https://github.com/evanw/esbuild · lang: go · LOC: · source: user_submitted
| Rule | Name | Severity | Count |
|---|---|---|---|
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | high | 25 |
| AIC003 | Duplicated implementation block across source files | low | 7 |
| MINED071 | Go Panic Call | info | 4 |
| MINED044 | Js Console Log Prod | info | 4 |
| SEC029 | Server-Side Request Forgery (SSRF) — outbound HTTP from use… | high | 4 |
| SEC040 | innerHTML XSS — template literal with server-supplied data | high | 3 |
| SEC045 | eval()/exec() on stored or user-supplied data | medium | 2 |
| ERR002 | Empty Catch Block: Empty catch blocks hide errors. | medium | 2 |
| MINED033 | Go Recover Without Log | high | 2 |
| SEC085 | JS: child_process.exec with non-literal | high | 2 |
| Rule | Finding | CWE | Location | Conf | Detail |
|---|---|---|---|---|---|
| MINED035 | Js New Function | CWE-95 | scripts/destructuring-fuzzer.js:121 | 1.00 | [MINED035] Js New Function: `new Function(...)` compiles strings to functions. |
| SEC084 | JS: require() with non-literal | | scripts/register-test.js:26 | 1.00 | [SEC084] JS: require() with non-literal: `require(<variable>)` loads arbitrary modules — equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0). |
| MINED016 | Go Error Ignored | CWE-754 | internal/fs/iswin_wasm.go:20 | 1.00 | [MINED016] Go Error Ignored: `_, err := fn()` with err not checked. Go anti-pattern. |
| MINED033 | Go Recover Without Log | CWE-755 | internal/js_parser/global_name_parser.go:12 | 1.00 | [MINED033] Go Recover Without Log: `defer func() { recover() }()` that silently swallows panic. |
| MINED033 | Go Recover Without Log | CWE-755 | internal/js_parser/json_parser.go:192 | 1.00 | [MINED033] Go Recover Without Log: `defer func() { recover() }()` that silently swallows panic. |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/ci.yml:21 | 0.90 | [MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a… |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/ci.yml:28 | 0.90 | [MINED115] Action `actions/setup-go` pinned to mutable ref `@v3`: `uses: actions/setup-go@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a… |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/ci.yml:34 | 0.90 | [MINED115] Action `actions/setup-node` pinned to mutable ref `@v3`: `uses: actions/setup-node@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the … |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/ci.yml:49 | 0.90 | [MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a… |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/ci.yml:56 | 0.90 | [MINED115] Action `actions/setup-go` pinned to mutable ref `@v3`: `uses: actions/setup-go@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a… |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/ci.yml:62 | 0.90 | [MINED115] Action `actions/setup-node` pinned to mutable ref `@v3`: `uses: actions/setup-node@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the … |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/ci.yml:95 | 0.90 | [MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a… |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/ci.yml:108 | 0.90 | [MINED115] Action `actions/setup-go` pinned to mutable ref `@v3`: `uses: actions/setup-go@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a… |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/ci.yml:114 | 0.90 | [MINED115] Action `actions/setup-node` pinned to mutable ref `@v3`: `uses: actions/setup-node@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the … |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/ci.yml:119 | 0.90 | [MINED115] Action `denoland/setup-deno` pinned to mutable ref `@main`: `uses: denoland/setup-deno@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that mad… |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/ci.yml:233 | 0.90 | [MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a… |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/ci.yml:236 | 0.90 | [MINED115] Action `actions/setup-go` pinned to mutable ref `@v3`: `uses: actions/setup-go@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a… |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/ci.yml:294 | 0.90 | [MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a… |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/ci.yml:307 | 0.90 | [MINED115] Action `actions/setup-go` pinned to mutable ref `@v3`: `uses: actions/setup-go@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a… |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/ci.yml:315 | 0.90 | [MINED115] Action `denoland/setup-deno` pinned to mutable ref `@main`: `uses: denoland/setup-deno@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that mad… |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/ci.yml:320 | 0.90 | [MINED115] Action `actions/setup-node` pinned to mutable ref `@v3`: `uses: actions/setup-node@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the … |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/e2e.yml:16 | 0.90 | [MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a… |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/e2e.yml:19 | 0.90 | [MINED115] Action `actions/setup-node` pinned to mutable ref `@v3`: `uses: actions/setup-node@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the … |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/e2e.yml:26 | 0.90 | [MINED115] Action `denoland/setup-deno` pinned to mutable ref `@main`: `uses: denoland/setup-deno@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that mad… |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/publish.yml:19 | 0.90 | [MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a… |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/publish.yml:45 | 0.90 | [MINED115] Action `actions/setup-go` pinned to mutable ref `@v3`: `uses: actions/setup-go@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a… |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/publish.yml:50 | 0.90 | [MINED115] Action `actions/setup-node` pinned to mutable ref `@v3`: `uses: actions/setup-node@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the … |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/publish.yml:80 | 0.90 | [MINED115] Action `actions/create-release` pinned to mutable ref `@v1`: `uses: actions/create-release@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that m… |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/validate.yml:16 | 0.90 | [MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a… |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/validate.yml:23 | 0.90 | [MINED115] Action `actions/setup-go` pinned to mutable ref `@v3`: `uses: actions/setup-go@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a… |
| SEC029 | Server-Side Request Forgery (SSRF) — outbound HTTP from user input | | internal/helpers/dataurl.go:11 | 1.00 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25… |
| SEC029 | Server-Side Request Forgery (SSRF) — outbound HTTP from user input | | internal/helpers/path.go:29 | 1.00 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25… |
| SEC029 | Server-Side Request Forgery (SSRF) — outbound HTTP from user input | | internal/resolver/dataurl.go:16 | 1.00 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25… |
| SEC040 | innerHTML XSS — template literal with server-supplied data | | compat-table/src/css_table.ts:15 | 1.00 | [SEC040] innerHTML XSS — template literal with server-supplied data: Setting `.innerHTML` with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect… |
| SEC040 | innerHTML XSS — template literal with server-supplied data | | compat-table/src/js_table.ts:15 | 1.00 | [SEC040] innerHTML XSS — template literal with server-supplied data: Setting `.innerHTML` with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect… |
| SEC040 | innerHTML XSS — template literal with server-supplied data | | scripts/browser/browser-tests.js:102 | 1.00 | [SEC040] innerHTML XSS — template literal with server-supplied data: Setting `.innerHTML` with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect… |
| SEC085 | JS: child_process.exec with non-literal | | scripts/test262-async.js:40 | 1.00 | [SEC085] JS: child_process.exec with non-literal: `child_process.exec` with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0). |
| SEC085 | JS: child_process.exec with non-literal | | scripts/test-yarnpnp.js:11 | 1.00 | [SEC085] JS: child_process.exec with non-literal: `child_process.exec` with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0). |
| CORE_LARGE_FILES | Average file size is 1080 lines (recommend <300) | | | | |
| CORE_LARGE_FILES | Average file size is 986 lines (recommend <300) | | | | |
| ERR002 | Empty Catch Block | | scripts/destructuring-fuzzer.js:139 | 1.00 | [ERR002] Empty Catch Block: Empty catch blocks hide errors. |
| ERR002 | Empty Catch Block | | scripts/parse-ts-files.js:53 | 1.00 | [ERR002] Empty Catch Block: Empty catch blocks hide errors. |
| SEC045 | eval()/exec() on stored or user-supplied data | | scripts/destructuring-fuzzer.js:121 | 1.00 | [SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (`__builtins__` … |
| SEC045 | eval()/exec() on stored or user-supplied data | | scripts/test262-async.js:40 | 1.00 | [SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (`__builtins__` … |
| AIC003 | Duplicated implementation block across source files | | compat-table/src/js_table.ts:5 | 0.86 | Duplicated implementation block across source files |
| AIC003 | Duplicated implementation block across source files | | compat-table/src/mdn.ts:108 | 0.86 | Duplicated implementation block across source files |
| AIC003 | Duplicated implementation block across source files | | internal/logger/logger_linux.go:10 | 0.86 | Duplicated implementation block across source files |
| AIC003 | Duplicated implementation block across source files | | lib/deno/wasm.ts:10 | 0.86 | Duplicated implementation block across source files |
| AIC003 | Duplicated implementation block across source files | | lib/npm/browser.ts:32 | 0.86 | Duplicated implementation block across source files |
| AIC003 | Duplicated implementation block across source files | | pkg/api/api.go:52 | 0.86 | Duplicated implementation block across source files |
| AIC003 | Duplicated implementation block across source files | | scripts/uglify-tests.js:244 | 0.86 | Duplicated implementation block across source files |
| SEC132 | String concat where the language has interpolation (AI style drift) | | scripts/test262-async.js:71 | 1.00 | [SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter… |
| MINED044 | Js Console Log Prod | CWE-532 | | 0.20 | [MINED044] Js Console Log Prod (and 5 more): Same pattern found in 5 additional files. Review if needed. |
| MINED044 | Js Console Log Prod | CWE-532 | require/yarnpnp/in.mjs:1 | 1.00 | [MINED044] Js Console Log Prod: `console.log` left in code. Should be replaced with logger or removed. |
| MINED044 | Js Console Log Prod | CWE-532 | scripts/browser/browser-tests.js:14 | 1.00 | [MINED044] Js Console Log Prod: `console.log` left in code. Should be replaced with logger or removed. |
| MINED044 | Js Console Log Prod | CWE-532 | scripts/node-unref-tests.js:78 | 1.00 | [MINED044] Js Console Log Prod: `console.log` left in code. Should be replaced with logger or removed. |
| MINED045 | Ts Non Null Assertion | CWE-476 | compat-table/src/css_table.ts:29 | 1.00 | [MINED045] Ts Non Null Assertion: `x!` asserts not null - bypasses null checks - TypeError if wrong. |
| MINED045 | Ts Non Null Assertion | CWE-476 | compat-table/src/js_table.ts:36 | 1.00 | [MINED045] Ts Non Null Assertion: `x!` asserts not null - bypasses null checks - TypeError if wrong. |
| MINED052 | Ts Any Typed | CWE-704 | compat-table/src/mdn.ts:132 | 1.00 | [MINED052] Ts Any Typed: `: any` used as type annotation. Defeats TypeScript type safety. |
| MINED071 | Go Panic Call | CWE-755 | | 0.20 | [MINED071] Go Panic Call (and 4 more): Same pattern found in 4 additional files. Review if needed. |
| MINED071 | Go Panic Call | CWE-755 | cmd/esbuild/stdio_protocol.go:95 | 1.00 | [MINED071] Go Panic Call: `panic()` crashes the process. Should return error in most cases. |
| MINED071 | Go Panic Call | CWE-755 | internal/fs/fs_mock.go:320 | 1.00 | [MINED071] Go Panic Call: `panic()` crashes the process. Should return error in most cases. |
| MINED071 | Go Panic Call | CWE-755 | internal/helpers/timer.go:83 | 1.00 | [MINED071] Go Panic Call: `panic()` crashes the process. Should return error in most cases. |
| SEC029 | Server-Side Request Forgery (SSRF) — outbound HTTP from user input | | | 0.20 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 1 more): Same pattern found in 1 additional files. Review if needed. |