Public scan — anyone with this URL can view this analysis.
110 of the 184 findings came from Repobility's proprietary detections; the ✓ Repobility tag marks them below.

Scan timing: clone 22.38s · analysis 33.63s · 54.1 MB · GitHub API rate-limit (preflight)

facebook/react-native

https://github.com/facebook/react-native · scanned 2026-06-05 05:06 UTC (11 hours, 10 minutes ago) · 10 languages

1374 findings (170 legacy + 1204 scanner) · 11/13 scanners ran · 20th percentile · JavaScript · huge (>500K LoC) · scanner says 56 (higher by 31)


Complete repo analysis

Last scanned 11 hours, 10 minutes ago · v2 · 772 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

Score breakdown · 2026-05-18-v5
Component             Sub-score   Weight   Contribution
structure_score            60.0     0.15           9.00
security_score            100.0     0.25          25.00
testing_score              81.0     0.20          16.20
documentation_score       100.0     0.15          15.00
practices_score           100.0     0.15          15.00
code_quality               66.0     0.10           6.60
Overall                              1.00          86.8
security_score may be inflated — optional security scanners were skipped on this fast scan
Active filters: severity = high · excluding tests
Scan summary: Repository scanned at 55.6/100 with 100.0% coverage. It contains 15003 nodes across 1 cross-layer flow, written primarily in mixed languages. Engine surfaced 602 findings — concentrated in frontend (248), quality (173), cicd (101). Risk profile is high: 4 critical, 16 high, 52 medium. Recommended next step: open the frontend layer findings first; that is where the highest-impact wins live.

Showing 79 of 772 findings.

high · Legacy · quality/quality · conf 1.00 · ✓ Repobility · [MINED011] Scala Get On Option: Option.get throws NoSuchElementException on None. Use getOrElse / fold / match.
Review and fix per the pattern semantics. See CWE-476 (NULL Pointer Dereference) for context.
Locations:
  packages/react-native/React/Fabric/RCTScheduler.mm:203
  packages/react-native/React/Base/RCTManagedPointer.mm:24
tags: quality, legacy
Caveat: this rule describes Scala's Option.get, but both flagged files are Objective-C++ (.mm). Check what `.get` is being called on at those lines before acting; a `.get()` on a C++ smart pointer or optional does not have the Scala semantics the rule assumes, and a Scala pattern firing on C++ source is more likely a false positive than a null-dereference bug.
high · Legacy · quality/quality · conf 1.00 · ✓ Repobility · [MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState — React skips re-render on mutated reference.
Review and fix per the pattern semantics. See CWE-682 (Incorrect Calculation) for context.
Location: packages/react-native-babel-preset/src/plugin-warn-on-deep-imports.js:60
tags: quality, legacy
Caveat: the flagged file is a Babel plugin, where `state` is normally the plugin's traversal state object rather than a React component's state. Confirm that the mutation at line 60 is actually followed by a setState call on component state before treating this as a React re-render bug.
high · Legacy · quality/quality · conf 1.00 · ✓ Repobility · [MINED108] `self.<name>` used but never assigned in __init__ (7 findings, class `Snapshot`): a method of class `Snapshot` reads an attribute of `self`, but no assignment to it exists in __init__ (and no class-level fallback was found). If that is true, the read raises AttributeError the first time the method runs against an instance.
Initialize `self.<name> = <default>` in __init__, or add a class-level default.
`self._ensure_scope_is_defined` read by:
  `_ensure_scope_is_defined` at scripts/cxx-api/parser/snapshot.py:206
  `finish` at scripts/cxx-api/parser/snapshot.py:212
`self.ensure_scope` read by:
  `create_enum` at scripts/cxx-api/parser/snapshot.py:181
  `create_interface` at scripts/cxx-api/parser/snapshot.py:132
  `create_or_get_namespace` at scripts/cxx-api/parser/snapshot.py:78
  `create_protocol` at scripts/cxx-api/parser/snapshot.py:108
  `create_struct_like` at scripts/cxx-api/parser/snapshot.py:47
tags: quality, legacy
Caveat: one of the flagged reads is method `_ensure_scope_is_defined` reading `self._ensure_scope_is_defined`, i.e. a name that is the same as a method on the class. If `ensure_scope` and `_ensure_scope_is_defined` are methods defined on `Snapshot`, then `self.ensure_scope(...)` resolves through the class and never raises AttributeError; the detector has simply not counted methods as class-level definitions. Verify which it is at the listed lines before voting TP.
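To show what this rule is actually checking, and why a method defined on the class must count as a class-level fallback, here is an added example: a small AST-based checker written for this page, not code from react-native's scripts/cxx-api/parser/snapshot.py or from the scanner. The `Snapshot` class inside the sample source is constructed for the demo and shares only its name with the real one.

```python
import ast

# Constructed sample module (not react-native's snapshot.py). One method calls
# another through self (fine), one reads a class-level attribute (fine), and
# one reads an attribute that nothing ever assigns (a real AttributeError).
SAMPLE_SOURCE = '''
class Snapshot:
    limit = 10                        # class-level fallback

    def __init__(self, root):
        self.root = root
        self.scopes = {}

    def ensure_scope(self, name):     # a method: resolved on the class
        self.scopes.setdefault(name, [])

    def create_enum(self, name):
        self.ensure_scope(name)       # method call through self -> not a bug
        return self.scopes[name]

    def finish(self):
        return self.counter + self.limit   # self.counter never assigned -> bug
'''


def unassigned_self_reads(source: str) -> dict:
    """Map class name -> sorted (method, attribute) pairs where a method reads
    self.<attribute> but __init__ never assigns it and the class body does not
    define it. Methods, nested classes and class-level assignments all count
    as class-level definitions, so self.some_method(...) is never reported."""
    tree = ast.parse(source)
    report = {}
    for cls in [n for n in ast.walk(tree) if isinstance(n, ast.ClassDef)]:
        class_level = set()
        for item in cls.body:
            if isinstance(item, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
                class_level.add(item.name)
            elif isinstance(item, ast.Assign):
                class_level.update(t.id for t in item.targets if isinstance(t, ast.Name))
            elif isinstance(item, ast.AnnAssign) and isinstance(item.target, ast.Name):
                class_level.add(item.target.id)
        methods = [f for f in cls.body if isinstance(f, (ast.FunctionDef, ast.AsyncFunctionDef))]

        def self_attrs(fn, ctx_type):
            # every self.<attr> node inside fn with the requested context (Load/Store)
            for node in ast.walk(fn):
                if (isinstance(node, ast.Attribute) and isinstance(node.ctx, ctx_type)
                        and isinstance(node.value, ast.Name) and node.value.id == "self"):
                    yield node.attr

        init_assigned = set()
        for fn in methods:
            if fn.name == "__init__":
                init_assigned.update(self_attrs(fn, ast.Store))

        findings = set()
        for fn in methods:
            for attr in self_attrs(fn, ast.Load):
                if attr not in init_assigned and attr not in class_level:
                    findings.add((fn.name, attr))
        report[cls.name] = sorted(findings)
    return report


if __name__ == "__main__":
    print(unassigned_self_reads(SAMPLE_SOURCE))
```

Run against the sample, the only report is `finish` reading `self.counter`; the call `self.ensure_scope(name)` is not reported because `ensure_scope` is in the class body. A checker that omits the method names from `class_level` reproduces the seven findings above, which is the quickest way to tell whether they are real.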
high · Legacy · software/dependency · conf 0.90 · ✓ Repobility · [MINED115] Action pinned to a mutable ref (24 findings across four actions): `uses: <owner>/<action>@<tag>` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that is what made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA and keep it current with Dependabot or Renovate.
Replace with `uses: <owner>/<action>@<40-char-sha> # <tag>` and let Dependabot bump it on a scheduled cadence.
actions/checkout@v6 (replace with `uses: actions/checkout@<40-char-sha> # v6`):
  .github/workflows/publish-bumped-packages.yml:17
  .github/workflows/on-issue-labeled.yml:54
  .github/workflows/on-issue-labeled.yml:19
  .github/workflows/bump-podfile-lock.yml:11
  .github/workflows/needs-attention.yml:19
  .github/workflows/create-draft-release.yml:16
  .github/workflows/publish-release.yml:74
  .github/workflows/publish-release.yml:29
  .github/workflows/generate-changelog.yml:11
  .github/workflows/create-release.yml:26
actions/github-script@v8 (replace with `uses: actions/github-script@<40-char-sha> # v8`):
  .github/workflows/on-issue-labeled.yml:55
  .github/workflows/on-issue-labeled.yml:42
  .github/workflows/on-issue-labeled.yml:22
  .github/workflows/create-draft-release.yml:39
  .github/workflows/create-draft-release.yml:29
  .github/workflows/publish-release.yml:120
  .github/workflows/publish-release.yml:111
  .github/workflows/publish-release.yml:96
  .github/workflows/publish-release.yml:86
  .github/workflows/generate-changelog.yml:24
  .github/workflows/close-pr.yml:14
actions/stale@v10 (replace with `uses: actions/stale@<40-char-sha> # v10`):
  .github/workflows/stale-bot.yml:30
  .github/workflows/stale-bot.yml:13
react-native-community/needs-attention@v2.0.0 (replace with `uses: react-native-community/needs-attention@<40-char-sha> # v2.0.0`):
  .github/workflows/needs-attention.yml:21
tags: dependency, legacy
Caveat: a SHA pin fixes the code of the action you reference, and Dependabot's github-actions ecosystem will bump the SHA and keep the trailing version comment in step. It does not fix what that action itself references by tag inside its own composite steps, so third-party actions such as react-native-community/needs-attention deserve a look at their own `uses:` lines as well. The GitHub-owned actions/* repositories are a lower-risk publisher than an individual maintainer, but the same tag-moving attack applies to them, which is why SHA pinning is the policy rather than a per-publisher judgement.
high · Legacy · software/dependency · conf 0.90 · ✓ Repobility · [MINED126] Workflow container/services image `reactnativecommunity/react-native-android:latest` unpinned (3 findings): a `container`/`services` image reference without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `reactnativecommunity/react-native-android:latest@sha256:<digest>`. Re-pin via Dependabot's Docker scope.
Locations:
  .github/workflows/nightly.yml:76
  .github/workflows/nightly.yml:45
  .github/workflows/publish-release.yml:55
tags: dependency, legacy
Caveat: once a digest is present the tag is ignored at pull time, so `:latest@sha256:<digest>` works but tells a reader nothing about which build the digest is. Pin a versioned tag plus its digest instead, so the tag documents the digest the way the `# v6` comment documents an action SHA.
high · Legacy · software/dependency · conf 0.90 · ✓ Repobility · [MINED134] Binary file `gradle-wrapper.jar` committed in source repo (3 findings): a .jar binary committed to a repo that otherwise has 5183 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts.
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source.
Locations:
  gradle/wrapper/gradle-wrapper.jar:1 (48,966 bytes)
  packages/gradle-plugin/gradle/wrapper/gradle-wrapper.jar:1 (48,966 bytes)
  private/helloworld/android/gradle/wrapper/gradle-wrapper.jar:1 (46,175 bytes)
tags: dependency, legacy
Caveat: the Gradle wrapper jar is committed by convention, so the .gitignore advice does not apply here. What does apply is provenance: Gradle publishes a SHA-256 checksum for every wrapper release, and the official wrapper-validation action (gradle/actions/wrapper-validation, formerly gradle/wrapper-validation-action) fails a workflow whose committed jar does not match one of them. The two different sizes above indicate two different wrapper versions, so each jar has to be checked against its own published checksum.
high · Legacy · security/path_traversal · conf 0.80 · [SEC013] Path Traversal — User Input in File Path: user-controlled input used in a file path without sanitization. Allows reading arbitrary files.
Use os.path.realpath() and verify the path stays under your expected base directory. Use Werkzeug's secure_filename() for uploads.
Location: packages/react-native/ReactAndroid/src/main/java/com/facebook/react/internal/featureflags/rewrite_feature_flag_defaults.py:69
tags: path_traversal, legacy
Caveat: the usual prefix test, `realpath(p).startswith(base)`, accepts `/base2/secret` for a base of `/base` unless base ends with a separator; compare path components instead (os.path.commonpath, or Path.is_relative_to on Python 3.9+). Weigh impact as well: the flagged file is a build script under ReactAndroid, so the "user" supplying the path is whoever runs the build, not a network client.
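As an added example for this finding, not code from react-native's rewrite_feature_flag_defaults.py, here is a containment check that resolves symlinks and compares path components, next to the string-prefix check the remediation text suggests. The helper names and the temporary directory layout (base/, a sibling base2/, and a symlink inside base/ that points outside it) are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path


def resolve_under(base_dir: str, untrusted: str) -> str:
    """Return the real path of <base_dir>/<untrusted>, or raise ValueError when
    the result escapes base_dir. Symlinks are resolved first, then the paths
    are compared component-wise rather than as string prefixes."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, untrusted))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes {base!r}: {untrusted!r}")
    return candidate


def prefix_check_accepts(base_dir: str, untrusted: str) -> bool:
    """The string-prefix test many remediations suggest, kept only to show its
    weakness: '/x/base2/secret'.startswith('/x/base') is True."""
    base = os.path.realpath(base_dir)
    return os.path.realpath(os.path.join(base, untrusted)).startswith(base)


def demo() -> dict:
    """Run both checks over constructed inputs in a throwaway tree. Returns the
    verdict of the component-wise check per input, plus whether the prefix
    check would have let the sibling-directory escape through."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "base")
        os.makedirs(os.path.join(base, "sub"))
        os.makedirs(os.path.join(tmp, "base2"))
        Path(base, "sub", "esc").symlink_to(tmp)  # symlink that escapes base/
        inputs = {
            "plain": "sub/a.txt",
            "dotdot": "../base2/secret",
            "absolute": os.path.join(tmp, "base2", "secret"),  # os.path.join discards base
            "symlink": "sub/esc/secret",
        }
        outcome = {}
        for label, rel in inputs.items():
            try:
                resolve_under(base, rel)
                outcome[label] = "accepted"
            except ValueError:
                outcome[label] = "rejected"
        outcome["prefix_check_accepts_sibling"] = prefix_check_accepts(base, "../base2/secret")
        return outcome


if __name__ == "__main__":
    print(demo())
```

Only the plain relative path is accepted; the `..` escape, the absolute path and the symlink escape are all rejected, while the prefix check lets the `../base2/secret` case through because the sibling directory shares the base's name as a string prefix.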
high · Legacy · software/xxe · conf 1.00 · [SEC024] XML External Entity (XXE) — Java parser default: Java XML parsers accept external entity references by default. An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of service via the 'billion laughs' attack.
Disable DTDs and external entities before parsing: factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); factory.setFeature("http://xml.org/sax/features/external-general-entities", false); factory.setFeature("http://xml.org/sax/features/external-parameter-entities"…
Location: packages/gradle-plugin/react-native-gradle-plugin/src/main/kotlin/com/facebook/react/utils/AgpConfiguratorUtils.kt:141
tags: xxe, legacy
Caveat: this parser runs inside the Gradle plugin at build time, so the XML it reads comes from the project tree and its dependencies rather than from a remote client; the realistic attacker is a malicious dependency or pull request, and the read happens on the developer's or CI machine. The fix is still cheap: `disallow-doctype-decl` alone rejects any DTD, and with it any entity definition, which is sufficient when the documents parsed need no DTD; the two entity features are defence in depth for a parser that must accept one.
high · 9-layer · api/wiring · conf 1.00 · Dangling fetch (5 findings): the call site issues a request but no backend route in this repository matches the path, which the engine reports as a runtime 404 waiting to happen. Tool: fetch. If this points at an external API, prefix it with `https://` so the…
Locations (normalized path used for matching in brackets):
  GET /api · packages/react-native-babel-preset/src/__tests__/transform-snapshot-test.js:443 [`/`]
  GET /api · packages/react-native-babel-preset/src/__tests__/transform-snapshot-test.js:468 [`/`]
  GET https://reactnative.dev/ · packages/rn-tester/js/examples/XHR/XHRExampleAbortController.js:22 [`/https:/reactnative.dev`]
  GET https://registry.npmjs.org/${pkg}/${versionOrTag} · .github/workflow-scripts/utils.js:15 [`/https:/registry.npmjs.org/<p>/<p>`]
  POST https://example.org/post-image · packages/react-native/types/__typetests__/globals.tsx:196 [`/https:/example.org/post-image`]
tags: wiring, dangling-fetch, fetch
Caveat: three of the five targets already carry an https:// scheme to hosts outside this repository (reactnative.dev, registry.npmjs.org, example.org), and the normalized path shows the scheme being folded into the route (`/https:/...`), so a route matcher scoped to this repo was never going to find them. The two `/api` hits sit inside a Babel snapshot test, where the request string is test input, and the globals.tsx hit is a type test. None of the five is a request the framework makes at app runtime; vote FP unless the matcher is changed to skip absolute URLs and test files.
high · 9-layer · security/owasp · conf 1.00 · Insecure pattern 'eval_used' (2 findings): found a known-risky pattern. Review and replace if possible.
  packages/eslint-config-react-native/shared.js:148
  packages/react-native/Libraries/Core/Devtools/loadBundleFromServer.js:190
tags: owasp, eval_used
high · 9-layer · security/owasp · conf 1.00 · Insecure pattern 'exec_used' (5 findings): found a known-risky pattern. Review and replace if possible.
  scripts/releases/ios-prebuild/folders.js:27
  scripts/releases/ios-prebuild/setupDependencies.js:70
  scripts/releases/utils/npm-utils.js:149
  scripts/releases/utils/release-utils.js:22
  scripts/releases/utils/scm-utils.js:32
tags: owasp, exec_used
Caveat: these are token matches, so the first thing to check is what the token is. In an ESLint shared config, "eval" is most likely the name of a lint rule being configured rather than a call; in a Devtools bundle loader, evaluating a bundle fetched from the development server is the feature, and the question is whether that path is unreachable in release builds. For the five exec hits in release scripts, the real risk is a shell string assembled from package names, versions or branch names; prefer execFileSync with an argv array over exec with an interpolated command line, and treat any value that comes from npm metadata or git as untrusted input.
high · Legacy · quality/quality · conf 1.00 · ✓ Repobility · [MINED111] Bare except continues silently (2 findings): bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
Locations:
  scripts/cxx-api/parser/input_filters/main.py:41
  scripts/cxx-api/parser/__main__.py:206
tags: quality, legacy
high · Legacy · software/dependency · conf 0.70 · Remote install command pipes network code directly to a shell (2 findings)
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
Locations:
  .github/actions/maestro-ios/action.yml:27
  .github/actions/maestro-android/action.yml:35
tags: dependency, legacy
Caveat: both hits are in composite actions that the workflows above call, so a SHA pin on the calling workflow does not cover them; whatever the installer URL serves at run time is what executes on the runner. Downloading to a file, checking a pinned checksum, and only then executing keeps the install reproducible and makes a changed artifact fail loudly instead of running.
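The three dependency findings above (mutable action refs, undigested container images, and downloads piped into a shell) are all visible from the workflow text alone. Here is an added example of a checker for them, written for this page rather than taken from the scanner or from react-native; the sample workflow it scans is constructed, with hosts under example.invalid and a placeholder SHA and digest, and contains one instance of each pattern next to the accepted form.

```python
import re

# Constructed sample workflow (not a file from facebook/react-native). One
# instance of each risky pattern, plus the accepted form of each, so the
# checker's output can be compared against expectations.
SAMPLE_WORKFLOW = """\
name: release
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    container:
      image: reactnativecommunity/react-native-android:latest
    services:
      db:
        image: postgres:16@sha256:<DIGEST>
    steps:
      - uses: actions/checkout@v6
      - uses: actions/github-script@<SHA> # v8
      - uses: ./.github/actions/local-thing
      - run: curl -Ls https://example.invalid/install.sh | bash
      - run: |
          wget -qO- https://example.invalid/tool.sh | sh
      - run: curl -fsSLo tool.sh https://example.invalid/tool.sh
""".replace("<DIGEST>", "a" * 64).replace("<SHA>", "0123456789abcdef" * 2 + "01234567")

SHA40 = re.compile(r"^[0-9a-f]{40}$")
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
USES = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")
IMAGE = re.compile(r"""^\s*image:\s*['"]?([^\s'"#]+)""")
# "curl ... | bash", "wget ... | sudo sh" and similar on a single line
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z|da|k)?sh\b")


def check_workflow(text: str) -> list:
    """Line-oriented scan of a workflow or composite-action YAML file. Returns
    (line number, kind, detail) tuples for action refs that are not a 40-hex
    commit SHA, images without a sha256 digest, and downloads piped straight
    into a shell. Heuristic by design: it reads lines, not the YAML tree."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES.search(line)
        if m:
            ref = m.group(1)
            if ref.startswith("./"):
                continue  # local action in this repo: nothing remote to pin
            _, sep, version = ref.rpartition("@")
            if not sep:
                findings.append((lineno, "unpinned-action", ref))
            elif not SHA40.match(version):
                findings.append((lineno, "mutable-action-ref", ref))
            continue
        m = IMAGE.search(line)
        if m:
            if not DIGEST.search(m.group(1)):
                findings.append((lineno, "unpinned-image", m.group(1)))
            continue
        if PIPE_TO_SHELL.search(line):
            findings.append((lineno, "pipe-to-shell", line.strip()))
    return findings


if __name__ == "__main__":
    for lineno, kind, detail in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {kind}: {detail}")
```

On the sample it reports the `:latest` image, the `@v6` checkout and the two pipe-to-shell lines, and stays quiet on the digest-pinned image, the SHA-pinned github-script step, the local composite action and the download-to-file form. Because it works on lines, a `uses:` or `image:` key spelled across several YAML lines, or a pipe split over a continuation, will not be caught; a tree-based pass over the parsed YAML is the next step if the heuristic is adopted in CI.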
high · Legacy · quality/quality · conf 0.86 · Duplicated implementation block across source files (11 findings shown)
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
Locations:
  packages/react-native-codegen/src/parsers/typescript/components/componentsUtils.js:106
  packages/react-native-codegen/src/parsers/typescript/components/commands.js:76
  packages/react-native-codegen/src/parsers/parserMock.js:3
  packages/react-native-codegen/src/parsers/parserMock.js:1
  packages/react-native-codegen/src/parsers/parser.js:1
  packages/react-native-codegen/src/generators/modules/GenerateModuleObjCpp/serializeEventEmitter.js:39
  packages/react-native-codegen/src/generators/modules/GenerateModuleObjCpp/header/serializeRegularStruct.js:103
  packages/react-native-codegen/src/generators/modules/GenerateModuleJniH.js:54
  packages/react-native-codegen/src/generators/modules/GenerateModuleJniCpp.js:1
  packages/react-native-codegen/src/generators/components/GenerateThirdPartyFabricComponentsProviderObjCpp.js:35
  packages/react-native-codegen/src/generators/components/GenerateThirdPartyFabricComponentsProviderH.js:35
tags: quality, legacy
Caveat: every hit is inside react-native-codegen, where generators for parallel targets (the ObjC++ and header variants of the same provider, the JNI .h and .cpp emitters) are expected to mirror each other, and hits reported at line 1 usually mean the match began at the file header. Check what the duplicated span actually contains before extracting; a shared license header or a pair of intentionally parallel emitters is not a refactoring target.
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/react-native-codegen/src/generators/components/GenerateShadowNodeH.js:44 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/react-native-codegen/src/generators/components/GenerateShadowNodeCpp.js:32 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/react-native-codegen/src/generators/components/GeneratePropsJavaPojo/PojoCollector.js:27 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/react-native-codegen/src/generators/components/GeneratePropsJavaInterface.js:175 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/react-native-codegen/src/generators/components/GeneratePropsJavaInterface.js:123 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/react-native-codegen/src/generators/components/GeneratePropsH.js:727 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/react-native-codegen/src/generators/components/GenerateEventEmitterH.js:282 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/react-native-codegen/src/generators/components/GenerateComponentDescriptorH.js:36 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/gradle-plugin/react-native-gradle-plugin/src/main/kotlin/com/facebook/react/tasks/GeneratePackageListTask.kt:13 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
flow-typed/npm/listr_v14.x.x.js:2 qualitylegacy
For AI agents + API integrations
API access

This page is publicly accessible at: https://repobility.com/scan/fd7f2e04-3ce2-42af-a904-2847dfc65c4d/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/fd7f2e04-3ce2-42af-a904-2847dfc65c4d/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.