← Legacy view v2 (rp.*)

pnpm/pnpm

https://github.com/pnpm/pnpm · lang: typescript · source: both

Quality

75.9

Grade B+

Security

87.7

Findings

0 critical · 0 high

Status

completed

May 15, 2026 00:07

medium: 4 info: 2

Top rules by occurrence

Rule	Severity	Count
`SEC007` Unsafe Deserialization	medium	3
`SEC020` Secret Printed to Logs	high	2
`SEC001` Hardcoded Password	critical	1

First 6 findings (severity-sorted)

medium SEC001 Hardcoded Password

pacquet/crates/config/src/npmrc_auth/tests.rs:159 · conf 0.30

[SEC001] Hardcoded Password: Hardcoded password found in source code.

medium SEC007 Unsafe Deserialization

lockfile/fs/src/envLockfile.ts:33 · conf 1.00

[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.

medium SEC007 Unsafe Deserialization

lockfile/fs/src/gitMergeFile.ts:15 · conf 1.00

[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.

medium SEC007 Unsafe Deserialization

lockfile/fs/src/read.ts:114 · conf 1.00

[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.

info SEC020 Secret Printed to Logs

__fixtures__/multiple-scripts-error-exit/dev-bar.js:7 · conf 0.10

[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…

info SEC020 Secret Printed to Logs

__fixtures__/multiple-scripts-error-exit/process-foo.js:7 · conf 0.10

[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…

Reading from rp.scan + rp.finding + rp.rule (unified schema, R78 series). Legacy data path unchanged. Compare with /scan/7bb8abe5-b64a-4a6a-a079-91f6049c3769/.