Security Deep Dive
Goose
Security posture and CVE patch evidence from tracked releases.
6 high-severity dependency CVEs affects v1.37.0.
Review the dependency vulnerabilities below.
Trust Signals — 3 of 9 Present
Evidence already collected from releases and repository metadata.
Security Score
A composite score aggregating Scorecard performance, CVE patch history, OpenSSF badge tier, and dependency vulnerability exposure. Score ≥ 7.0 is healthy; < 4.0 warrants attention.
epss
0.25 / 0.5
No EPSS data
freshness
1.00 / 1.0
Up to date
scorecard
2.16 / 4.0
Score 5.4/10
cve health
1.00 / 2.5
No open CVEs
patch speed
0.50 / 0.5
⚠ Estimated — no CVE patch history
kev exposure
1.50 / 1.5
No KEV exposure
supply chain risk
-1.50 / 10.0
Risk 64.9/100
Score breakdown
schema v2Vulnerability posture
vulnerability posture
4.0
25%
Release responsiveness
release responsiveness
10.0
5%
Dependency exposure
dependency exposure
3.5
10%
Provenance trust
provenance trust
5.4
40%
Maintainer health
maintainer health
10.0
10%
Operational risk
operational risk
8.5
10%
How is this calculated?
The six dimensions group the legacy score signals into weighted categories: direct vulnerability status, patch responsiveness, dependency exposure, provenance checks, maintainer activity, and exploitability risk. The flat component values above remain available for compatibility.
Supply Chain Risk
Risk 64.9/100Scorecard
Scorecard 5.4/10OpenSSF Scorecard evaluates supply-chain security practices automatically. Score ≥ 6 is passing; ≥ 8 is excellent.
| Check | Score | Reason |
|---|---|---|
| Code-Review | 10 | all changesets reviewed |
| Dependency-Update-Tool | 10 | update tool detected |
| Maintained | 10 | 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10 |
| Security-Policy | 10 | security policy file detected |
| Dangerous-Workflow | 0 | dangerous workflow patterns detected |
| Binary-Artifacts | 10 | no binaries found in the repo |
| License | 10 | license file detected |
| Token-Permissions | 0 | detected GitHub workflow tokens with excessive permissions |
| CII-Best-Practices | 0 | no effort to earn an OpenSSF best practices badge detected |
| Packaging | 10 | packaging workflow detected |
| Signed-Releases | 0 | Project has not signed or included provenance with any releases. |
| Branch-Protection | 8 | branch protection is not maximal on development and all release branches |
| Pinned-Dependencies | 7 | dependency not pinned by hash detected -- score normalized to 7 |
| Fuzzing | 0 | project is not fuzzed |
| SAST | 0 | SAST tool is not run on all commits -- score normalized to 0 |
| Vulnerabilities | 0 | 65 existing vulnerabilities detected |
| CI-Tests | 9 | 29 out of 30 merged PRs checked by a CI test -- score normalized to 9 |
| Contributors | 10 | project has 23 contributing companies or organizations |
OpenSSF Badge
Badge indicates adherence to open-source best practices.
Dependency Vulnerabilities
Scanning the SBOM (Software Bill of Materials) of the latest release for known vulnerabilities in transitive dependencies.
Critical
0
High
6
Medium
7
Low
2
Unknown
22
| CVE | Severity | KEV | Dependency | Affected version | Cleared in release |
|---|---|---|---|---|---|
| CVE-2026-34601 | high | — | @xmldom/xmldom | 0.8.11 | v1.34.0 |
| CVE-2026-41672 | high | — | @xmldom/xmldom | 0.8.11 | v1.34.0 |
| CVE-2026-41673 | high | — | @xmldom/xmldom | 0.8.11 | v1.34.0 |
| CVE-2026-41674 | high | — | @xmldom/xmldom | 0.8.11 | v1.34.0 |
| CVE-2026-41675 | high | — | @xmldom/xmldom | 0.8.11 | v1.34.0 |
| CVE-2026-42327 | high | — | openssl | 0.10.78 | v1.34.0 |
| CVE-2023-49092 | medium | — | rsa | 0.9.10 | v1.34.0 |
| CVE-2026-33532 | medium | — | yaml | 1.10.2 | v1.34.0 |
| CVE-2026-33750 | medium | — | brace-expansion | 1.1.12 | v1.34.0 |
| CVE-2026-39406 | medium | — | @hono/node-server | 1.19.11 | v1.34.0 |
| CVE-2026-44662 | medium | — | openssl | 0.10.78 | v1.34.0 |
| GHSA-v3rj-xjv7-4jmq | medium | — | smol-toml | 1.6.0 | v1.34.0 |
| GHSA-wrw7-89jp-8q8g | medium | — | glib | 0.18.5 | v1.34.0 |
| CVE-2025-54798 | low | — | tmp | 0.0.33 | v1.34.0 |
| GHSA-cq8v-f236-94qc | low | — | rand | 0.10.0 | v1.34.0 |
| RUSTSEC-2019-0040 | unknown | — | boxfnonce | 0.1.1 | v1.34.0 |
| RUSTSEC-2024-0370 | unknown | — | proc-macro-error | 1.0.4 | v1.34.0 |
| RUSTSEC-2024-0411 | unknown | — | gdkwayland-sys | 0.18.2 | v1.34.0 |
| RUSTSEC-2024-0412 | unknown | — | gdk | 0.18.2 | v1.34.0 |
| RUSTSEC-2024-0413 | unknown | — | atk | 0.18.2 | v1.34.0 |
| RUSTSEC-2024-0414 | unknown | — | gdkx11-sys | 0.18.2 | v1.34.0 |
| RUSTSEC-2024-0415 | unknown | — | gtk | 0.18.2 | v1.34.0 |
| RUSTSEC-2024-0416 | unknown | — | atk-sys | 0.18.2 | v1.34.0 |
| RUSTSEC-2024-0417 | unknown | — | gdkx11 | 0.18.2 | v1.34.0 |
| RUSTSEC-2024-0418 | unknown | — | gdk-sys | 0.18.2 | v1.34.0 |
| RUSTSEC-2024-0419 | unknown | — | gtk3-macros | 0.18.2 | v1.34.0 |
| RUSTSEC-2024-0420 | unknown | — | gtk-sys | 0.18.2 | v1.34.0 |
| RUSTSEC-2024-0429 | unknown | — | glib | 0.18.5 | v1.34.0 |
| RUSTSEC-2024-0436 | unknown | — | paste | 1.0.15 | v1.34.0 |
| RUSTSEC-2025-0057 | unknown | — | fxhash | 0.2.1 | v1.34.0 |
| RUSTSEC-2025-0075 | unknown | — | unic-char-range | 0.9.0 | v1.34.0 |
| RUSTSEC-2025-0080 | unknown | — | unic-common | 0.9.0 | v1.34.0 |
| RUSTSEC-2025-0081 | unknown | — | unic-char-property | 0.9.0 | v1.34.0 |
| RUSTSEC-2025-0098 | unknown | — | unic-ucd-version | 0.9.0 | v1.34.0 |
| RUSTSEC-2025-0100 | unknown | — | unic-ucd-ident | 0.9.0 | v1.34.0 |
| RUSTSEC-2025-0141 | unknown | — | bincode | 1.3.3 | v1.34.0 |
| RUSTSEC-2026-0097 | unknown | — | rand | 0.10.0 | v1.34.0 |
Showing 37 of 95