Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
17 of your 114 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 1.64s · analysis 30.57s · 2.1 MB · GitHub API rate-limit (preflight)

saleor/storefront

https://github.com/saleor/storefront · scanned 2026-06-05 12:47 UTC (5 days, 9 hours ago) · 10 languages

262 raw signals (108 security + 154 graph) 9th percentile · Typescript · medium (20-100K LoC) System graph score 75 (lower by 23)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 5 days, 9 hours ago · v2 · 156 actionable findings from 2 signal sources. 28 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
63.5
/100
Security checks
52
80 findings
System graph
75
100.0% cov · 76 findings
Critical
2
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 85.0 0.15 12.75
security_score 19.8 0.25 4.95
testing_score 30.0 0.20 6.00
documentation_score 65.7 0.15 9.86
practices_score 77.0 0.15 11.55
code_quality 68.4 0.10 6.84
Overall 1.00 51.9
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 2 High 25 Medium 35 Low 73 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 80 System graph 76 Crowd 0 Layer: Quality 20 Security 17 Software 99 Cicd 4 Api 1 Frontend 13 Hardware 2
Scan summary Quality grade C- (52/100). Dimensions: security 20, maintainability 85. 108 findings (44 security). 26,253 lines analyzed.

Showing 135 of 156 actionable findings. 184 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

critical Security checks software dependencies conf 0.88 vitest: GHSA-5xrq-8626-4rwp
When Vitest UI server is listening, arbitrary file can be read and executed
pnpm-lock.yaml
critical System graph security Secrets conf 1.00 2 occurrences Possible secret in src/checkout/views/saleor-checkout/information-step.tsx
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
lines 253, 254
src/checkout/views/saleor-checkout/information-step.tsx:253, 254 (2 hits)
high Security checks software dependencies conf 0.90 ✓ Repobility Dockerfile FROM `node:20-alpine` not pinned by digest
`FROM node:20-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Dockerfile:1
high Security checks software dependencies conf 0.88 flatted: GHSA-25h7-pfq9-p65f
flatted vulnerable to unbounded recursion DoS in parse() revive phase
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 flatted: GHSA-rf6f-7fwh-wjgh
Prototype Pollution via parse() in NodeJS flatted
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 immutable: GHSA-wf6x-7x77-mvgw
Immutable is vulnerable to Prototype Pollution
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 lodash-es: GHSA-r5fr-rjxr-66jc
lodash vulnerable to Code Injection via `_.template` imports key names
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 lodash: GHSA-r5fr-rjxr-66jc
lodash vulnerable to Code Injection via `_.template` imports key names
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 minimatch: GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 minimatch: GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 minimatch: GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 picomatch: GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 rollup: GHSA-mw96-cpmx-2vgc
Rollup 4 has Arbitrary File Write via Path Traversal
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 vite: GHSA-p9ff-h696-f583
Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 vite: GHSA-v2wj-q39q-566r
Vite: `server.fs.deny` bypassed with queries
pnpm-lock.yaml
medium Security checks security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
high Security checks security auth conf 0.74 [AUC002] Low visible authorization coverage in route inventory: Only 9.6% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
Only 9.6% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /billingAddress.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /billingAddress.
src/checkout/graphql/checkout.graphql:270
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /checkoutBillingAddressUpdate.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /checkoutBillingAddressUpdate.
src/checkout/graphql/checkout.graphql:268
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /checkoutLineDelete.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /checkoutLineDelete.
src/checkout/graphql/checkout.graphql:210
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /checkoutLinesDelete.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /checkoutLinesDelete.
src/graphql/CheckoutDeleteLines.graphql:2
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /id.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /id.
src/checkout/graphql/checkout.graphql:269
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /validationRules.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /validationRules.
src/checkout/graphql/checkout.graphql:271
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /cache-info/route.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /cache-info/route.
src/app/api/cache-info/route.ts:17
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /revalidate/route.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /revalidate/route.
src/app/api/revalidate/route.ts:311
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /revalidate/route.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /revalidate/route.
src/app/api/revalidate/route.ts:131
medium Security checks software Open redirect conf 1.00 [SEC046] Client-side open redirect — window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). Complement to server-side SEC030.
Validate the URL is same-origin or on an explicit allowlist before assignment: const u = new URL(serverUrl, location.href); if (u.origin !== location.origin && !ALLOWED.includes(u.host)) return; location.assign(u); Even better: have the server return a path (/checkout/done) instead of a full …
src/_reference/checkout-sections/PaymentSection/AdyenDropIn/createAdyenCheckout.ts:133
medium Security checks quality Quality conf 1.00 [SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0).
Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser).
src/checkout/views/saleor-checkout/confirmation-step.tsx:33
medium Security checks software dependencies conf 0.88 ajv: GHSA-2g4f-4pwh-qvx6
ajv has ReDoS when using `$data` option
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 brace-expansion: GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion
pnpm-lock.yaml
medium Security checks cicd CI/CD security conf 0.76 Dockerfile copies broad context with incomplete .dockerignore
COPY . or ADD . is safer when .dockerignore excludes secrets, git history, keys, and generated artifacts.
Dockerfile:20 CI/CD securitycontainers
high Security checks quality Quality conf 0.74 3 occurrences Frontend API reference is not matched by discovered backend routes
A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys.
2 files, 3 locations
src/lib/cache-life-profiles.ts:14, 79 (2 hits)
next.config.js:81
medium Security checks software dependencies conf 0.88 lodash-es: GHSA-f23m-r3pf-42rh
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 lodash-es: GHSA-xxjr-mmjv-4gpg
Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 lodash: GHSA-f23m-r3pf-42rh
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 lodash: GHSA-xxjr-mmjv-4gpg
Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions
pnpm-lock.yaml
medium Security checks software dependencies conf 0.90 npm package `@vercel/speed-insights` is 1 major version(s) behind (1.3.1 -> 2.0.0)
`@vercel/speed-insights` is pinned/resolved at 1.3.1 but the latest stable release on the npm registry is 2.0.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs ra…
package.json
medium Security checks software dependencies conf 0.90 npm package `editorjs-html` is 1 major version(s) behind (3.4.3 -> 4.0.5)
`editorjs-html` is pinned/resolved at 3.4.3 but the latest stable release on the npm registry is 4.0.5 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `husky` is 1 major version(s) behind (8.0.3 -> 9.1.7)
`husky` is pinned/resolved at 8.0.3 but the latest stable release on the npm registry is 9.1.7 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `lint-staged` is 2 major version(s) behind (15.1.0 -> 17.0.7)
`lint-staged` is pinned/resolved at 15.1.0 but the latest stable release on the npm registry is 17.0.7 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `react-error-boundary` is 2 major version(s) behind (4.0.13 -> 6.1.2)
`react-error-boundary` is pinned/resolved at 4.0.13 but the latest stable release on the npm registry is 6.1.2 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs rai…
package.json
medium Security checks software dependencies conf 0.90 npm package `schema-dts` is 1 major version(s) behind (1.1.2 -> 2.0.0)
`schema-dts` is pinned/resolved at 1.1.2 but the latest stable release on the npm registry is 2.0.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.90 npm package `urql` is 1 major version(s) behind (4.0.6 -> 5.0.2)
`urql` is pinned/resolved at 4.0.6 but the latest stable release on the npm registry is 5.0.2 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks software dependencies conf 0.88 picomatch: GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 postcss: GHSA-qx2v-qp2m-jg93
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
pnpm-lock.yaml
medium Security checks quality Quality conf 0.70 Public web app has no Content Security Policy
A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox.
index.html
medium Security checks quality Quality conf 0.78 Public web service has no security.txt
security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt.
.well-known/security.txt
medium Security checks software dependencies conf 0.88 smol-toml: GHSA-v3rj-xjv7-4jmq
smol-toml: Denial of Service via TOML documents containing thousands of consecutive commented lines
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 vite: GHSA-4w7w-66w2-5vf9
Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 ws: GHSA-58qx-3vcg-4xpx
ws: Uninitialized memory disclosure
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 yaml: GHSA-48c2-rrv3-qjmp
yaml is vulnerable to Stack Overflow via deeply nested YAML collections
pnpm-lock.yaml
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — src/app/[channel]/(main)/pages/[slug]/page.tsx:50
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — src/app/[channel]/(main)/products/[slug]/page.tsx:162
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — src/lib/seo/index.ts:37
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — src/lib/seo/json-ld.ts:25
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — src/ui/components/pdp/product-attributes.tsx:71
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in src/app/[channel]/(main)/pages/[slug]/page.tsx:50
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
src/app/[channel]/(main)/pages/[slug]/page.tsx:50 Dangerous innerhtml
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in src/app/[channel]/(main)/products/[slug]/page.tsx:162
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
src/app/[channel]/(main)/products/[slug]/page.tsx:162 Dangerous innerhtml
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in src/ui/components/pdp/product-attributes.tsx:71
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
src/ui/components/pdp/product-attributes.tsx:71 Dangerous innerhtml
medium System graph security Coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
auth
medium System graph quality Tests conf 1.00 Very low test-to-source ratio
5 test file(s) for 300 source file(s) (ratio 0.02). Consider adding integration or unit tests for critical paths.
Coverage
low Security checks cicd CI/CD security conf 0.72 .dockerignore misses sensitive defaults
.dockerignore exists but does not cover common secret or VCS patterns.
.dockerignore CI/CD securitycontainers
low Security checks security auth conf 0.76 [AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.
No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.
high Security checks cicd CI/CD security conf 0.62 Compose service lacks no-new-privileges hardening
no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities.
docker-compose.yml:3 CI/CD securitycontainers
low Security checks quality Quality conf 0.60 18 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
12 files, 13 locations
src/ui/components/sign-up-form.tsx:27, 156 (2 hits)
src/_reference/checkout-sections/PaymentSection/AdyenDropIn/types.ts:24
src/app/[channel]/(main)/collections/[slug]/client.tsx:6
src/app/[channel]/(main)/collections/[slug]/page.tsx:12
src/app/[channel]/(main)/products/products-client.tsx:64
src/checkout/components/shipping-address/hybrid-address-selector.tsx:47
src/checkout/graphql/codegen.ts:27
src/checkout/views/page-not-found/page-not-found.tsx:14
duplicationquality
low Security checks software dependencies conf 0.90 npm package `@parcel/watcher` is minor version(s) behind (2.3.0 -> 2.5.6)
`@parcel/watcher` is pinned/resolved at 2.3.0 but the latest stable release on the npm registry is 2.5.6 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `@types/react-dom` is minor version(s) behind (^19.0.0 -> 19.2.3)
`@types/react-dom` is pinned/resolved at ^19.0.0 but the latest stable release on the npm registry is 19.2.3 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `autoprefixer` is minor version(s) behind (10.4.23 -> 10.5.0)
`autoprefixer` is pinned/resolved at 10.4.23 but the latest stable release on the npm registry is 10.5.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `geist` is minor version(s) behind (1.5.1 -> 1.7.2)
`geist` is pinned/resolved at 1.5.1 but the latest stable release on the npm registry is 1.7.2 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `lodash-es` is minor version(s) behind (4.17.21 -> 4.18.1)
`lodash-es` is pinned/resolved at 4.17.21 but the latest stable release on the npm registry is 4.18.1 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `prettier-plugin-tailwindcss` is minor version(s) behind (0.5.9 -> 0.8.0)
`prettier-plugin-tailwindcss` is pinned/resolved at 0.5.9 but the latest stable release on the npm registry is 0.8.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs…
package.json
low Security checks software dependencies conf 0.90 npm package `prettier` is minor version(s) behind (3.1.1 -> 3.8.3)
`prettier` is pinned/resolved at 3.1.1 but the latest stable release on the npm registry is 3.8.3 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `sharp` is minor version(s) behind (0.33.2 -> 0.34.5)
`sharp` is pinned/resolved at 0.33.2 but the latest stable release on the npm registry is 0.34.5 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `tailwind-merge` is minor version(s) behind (3.4.0 -> 3.6.0)
`tailwind-merge` is pinned/resolved at 3.4.0 but the latest stable release on the npm registry is 3.6.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks quality Quality conf 0.64 Public docs site has no llms.txt
AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions.
llms.txt
low Security checks quality Quality conf 0.50 Public web app has no humans.txt
humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links.
humans.txt
low Security checks quality Quality conf 0.74 Public web app has no robots.txt
Public websites should publish a robots.txt file so crawlers and AI agents can discover crawl rules and sitemap locations without guessing.
robots.txt
low Security checks quality Quality conf 0.72 Public web app has no sitemap
A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. Without one, important docs and product pages are easy to miss.
sitemap.xml
low System graph quality Integrity conf 1.00 14 env vars used in code but missing from .env.example
Drift between code and config docs. The first few: `DEBUG_CACHE`, `GITHUB_ACTION`, `NEXT_BUILD_RETRIES`, `NEXT_OUTPUT`, `NEXT_PUBLIC_VERCEL_URL`, `NODE_ENV`, `REVALIDATE_SECRET`, `SALEOR_APP_TOKEN` + 6 more. Add them (with a placeholder/comment) to .env.example so onboarding doesn't break.
config drift
low System graph hardware Coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
Deployment
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: node:20-alpine
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
Dockerfile:1 containersPinned dependencies
low System graph software Dead code candidate conf 1.00 File has no detected symbols: .graphqlrc.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: knip.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: next.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/_reference/checkout-sections/PaymentSection/AdyenDropIn/errorMessages.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/_reference/checkout-sections/PaymentSection/AdyenDropIn/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/_reference/checkout-sections/PaymentSection/DummyDropIn/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/_reference/checkout-sections/PaymentSection/errorMessages.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/_reference/checkout-sections/PaymentSection/index.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/_reference/checkout-sections/PaymentSection/StripeV2DropIn/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/_reference/checkout-sections/PaymentSection/supportedPaymentApps.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/_reference/checkout-sections/PaymentSection/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/app/[channel]/(main)/account/addresses/page.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/app/[channel]/(main)/account/get-current-user.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/app/[channel]/(main)/account/settings/page.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/app/config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/checkout/components/address-form/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/checkout/components/contact/guest-contact.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/checkout/components/express-checkout/index.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/checkout/components/shipping-address/address-display.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/checkout/components/shipping-address/address-selector.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/checkout/components/shipping-address/hybrid-address-selector.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/checkout/graphql/codegen.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/checkout/lib/consts/countries.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/checkout/lib/consts/input-attributes.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/checkout/lib/global-types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/checkout/lib/utils/money.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/checkout/ui-kit/icons/building-icon.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/checkout/ui-kit/icons/index.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/checkout/ui-kit/icons/lock-icon.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/checkout/ui-kit/icons/mail-icon.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/checkout/ui-kit/icons/map-pin-icon.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/checkout/ui-kit/icons/phone-icon.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/checkout/ui-kit/icons/refresh-icon.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/checkout/ui-kit/icons/shield-check-icon.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/checkout/ui-kit/icons/truck-icon.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/checkout/ui-kit/icons/user-icon.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/checkout/views/saleor-checkout/index.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/lib/cache-manifest.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/lib/search/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/ui/components/account/order-status-config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/ui/components/account/routes.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/ui/components/pdp/variant-selection/__fixtures__/variants.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/ui/components/pdp/variant-selection/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/ui/components/pdp/variant-selection/utils.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/ui/components/plp/__fixtures__/products.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/ui/components/plp/filter-utils.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/ui/components/ui/button.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/ui/components/ui/input.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/ui/components/ui/label.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: vitest.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `showOld` in src/ui/components/account/change-password-form.tsx:15
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph cicd CI/CD security conf 1.00 package.json defines install-time lifecycle scripts
preinstall/install/postinstall/prepare scripts execute during dependency installation. Review them carefully for network calls, obfuscation, shell execution, or credential access.
package.json CI/CD securitySupply chainNpm
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/app/api/revalidate/route.ts:147
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/lib/graphql.ts:308
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/f2cf9b71-195f-43af-80b6-92922d55d511/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/f2cf9b71-195f-43af-80b6-92922d55d511/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.