holaboss-ai/holaos

[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data — RCE.

[MINED116] Workflow uses `secrets.HOLABOSS_RELEASES_REPO_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.HOLABO…

[MINED116] Workflow uses `secrets.MAC_CERTIFICATE` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.MAC_CERTIFICATE }` …

[MINED116] Workflow uses `secrets.MAC_CERTIFICATE_PASSWORD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.MAC_CERTIF…

[MINED116] Workflow uses `secrets.APPLE_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.APPLE_ID }` lets a PR from…

[MINED116] Workflow uses `secrets.APPLE_APP_SPECIFIC_PASSWORD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.APPLE_A…

[MINED116] Workflow uses `secrets.APPLE_TEAM_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.APPLE_TEAM_ID }` lets…

[MINED116] Workflow uses `secrets.SENTRY_DSN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SENTRY_DSN }` lets a PR …

[MINED116] Workflow uses `secrets.SENTRY_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SENTRY_AUTH_TOKEN…

[MINED116] Workflow uses `secrets.SENTRY_DSN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SENTRY_DSN }` lets a PR …

[MINED116] Workflow uses `secrets.SENTRY_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SENTRY_AUTH_TOKEN…

[MINED116] Workflow uses `secrets.AZURE_TENANT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_TENANT_ID }` …

[MINED116] Workflow uses `secrets.AZURE_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_CLIENT_ID }` …

[MINED116] Workflow uses `secrets.AZURE_CLIENT_SECRET` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_CLIENT_SE…

[MINED116] Workflow uses `secrets.AZURE_TENANT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_TENANT_ID }` …

[MINED116] Workflow uses `secrets.AZURE_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_CLIENT_ID }` …

[MINED116] Workflow uses `secrets.AZURE_CLIENT_SECRET` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_CLIENT_SE…

[MINED116] Workflow uses `secrets.AZURE_TENANT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_TENANT_ID }` …

[MINED116] Workflow uses `secrets.AZURE_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_CLIENT_ID }` …

[MINED116] Workflow uses `secrets.AZURE_CLIENT_SECRET` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_CLIENT_SE…

[MINED116] Workflow uses `secrets.SENTRY_DSN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SENTRY_DSN }` lets a PR …

[MINED116] Workflow uses `secrets.SENTRY_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SENTRY_AUTH_TOKEN…

[MINED116] Workflow uses `secrets.HOLABOSS_RELEASES_REPO_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.HOLABO…

[MINED116] Workflow uses `secrets.R2_ACCESS_KEY_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.R2_ACCESS_KEY_ID }…

[MINED116] Workflow uses `secrets.R2_SECRET_ACCESS_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.R2_SECRET_ACCE…

[MINED116] Workflow uses `secrets.R2_ENDPOINT_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.R2_ENDPOINT_URL }` …

[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-…

[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules — equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0).

[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes — direct RCE on untrusted input. `unsafe_load` is even more dang…

LLM memory extraction can be prompt-injected into storing fake facts

LLM memory extraction can be prompt-injected into storing fake facts

Consent is collected in UI without visible backend audit persistence

Secret-like setting is echoed into a password input value

Secret-like setting is echoed into a password input value

[MINED113] Express PUT /api/v1/runtime/config has no auth: Express route PUT /api/v1/runtime/config declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATC…

[MINED113] Express PUT /api/v1/runtime/profile has no auth: Express route PUT /api/v1/runtime/profile declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PA…

[MINED113] Express POST /api/v1/runtime/profile/auth-fallback has no auth: Express route POST /api/v1/runtime/profile/auth-fallback declared without an auth middleware in its handler chain. Destructi…

[MINED113] Express POST /api/v1/capabilities/browser/tools/:toolId has no auth: Express route POST /api/v1/capabilities/browser/tools/:toolId declared without an auth middleware in its handler chain.…

[MINED113] Express POST /api/v1/terminal-sessions has no auth: Express route POST /api/v1/terminal-sessions declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DEL…

[MINED113] Express POST /api/v1/terminal-sessions/:terminalId/input has no auth: Express route POST /api/v1/terminal-sessions/:terminalId/input declared without an auth middleware in its handler chai…

[MINED113] Express POST /api/v1/terminal-sessions/:terminalId/resize has no auth: Express route POST /api/v1/terminal-sessions/:terminalId/resize declared without an auth middleware in its handler ch…

[MINED113] Express POST /api/v1/terminal-sessions/:terminalId/signal has no auth: Express route POST /api/v1/terminal-sessions/:terminalId/signal declared without an auth middleware in its handler ch…

[MINED113] Express POST /api/v1/terminal-sessions/:terminalId/close has no auth: Express route POST /api/v1/terminal-sessions/:terminalId/close declared without an auth middleware in its handler chai…

[MINED113] Express POST /api/v1/integrations/connections has no auth: Express route POST /api/v1/integrations/connections declared without an auth middleware in its handler chain. Destructive methods…

[MINED113] Express PATCH /api/v1/integrations/connections/:connectionId has no auth: Express route PATCH /api/v1/integrations/connections/:connectionId declared without an auth middleware in its hand…

[MINED113] Express POST /api/v1/integrations/connections/:connectionId/merge has no auth: Express route POST /api/v1/integrations/connections/:connectionId/merge declared without an auth middleware i…

[MINED113] Express DELETE /api/v1/integrations/connections/:connectionId has no auth: Express route DELETE /api/v1/integrations/connections/:connectionId declared without an auth middleware in its ha…

[MINED113] Express PUT /api/v1/integrations/bindings/:workspaceId/:targetType/:targetId/:integrationKey has no auth: Express route PUT /api/v1/integrations/bindings/:workspaceId/:targetType/:targetId…

[MINED113] Express DELETE /api/v1/integrations/bindings/:bindingId has no auth: Express route DELETE /api/v1/integrations/bindings/:bindingId declared without an auth middleware in its handler chain.…

[MINED113] Express POST /api/v1/integrations/broker/token has no auth: Express route POST /api/v1/integrations/broker/token declared without an auth middleware in its handler chain. Destructive metho…

[MINED113] Express POST /api/v1/integrations/broker/proxy has no auth: Express route POST /api/v1/integrations/broker/proxy declared without an auth middleware in its handler chain. Destructive metho…

[MINED113] Express PUT /api/v1/integrations/oauth/configs/:providerId has no auth: Express route PUT /api/v1/integrations/oauth/configs/:providerId declared without an auth middleware in its handler …

[MINED113] Express DELETE /api/v1/integrations/oauth/configs/:providerId has no auth: Express route DELETE /api/v1/integrations/oauth/configs/:providerId declared without an auth middleware in its ha…

[MINED113] Express POST /api/v1/integrations/oauth/authorize has no auth: Express route POST /api/v1/integrations/oauth/authorize declared without an auth middleware in its handler chain. Destructive…

[MINED113] Express POST /api/v1/integrations/composio/finalize has no auth: Express route POST /api/v1/integrations/composio/finalize declared without an auth middleware in its handler chain. Destruc…

[MINED113] Express POST /api/v1/integrations/context-fetch has no auth: Express route POST /api/v1/integrations/context-fetch declared without an auth middleware in its handler chain. Destructive met…

[MINED113] Express POST /api/v1/integrations/memory-clear has no auth: Express route POST /api/v1/integrations/memory-clear declared without an auth middleware in its handler chain. Destructive metho…

[MINED113] Express POST /api/v1/capabilities/runtime-tools/onboarding/alignment-report has no auth: Express route POST /api/v1/capabilities/runtime-tools/onboarding/alignment-report declared without …

[MINED113] Express POST /api/v1/capabilities/runtime-tools/onboarding/alignment-question has no auth: Express route POST /api/v1/capabilities/runtime-tools/onboarding/alignment-question declared with…

[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…

[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…

[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …

[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…

[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…

[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …

[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…

[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…

[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …

[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…

[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…

[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …

[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…

[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…

[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…

[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …

[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…

[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…

[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…

[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …

[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…

[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; …

[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; …

[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; …

[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…

[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…

[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…

[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…

[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…

[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…

[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…

[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-…

[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).

[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).

[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).

[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../e…

[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../e…

[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../e…

[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…

[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…

[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…

localStorage write failures are swallowed silently

localStorage write failures are swallowed silently

localStorage write failures are swallowed silently

localStorage write failures are swallowed silently

localStorage write failures are swallowed silently

localStorage write failures are swallowed silently

localStorage write failures are swallowed silently

localStorage write failures are swallowed silently

Agent control bridge may listen on a network interface without visible auth

Agent control bridge may listen on a network interface without visible auth

Docker final stage has no non-root USER

Docker final stage has no non-root USER

Docker build context has no .dockerignore

[ERR002] Empty Catch Block: Empty catch blocks hide errors.

[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.

[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …

[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …

[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …

[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes conce…

[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes conce…

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Dockerfile base image is selected through a build variable

[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed.

[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.

[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.

[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.

[MINED044] Js Console Log Prod (and 32 more): Same pattern found in 32 additional files. Review if needed.

[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.

[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.

[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.

[MINED045] Ts Non Null Assertion (and 22 more): Same pattern found in 22 additional files. Review if needed.

[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.

[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.

[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.

[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.

[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci.

[MINED056] React Key As Index (and 3 more): Same pattern found in 3 additional files. Review if needed.

[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.

[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.

[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.

[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data.

[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data.

[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data.

[SEC020] Secret Printed to Logs (and 3 more): Same pattern found in 3 additional files. Review if needed.

[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…

[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…

[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…

[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 31 more): Same pattern found in 31 additional files. Review if needed.

[SEC040] innerHTML XSS — template literal with server-supplied data (and 4 more): Same pattern found in 4 additional files. Review if needed.

[SEC045] eval()/exec() on stored or user-supplied data (and 5 more): Same pattern found in 5 additional files. Review if needed.

[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed.

[SEC114] path.join / Path() on user-controlled segment without containment check (and 1 more): Same pattern found in 1 additional files. Review if needed.

[SEC128] Async function without await — fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 additional files. Review if needed.