
sindresorhus/p-limit

https://github.com/sindresorhus/p-limit · lang: javascript · LOC: · source: user_submitted

Quality: 63.8 (Grade C+)
Security: 100.0
Findings: 6 (0 critical · 3 high · 1 medium · 2 info)
Status: completed, May 20, 2026 01:42
Top rules by occurrence

Rule            Severity  Count  Description
MINED115        high      2      GitHub Action pinned to mutable ref (not 40-char SHA)
SEC087          medium    1      JS: weak Math.random for crypto
MINED074        info      1      Ai Tell Fake Citation
MINED044        info      1      Js Console Log Prod
CORE_NO_TESTS   high      1      No test files found
First 6 findings (severity-sorted)
high CORE_NO_TESTS No test files found
No test files found
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/main.yml:17 · conf 0.90
Action `actions/checkout` pinned to mutable ref `@v4`
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/main.yml:18 · conf 0.90
Action `actions/setup-node` pinned to mutable ref `@v4`
medium SEC087 JS: weak Math.random for crypto
scripts/benchmarker.js:206 · conf 1.00
[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes conce…
info MINED044 Js Console Log Prod CWE-532
scripts/benchmarker.js:60 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED074 Ai Tell Fake Citation
benchmark.js:36 · conf 1.00
[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination.
