vercel/ai

[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk.

[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk.

[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk.

[MINED035] Js New Function: new Function(...) compiles strings to functions.

[MINED116] Workflow uses `secrets.GR2M_PR_REVIEW_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GR2M_PR_REVIEW…

[MINED116] Workflow uses `secrets.TURBO_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TURBO_TOKEN }` lets a P…

[MINED116] Workflow uses `secrets.SLACK_PR_REVIEW_REQUEST_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SLACK_P…

[COMP001] High cognitive complexity: Function `stream_text` has cognitive complexity 61 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested …

[MINED112] FastAPI POST /api/chat has no auth: Handler `handle_chat_data` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the funct…

[MINED113] Express POST /api/clear has no auth: Express route POST /api/clear declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated …

[MINED113] Express POST /api/notify has no auth: Express route POST /api/notify declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticate…

[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…

[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…

[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…

[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…

[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…

[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…

[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).

[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…

[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…

[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…

[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we…

[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we…

[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we…

[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.

[COMP001] High cognitive complexity: Function `convert_to_openai_messages` has cognitive complexity 17 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to under…

No README file found

[ERR002] Empty Catch Block: Empty catch blocks hide errors.

[SEC034] Log Injection / Log Forging — unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\n` to forge fake log entries, hide tra…

[SEC034] Log Injection / Log Forging — unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\n` to forge fake log entries, hide tra…

[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…

[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…

[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…

[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …

[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …

[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …

[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes conce…

[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes conce…

[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes conce…

[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = "your-api-key-here"` instead of pullin…

[SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't…

[SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't…

[SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't…

Public web service has no security.txt

Public web app has no Content Security Policy

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Public web app has no robots.txt

Public web app has no sitemap

Public web app has no humans.txt

[MINED024] Js Eval Usage (and 1 more): Same pattern found in 1 additional files. Review if needed.

[MINED044] Js Console Log Prod (and 1181 more): Same pattern found in 1181 additional files. Review if needed.

[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.

[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.

[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.

[MINED045] Ts Non Null Assertion (and 12 more): Same pattern found in 12 additional files. Review if needed.

[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.

[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.

[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.

[MINED049] Print Pii (and 286 more): Same pattern found in 286 additional files. Review if needed.

[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.

[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.

[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.

[MINED052] Ts Any Typed (and 14 more): Same pattern found in 14 additional files. Review if needed.

[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.

[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.

[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.

[MINED053] Placeholder Default Username: [email protected] / [email protected] / admin/admin / changeme — typical AI placeholder credentials.

[MINED054] Ts As Any (and 22 more): Same pattern found in 22 additional files. Review if needed.

[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.

[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.

[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.

[MINED056] React Key As Index (and 91 more): Same pattern found in 91 additional files. Review if needed.

[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.

[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.

[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.

[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data.

[SEC020] Secret Printed to Logs (and 271 more): Same pattern found in 271 additional files. Review if needed.

[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 35 more): Same pattern found in 35 additional files. Review if needed.

[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer" (and 3 more): Same pattern found in 3 additional files. Review if needed.

[SEC045] eval()/exec() on stored or user-supplied data (and 3 more): Same pattern found in 3 additional files. Review if needed.

[SEC087] JS: weak Math.random for crypto (and 2 more): Same pattern found in 2 additional files. Review if needed.

[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable.

[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable.

[SEC128] Async function without await — fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 additional files. Review if needed.

[SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code (and 2 more): Same pattern found in 2 additional files. Review if needed.

[SEC135] Auth/permission check missing on AI-generated endpoint (and 13 more): Same pattern found in 13 additional files. Review if needed.