Tools / flatnotes / Security

Security Deep Dive

flatnotes

Security posture and CVE patch evidence from tracked releases.

Back to Tool

22 high-severity dependency CVEs affects v5.5.4.

Review the dependency vulnerabilities below.

✗ Signed ✗ SLSA ✓ SBOM ✗ Security policy Quarterly cadence · 64d median Sporadic maintainer

Trust Signals — 3 of 9 Present

Evidence already collected from releases and repository metadata.

3/9 Present

Signed releases Absent

Latest release artifact signature None

Last verified: 1d ago

SLSA provenance Absent

Attestation predicate level Latest release

Last verified: 1d ago

SBOM published Present

GitHub SBOM API Latest release

Last verified: 28d ago

SECURITY.md Absent

GitHub repository metadata Repository policy

Checked: 18d ago

Release cadence: quarterly Present

64d median over recent releases Release history

Latest release: 7mo ago

Maintainer sporadic Present

Recent commit activity Repository

Last commit: 3mo ago

Checksums (SHA256SUMS) Not active yet

SHA256SUMS or equivalent Release asset

Latest release: 7mo ago

GitHub Actions attestation Not active yet

actions/attest-build-provenance Workflow file

Latest release: 7mo ago

Signing assets Not active yet

.sig, .crt, cosign.pub, or similar Release asset

Latest release: 7mo ago

5.0/10 Security Score

Dependency Exposure 55 transitive dependency CVEs found in the latest SBOM.

Security Score

A composite score aggregating Scorecard performance, CVE patch history, OpenSSF badge tier, and dependency vulnerability exposure. Score ≥ 7.0 is healthy; < 4.0 warrants attention.

epss

0.25 / 0.5

No EPSS data

freshness

0.77 / 1.0

106d stale

scorecard

2.00 / 4.0

⚠ Estimated — not yet collected

cve health

1.50 / 2.5

No open CVEs

patch speed

0.50 / 0.5

⚠ Estimated — no CVE patch history

kev exposure

1.50 / 1.5

No KEV exposure

supply chain risk

-1.50 / 10.0

Risk 45.2/100

Score breakdown

schema v2

Vulnerability posture

vulnerability posture

6.0

25%

direct cves: clear cve scan: available

Release responsiveness

release responsiveness

10.0

patch speed days: no_history

Dependency exposure

dependency exposure

5.5

10%

supply chain risk: 45.25 transitive cves: 0c/22h

Provenance trust

provenance trust

5.0

40%

scorecard score: estimated openssf badge: none

Maintainer health

maintainer health

7.7

10%

activity freshness: 106d

Operational risk

operational risk

8.5

10%

kev exposure: clear epss max: none

How is this calculated?

The six dimensions group the legacy score signals into weighted categories: direct vulnerability status, patch responsiveness, dependency exposure, provenance checks, maintainer activity, and exploitability risk. The flat component values above remain available for compatibility.

Supply Chain Risk

Risk 45.2/100

0 Transitive critical CVEs

0 KEV-transitive CVEs

38% Dependency freshness

OpenSSF Badge

OpenSSF none

Badge indicates adherence to open-source best practices.

Dependency Vulnerabilities

342 dependencies scanned View full dependency list →

Scanning the SBOM (Software Bill of Materials) of the latest release for known vulnerabilities in transitive dependencies.

Critical

High

Medium

Low

Unknown

Still affecting latest (55) All (55)

High 22 Medium 30 Low 3

CVE	Severity	KEV	Dependency	Affected version	Cleared in release
CVE-2024-23342	high	—	ecdsa	0.19.1	—
CVE-2025-62727	high	—	starlette	0.48.0	—
CVE-2025-64756	high	—	glob	10.4.5	—
CVE-2026-23490	high	—	pyasn1	0.6.1	—
CVE-2026-24486	high	—	python-multipart	0.0.20	—
CVE-2026-25639	high	—	axios	1.12.2	—
CVE-2026-26007	high	—	cryptography	46.0.2	—
CVE-2026-26996	high	—	minimatch	9.0.5	—
CVE-2026-27606	high	—	rollup	4.52.4	—
CVE-2026-27903	high	—	minimatch	9.0.5	—
CVE-2026-27904	high	—	minimatch	9.0.5	—
CVE-2026-29063	high	—	immutable	5.1.1	—
CVE-2026-30922	high	—	pyasn1	0.6.1	—
CVE-2026-32274	high	—	black	25.9.0	—
CVE-2026-33671	high	—	picomatch	2.3.1	—
CVE-2026-39363	high	—	vite	7.1.9	—
CVE-2026-39364	high	—	vite	7.1.9	—
CVE-2026-42033	high	—	axios	1.12.2	—
CVE-2026-42035	high	—	axios	1.12.2	—
CVE-2026-42043	high	—	axios	1.12.2	—
CVE-2026-42264	high	—	axios	1.12.2	—
CVE-2026-42561	high	—	python-multipart	0.0.20	—
CVE-2025-15599	medium	—	dompurify	2.5.8	—
CVE-2025-26791	medium	—	dompurify	2.5.8	—
CVE-2025-62522	medium	—	vite	7.1.9	—
CVE-2025-62718	medium	—	axios	1.12.2	—
CVE-2026-0540	medium	—	dompurify	2.5.8	—
CVE-2026-28684	medium	—	python-dotenv	1.1.1	—
CVE-2026-33532	medium	—	yaml	2.7.1	—
CVE-2026-33672	medium	—	picomatch	2.3.1	—
CVE-2026-33750	medium	—	brace-expansion	2.0.1	—
CVE-2026-33936	medium	—	ecdsa	0.19.1	—
CVE-2026-39365	medium	—	vite	7.1.9	—
CVE-2026-39892	medium	—	cryptography	46.0.2	—
CVE-2026-40175	medium	—	axios	1.12.2	—
CVE-2026-40347	medium	—	python-multipart	0.0.20	—
CVE-2026-41239	medium	—	dompurify	2.5.8	—
CVE-2026-41240	medium	—	dompurify	2.5.8	—
CVE-2026-41305	medium	—	postcss	8.5.6	—
CVE-2026-42034	medium	—	axios	1.12.2	—
CVE-2026-42036	medium	—	axios	1.12.2	—
CVE-2026-42037	medium	—	axios	1.12.2	—
CVE-2026-42038	medium	—	axios	1.12.2	—
CVE-2026-42039	medium	—	axios	1.12.2	—
CVE-2026-42041	medium	—	axios	1.12.2	—
CVE-2026-42042	medium	—	axios	1.12.2	—
CVE-2026-42044	medium	—	axios	1.12.2	—
GHSA-39q2-94rc-95cp	medium	—	dompurify	2.5.8	—
GHSA-cj63-jhhr-wcxv	medium	—	dompurify	2.5.8	—
GHSA-cjmm-f4jc-qw8r	medium	—	dompurify	2.5.8	—
GHSA-h8r8-wccr-v5f2	medium	—	dompurify	2.5.8	—
GHSA-r4q5-vmmm-2653	medium	—	follow-redirects	1.15.9	—
CVE-2025-5889	low	—	brace-expansion	2.0.1	—
CVE-2026-34073	low	—	cryptography	46.0.2	—
CVE-2026-42040	low	—	axios	1.12.2	—

Showing 55 of 55