https://github.com/mercurjs/mercur
lang: typescript
LOC:
source: both
| Rule | Severity | Count |
|---|---|---|
| AIC003 Duplicated implementation block across source files | low | 30 |
| AUC004 Admin route does not show super_admin separation: … | medium | 7 |
| SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from use… | high | 3 |
| SEC040 innerHTML XSS — template literal with server-supplied data | high | 3 |
| MINED054 Ts As Any | info | 3 |
| MINED045 Ts Non Null Assertion | info | 3 |
| MINED056 React Key As Index | info | 3 |
| MINED044 Js Console Log Prod | info | 3 |
| SEC128 Async function without await — fire-and-forget Promise (AI … | high | 3 |
| MINED052 Ts Any Typed | info | 3 |
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
packages/admin/src/components/common/file-upload/file-upload.tsx:80
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
packages/admin/src/pages/orders/order-detail/components/order-fulfillment-section/order-fulfillment-section.tsx:414
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
packages/admin/src/pages/product-tags/product-tag-list/loader.ts:14
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC040
innerHTML XSS — template literal with server-supplied data
packages/admin/src/pages/orders/order-list/components/order-list-table/order-list-data-table.tsx:58
· conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
SEC040
innerHTML XSS — template literal with server-supplied data
packages/cli/src/registry/errors.ts:195
· conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
SEC040
innerHTML XSS — template literal with server-supplied data
packages/cli/src/utils/build-vendor-extensions.ts:74
· conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
SEC085
JS: child_process.exec with non-literal
packages/cli/src/registry/env.ts:8
· conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
packages/admin/src/components/data-table/data-table.tsx:239
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
packages/admin/src/components/filtering/order-by/order-by.tsx:89
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
packages/admin/src/components/filtering/query/query.tsx:21
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
AUC001
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
· conf 0.92
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
AUC002
[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
· conf 0.74
[AUC002] Low visible authorization coverage in route inventory: Only 41.7% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
AUC004
[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /plugins/<slug:plugin_slug>/.
apps/api/src/api/admin/custom/route.ts:3
· conf 0.66
[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin acc…
AUC004
[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /plugins/<slug:plugin_slug>/.
packages/registry/src/requests/api/admin/requests/[type]/[id]/accept/route.ts:8
· conf 0.66
[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin acc…
AUC004
[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /plugins/<slug:plugin_slug>/.
packages/registry/src/requests/api/admin/requests/[type]/[id]/reject/route.ts:8
· conf 0.66
[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin acc…
AUC004
[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /plugins/<slug:plugin_slug>/.
packages/registry/src/requests/api/admin/requests/[type]/[id]/route.ts:6
· conf 0.66
[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin acc…
AUC004
[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /plugins/<slug:plugin_slug>/.
packages/registry/src/requests/api/admin/requests/[type]/route.ts:7
· conf 0.66
[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin acc…
AUC004
[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /plugins/<slug:plugin_slug>/.
packages/registry/src/reviews/api/admin/reviews/[id]/route.ts:6
· conf 0.66
[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin acc…
AUC004
[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /plugins/<slug:plugin_slug>/.
packages/registry/src/reviews/api/admin/reviews/route.ts:6
· conf 0.66
[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin acc…
AUC009
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
apps/api/src/api/store/custom/route.ts:3
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
ERR002
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
packages/cli/src/utils/create-db.ts:83
· conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
SEC041
Tabnabbing — target="_blank" without rel="noopener noreferrer"
packages/admin/src/components/data-table/data-table.tsx:295
· conf 1.00
[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…
SEC045
eval()/exec() on stored or user-supplied data
packages/cli/src/registry/env.ts:8
· conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
WEB003
Public web service has no security.txt
.well-known/security.txt
· conf 0.78
Public web service has no security.txt
WEB015
Public web app has no Content Security Policy
index.html
· conf 0.70
Public web app has no Content Security Policy
AIC003
Duplicated implementation block across source files
integration-tests/helpers/create-customer-user.ts:27
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
integration-tests/helpers/create-seller-user.ts:22
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
integration-tests/medusa-config.ts:22
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
integration-tests/.mercur/_generated/index.ts:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/admin/src/components/data-grid/components/data-grid-number-cell.tsx:16
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/admin/src/components/data-grid/components/data-grid-text-cell.tsx:9
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/admin/src/components/data-grid/components/data-grid-text-cell.tsx:11
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/admin/src/components/data-grid/components/data-grid-toggleable-number-cell.tsx:19
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/admin/src/components/layout/pages/two-column-page/two-column-page.tsx:15
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/admin/src/components/layout/settings-layout/settings-layout.tsx:227
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/admin/src/components/layout/user-menu/user-menu.tsx:265
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/admin/src/components/table/data-table/data-table-filter/number-filter.tsx:133
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/admin/src/components/table/data-table/data-table-filter/string-filter.tsx:66
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/admin/src/components/table/data-table/data-table-order-by/data-table-order-by.tsx:26
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/admin/src/components/table/data-table/data-table-search/data-table-search.tsx:24
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/admin/src/components/table/table-cells/common/date-cell/date-cell.tsx:9
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/admin/src/components/table/table-cells/common/status-cell/status-cell.tsx:7
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/admin/src/components/table/table-cells/sales-channel/name-cell/name-cell.tsx:10
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/admin/src/hooks/api/commission-rates.tsx:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/admin/src/hooks/api/customer-groups.tsx:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/admin/src/hooks/api/customers.tsx:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/admin/src/hooks/api/exchanges.tsx:169
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/admin/src/hooks/api/invites.tsx:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/admin/src/hooks/api/order-edits.tsx:22
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/admin/src/hooks/api/payments.tsx:75
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/admin/src/hooks/api/price-lists.tsx:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/admin/src/hooks/api/price-lists.tsx:5
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/admin/src/hooks/api/price-preferences.tsx:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/admin/src/hooks/api/product-types.tsx:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/admin/src/hooks/api/regions.tsx:1
· conf 0.86
Duplicated implementation block across source files
WEB001
Public web app has no robots.txt
robots.txt
· conf 0.74
Public web app has no robots.txt
WEB002
Public web app has no sitemap
sitemap.xml
· conf 0.72
Public web app has no sitemap
WEB011
Public web app has no humans.txt
humans.txt
· conf 0.50
Public web app has no humans.txt
MINED043
Http Not Https
CWE-319
packages/core/src/utils/dashboard/dashboard-base.ts:91
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED044
Js Console Log Prod
CWE-532
packages/admin/src/components/data-grid/hooks/use-data-grid-column-visibility.tsx:62
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED044
Js Console Log Prod
CWE-532
packages/admin/src/components/layout/pages/single-column-page/single-column-page.tsx:27
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED044
Js Console Log Prod
CWE-532
packages/admin/src/components/layout/pages/two-column-page/two-column-page.tsx:34
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED045
Ts Non Null Assertion
CWE-476
apps/api/src/scripts/seed.ts:244
· conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
MINED045
Ts Non Null Assertion
CWE-476
packages/admin/src/components/common/metadata-section/metadata-section.tsx:21
· conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
MINED045
Ts Non Null Assertion
CWE-476
packages/admin/src/components/common/sortable-tree/sortable-tree-item.tsx:17
· conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
MINED047
Emoji In Source
packages/admin/src/i18n/languages.ts:133
· conf 1.00
[MINED047] Emoji In Source: Emoji ✅ ❌ 🚀 in code/comments — common AI output unless explicitly requested.
MINED052
Ts Any Typed
CWE-704
packages/admin/src/components/data-grid/components/data-grid-textarea-modal-cell.tsx:59
· conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
MINED052
Ts Any Typed
CWE-704
packages/admin/src/components/data-grid/context/data-grid-context.tsx:30
· conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
MINED052
Ts Any Typed
CWE-704
packages/admin/src/components/data-grid/hooks/use-data-grid-cell-handlers.tsx:105
· conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
MINED054
Ts As Any
CWE-704
integration-tests/helpers/create-seller-user.ts:80
· conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
MINED054
Ts As Any
CWE-704
packages/admin/src/components/inputs/percentage-input/percentage-input.tsx:80
· conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
MINED054
Ts As Any
CWE-704
packages/admin/src/components/tabbed-form/tabbed-form.tsx:32
· conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
MINED056
React Key As Index
CWE-682
packages/admin/src/components/common/action-menu/action-menu.tsx:61
· conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
MINED056
React Key As Index
CWE-682
packages/admin/src/components/common/customer-info/customer-info.tsx:128
· conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
MINED056
React Key As Index
CWE-682
packages/admin/src/components/data-grid/components/data-grid-keyboard-shortcut-modal.tsx:224
· conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
MINED057
Todo Bomb
packages/admin/src/pages/profile/profile-detail/components/profile-general-section/profile-general-section.tsx:66
· conf 1.00
[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness — left for later but never resolved.
MINED057
Todo Bomb
packages/admin/src/pages/profile/profile-edit/components/edit-profile-form/edit-profile-form.tsx:150
· conf 1.00
[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness — left for later but never resolved.