29 of your 185 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 12.76s · analysis 35.72s · 17.1 MB · GitHub API rate-limit (preflight)

chartjs/Chart.js

https://github.com/chartjs/Chart.js · scanned 2026-06-05 08:43 UTC (5 days, 19 hours ago) · 10 languages

332 raw signals (184 security + 148 graph) · 57th percentile · JavaScript · medium (20-100K LoC) · System graph score 83 (lower by 11)


Complete repo analysis

Last scanned 5 days, 19 hours ago · v2 · 219 actionable findings from 2 signal sources. 39 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5

Component             Sub-score   Weight   Contribution
structure_score            85.0     0.15          12.75
security_score             55.0     0.25          13.75
testing_score              85.0     0.20          17.00
documentation_score        64.0     0.15           9.60
practices_score            82.0     0.15          12.30
code_quality               72.9     0.10           7.29
Overall                             1.00           72.7
Active filters: excluding tests
Scan summary: Quality grade B (73/100). Dimensions: security 55, maintainability 85. 184 findings (126 security). 74,647 lines analyzed.

Showing 195 of 219 actionable findings. 258 raw detector signals were grouped into reader-sized issues.

critical Security checks software dependencies conf 0.88 @babel/traverse: GHSA-67hx-6x53-jw92
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
pnpm-lock.yaml
critical Security checks software dependencies conf 0.88 cipher-base: GHSA-cpq7-6gpm-g9rc
cipher-base is missing type checks, leading to hash rewind and passing on crafted data
pnpm-lock.yaml
critical Security checks software dependencies conf 0.88 elliptic: GHSA-vjh7-7g9h-fjfh
Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
pnpm-lock.yaml
critical Security checks software dependencies conf 0.88 form-data: GHSA-fjxv-7rqg-78g4
form-data uses unsafe random function in form-data for choosing boundary
pnpm-lock.yaml
critical Security checks software dependencies conf 0.88 handlebars: GHSA-2w6w-674q-4c4q
Handlebars.js has JavaScript Injection via AST Type Confusion
pnpm-lock.yaml
critical Security checks software dependencies conf 0.88 loader-utils: GHSA-76p3-8jx3-jpfq
Prototype pollution in webpack loader-utils
pnpm-lock.yaml
critical Security checks software dependencies conf 0.88 pbkdf2: GHSA-h7cp-r72f-jxh6
pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos
pnpm-lock.yaml
critical Security checks software dependencies conf 0.88 pbkdf2: GHSA-v62p-rq8g-8h59
pbkdf2 silently disregards Uint8Array input, returning static keys
pnpm-lock.yaml
critical Security checks software dependencies conf 0.88 sha.js: GHSA-95m3-7q98-8xr5
sha.js is missing type checks leading to hash rewind and passing on crafted data
pnpm-lock.yaml
critical Security checks security secrets conf 0.95 Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data.
Gitleaks detected a committed secret or credential pattern.
docs/getting-started/usage.md:152
high Security checks software dependencies conf 0.88 body-parser: GHSA-qwcr-r2fm-qrc7
body-parser vulnerable to denial of service when url encoding is enabled
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 braces: GHSA-grv7-fg5c-xmjg
Uncontrolled resource consumption in braces
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 browserify-sign: GHSA-x9w5-v3q2-3rhw
browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 cross-spawn: GHSA-3xgq-45jj-v275
Regular Expression Denial of Service (ReDoS) in cross-spawn
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 flatted: GHSA-25h7-pfq9-p65f
flatted vulnerable to unbounded recursion DoS in parse() revive phase
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 flatted: GHSA-rf6f-7fwh-wjgh
Prototype Pollution via parse() in NodeJS flatted
pnpm-lock.yaml
medium Security checks cicd CI/CD security conf 0.90 ✓ Repobility 8 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `pnpm/action-setup` pinned to mutable ref `@v4.2.0` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
5 files, 8 locations
.github/workflows/ci.yml:34, 40 (2 hits)
.github/workflows/compressed-size.yml:20, 21 (2 hits)
.github/workflows/release.yml:30, 75 (2 hits)
.github/workflows/deploy-docs.yml:27
.github/workflows/release-drafter.yml:29
CI/CD security · Supply chain · GitHub Actions
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 13 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `actions/checkout` pinned to mutable ref `@v6` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
4 files, 13 locations
.github/workflows/release.yml:29, 31, 60, 74, 76 (6 hits)
.github/workflows/ci.yml:33, 36 (3 hits)
.github/workflows/deploy-docs.yml:26, 29 (3 hits)
.github/workflows/compressed-size.yml:19
CI/CD security · Supply chain · GitHub Actions
high Security checks cicd CI/CD security conf 0.90 ✓ Repobility 3 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `coverallsapp/github-action` pinned to mutable ref `@master` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
lines 86, 96, 111
.github/workflows/ci.yml:86, 96, 111 (3 hits)
CI/CD security · Supply chain · GitHub Actions
high Security checks software dependencies conf 0.88 handlebars: GHSA-3mfm-83xf-c92r
Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 handlebars: GHSA-9cx6-37pm-9jff
Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 handlebars: GHSA-xhpv-hc6g-r9c6
Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 handlebars: GHSA-xjpj-3mr7-gcpf
Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 html-minifier: GHSA-pfq8-rq6v-vf5m
kangax html-minifier REDoS vulnerability
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 http-proxy-middleware: GHSA-c7qv-q95q-8v27
Denial of service in http-proxy-middleware
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 ip: GHSA-2p57-rm9w-gvfp
ip SSRF improper categorization in isPublic
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 json5: GHSA-9c47-m6qq-7p4h
Prototype Pollution in JSON5 via Parse Method
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 launch-editor: GHSA-c27g-q93r-2cwf
launch-editor vulnerable to command injection via the crafted request on Windows
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 lodash.template: GHSA-35jh-r3h4-6jhm
Command Injection in lodash
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 lodash.template: GHSA-r5fr-rjxr-66jc
lodash vulnerable to Code Injection via `_.template` imports key names
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 lodash: GHSA-r5fr-rjxr-66jc
lodash vulnerable to Code Injection via `_.template` imports key names
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 minimatch: GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 minimatch: GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 minimatch: GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 node-forge: GHSA-2328-f5f3-gj25
Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 node-forge: GHSA-554w-wpv2-vw27
node-forge has ASN.1 Unbounded Recursion
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 node-forge: GHSA-5gfm-wpxj-wjgq
node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 node-forge: GHSA-5m6q-g25r-mvwx
Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 node-forge: GHSA-cfm4-qjh2-4765
Improper Verification of Cryptographic Signature in node-forge
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 node-forge: GHSA-ppp5-5v6c-4jwp
Forge has signature forgery in RSA-PKCS due to ASN.1 extra field
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 node-forge: GHSA-q67f-28xg-22rw
Forge has signature forgery in Ed25519 due to missing S > L check
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 node-forge: GHSA-x4jg-mjrx-434g
Improper Verification of Cryptographic Signature in node-forge
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 nth-check: GHSA-rp65-9cf3-cjxr
Inefficient Regular Expression Complexity in nth-check
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 path-to-regexp: GHSA-37ch-88jc-xwx2
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 path-to-regexp: GHSA-9wv6-86v2-598j
path-to-regexp outputs backtracking regular expressions
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 path-to-regexp: GHSA-rhx6-c78j-4q9w
path-to-regexp contains a ReDoS
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 picomatch: GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 rollup: GHSA-gcx4-mw62-g8wm
DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 rollup: GHSA-mw96-cpmx-2vgc
Rollup 4 has Arbitrary File Write via Path Traversal
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 semver: GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 serialize-javascript: GHSA-5c6j-r48x-rmvq
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 socket.io-parser: GHSA-677m-j7p3-52f9
socket.io allows an unbounded number of binary attachments
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 svgo: GHSA-xpqw-6gx7-v673
SVGO DoS through entity expansion in DOCTYPE (Billion Laughs)
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 tmp: GHSA-ph9p-34f9-6g65
tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 webpack-dev-middleware: GHSA-wr3j-pwj9-hqq6
Path traversal in webpack-dev-middleware
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 ws: GHSA-3h5v-q93c-6h6q
ws affected by a DoS when handling a request with many HTTP headers
pnpm-lock.yaml
high System graph cicd CI/CD security conf 1.00 3 occurrences GitHub Action tracks a moving branch
coverallsapp/github-action@master can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
lines 86, 96, 111
.github/workflows/ci.yml:86, 96, 111 (3 hits)
CI/CD security · Supply chain · GitHub Actions
medium Security checks software dependencies conf 0.88 @babel/helpers: GHSA-968p-4wvh-cqc8
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 @babel/runtime: GHSA-968p-4wvh-cqc8
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 ajv: GHSA-2g4f-4pwh-qvx6
ajv has ReDoS when using `$data` option
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 bn.js: GHSA-378v-28hj-76wf
bn.js affected by an infinite loop
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 brace-expansion: GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 ejs: GHSA-ghr5-ch3p-vcr6
ejs lacks certain pollution protection
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 esbuild: GHSA-67mh-4wv8-2f99
esbuild enables any website to send any requests to the development server and read the response
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 express: GHSA-rv95-896h-c2vc
Express.js Open Redirect in malformed URLs
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 follow-redirects: GHSA-r4q5-vmmm-2653
follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 got: GHSA-pfrx-2q88-qq97
Got allows a redirect to a UNIX socket
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 handlebars: GHSA-2qvq-rjwj-gvw9
Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 handlebars: GHSA-7rx3-28cr-v5wh
Handlebars.js has a Prototype Method Access Control Gap via Missing __lookupSetter__ Blocklist Entry
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 highlight.js: GHSA-7wwv-vh3v-89cq
ReDoS vulnerabilities: multiple grammars
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 http-proxy-middleware: GHSA-4www-5p9h-95mh
http-proxy-middleware can call writeBody twice because "else if" is not used
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 http-proxy-middleware: GHSA-9gqv-wp59-fq42
http-proxy-middleware allows fixRequestBody to proceed even if bodyParser has failed
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 js-yaml: GHSA-mh29-5h37-fv8m
js-yaml has prototype pollution in merge (<<)
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 lodash: GHSA-f23m-r3pf-42rh
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 lodash: GHSA-xxjr-mmjv-4gpg
Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 markdown-it: GHSA-6vfc-qv3f-vr6c
Uncontrolled Resource Consumption in markdown-it
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 micromatch: GHSA-952p-6rrq-rcjv
Regular Expression Denial of Service (ReDoS) in micromatch
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 nanoid: GHSA-mwcw-c2x4-8c55
Predictable results in nanoid generation when given non-integer values
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 node-forge: GHSA-2r2c-g63r-vccr
Improper Verification of Cryptographic Signature in `node-forge`
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 node-forge: GHSA-65ch-62r8-g69g
node-forge is vulnerable to ASN.1 OID Integer Truncation
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 node-forge: GHSA-8fr3-hfg3-gpgp
Open Redirect in node-forge
pnpm-lock.yaml
medium Security checks software dependencies conf 0.90 npm package `@rollup/plugin-commonjs` is 6 major version(s) behind (^23.0.2 -> 29.0.3)
`@rollup/plugin-commonjs` is pinned/resolved at ^23.0.2 but the latest stable release on the npm registry is 29.0.3 (6 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PR…
package.json
medium Security checks software dependencies conf 0.90 npm package `@rollup/plugin-json` is 1 major version(s) behind (^5.0.1 -> 6.1.0)
`@rollup/plugin-json` is pinned/resolved at ^5.0.1 but the latest stable release on the npm registry is 6.1.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs rais…
package.json
medium Security checks software dependencies conf 0.90 npm package `@rollup/plugin-node-resolve` is 1 major version(s) behind (^15.0.1 -> 16.0.3)
`@rollup/plugin-node-resolve` is pinned/resolved at ^15.0.1 but the latest stable release on the npm registry is 16.0.3 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-updat…
package.json
medium Security checks software dependencies conf 0.90 npm package `concurrently` is 3 major version(s) behind (^7.3.0 -> 10.0.3)
`concurrently` is pinned/resolved at ^7.3.0 but the latest stable release on the npm registry is 10.0.3 (3 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `cross-env` is 3 major version(s) behind (^7.0.3 -> 10.1.0)
`cross-env` is pinned/resolved at ^7.0.3 but the latest stable release on the npm registry is 10.1.0 (3 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `eslint-plugin-html` is 1 major version(s) behind (^7.1.0 -> 8.1.4)
`eslint-plugin-html` is pinned/resolved at ^7.1.0 but the latest stable release on the npm registry is 8.1.4 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `eslint-plugin-markdown` is 2 major version(s) behind (^3.0.0 -> 5.1.0)
`eslint-plugin-markdown` is pinned/resolved at ^3.0.0 but the latest stable release on the npm registry is 5.1.0 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs r…
package.json
medium Security checks software dependencies conf 0.90 npm package `glob` is 5 major version(s) behind (^8.0.3 -> 13.0.6)
`glob` is pinned/resolved at ^8.0.3 but the latest stable release on the npm registry is 13.0.6 (5 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `jasmine-core` is 3 major version(s) behind (^3.7.1 -> 6.2.0)
`jasmine-core` is pinned/resolved at ^3.7.1 but the latest stable release on the npm registry is 6.2.0 (3 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `jasmine` is 3 major version(s) behind (^3.7.0 -> 6.2.0)
`jasmine` is pinned/resolved at ^3.7.0 but the latest stable release on the npm registry is 6.2.0 (3 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `karma-jasmine-html-reporter` is 1 major version(s) behind (^1.5.4 -> 2.2.0)
`karma-jasmine-html-reporter` is pinned/resolved at ^1.5.4 but the latest stable release on the npm registry is 2.2.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update …
package.json
medium Security checks software dependencies conf 0.90 npm package `karma-jasmine` is 1 major version(s) behind (^4.0.1 -> 5.1.0)
`karma-jasmine` is pinned/resolved at ^4.0.1 but the latest stable release on the npm registry is 5.1.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.88 picomatch: GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 postcss: GHSA-7fh5-64p2-3v2j
PostCSS line return parsing error
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 postcss: GHSA-qx2v-qp2m-jg93
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 prismjs: GHSA-x7hr-w5r2-h6wg
PrismJS DOM Clobbering vulnerability
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 qs: GHSA-6rw7-vpxm-498p
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 request: GHSA-p8p7-x288-28g6
Server-Side Request Forgery in Request
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 serialize-javascript: GHSA-76p7-773f-r4q5
Cross-site Scripting (XSS) in serialize-javascript
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 serialize-javascript: GHSA-qj8w-gfj5-8c6v
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 tough-cookie: GHSA-72xf-g2v4-qvf3
tough-cookie Prototype Pollution vulnerability
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 uuid: GHSA-w5hq-g745-h8pq
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 vue-template-compiler: GHSA-g3ch-rx76-35fx
vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 webpack-dev-server: GHSA-4v9v-hfq4-rm2v
webpack-dev-server users' source code may be stolen when they access a malicious web site
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 webpack-dev-server: GHSA-79cf-xcqc-c78w
webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 webpack-dev-server: GHSA-9jgg-88mc-972h
webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 word-wrap: GHSA-j8xg-fqg3-53r7
word-wrap vulnerable to Regular Expression Denial of Service
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 ws: GHSA-58qx-3vcg-4xpx
ws: Uninitialized memory disclosure
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 yaml: GHSA-48c2-rrv3-qjmp
yaml is vulnerable to Stack Overflow via deeply nested YAML collections
pnpm-lock.yaml
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/release-drafter.yml
CI/CD security · Supply chain · GitHub Actions
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/release.yml
CI/CD security · Supply chain · GitHub Actions
medium System graph security Coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
auth
low Security checks software dependencies conf 0.88 @tootallnate/once: GHSA-vpq2-c234-7xj6
@tootallnate/once vulnerable to Incorrect Control Flow Scoping
pnpm-lock.yaml
low Security checks software dependencies conf 0.88 brace-expansion: GHSA-v6h2-p8h4-qcjw
brace-expansion Regular Expression Denial of Service vulnerability
pnpm-lock.yaml
low Security checks software dependencies conf 0.88 cookie: GHSA-pxg6-pf52-xh8x
cookie accepts cookie name, path, and domain with out of bounds characters
pnpm-lock.yaml
low Security checks quality Quality conf 0.60 11 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
9 files, 11 locations
test/specs/controller.polarArea.tests.js:102, 300 (2 hits)
test/specs/controller.radar.tests.js:230, 360 (2 hits)
src/controllers/controller.scatter.js:93
src/scales/scale.logarithmic.js:128
test/integration/react-browser/src/AppAuto.tsx:5
test/specs/controller.doughnut.tests.js:238
test/specs/controller.scatter.tests.js:159
test/types/plugins/plugin.tooltip/tooltip_scriptable_background_color.ts:1
duplication · quality
low Security checks software dependencies conf 0.88 elliptic: GHSA-434g-2637-qmqr
Elliptic's verify function omits uniqueness validation
pnpm-lock.yaml
low Security checks software dependencies conf 0.88 elliptic: GHSA-49q7-c7j4-3p7m
Elliptic allows BER-encoded signatures
pnpm-lock.yaml
low Security checks software dependencies conf 0.88 elliptic: GHSA-848j-6mx2-7j84
Elliptic Uses a Cryptographic Primitive with a Risky Implementation
pnpm-lock.yaml
low Security checks software dependencies conf 0.88 elliptic: GHSA-977x-g7h5-7qgw
Elliptic's ECDSA missing check for whether leading bit of r and s is zero
pnpm-lock.yaml
low Security checks software dependencies conf 0.88 elliptic: GHSA-f7q4-pwc6-w24p
Elliptic's EDDSA missing signature length check
pnpm-lock.yaml
low Security checks software dependencies conf 0.88 elliptic: GHSA-fc9h-whq2-v747
Valid ECDSA signatures erroneously rejected in Elliptic
pnpm-lock.yaml
low Security checks software dependencies conf 0.88 express: GHSA-qw6h-vgh9-j6wx
express vulnerable to XSS via response.redirect()
pnpm-lock.yaml
low Security checks software dependencies conf 0.88 handlebars: GHSA-442j-39wm-28r2
Handlebars.js has a Property Access Validation Bypass in container.lookup
pnpm-lock.yaml
low Security checks software dependencies conf 0.88 ip: GHSA-78xj-cgh5-2h22
NPM IP package incorrectly identifies some private IP addresses as public
pnpm-lock.yaml
low Security checks software dependencies conf 0.88 min-document: GHSA-rx8g-88g5-qh64
min-document vulnerable to prototype pollution
pnpm-lock.yaml
low Security checks software dependencies conf 0.88 node-forge: GHSA-5rrq-pxf6-6jx5
Prototype Pollution in node-forge debug API.
pnpm-lock.yaml
low Security checks software dependencies conf 0.88 node-forge: GHSA-gf8q-jrpm-jvxq
URL parsing in node-forge could lead to undesired behavior.
pnpm-lock.yaml
low Security checks software dependencies conf 0.90 npm package `@kurkle/color` is minor version(s) behind (^0.3.0 -> 0.4.0)
`@kurkle/color` is pinned/resolved at ^0.3.0 but the latest stable release on the npm registry is 0.4.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `chartjs-adapter-luxon` is minor version(s) behind (^1.2.0 -> 1.3.1)
`chartjs-adapter-luxon` is pinned/resolved at ^1.2.0 but the latest stable release on the npm registry is 1.3.1 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs rais…
package.json
low Security checks software dependencies conf 0.90 npm package `chartjs-test-utils` is minor version(s) behind (^0.4.0 -> 0.5.0)
`chartjs-test-utils` is pinned/resolved at ^0.4.0 but the latest stable release on the npm registry is 0.5.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `karma-chrome-launcher` is minor version(s) behind (^3.1.0 -> 3.2.0)
`karma-chrome-launcher` is pinned/resolved at ^3.1.0 but the latest stable release on the npm registry is 3.2.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs rais…
package.json
low Security checks software dependencies conf 0.90 npm package `karma-coverage` is minor version(s) behind (^2.0.3 -> 2.2.1)
`karma-coverage` is pinned/resolved at ^2.0.3 but the latest stable release on the npm registry is 2.2.1 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `luxon` is minor version(s) behind (^3.0.1 -> 3.7.2)
`luxon` is pinned/resolved at ^3.0.1 but the latest stable release on the npm registry is 3.7.2 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.88 on-headers: GHSA-76c9-3jph-rj3q
on-headers is vulnerable to http response header manipulation
pnpm-lock.yaml
low Security checks software dependencies conf 0.88 qs: GHSA-w7fw-mjwx-w883
qs's arrayLimit bypass in comma parsing allows denial of service
pnpm-lock.yaml
low Security checks software dependencies conf 0.88 send: GHSA-m6fv-jmcg-4jfg
send vulnerable to template injection that can lead to XSS
pnpm-lock.yaml
low Security checks software dependencies conf 0.88 serve-static: GHSA-cm22-4g7w-348p
serve-static vulnerable to template injection that can lead to XSS
pnpm-lock.yaml
low Security checks software dependencies conf 0.88 tmp: GHSA-52f5-9888-hmc6
tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
pnpm-lock.yaml
low Security checks software dependencies conf 0.88 vue: GHSA-5j4c-8p2g-v4jx
ReDoS vulnerability in vue package that is exploitable through inefficient regex evaluation in the parseHTML function
pnpm-lock.yaml
low System graph software Dead code candidate conf 1.00 File has no detected symbols: auto/auto.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: auto/auto.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/BasicChartWebWorker.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/fixtures/plugin.legend/horizontal-rtl-hitbox.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/integration/node-commonjs/test-auto.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/integration/node-commonjs/test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/integration/node/test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/integration/react-browser/src/index.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/animation.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/autogen.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/chart_types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/controllers/bar_floating_data.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/controllers/bubble_chart_options.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/controllers/doughnut_meta_total.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/controllers/doughnut_offset.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/controllers/doughnut_outer_radius.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/controllers/doughnut_spacing_offset.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/controllers/line_scriptable_parsed_data.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/controllers/line_segments.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/controllers/line_span_gaps.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/controllers/line_styling_array.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/controllers/radar_dataset_indexable_options.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/data_types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/dataset_null_data.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/date_adapter.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/defaults.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/elements/scriptable_element_options.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/extensions/plugin.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/helpers/dom.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/helpers/options.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/interaction.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/layout/position.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/options.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/overrides.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/parsed.data.type.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/plugins/defaults.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/plugins/plugin.colors/colors.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/plugins/plugin.decimation/decimation_algorithm.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/plugins/plugin.filler/fill_target_true.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/plugins/plugin.tooltip/chart.tooltip.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/plugins/plugin.tooltip/tooltip_dataset_type.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/plugins/plugin.tooltip/tooltip_parsed_data.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/plugins/plugin.tooltip/tooltip_parsed_data_chart_defaults.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/plugins/plugin.tooltip/tooltip_scriptable_background_color.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/register.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/scales/chart_options.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/scales/time_string_max.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/scriptable.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/test_instance_assignment.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: test/types/ticks/ticks.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/core/core.adapters.ts:83
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph quality Complexity conf 1.00 Very large file: src/types/index.d.ts (3934 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: test/specs/core.controller.tests.js (2339 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: test/specs/plugin.tooltip.tests.js (1951 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
For AI agents + API integrations
API access

This page is publicly accessible at: https://repobility.com/scan/eeb80552-a1eb-4649-af77-347a6778b9d1/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/eeb80552-a1eb-4649-af77-347a6778b9d1/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.