https://github.com/vitejs/vite · lang: javascript · LOC: · source: user_submitted
| Rule | Severity | Count |
|---|---|---|
| AIC003 Duplicated implementation block across source files | low | 30 |
| MINED122 package.json dep pulled from git URL or tarball | high | 25 |
| SEC083 JS: new RegExp() with non-literal | high | 4 |
| SEC045 eval()/exec() on stored or user-supplied data | medium | 4 |
| MINED054 Ts As Any | info | 4 |
| SEC085 JS: child_process.exec with non-literal | high | 4 |
| SEC040 innerHTML XSS — template literal with server-supplied data | high | 4 |
| MINED045 Ts Non Null Assertion | info | 4 |
| SEC006 XSS Risk | high | 4 |
| MINED044 Js Console Log Prod | info | 4 |
MINED035
Js New Function
CWE-95
packages/vite/src/node/ssr/ssrStacktrace.ts:13
· conf 1.00
[MINED035] Js New Function: new Function(...) compiles strings to functions.
SEC084
JS: require() with non-literal
playground/ssr-deps/require-absolute/index.js:3
· conf 1.00
[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules — equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0).
MINED122
package.json dep pulled from git URL or tarball
CWE-829
playground/alias/package.json:1
· conf 0.90
[MINED122] package.json dep `aliased-module` pulled from URL/Git: `dependencies.aliased-module` = `file:./dir/module` bypasses the npm registry. No integrity hash, no version locking, no registry-sid…
MINED122
package.json dep pulled from git URL or tarball
CWE-829
playground/optimize-deps-no-discovery/package.json:1
· conf 0.90
[MINED122] package.json dep `@vitejs/test-dep-no-discovery` pulled from URL/Git: `dependencies.@vitejs/test-dep-no-discovery` = `file:./dep-no-discovery` bypasses the npm registry. No integrity hash,…
MINED122
package.json dep pulled from git URL or tarball
CWE-829
playground/optimize-deps/package.json:1
· conf 0.90
[MINED122] package.json dep `@vitejs/test-dep-cjs-browser-field` pulled from URL/Git: `dependencies.@vitejs/test-dep-cjs-browser-field` = `file:./dep-cjs-browser-field` bypasses the npm registry. No …
MINED122
package.json dep pulled from git URL or tarball
CWE-829
playground/optimize-deps/package.json:1
· conf 0.90
[MINED122] package.json dep `@vitejs/longfilename-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa…
MINED122
package.json dep pulled from git URL or tarball
CWE-829
playground/optimize-deps/package.json:1
· conf 0.90
[MINED122] package.json dep `@vitejs/test-dep-alias-using-absolute-path` pulled from URL/Git: `dependencies.@vitejs/test-dep-alias-using-absolute-path` = `file:./dep-alias-using-absolute-path` bypass…
MINED122
package.json dep pulled from git URL or tarball
CWE-829
playground/optimize-deps/package.json:1
· conf 0.90
[MINED122] package.json dep `@vitejs/test-dep-cjs-browser-field-bare` pulled from URL/Git: `dependencies.@vitejs/test-dep-cjs-browser-field-bare` = `file:./dep-cjs-browser-field-bare` bypasses the np…
MINED122
package.json dep pulled from git URL or tarball
CWE-829
playground/optimize-deps/package.json:1
· conf 0.90
[MINED122] package.json dep `@vitejs/test-dep-cjs-compiled-from-cjs` pulled from URL/Git: `dependencies.@vitejs/test-dep-cjs-compiled-from-cjs` = `file:./dep-cjs-compiled-from-cjs` bypasses the npm r…
MINED122
package.json dep pulled from git URL or tarball
CWE-829
playground/optimize-deps/package.json:1
· conf 0.90
[MINED122] package.json dep `@vitejs/test-dep-cjs-compiled-from-esm` pulled from URL/Git: `dependencies.@vitejs/test-dep-cjs-compiled-from-esm` = `file:./dep-cjs-compiled-from-esm` bypasses the npm r…
MINED122
package.json dep pulled from git URL or tarball
CWE-829
playground/optimize-deps/package.json:1
· conf 0.90
[MINED122] package.json dep `@vitejs/test-dep-cjs-with-assets` pulled from URL/Git: `dependencies.@vitejs/test-dep-cjs-with-assets` = `file:./dep-cjs-with-assets` bypasses the npm registry. No integr…
MINED122
package.json dep pulled from git URL or tarball
CWE-829
playground/optimize-deps/package.json:1
· conf 0.90
[MINED122] package.json dep `@vitejs/test-dep-cjs-with-external-deps` pulled from URL/Git: `dependencies.@vitejs/test-dep-cjs-with-external-deps` = `file:./dep-cjs-with-external-deps` bypasses the np…
MINED122
package.json dep pulled from git URL or tarball
CWE-829
playground/optimize-deps/package.json:1
· conf 0.90
[MINED122] package.json dep `@vitejs/test-dep-cjs-require-css-main-field` pulled from URL/Git: `dependencies.@vitejs/test-dep-cjs-require-css-main-field` = `file:./dep-cjs-require-css-main-field` byp…
MINED122
package.json dep pulled from git URL or tarball
CWE-829
playground/optimize-deps/package.json:1
· conf 0.90
[MINED122] package.json dep `@vitejs/test-dep-css-require` pulled from URL/Git: `dependencies.@vitejs/test-dep-css-require` = `file:./dep-css-require` bypasses the npm registry. No integrity hash, no…
MINED122
package.json dep pulled from git URL or tarball
CWE-829
playground/optimize-deps/package.json:1
· conf 0.90
[MINED122] package.json dep `@vitejs/test-dep-esbuild-plugin-transform` pulled from URL/Git: `dependencies.@vitejs/test-dep-esbuild-plugin-transform` = `file:./dep-esbuild-plugin-transform` bypasses …
MINED122
package.json dep pulled from git URL or tarball
CWE-829
playground/optimize-deps/package.json:1
· conf 0.90
[MINED122] package.json dep `@vitejs/test-dep-incompatible` pulled from URL/Git: `dependencies.@vitejs/test-dep-incompatible` = `file:./dep-incompatible` bypasses the npm registry. No integrity hash,…
MINED122
package.json dep pulled from git URL or tarball
CWE-829
playground/optimize-deps/package.json:1
· conf 0.90
[MINED122] package.json dep `@vitejs/test-dep-linked` pulled from URL/Git: `dependencies.@vitejs/test-dep-linked` = `link:./dep-linked` bypasses the npm registry. No integrity hash, no version lockin…
MINED122
package.json dep pulled from git URL or tarball
CWE-829
playground/optimize-deps/package.json:1
· conf 0.90
[MINED122] package.json dep `@vitejs/test-dep-linked-include` pulled from URL/Git: `dependencies.@vitejs/test-dep-linked-include` = `link:./dep-linked-include` bypasses the npm registry. No integrity…
MINED122
package.json dep pulled from git URL or tarball
CWE-829
playground/optimize-deps/package.json:1
· conf 0.90
[MINED122] package.json dep `@vitejs/test-dep-node-env` pulled from URL/Git: `dependencies.@vitejs/test-dep-node-env` = `file:./dep-node-env` bypasses the npm registry. No integrity hash, no version …
MINED122
package.json dep pulled from git URL or tarball
CWE-829
playground/optimize-deps/package.json:1
· conf 0.90
[MINED122] package.json dep `@vitejs/test-dep-not-js` pulled from URL/Git: `dependencies.@vitejs/test-dep-not-js` = `file:./dep-not-js` bypasses the npm registry. No integrity hash, no version lockin…
MINED122
package.json dep pulled from git URL or tarball
CWE-829
playground/optimize-deps/package.json:1
· conf 0.90
[MINED122] package.json dep `@vitejs/test-dep-optimize-exports-with-glob` pulled from URL/Git: `dependencies.@vitejs/test-dep-optimize-exports-with-glob` = `file:./dep-optimize-exports-with-glob` byp…
MINED122
package.json dep pulled from git URL or tarball
CWE-829
playground/optimize-deps/package.json:1
· conf 0.90
[MINED122] package.json dep `@vitejs/test-dep-optimize-exports-with-root-glob` pulled from URL/Git: `dependencies.@vitejs/test-dep-optimize-exports-with-root-glob` = `file:./dep-optimize-exports-with…
MINED122
package.json dep pulled from git URL or tarball
CWE-829
playground/optimize-deps/package.json:1
· conf 0.90
[MINED122] package.json dep `@vitejs/test-dep-optimize-with-glob` pulled from URL/Git: `dependencies.@vitejs/test-dep-optimize-with-glob` = `file:./dep-optimize-with-glob` bypasses the npm registry. …
MINED122
package.json dep pulled from git URL or tarball
CWE-829
playground/optimize-deps/package.json:1
· conf 0.90
[MINED122] package.json dep `@vitejs/test-dep-relative-to-main` pulled from URL/Git: `dependencies.@vitejs/test-dep-relative-to-main` = `file:./dep-relative-to-main` bypasses the npm registry. No int…
MINED122
package.json dep pulled from git URL or tarball
CWE-829
playground/optimize-deps/package.json:1
· conf 0.90
[MINED122] package.json dep `@vitejs/test-dep-source-map-no-sources` pulled from URL/Git: `dependencies.@vitejs/test-dep-source-map-no-sources` = `file:./dep-source-map-no-sources` bypasses the npm r…
MINED122
package.json dep pulled from git URL or tarball
CWE-829
playground/optimize-deps/package.json:1
· conf 0.90
[MINED122] package.json dep `@vitejs/test-dep-cjs-with-es-module-flag` pulled from URL/Git: `dependencies.@vitejs/test-dep-cjs-with-es-module-flag` = `file:./dep-cjs-with-es-module-flag` bypasses the…
MINED122
package.json dep pulled from git URL or tarball
CWE-829
playground/optimize-deps/package.json:1
· conf 0.90
[MINED122] package.json dep `@vitejs/test-dep-cjs-css-main-field` pulled from URL/Git: `dependencies.@vitejs/test-dep-cjs-css-main-field` = `file:./dep-cjs-css-main-field` bypasses the npm registry. …
SEC006
XSS Risk
packages/create-vite/template-vanilla/src/main.js:7
· conf 1.00
[SEC006] XSS Risk: Direct HTML injection without sanitization.
SEC006
XSS Risk
packages/create-vite/template-vanilla-ts/src/main.ts:7
· conf 1.00
[SEC006] XSS Risk: Direct HTML injection without sanitization.
SEC006
XSS Risk
playground/css-codesplit/shared-css-main.js:2
· conf 1.00
[SEC006] XSS Risk: Direct HTML injection without sanitization.
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
packages/vite/rolldown.config.ts:365
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
packages/vite/rollupLicensePlugin.ts:177
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
packages/vite/src/module-runner/evaluatedModules.ts:25
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC040
innerHTML XSS — template literal with server-supplied data
packages/create-vite/template-vanilla/src/counter.js:5
· conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
SEC040
innerHTML XSS — template literal with server-supplied data
packages/create-vite/template-vanilla-ts/src/counter.ts:5
· conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
SEC040
innerHTML XSS — template literal with server-supplied data
packages/create-vite/template-vanilla-ts/src/main.ts:7
· conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
SEC083
JS: new RegExp() with non-literal
packages/vite/src/node/optimizer/resolve.ts:87
· conf 1.00
[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
SEC083
JS: new RegExp() with non-literal
packages/vite/src/node/plugins/assetImportMetaUrl.ts:66
· conf 1.00
[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
SEC083
JS: new RegExp() with non-literal
packages/vite/src/node/plugins/define.ts:92
· conf 1.00
[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
SEC085
JS: child_process.exec with non-literal
packages/vite/rolldown.config.ts:252
· conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
SEC085
JS: child_process.exec with non-literal
packages/vite/src/client/overlay.ts:272
· conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
SEC085
JS: child_process.exec with non-literal
packages/vite/src/module-runner/evaluatedModules.ts:117
· conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
packages/vite/src/node/packages.ts:58
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
packages/vite/src/node/plugins/prepareOutDir.ts:15
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
packages/vite/src/node/plugins/wasm.ts:134
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
AGT012
Agent control bridge may listen on a network interface without visible auth
packages/vite/src/node/server/index.ts:78
· conf 0.72
Agent control bridge may listen on a network interface without visible auth
AGT012
Agent control bridge may listen on a network interface without visible auth
packages/vite/src/node/utils.ts:8
· conf 0.72
Agent control bridge may listen on a network interface without visible auth
ERR002
Empty Catch Block
packages/vite/src/node/server/environment.ts:375
· conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
SEC041
Tabnabbing — target="_blank" without rel="noopener noreferrer"
packages/create-vite/template-lit/src/my-element.js:63
· conf 1.00
[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…
SEC041
Tabnabbing — target="_blank" without rel="noopener noreferrer"
packages/create-vite/template-lit-ts/src/my-element.ts:57
· conf 1.00
[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…
SEC041
Tabnabbing — target="_blank" without rel="noopener noreferrer"
packages/create-vite/template-preact-ts/src/app.tsx:44
· conf 1.00
[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…
SEC045
eval()/exec() on stored or user-supplied data
packages/vite/rolldown.config.ts:252
· conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
SEC045
eval()/exec() on stored or user-supplied data
packages/vite/src/client/overlay.ts:272
· conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
SEC045
eval()/exec() on stored or user-supplied data
packages/vite/src/module-runner/evaluatedModules.ts:117
· conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
WEB003
Public web service has no security.txt
.well-known/security.txt
· conf 0.78
Public web service has no security.txt
WEB015
Public web app has no Content Security Policy
index.html
· conf 0.70
Public web app has no Content Security Policy
AIC003
Duplicated implementation block across source files
packages/create-vite/template-lit/src/my-element.js:27
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/create-vite/template-preact/src/app.jsx:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/create-vite/template-preact/src/app.jsx:28
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/create-vite/template-preact-ts/src/app.tsx:28
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/create-vite/template-qwik/src/app.jsx:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/create-vite/template-qwik/src/app.jsx:24
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/create-vite/template-qwik/src/app.jsx:26
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/create-vite/template-qwik-ts/src/app.tsx:24
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/create-vite/template-qwik-ts/src/app.tsx:26
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/create-vite/template-react/src/App.jsx:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/create-vite/template-solid/src/App.jsx:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/create-vite/template-solid/src/App.jsx:28
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/create-vite/template-solid/src/App.jsx:30
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/create-vite/template-solid-ts/src/App.tsx:28
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/create-vite/template-solid-ts/src/App.tsx:30
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/create-vite/template-svelte/src/App.svelte:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/create-vite/template-svelte/src/App.svelte:37
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/create-vite/template-svelte-ts/src/App.svelte:37
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/create-vite/template-vanilla/src/main.js:16
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/create-vite/template-vue/src/components/HelloWorld.vue:2
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/create-vite/template-vue/src/components/HelloWorld.vue:21
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/create-vite/template-vue-ts/src/components/HelloWorld.vue:21
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
playground/assets/vite.config-url-base.js:14
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
playground/css/vite.config-relative-base.js:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
playground/fs-serve/root/vite.config.js:13
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
playground/hmr/vite.config.ts:88
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
playground/multiple-entrypoints/entrypoints/a10.js:18
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
playground/multiple-entrypoints/entrypoints/a11.js:17
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
playground/multiple-entrypoints/entrypoints/a12.js:16
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
playground/multiple-entrypoints/entrypoints/a1.js:27
· conf 0.86
Duplicated implementation block across source files
WEB002
Public web app has no sitemap
sitemap.xml
· conf 0.72
Public web app has no sitemap
WEB008
Public docs site has no llms.txt
llms.txt
· conf 0.64
Public docs site has no llms.txt
WEB011
Public web app has no humans.txt
humans.txt
· conf 0.50
Public web app has no humans.txt
MINED043
Http Not Https
CWE-319
packages/create-vite/tsdown.config.ts:143
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED043
Http Not Https
CWE-319
playground/proxy-bypass/vite.config.js:16
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED044
Js Console Log Prod
CWE-532
· conf 0.20
[MINED044] Js Console Log Prod (and 106 more): Same pattern found in 106 additional files. Review if needed.
MINED044
Js Console Log Prod
CWE-532
packages/plugin-legacy/src/snippets.ts:26
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED044
Js Console Log Prod
CWE-532
packages/vite/rolldown.config.ts:272
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED044
Js Console Log Prod
CWE-532
packages/vite/rollupLicensePlugin.ts:111
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED045
Ts Non Null Assertion
CWE-476
· conf 0.20
[MINED045] Ts Non Null Assertion (and 28 more): Same pattern found in 28 additional files. Review if needed.
MINED045
Ts Non Null Assertion
CWE-476
packages/create-vite/template-vanilla-ts/src/main.ts:7
· conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
MINED045
Ts Non Null Assertion
CWE-476
packages/plugin-legacy/src/snippets.ts:3
· conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
MINED045
Ts Non Null Assertion
CWE-476
packages/vite/scripts/benchCircularImport.ts:59
· conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
MINED052
Ts Any Typed
CWE-704
· conf 0.20
[MINED052] Ts Any Typed (and 15 more): Same pattern found in 15 additional files. Review if needed.
MINED052
Ts Any Typed
CWE-704
docs/_data/blog.data.ts:21
· conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
MINED052
Ts Any Typed
CWE-704
docs/.vitepress/theme/index.ts:22
· conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
MINED052
Ts Any Typed
CWE-704
packages/vite/src/module-runner/evaluatedModules.ts:17
· conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
MINED054
Ts As Any
CWE-704
· conf 0.20
[MINED054] Ts As Any (and 13 more): Same pattern found in 13 additional files. Review if needed.
MINED054
Ts As Any
CWE-704
docs/.vitepress/theme/index.ts:18
· conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
MINED054
Ts As Any
CWE-704
packages/vite/src/module-runner/createImportMeta.ts:6
· conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
MINED054
Ts As Any
CWE-704
packages/vite/src/module-runner/sourcemap/decoder.ts:62
· conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
MINED065
Cors Wildcard
CWE-942, CWE-346
packages/vite/src/node/http.ts:103
· conf 1.00
[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints.
MINED065
Cors Wildcard
CWE-942, CWE-346
packages/vite/src/node/index.ts:138
· conf 1.00
[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints.
MINED089
Js Always False If
CWE-561
playground/optimize-deps/dep-linked-include/index.mjs:15
· conf 1.00
[MINED089] Js Always False If: if (false) — branch never taken. Dead code / disabled feature.
SEC006
XSS Risk
· conf 0.20
[SEC006] XSS Risk (and 15 more): Same pattern found in 15 additional files. Review if needed.
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
· conf 0.20
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 31 more): Same pattern found in 31 additional files. Review if needed.
SEC040
innerHTML XSS — template literal with server-supplied data
· conf 0.20
[SEC040] innerHTML XSS — template literal with server-supplied data (and 11 more): Same pattern found in 11 additional files. Review if needed.
SEC041
Tabnabbing — target="_blank" without rel="noopener noreferrer"
· conf 0.20
[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer" (and 9 more): Same pattern found in 9 additional files. Review if needed.
SEC045
eval()/exec() on stored or user-supplied data
· conf 0.20
[SEC045] eval()/exec() on stored or user-supplied data (and 8 more): Same pattern found in 8 additional files. Review if needed.
SEC083
JS: new RegExp() with non-literal
· conf 0.20
[SEC083] JS: new RegExp() with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed.
SEC085
JS: child_process.exec with non-literal
· conf 0.20
[SEC085] JS: child_process.exec with non-literal (and 8 more): Same pattern found in 8 additional files. Review if needed.
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
· conf 0.20
[SEC128] Async function without await — fire-and-forget Promise (AI mistake) (and 4 more): Same pattern found in 4 additional files. Review if needed.