packages/desktop/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 gtk: RUSTSEC-2024-0415
gtk-rs GTK3 bindings - no longer maintained
packages/mobile/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 gtk: RUSTSEC-2024-0415
gtk-rs GTK3 bindings - no longer maintained
packages/desktop/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 h3: GHSA-22cc-p3c6-wpvm
h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields
site/package-lock.json
high Security checks software dependencies conf 0.88 lodash: GHSA-r5fr-rjxr-66jc
lodash vulnerable to Code Injection via `_.template` imports key names
site/package-lock.json
high Security checks software dependencies conf 0.88 openssl: GHSA-8c75-8mhr-p7r9
rust-openssl has incorrect bounds assertion in aes key wrap
packages/desktop/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 openssl: GHSA-ghm9-cr32-g9qj
rust-openssl: rustMdCtxRef::digest_final() writes past caller buffer with no length check
packages/desktop/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 openssl: GHSA-hppc-g8h3-xhp3
rust-openssl: Unchecked callback length in PSK/cookie trampolines leaks adjacent memory to peer
packages/desktop/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 openssl: GHSA-pqf5-4pqq-29f5
rust-openssl: Deriver::derive and PkeyCtxRef::derive can overflow short buffers on OpenSSL 1.1.1
packages/desktop/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 openssl: GHSA-xp3w-r5p5-63rr
rust-openssl has undefined behavior in X509Ref::ocsp_responders for certificates with non-UTF-8 OCSP URLs
packages/desktop/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 2 occurrences picomatch: GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers
2 files, 2 locations
pnpm-lock.yaml
site/package-lock.json
high Security checks software dependencies conf 0.88 proc-macro-error: RUSTSEC-2024-0370
proc-macro-error is unmaintained
packages/mobile/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 proc-macro-error: RUSTSEC-2024-0370
proc-macro-error is unmaintained
packages/desktop/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 quinn-proto: RUSTSEC-2026-0037
Denial of service in Quinn endpoints
packages/desktop/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 rand: RUSTSEC-2026-0097
Rand is unsound with a custom logger using `rand::rng()`
packages/desktop/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 react-router: GHSA-49rj-9fvp-4h2h
React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 react-router: GHSA-8646-j5j9-6r62
React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 react-router: GHSA-8x6r-g9mw-2r78
React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 react-router: GHSA-rxv8-25v2-qmq8
React Router vulnerable to Denial of Service via reflected user input in single-fetch
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 rustls-webpki: RUSTSEC-2026-0049
CRLs not considered authoritative by Distribution Point due to faulty matching logic
packages/desktop/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 rustls-webpki: RUSTSEC-2026-0098
Name constraints for URI names were incorrectly accepted
packages/desktop/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 rustls-webpki: RUSTSEC-2026-0099
Name constraints were accepted for certificates asserting a wildcard name
packages/desktop/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 rustls-webpki: RUSTSEC-2026-0104
Reachable panic in certificate revocation list parsing
packages/desktop/src-tauri/Cargo.lock
high Security checks security auth conf 0.83 3 occurrences Secret-like setting is echoed into a password input value
Settings screens sometimes render API keys, tokens, or passwords back into HTML/JSX password fields. That still exposes the secret to page source, browser extensions, screenshots, and DOM scraping.
3 files, 3 locations
packages/client/src/components/RemoteAccessSetup.tsx:535
packages/client/src/pages/DirectLoginPage.tsx:173
packages/client/src/pages/LoginPage.tsx:105
high Security checks software dependencies conf 0.88 serial: RUSTSEC-2017-0008
`serial` crate is unmaintained
packages/desktop/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 stdlib: GO-2025-3955
CrossOriginProtection insecure bypass patterns not limited to exact matches in net/http
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4006
Excessive CPU consumption in ParseAddress in net/mail
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4007
Quadratic complexity when checking name constraints in crypto/x509
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4008
ALPN negotiation error contains attacker controlled information in crypto/tls
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4009
Quadratic complexity when parsing some invalid inputs in encoding/pem
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4010
Insufficient validation of bracketed IPv6 hostnames in net/url
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4011
Parsing DER payload can cause memory exhaustion in encoding/asn1
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4012
Lack of limit when parsing cookies can cause memory exhaustion in net/http
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4013
Panic when validating certificates with DSA public keys in crypto/x509
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4014
Unbounded allocation when parsing GNU sparse map in archive/tar
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4015
Excessive CPU consumption in Reader.ReadResponse in net/textproto
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4155
Excessive resource consumption when printing error string for host certificate validation in crypto/x509
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4175
Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4337
Unexpected session resumption in crypto/tls
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4340
Handshake messages may be processed at the incorrect encryption level in crypto/tls
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4341
Memory exhaustion in query parameter parsing in net/url
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4342
Excessive CPU consumption when building archive index in archive/zip
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4601
Incorrect parsing of IPv6 host literals in net/url
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4602
FileInfo can escape from a Root in os
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4603
URLs in meta content attribute actions are not escaped in html/template
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4864
TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4865
JsBraceDepth Context Tracking Bugs (XSS) in html/template
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4869
Unbounded allocation for old GNU sparse in archive/tar
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4870
Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection retention and DoS in crypto/tls
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4918
Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4946
Inefficient policy validation in crypto/x509
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4947
Unexpected work during chain building in crypto/x509
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4971
Panic in Dial and LookupPort when handling NUL byte on Windows in net
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4976
ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4977
Quadratic string concatenation in consumePhrase in net/mail
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4980
Escaper bypass leads to XSS in html/template
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4981
Crash when handling long CNAME response in net
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4982
Bypass of meta content URL escaping causes XSS in html/template
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4986
Quadratic string concatenation in consumeComment in net/mail
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-5037
Inefficient candidate hostname parsing in crypto/x509
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-5038
Quadratic complexity in WordDecoder.DecodeHeader in mime
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-5039
Arbitrary inputs are included in errors without any escaping in net/textproto
packages/device-bridge/go.mod
high Security checks software dependencies conf 0.88 svgo: GHSA-xpqw-6gx7-v673
SVGO DoS through entity expansion in DOCTYPE (Billion Laughs)
site/package-lock.json
high Security checks software dependencies conf 0.88 tar: RUSTSEC-2026-0067
`unpack_in` can chmod arbitrary directories by following symlinks
packages/desktop/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 tar: RUSTSEC-2026-0068
tar-rs incorrectly ignores PAX size headers if header size is nonzero
packages/desktop/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 undici: GHSA-f269-vfmq-vjvj
Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client
sharing-worker/package-lock.json
high Security checks software dependencies conf 0.88 undici: GHSA-v9p9-hfj2-hcw8
Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation
sharing-worker/package-lock.json
high Security checks software dependencies conf 0.88 undici: GHSA-vrm6-8vpv-qv8q
Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression
sharing-worker/package-lock.json
high Security checks software dependencies conf 0.88 unic-char-property: RUSTSEC-2025-0081
`unic-char-property` is unmaintained
packages/mobile/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 unic-char-property: RUSTSEC-2025-0081
`unic-char-property` is unmaintained
packages/desktop/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 unic-char-range: RUSTSEC-2025-0075
`unic-char-range` is unmaintained
packages/mobile/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 unic-char-range: RUSTSEC-2025-0075
`unic-char-range` is unmaintained
packages/desktop/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 unic-common: RUSTSEC-2025-0080
`unic-common` is unmaintained
packages/mobile/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 unic-common: RUSTSEC-2025-0080
`unic-common` is unmaintained
packages/desktop/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 unic-ucd-ident: RUSTSEC-2025-0100
`unic-ucd-ident` is unmaintained
packages/mobile/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 unic-ucd-ident: RUSTSEC-2025-0100
`unic-ucd-ident` is unmaintained
packages/desktop/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 unic-ucd-version: RUSTSEC-2025-0098
`unic-ucd-version` is unmaintained
packages/mobile/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 unic-ucd-version: RUSTSEC-2025-0098
`unic-ucd-version` is unmaintained
packages/desktop/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 2 occurrences vite: GHSA-p9ff-h696-f583
Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket
2 files, 2 locations
pnpm-lock.yaml
site/package-lock.json
high Security checks software dependencies conf 0.88 vite: GHSA-v2wj-q39q-566r
Vite: `server.fs.deny` bypassed with queries
pnpm-lock.yaml
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/projects (packages/server/test/api/projects.test.ts:36)
`packages/server/test/api/projects.test.ts:36` calls `GET /api/projects` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/projects` If this points at an external API, prefix it with `https://` so the matcher …
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/projects (packages/server/test/api/projects.test.ts:50)
`packages/server/test/api/projects.test.ts:50` calls `GET /api/projects` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/projects` If this points at an external API, prefix it with `https://` so the matcher …
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/projects (packages/server/test/api/projects.test.ts:67)
`packages/server/test/api/projects.test.ts:67` calls `GET /api/projects` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/projects` If this points at an external API, prefix it with `https://` so the matcher …
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/projects (packages/server/test/session-filtering.test.ts:108)
`packages/server/test/session-filtering.test.ts:108` calls `GET /api/projects` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/projects` If this points at an external API, prefix it with `https://` so the ma…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/projects/${projectId}/files (packages/server/test/api/files.test.ts:271)
`packages/server/test/api/files.test.ts:271` calls `GET /api/projects/${projectId}/files` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/projects/<p>/files` If this points at an external API, prefix it with…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/projects/unknown-id (packages/server/test/api/projects.test.ts:80)
`packages/server/test/api/projects.test.ts:80` calls `GET /api/projects/unknown-id` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/projects/unknown-id` If this points at an external API, prefix it with `htt…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/projects/unknown-id/sessions (packages/server/test/api/projects.test.ts:92)
`packages/server/test/api/projects.test.ts:92` calls `GET /api/projects/unknown-id/sessions` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/projects/unknown-id/sessions` If this points at an external API, p…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/sessions/unknown/pending-input (packages/server/test/api/sessions.test.ts:341)
`packages/server/test/api/sessions.test.ts:341` calls `GET /api/sessions/unknown/pending-input` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/sessions/unknown/pending-input` If this points at an external A…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/version (packages/client/src/components/ErrorBoundary.tsx:49)
`packages/client/src/components/ErrorBoundary.tsx:49` calls `GET /api/version` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/version` If this points at an external API, prefix it with `https://` so the matcher skip…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /auth/status (packages/client/src/contexts/RemoteConnectionContext.tsx:365)
`packages/client/src/contexts/RemoteConnectionContext.tsx:365` calls `GET /auth/status` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/auth/status` If this points at an external API, prefix it with `https://` so the…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /auth/status (packages/client/src/contexts/RemoteConnectionContext.tsx:404)
`packages/client/src/contexts/RemoteConnectionContext.tsx:404` calls `GET /auth/status` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/auth/status` If this points at an external API, prefix it with `https://` so the…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /auth/status (packages/client/src/contexts/RemoteConnectionContext.tsx:545)
`packages/client/src/contexts/RemoteConnectionContext.tsx:545` calls `GET /auth/status` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/auth/status` If this points at an external API, prefix it with `https://` so the…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /auth/status (packages/client/src/contexts/RemoteConnectionContext.tsx:713)
`packages/client/src/contexts/RemoteConnectionContext.tsx:713` calls `GET /auth/status` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/auth/status` If this points at an external API, prefix it with `https://` so the…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /inspector (packages/server/test/maintenance/server.test.ts:168)
`packages/server/test/maintenance/server.test.ts:168` calls `GET /inspector` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/inspector` If this points at an external API, prefix it with `https://` so the matcher skip…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /log/level (packages/server/test/maintenance/server.test.ts:84)
`packages/server/test/maintenance/server.test.ts:84` calls `GET /log/level` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/log/level` If this points at an external API, prefix it with `https://` so the matcher skips…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /nonexistent (packages/server/test/maintenance/server.test.ts:221)
`packages/server/test/maintenance/server.test.ts:221` calls `GET /nonexistent` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/nonexistent` If this points at an external API, prefix it with `https://` so the matcher …
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /proj-1/sessions (packages/server/test/routes/projects.test.ts:66)
`packages/server/test/routes/projects.test.ts:66` calls `GET /proj-1/sessions` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/proj-1/sessions` If this points at an external API, prefix it with `https://` so…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET /proxy/debug (packages/server/test/maintenance/server.test.ts:135)
`packages/server/test/maintenance/server.test.ts:135` calls `GET /proxy/debug` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/proxy/debug` If this points at an external API, prefix it with `https://` so the matcher …
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /stats${queryString} (packages/server/test/routes/global-sessions.test.ts:179)
`packages/server/test/routes/global-sessions.test.ts:179` calls `GET /stats${queryString}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/stats/<p>` If this points at an external API, prefix it with `https:…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:${relay.port}/stats (packages/relay/test/e2e/relay.e2e.test.ts:289)
`packages/relay/test/e2e/relay.e2e.test.ts:289` calls `GET http://localhost:${relay.port}/stats` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/localhost:/<p>/stats` If this points at an external API, prefix i…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET http://localhost:${relay.port}/status (packages/relay/test/e2e/relay.e2e.test.ts:240)
`packages/relay/test/e2e/relay.e2e.test.ts:240` calls `GET http://localhost:${relay.port}/status` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/localhost:/<p>/status` If this points at an external API, prefix…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /${secret}/viewers/viewer-one (packages/server/test/routes/public-shares.test.ts:125)
`packages/server/test/routes/public-shares.test.ts:125` calls `POST /${secret}/viewers/viewer-one` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/<p>/viewers/viewer-one` If this points at an external API, p…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/projects/${projectId}/sessions/sess-123/resume (packages/server/test/api/sessions.test.ts:192)
`packages/server/test/api/sessions.test.ts:192` calls `POST /api/projects/${projectId}/sessions/sess-123/resume` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/projects/<p>/sessions/sess-123/resume` If this…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/projects/${projectId}/sessions/sess-123/resume (packages/server/test/api/sessions.test.ts:230)
`packages/server/test/api/sessions.test.ts:230` calls `POST /api/projects/${projectId}/sessions/sess-123/resume` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/projects/<p>/sessions/sess-123/resume` If this…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/projects/${projectId}/sessions/sess-123/resume (packages/server/test/api/sessions.test.ts:254)
`packages/server/test/api/sessions.test.ts:254` calls `POST /api/projects/${projectId}/sessions/sess-123/resume` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/projects/<p>/sessions/sess-123/resume` If this…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/projects/${projectId}/sessions/sess-123/resume (packages/server/test/api/sessions.test.ts:275)
`packages/server/test/api/sessions.test.ts:275` calls `POST /api/projects/${projectId}/sessions/sess-123/resume` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/projects/<p>/sessions/sess-123/resume` If this…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/projects/${projectId}/sessions/sess-123/resume (packages/server/test/api/sessions.test.ts:296)
`packages/server/test/api/sessions.test.ts:296` calls `POST /api/projects/${projectId}/sessions/sess-123/resume` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/projects/<p>/sessions/sess-123/resume` If this…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/projects/unknown/sessions (packages/server/test/api/sessions.test.ts:77)
`packages/server/test/api/sessions.test.ts:77` calls `POST /api/projects/unknown/sessions` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/projects/unknown/sessions` If this points at an external API, prefix…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/projects/unknown/sessions/sess-123/resume (packages/server/test/api/sessions.test.ts:212)
`packages/server/test/api/sessions.test.ts:212` calls `POST /api/projects/unknown/sessions/sess-123/resume` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/projects/unknown/sessions/sess-123/resume` If this …
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/sessions/unknown/input (packages/server/test/api/sessions.test.ts:353)
`packages/server/test/api/sessions.test.ts:353` calls `POST /api/sessions/unknown/input` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/sessions/unknown/input` If this points at an external API, prefix it w…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/sessions/unknown/messages (packages/server/test/api/sessions.test.ts:322)
`packages/server/test/api/sessions.test.ts:322` calls `POST /api/sessions/unknown/messages` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/sessions/unknown/messages` If this points at an external API, prefi…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/speech/transcribe (packages/server/test/routes/speech.test.ts:109)
`packages/server/test/routes/speech.test.ts:109` calls `POST /api/speech/transcribe` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/speech/transcribe` If this points at an external API, prefix it with `http…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/speech/transcribe (packages/server/test/routes/speech.test.ts:131)
`packages/server/test/routes/speech.test.ts:131` calls `POST /api/speech/transcribe` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/speech/transcribe` If this points at an external API, prefix it with `http…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /projects/${project.id}/sessions/sess-1/restart (packages/server/test/routes/sessions-metadata.test.ts:1099)
`packages/server/test/routes/sessions-metadata.test.ts:1099` calls `POST /projects/${project.id}/sessions/sess-1/restart` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/projects/<p>/sessions/sess-1/restart`…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /projects/${project.id}/sessions/sess-1/restart (packages/server/test/routes/sessions-metadata.test.ts:1222)
`packages/server/test/routes/sessions-metadata.test.ts:1222` calls `POST /projects/${project.id}/sessions/sess-1/restart` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/projects/<p>/sessions/sess-1/restart`…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /projects/${project.id}/sessions/sess-1/restart (packages/server/test/routes/sessions-metadata.test.ts:1317)
`packages/server/test/routes/sessions-metadata.test.ts:1317` calls `POST /projects/${project.id}/sessions/sess-1/restart` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/projects/<p>/sessions/sess-1/restart`…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /projects/${project.id}/sessions/sess-1/restart (packages/server/test/routes/sessions-metadata.test.ts:1433)
`packages/server/test/routes/sessions-metadata.test.ts:1433` calls `POST /projects/${project.id}/sessions/sess-1/restart` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/projects/<p>/sessions/sess-1/restart`…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /projects/${project.id}/sessions/sess-1/restart (packages/server/test/routes/sessions-metadata.test.ts:1574)
`packages/server/test/routes/sessions-metadata.test.ts:1574` calls `POST /projects/${project.id}/sessions/sess-1/restart` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/projects/<p>/sessions/sess-1/restart`…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /projects/${project.id}/sessions/sess-1/restart (packages/server/test/routes/sessions-metadata.test.ts:1655)
`packages/server/test/routes/sessions-metadata.test.ts:1655` calls `POST /projects/${project.id}/sessions/sess-1/restart` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/projects/<p>/sessions/sess-1/restart`…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /projects/${project.id}/sessions/sess-1/resume (packages/server/test/routes/sessions-metadata.test.ts:858)
`packages/server/test/routes/sessions-metadata.test.ts:858` calls `POST /projects/${project.id}/sessions/sess-1/resume` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/projects/<p>/sessions/sess-1/resume` If…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /projects/${project.id}/sessions/sess-1/resume (packages/server/test/routes/sessions-metadata.test.ts:953)
`packages/server/test/routes/sessions-metadata.test.ts:953` calls `POST /projects/${project.id}/sessions/sess-1/resume` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/projects/<p>/sessions/sess-1/resume` If…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /projects/${projectId}/sessions/source-session/clone (packages/server/test/routes/sessions-clone-codex.test.ts:135)
`packages/server/test/routes/sessions-clone-codex.test.ts:135` calls `POST /projects/${projectId}/sessions/source-session/clone` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/projects/<p>/sessions/source-s…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /projects/${projectId}/sessions/source-session/clone (packages/server/test/routes/sessions-clone-codex.test.ts:176)
`packages/server/test/routes/sessions-clone-codex.test.ts:176` calls `POST /projects/${projectId}/sessions/source-session/clone` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/projects/<p>/sessions/source-s…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /projects/${projectId}/sessions/source-session/clone (packages/server/test/routes/sessions-clone-codex.test.ts:96)
`packages/server/test/routes/sessions-clone-codex.test.ts:96` calls `POST /projects/${projectId}/sessions/source-session/clone` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/projects/<p>/sessions/source-se…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /sessions/sess-1/deferred/temp-edit/edit (packages/server/test/routes/sessions-metadata.test.ts:269)
`packages/server/test/routes/sessions-metadata.test.ts:269` calls `POST /sessions/sess-1/deferred/temp-edit/edit` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/sessions/sess-1/deferred/temp-edit/edit` If t…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /sessions/sess-1/deferred/temp-edit/edit/release (packages/server/test/routes/sessions-metadata.test.ts:312)
`packages/server/test/routes/sessions-metadata.test.ts:312` calls `POST /sessions/sess-1/deferred/temp-edit/edit/release` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/sessions/sess-1/deferred/temp-edit/ed…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /sessions/sess-1/messages (packages/server/test/routes/sessions-metadata.test.ts:1006)
`packages/server/test/routes/sessions-metadata.test.ts:1006` calls `POST /sessions/sess-1/messages` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/sessions/sess-1/messages` If this points at an external API…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /sessions/sess-1/messages (packages/server/test/routes/sessions-metadata.test.ts:125)
`packages/server/test/routes/sessions-metadata.test.ts:125` calls `POST /sessions/sess-1/messages` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/sessions/sess-1/messages` If this points at an external API,…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /sessions/sess-1/messages (packages/server/test/routes/sessions-metadata.test.ts:206)
`packages/server/test/routes/sessions-metadata.test.ts:206` calls `POST /sessions/sess-1/messages` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/sessions/sess-1/messages` If this points at an external API,…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST /sessions/sess-1/messages (packages/server/test/routes/sessions-metadata.test.ts:357)
`packages/server/test/routes/sessions-metadata.test.ts:357` calls `POST /sessions/sess-1/messages` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/sessions/sess-1/messages` If this points at an external API,…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST http://127.0.0.1:${this.port}/shutdown (packages/server/src/device/DeviceBridgeService.ts:987)
`packages/server/src/device/DeviceBridgeService.ts:987` calls `POST http://127.0.0.1:${this.port}/shutdown` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:/<p>/shutdown` If this points at an external…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST http://192.168.1.139/login (packages/server/test/auth/AuthRoutes.test.ts:130)
`packages/server/test/auth/AuthRoutes.test.ts:130` calls `POST http://192.168.1.139/login` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/http:/192.168.1.139/login` If this points at an external API, prefix…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: POST https://example.com/login (packages/server/test/auth/AuthRoutes.test.ts:146)
`packages/server/test/auth/AuthRoutes.test.ts:146` calls `POST https://example.com/login` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/https:/example.com/login` If this points at an external API, prefix i…
Dangling fetch · Helper:request
high System graph api Wiring conf 1.00 Dangling fetch: PUT /log/level (packages/server/test/maintenance/server.test.ts:113)
`packages/server/test/maintenance/server.test.ts:113` calls `PUT /log/level` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/log/level` If this points at an external API, prefix it with `https://` so the matcher skip…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: PUT /log/level (packages/server/test/maintenance/server.test.ts:124)
`packages/server/test/maintenance/server.test.ts:124` calls `PUT /log/level` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/log/level` If this points at an external API, prefix it with `https://` so the matcher skip…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: PUT /log/level (packages/server/test/maintenance/server.test.ts:97)
`packages/server/test/maintenance/server.test.ts:97` calls `PUT /log/level` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/log/level` If this points at an external API, prefix it with `https://` so the matcher skips…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: PUT /proxy/debug (packages/server/test/maintenance/server.test.ts:145)
`packages/server/test/maintenance/server.test.ts:145` calls `PUT /proxy/debug` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/proxy/debug` If this points at an external API, prefix it with `https://` so the matcher …
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: PUT /proxy/debug (packages/server/test/maintenance/server.test.ts:157)
`packages/server/test/maintenance/server.test.ts:157` calls `PUT /proxy/debug` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/proxy/debug` If this points at an external API, prefix it with `https://` so the matcher …
Dangling fetch · Fetch
high System graph security security conf 1.00 Insecure pattern 'eval_used' in packages/mobile/src-tauri/src/lib.rs:22
Found a known-risky pattern (eval_used). Review and replace if possible.
packages/mobile/src-tauri/src/lib.rs:22 Eval used
medium Security checks software dependencies conf 0.88 @hono/node-server: GHSA-92pp-h63x-v22m
@hono/node-server: Middleware bypass via repeated slashes in serveStatic
pnpm-lock.yaml
medium Security checks quality Error handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
packages/client/src/pages/settings/AboutSettings.tsx:67
medium Security checks software Open redirect conf 1.00 [SEC046] Client-side open redirect — window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). Complement to server-side SEC030.
Validate the URL is same-origin or on an explicit allowlist before assignment: const u = new URL(serverUrl, location.href); if (u.origin !== location.origin && !ALLOWED.includes(u.host)) return; location.assign(u); Even better: have the server return a path (/checkout/done) instead of a full …
packages/desktop/src/main/MainLayout.tsx:74
medium Security checks cicd CI/CD security conf 0.68 Agent auto-approve or skip-permissions mode is easy to enable
Codex/agent auto-approve, YOLO, or skip-permissions modes can be useful in isolated automation, but they remove the human checkpoint before command execution, network access, and file edits.
docs/research/subscription-access-approaches.md:44 · Tags: CI/CD security, agent runtime, permissions
medium Security checks cicd CI/CD security conf 0.68 Agent auto-approve or skip-permissions mode is easy to enable
Codex/agent auto-approve, YOLO, or skip-permissions modes can be useful in isolated automation, but they remove the human checkpoint before command execution, network access, and file edits.
docs/competitive/emdash.md:42 · Tags: CI/CD security, agent runtime, permissions
high Security checks quality Quality conf 0.72 Agent control bridge may listen on a network interface without visible auth
Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN.
packages/server/src/routes/server-info.ts:17
high Security checks quality Quality conf 0.72 Agent control bridge may listen on a network interface without visible auth
Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN.
packages/server/src/cli.ts:85
medium Security checks software dependencies conf 0.88 astro: GHSA-j687-52p2-xcff
Astro: XSS in define:vars via incomplete </script> tag sanitization
site/package-lock.json
low Security checks quality Error handling conf 0.55 ✓ Repobility 2 occurrences Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
lines 45, 87
packages/server/src/services/voice/whisper_worker.py:45, 87 (2 hits)
Tags: Error handling, quality
medium Security checks quality Quality conf 0.73 3 occurrences Codex session log reader may expose prompts or tool-call content
Codex session JSONL files can contain prompts, tool events, paths, and operational metadata, not only token counts. Token dashboards and exporters should avoid retaining or sharing raw session text.
3 files, 3 locations
packages/server/src/indexes/SessionIndexService.ts:84
packages/server/src/projects/paths.ts:26
packages/server/src/projects/scanner.ts:19
medium Security checks software dependencies conf 0.88 devalue: GHSA-cfw5-2vxh-hr84
devalue has prototype pollution in devalue.parse and devalue.unflatten
site/package-lock.json
medium Security checks cicd CI/CD security conf 0.90 Docker build context has no .dockerignore
Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts.
.dockerignore · Tags: CI/CD security, containers
medium Security checks software dependencies conf 0.88 esbuild: GHSA-67mh-4wv8-2f99
esbuild enables any website to send any requests to the development server and read the response
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 follow-redirects: GHSA-r4q5-vmmm-2653
follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 h3: GHSA-4hxc-9384-m385
h3: SSE Event Injection via Unsanitized Carriage Return (`\r`) in EventStream Data and Comment Fields (Bypass of CVE Fix)
site/package-lock.json
medium Security checks software dependencies conf 0.88 h3: GHSA-72gr-qfp7-vwhw
h3: Double Decoding in `serveStatic` Bypasses `resolveDotSegments` Path Traversal Protection via `%252e%252e`
site/package-lock.json
medium Security checks software dependencies conf 0.88 h3: GHSA-wr4h-v87w-p3r7
h3 has a Path Traversal via Percent-Encoded Dot Segments in serveStatic Allows Arbitrary File Read
site/package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-26pp-8wgv-hjvm
Hono missing validation of cookie name on write path in setCookie()
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 hono: GHSA-2gcr-mfcq-wcc3
Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 hono: GHSA-3hrh-pfw6-9m5x
Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 hono: GHSA-458j-xx4x-4375
hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 hono: GHSA-69xw-7hcm-h432
hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 hono: GHSA-9vqf-7f2p-gf9v
Hono: bodyLimit() can be bypassed for chunked / unknown-length requests
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 hono: GHSA-f577-qrjj-4474
Hono: JWT middleware accepts any Authorization scheme, not only Bearer
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 hono: GHSA-p77w-8qqv-26rm
Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 hono: GHSA-qp7p-654g-cw7p
Hono has CSS Declaration Injection via Style Object Values in JSX SSR
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 hono: GHSA-r5rp-j6wh-rvv4
Hono: Non-breaking space prefix bypass in cookie name handling in getCookie()
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 hono: GHSA-wmmm-f939-6g9c
Hono: Middleware bypass via repeated slashes in serveStatic
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 hono: GHSA-xf4j-xp2r-rqqx
Hono: Path traversal in toSSG() allows writing files outside the output directory
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 hono: GHSA-xpcf-pg52-r92g
Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 hono: GHSA-xrhx-7g5j-rcj5
Hono: IP Restriction bypasses static deny rules for non-canonical IPv6
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 ip-address: GHSA-v2v4-37r5-5v8g
ip-address has XSS in Address6 HTML-emitting methods
pnpm-lock.yaml
high Security checks quality Quality conf 0.80 7 occurrences localStorage write failures are swallowed silently
localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota.
7 files, 7 locations
packages/client/src/components/CodexUpdatePrompt.tsx:19
packages/client/src/contexts/RemoteConnectionContext.tsx:169
packages/client/src/hooks/useDraftPersistence.ts:27
packages/client/src/hooks/useDrafts.ts:163
packages/client/src/hooks/useRemoteCompatibilityNoticeDismissals.ts:27
packages/client/src/hooks/useSession.ts:338
packages/client/src/lib/hostStorage.ts:59
medium Security checks software dependencies conf 0.88 lodash: GHSA-f23m-r3pf-42rh
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
site/package-lock.json
medium Security checks software dependencies conf 0.88 lodash: GHSA-xxjr-mmjv-4gpg
Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions
site/package-lock.json
medium Security checks software dependencies conf 0.90 npm package `@hono/node-server` is 1 major version(s) behind (^1.19.9 -> 2.0.4)
`@hono/node-server` is pinned/resolved at ^1.19.9 but the latest stable release on the npm registry is 2.0.4 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
packages/server/package.json
medium Security checks software dependencies conf 0.90 npm package `diff` is 1 major version(s) behind (8.0.3 -> 9.0.0)
`diff` is pinned/resolved at 8.0.3 but the latest stable release on the npm registry is 9.0.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
packages/server/package.json
medium Security checks software dependencies conf 0.90 npm package `marked` is 1 major version(s) behind (^17.0.1 -> 18.0.5)
`marked` is pinned/resolved at ^17.0.1 but the latest stable release on the npm registry is 18.0.5 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
packages/server/package.json
medium Security checks software dependencies conf 0.90 npm package `shiki` is 1 major version(s) behind (3.23.0 -> 4.2.0)
`shiki` is pinned/resolved at 3.23.0 but the latest stable release on the npm registry is 4.2.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
packages/server/package.json
medium Security checks software dependencies conf 0.88 openssl: GHSA-phqj-4mhp-q6mq
rust-openssl: Potential out-of-bounds write in `CipherCtxRef::cipher_update_inplace` for AES-KW-PAD ciphers
packages/desktop/src-tauri/Cargo.lock
medium Security checks software dependencies conf 0.88 openssl: GHSA-xv59-967r-8726
rust-openssl vulnerable to heap buffer overflow when encrypting with AES key-wrap-with-padding
packages/desktop/src-tauri/Cargo.lock
medium Security checks software dependencies conf 0.88 2 occurrences picomatch: GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
2 files, 2 locations
pnpm-lock.yaml
site/package-lock.json
medium Security checks software dependencies conf 0.88 2 occurrences postcss: GHSA-qx2v-qp2m-jg93
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
2 files, 2 locations
pnpm-lock.yaml
site/package-lock.json
medium Security checks quality Quality conf 0.70 Public web app has no Content Security Policy
A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox.
index.html
medium Security checks quality Quality conf 0.78 Public web service has no security.txt
security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt.
.well-known/security.txt
medium Security checks software dependencies conf 0.88 qs: GHSA-q8mj-m7cp-5q26
qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 react-router: GHSA-2j2x-hqr9-3h42
React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 react-router: GHSA-f22v-gfqf-p8f3
React Router has stored XSS via unescaped Location header in prerendered redirect HTML
pnpm-lock.yaml
high Security checks software dependencies conf 0.70 Remote install command pipes network code directly to a shell
Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified.
packages/server/src/index.ts:212
high Security checks software dependencies conf 0.70 Remote install command pipes network code directly to a shell
Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified.
docs/archive/claude-anywhere-vision.md:299
medium Security checks software dependencies conf 0.88 smol-toml: GHSA-v3rj-xjv7-4jmq
smol-toml: Denial of Service via TOML documents containing thousands of consecutive commented lines
site/package-lock.json
medium Security checks software dependencies conf 0.88 tar: GHSA-3pv8-6f4r-ffg2
tar has a PAX header desynchronization issue
packages/desktop/src-tauri/Cargo.lock
medium Security checks software dependencies conf 0.88 tauri: GHSA-7gmj-67g7-phm9
Tauri has an Origin Confusion Issue that Allows Remote Pages to Invoke Local-Only IPC Commands
packages/desktop/src-tauri/Cargo.lock
medium Security checks software dependencies conf 0.88 undici: GHSA-2mjp-6q6p-2qxm
Undici has an HTTP Request/Response Smuggling issue
sharing-worker/package-lock.json
medium Security checks software dependencies conf 0.88 undici: GHSA-4992-7rv2-5pvq
Undici has CRLF Injection in undici via `upgrade` option
sharing-worker/package-lock.json
medium Security checks software dependencies conf 0.88 undici: GHSA-phc3-fgpg-7m6h
Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS
sharing-worker/package-lock.json
medium Security checks software dependencies conf 0.88 2 occurrences vite: GHSA-4w7w-66w2-5vf9
Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling
2 files, 2 locations
pnpm-lock.yaml
site/package-lock.json
medium Security checks software dependencies conf 0.88 2 occurrences ws: GHSA-58qx-3vcg-4xpx
ws: Uninitialized memory disclosure
2 files, 2 locations
pnpm-lock.yaml
sharing-worker/package-lock.json
medium Security checks software dependencies conf 0.88 yaml: GHSA-48c2-rrv3-qjmp
yaml is vulnerable to Stack Overflow via deeply nested YAML collections
site/package-lock.json
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/client/src/components/blocks/TextBlock.tsx:199
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/client/src/components/FileViewer.tsx:608
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/client/src/components/MarkdownPreview.tsx:161
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/client/src/components/renderers/blocks/TextRenderer.tsx:38
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/client/src/components/renderers/tools/BashOutputRenderer.tsx:58
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/client/src/components/renderers/tools/BashRenderer.tsx:111
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/client/src/components/renderers/tools/EditRenderer.tsx:286
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/client/src/components/renderers/tools/ExitPlanModeRenderer.tsx:25
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/client/src/components/renderers/tools/ReadRenderer.tsx:88
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/client/src/components/renderers/tools/WriteRenderer.tsx:129
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/client/src/components/renderers/tools/WriteStdinRenderer.tsx:156
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/client/src/components/ui/__tests__/FixedFontMathToggle.test.tsx:25
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/client/src/components/ui/AnsiText.tsx:36
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/client/src/contexts/__tests__/RenderModeContext.test.tsx:42
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/client/src/pages/GitStatusPage.tsx:436
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/client/e2e/fixtures.ts:122
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/client/e2e/ws-secure.spec.ts:252
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/client/src/api/client.ts:242
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/client/src/components/LocalMediaModal.tsx:260
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/client/src/components/Sidebar.tsx:426
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/client/src/contexts/RemoteConnectionContext.tsx:365
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/client/src/hooks/useGlobalSessions.ts:101
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/client/src/hooks/useNetworkBinding.ts:81
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/client/src/hooks/useProjects.ts:87
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness



This page is publicly accessible at: https://repobility.com/scan/eda2b2c7-9bb0-4fd6-b7c0-98d81de29a7a/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/eda2b2c7-9bb0-4fd6-b7c0-98d81de29a7a/
