Findings by severity across all ecosystems:

- Critical: 1
- High: 32
- Medium: 50
- Low: 5
- Info: 29 (unmaintained-crate and unsoundness notices, all from the Cargo audit; without them the severity counts sum to 88, not the 117 advisories listed by ecosystem)

Findings by ecosystem:

- npm: 74 advisories
- Cargo: 43 advisories (14 Medium, 29 Info)
- Python: 0 advisories
- CodeQL: 0 alerts
- Dependabot: 0 alerts
```mermaid
pie showData
    title Findings by Severity
    "Critical" : 1
    "High" : 32
    "Medium" : 50
    "Low" : 5
    "Info" : 29
```

```mermaid
pie showData
    title Findings by Ecosystem
    "npm" : 74
    "Cargo" : 43
```
| Ecosystem | Critical | High | Medium | Low | Info | Total |
|---|---|---|---|---|---|---|
| npm | 1 | 32 | 36 | 5 | 0 | 74 |
| Cargo | 0 | 0 | 14 | 0 | 29 | 43 |
| Python | 0 | 0 | 0 | 0 | 0 | 0 |
| CodeQL | 0 | 0 | 0 | 0 | 0 | 0 |
| Dependabot | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 1 | 32 | 50 | 5 | 29 | 117 |

npm advisories (74)

| Severity | Package | Advisory | Link |
|---|---|---|---|
| Critical | handlebars | Handlebars.js has JavaScript Injection via AST Type Confu… | Details |
| High | glob | glob CLI: Command injection via -c/--cmd executes matches… | Details |
| High | rollup | Rollup 4 has Arbitrary File Write via Path Traversal | Details |
| High | koa | Koa has Host Header Injection via ctx.hostname | Details |
| High | serialize-javascript | Serialize JavaScript is Vulnerable to RCE via RegExp.flag… | Details |
| High | svgo | SVGO DoS through entity expansion in DOCTYPE (Billion Lau… | Details |
| High | svgo | SVGO DoS through entity expansion in DOCTYPE (Billion Lau… | Details |
| High | tar | tar has Hardlink Path Traversal via Drive-Relative Linkpath | Details |
| High | tar | node-tar Symlink Path Traversal via Drive-Relative Linkpath | Details |
| High | flatted | flatted vulnerable to unbounded recursion DoS in parse() … | Details |
| High | undici | Undici has Unbounded Memory Consumption in WebSocket perm… | Details |
| High | undici | Undici has Unhandled Exception in WebSocket Client Due to… | Details |
| High | h3 | h3 has a Server-Sent Events Injection via Unsanitized New… | Details |
| High | flatted | Prototype Pollution via parse() in NodeJS flatted | Details |
| High | path-to-regexp | path-to-regexp vulnerable to Regular Expression Denial of… | Details |
| High | handlebars | Handlebars.js has JavaScript Injection via AST Type Confu… | Details |
| High | picomatch | Picomatch has a ReDoS vulnerability via extglob quantifiers | Details |
| High | picomatch | Picomatch has a ReDoS vulnerability via extglob quantifiers | Details |
| High | handlebars | Handlebars.js has JavaScript Injection via AST Type Confu… | Details |
| High | handlebars | Handlebars.js has Denial of Service via Malformed Decorat… | Details |
| High | lodash-es | lodash vulnerable to Code Injection via _.template impo… | Details |
| High | lodash | lodash vulnerable to Code Injection via _.template impo… | Details |
| High | defu | defu: Prototype pollution via __proto__ key in defaults… | Details |
| High | vite | Vite: server.fs.deny bypassed with queries | Details |
| High | vite | Vite Vulnerable to Arbitrary File Read via Vite Dev Serve… | Details |
| High | vite | Vite Vulnerable to Arbitrary File Read via Vite Dev Serve… | Details |
| High | @xmldom/xmldom | xmldom: Uncontrolled recursion in XML serialization leads… | Details |
| High | @xmldom/xmldom | xmldom has XML injection through unvalidated DocumentType… | Details |
| High | @xmldom/xmldom | xmldom has XML node injection through unvalidated process… | Details |
| High | @xmldom/xmldom | xmldom has XML node injection through unvalidated comment… | Details |
| High | immutable | Immutable is vulnerable to Prototype Pollution | Details |
| High | @xmldom/xmldom | xmldom: XML injection via unsafe CDATA serialization allo… | Details |
| High | handlebars | Handlebars.js has JavaScript Injection in CLI Precompiler… | Details |
| Medium | got | Got allows a redirect to a UNIX socket | Details |
| Medium | vue-template-compiler | vue-template-compiler vulnerable to client-side Cross-Sit… | Details |
| Medium | lodash | Lodash has Prototype Pollution Vulnerability in _.unset… | Details |
| Medium | undici | Undici has an unbounded decompression chain in HTTP respo… | Details |
| Medium | js-yaml | js-yaml has prototype pollution in merge (<<) | Details |
| Medium | mdast-util-to-hast | mdast-util-to-hast has unsanitized class attribute | Details |
| Medium | ajv | ajv has ReDoS when using $data option | Details |
| Medium | ajv | ajv has ReDoS when using $data option | Details |
| Medium | qs | qs’s arrayLimit bypass in its bracket notation allows DoS… | Details |
| Medium | file-type | file-type affected by infinite loop in ASF parser on malf… | Details |
| Medium | undici | Undici has an HTTP Request/Response Smuggling issue | Details |
| Medium | undici | Undici has CRLF Injection in undici via upgrade option | Details |
| Medium | yauzl | yauzl contains an off-by-one error | Details |
| Medium | h3 | h3 has a Path Traversal via Percent-Encoded Dot Segments … | Details |
| Medium | h3 | h3: SSE Event Injection via Unsanitized Carriage Return (… | Details |
| Medium | h3 | h3: Double Decoding in serveStatic Bypasses `resolveDot… | Details |
| Medium | smol-toml | smol-toml: Denial of Service via TOML documents containin… | Details |
| Medium | brace-expansion | brace-expansion: Zero-step sequence causes process hang a… | Details |
| Medium | brace-expansion | brace-expansion: Zero-step sequence causes process hang a… | Details |
| Medium | brace-expansion | brace-expansion: Zero-step sequence causes process hang a… | Details |
| Medium | handlebars | Handlebars.js has Prototype Pollution Leading to XSS thro… | Details |
| Medium | picomatch | Picomatch: Method Injection in POSIX Character Classes ca… | Details |
| Medium | picomatch | Picomatch: Method Injection in POSIX Character Classes ca… | Details |
| Medium | yaml | yaml is vulnerable to Stack Overflow via deeply nested YA… | Details |
| Medium | yaml | yaml is vulnerable to Stack Overflow via deeply nested YA… | Details |
| Medium | handlebars | Handlebars.js has a Prototype Method Access Control Gap v… | Details |
| Medium | serialize-javascript | Serialize JavaScript has CPU Exhaustion Denial of Service… | Details |
| Medium | lodash-es | lodash vulnerable to Prototype Pollution via array path b… | Details |
| Medium | lodash | lodash vulnerable to Prototype Pollution via array path b… | Details |
| Medium | vite | Vite Vulnerable to Path Traversal in Optimized Deps `.map… | Details |
| Medium | vite | Vite Vulnerable to Path Traversal in Optimized Deps `.map… | Details |
| Medium | follow-redirects | follow-redirects leaks Custom Authentication Headers to C… | Details |
| Medium | fast-xml-parser | fast-xml-parser XMLBuilder: XML Comment and CDATA Injecti… | Details |
| Medium | uuid | uuid: Missing buffer bounds check in v3/v5/v6 when buf is… | Details |
| Medium | postcss | PostCSS has XSS via Unescaped </style> in its CSS Stringi… | Details |
| Medium | astro | Astro: XSS in define:vars via incomplete </script> tag sa… | Details |
| Low | diff | jsdiff has a Denial of Service vulnerability in parsePatc… | Details |
| Low | diff | jsdiff has a Denial of Service vulnerability in parsePatc… | Details |
| Low | qs | qs’s arrayLimit bypass in comma parsing allows denial of … | Details |
| Low | astro | Astro: Remote allowlist bypass via unanchored matchPathna… | Details |
| Low | handlebars | Handlebars.js has a Property Access Validation Bypass in … | Details |

Cargo advisories (43)

| Severity | Package | Advisory | Link |
|---|---|---|---|
| Medium | hickory-proto | NSEC3 closest-encloser proof validation enters unbounded … | Details |
| Medium | hickory-proto | CPU exhaustion during message encoding due to O(n²) name … | Details |
| Medium | rsa | Marvin Attack: potential key recovery through timing side… | Details |
| Medium | rustls-webpki | Name constraints for URI names were incorrectly accepted | |
| Medium | rustls-webpki | Name constraints were accepted for certificates asserting… | |
| Medium | rustls-webpki | Reachable panic in certificate revocation list parsing | |
| Medium | rustls-webpki | CRLs not considered authoritative by Distribution Point d… | |
| Medium | rustls-webpki | Name constraints for URI names were incorrectly accepted | |
| Medium | rustls-webpki | Name constraints were accepted for certificates asserting… | |
| Medium | rustls-webpki | Reachable panic in certificate revocation list parsing | |
| Medium | rustls-webpki | Name constraints for URI names were incorrectly accepted | |
| Medium | rustls-webpki | Name constraints were accepted for certificates asserting… | |
| Medium | rustls-webpki | Reachable panic in certificate revocation list parsing | |
| Medium | sqlx | Binary Protocol Misinterpretation caused by Truncating or… | Details |
| Info | atk | gtk-rs GTK3 bindings - no longer maintained | Details |
| Info | atk-sys | gtk-rs GTK3 bindings - no longer maintained | Details |
| Info | bincode | Bincode is unmaintained | Details |
| Info | derivative | derivative is unmaintained; consider using an alternative | Details |
| Info | fxhash | fxhash - no longer maintained | Details |
| Info | gdk | gtk-rs GTK3 bindings - no longer maintained | Details |
| Info | gdk-sys | gtk-rs GTK3 bindings - no longer maintained | Details |
| Info | gdkwayland-sys | gtk-rs GTK3 bindings - no longer maintained | Details |
| Info | gdkx11 | gtk-rs GTK3 bindings - no longer maintained | Details |
| Info | gdkx11-sys | gtk-rs GTK3 bindings - no longer maintained | Details |
| Info | gtk | gtk-rs GTK3 bindings - no longer maintained | Details |
| Info | gtk-sys | gtk-rs GTK3 bindings - no longer maintained | Details |
| Info | gtk3-macros | gtk-rs GTK3 bindings - no longer maintained | Details |
| Info | paste | paste - no longer maintained | Details |
| Info | proc-macro-error | proc-macro-error is unmaintained | Details |
| Info | rustls-pemfile | rustls-pemfile is unmaintained | Details |
| Info | rustls-pemfile | rustls-pemfile is unmaintained | Details |
| Info | serde_cbor | serde_cbor is unmaintained | Details |
| Info | unic-char-property | unic-char-property is unmaintained | Details |
| Info | unic-char-range | unic-char-range is unmaintained | Details |
| Info | unic-common | unic-common is unmaintained | Details |
| Info | unic-ucd-ident | unic-ucd-ident is unmaintained | Details |
| Info | unic-ucd-version | unic-ucd-version is unmaintained | Details |
| Info | diesel | Possible UTF-8 corruption in Diesel's SQLite backend | Details |
| Info | glib | Unsoundness in Iterator and DoubleEndedIterator impls… | Details |
| Info | rand | Rand is unsound with a custom logger using rand::rng() | Details |
| Info | rand | Rand is unsound with a custom logger using rand::rng() | Details |
| Info | rand | Rand is unsound with a custom logger using rand::rng() | Details |
| Info | rand | Rand is unsound with a custom logger using rand::rng() | Details |
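A dashboard like this is only as trustworthy as the arithmetic behind it: summary rows can drift from the detail tables when, for instance, the Total column counts Info-level notices that the severity columns omit. The script below is an added example, not code from ci-dashboard.yml or from any project listed above; it recomputes per-ecosystem severity counts from the detail tables and reports every way the summary disagrees. The function names are the example's own, and the tables it runs on are a constructed miniature in the page's layout (two Info notices folded into a Cargo total without an Info column).

```python
"""Reconcile a ci-dashboard summary table with its per-ecosystem advisory tables.

Added example: this is not code from ci-dashboard.yml or from any of the
projects listed on the page. Function names are the example's own, and the
tables at the bottom are a constructed miniature in the page's layout.
"""
from collections import Counter

SEVERITIES = ("Critical", "High", "Medium", "Low", "Info")


def parse_md_table(text):
    """Split a pipe-delimited markdown table into (header, rows), dropping the |---| row."""
    rows = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if all(set(c) <= set("-: ") for c in cells):
            continue  # alignment/separator row
        rows.append(cells)
    return rows[0], rows[1:]


def tally(detail_table):
    """Count rows per severity in a 'Severity | Package | Advisory | Link' table."""
    header, rows = parse_md_table(detail_table)
    sev = header.index("Severity")
    return Counter(row[sev] for row in rows)


def reconcile(summary_table, detail_tables):
    """Return a list of discrepancies between the summary and the detail tables."""
    header, rows = parse_md_table(summary_table)
    problems, column_sums, total_row = [], Counter(), None
    for row in rows:
        rec = dict(zip(header, row))
        eco = rec["Ecosystem"]
        if eco == "Total":
            total_row = rec
            continue
        counts = tally(detail_tables[eco]) if eco in detail_tables else Counter()
        for s in SEVERITIES:
            if s not in rec:  # severity appears in detail rows but has no summary column
                if counts[s]:
                    problems.append(f"{eco}: {counts[s]} {s} finding(s) in detail table but summary has no {s} column")
            elif int(rec[s]) != counts[s]:
                problems.append(f"{eco}: {s} summary={rec[s]} detail={counts[s]}")
        declared = int(rec["Total"])
        if declared != sum(counts.values()):
            problems.append(f"{eco}: Total={declared} but detail table has {sum(counts.values())} rows")
        severity_sum = sum(int(rec[s]) for s in SEVERITIES if s in rec)
        if severity_sum != declared:
            problems.append(f"{eco}: severity columns sum to {severity_sum} but Total column says {declared}")
        for col in header[1:]:
            column_sums[col] += int(rec[col])
    if total_row is not None:  # the Total row must equal the column sums of the ecosystem rows
        for col in header[1:]:
            if int(total_row[col]) != column_sums[col]:
                problems.append(f"Total row: {col}={total_row[col]} but ecosystem rows sum to {column_sums[col]}")
    return problems


# Constructed miniature of the page's tables (advisory titles reused from the page).
# The Cargo row folds two Info notices into its Total without an Info column.
SUMMARY = """
| Ecosystem | Critical | High | Medium | Low | Total |
|---|---|---|---|---|---|
| npm | 0 | 2 | 1 | 0 | 3 |
| Cargo | 0 | 0 | 1 | 0 | 3 |
| Total | 0 | 2 | 2 | 0 | 6 |
"""

DETAILS = {
    "npm": """
| Severity | Package | Advisory | Link |
|---|---|---|---|
| High | rollup | Rollup 4 has Arbitrary File Write via Path Traversal | Details |
| High | koa | Koa has Host Header Injection via ctx.hostname | Details |
| Medium | js-yaml | js-yaml has prototype pollution in merge (<<) | Details |
""",
    "Cargo": """
| Severity | Package | Advisory | Link |
|---|---|---|---|
| Medium | rustls-webpki | Reachable panic in certificate revocation list parsing | |
| Info | bincode | Bincode is unmaintained | Details |
| Info | paste | paste - no longer maintained | Details |
""",
}

if __name__ == "__main__":
    for problem in reconcile(SUMMARY, DETAILS):
        print(problem)
```

Run as part of the workflow that writes the dashboard and fail the job when `reconcile` returns anything; the empty-Link rows in the Cargo table parse fine because the splitter keeps empty cells.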
Auto-generated by ci-dashboard.yml