
Security Deep Dive

liveblog

Security posture and CVE patch evidence from tracked releases.


1 actively-exploited dependency CVE affects v3.93.0.

KEV-listed CVEs are confirmed exploited in the wild — patch urgently.

✗ Signed | ✗ SLSA | ✓ SBOM | ✗ Security policy | Unknown cadence | Active maintainer

Trust Signals — 2 of 9 Present

Evidence already collected from releases and repository metadata.

Signal | Status | Evidence (how it was checked) | Checked
Signed releases | Absent | Latest release artifact signature None | Last verified: 10d ago
SLSA provenance | Absent | Attestation predicate level Latest release | Last verified: 10d ago
SBOM published | Present | GitHub SBOM API Latest release | Last verified: 28d ago
SECURITY.md | Absent | GitHub repository metadata Repository policy | Checked: 17d ago
Release cadence | Unknown | 12-release median Release history | Latest release: 1mo ago
Maintainer active | Present | Recent commit activity Repository | Last commit: 14d ago
Checksums (SHA256SUMS) | Not active yet | SHA256SUMS or equivalent Release asset | Latest release: 1mo ago
GitHub Actions attestation | Not active yet | actions/attest-build-provenance Workflow file | Latest release: 1mo ago
Signing assets | Not active yet | .sig, .crt, cosign.pub, or similar Release asset | Latest release: 1mo ago
Security Score: 4.0/10
Scorecard: 5.5/10
Dependency Exposure: 220 transitive dependency CVEs found in the latest SBOM, 17 of them critical.

Security Score

A composite score aggregating Scorecard performance, CVE patch history, OpenSSF badge tier, and dependency vulnerability exposure. Score ≥ 7.0 is healthy; < 4.0 warrants attention.

Component | Points / Max | Note
epss | 0.25 / 0.5 | No EPSS data
freshness | 1.00 / 1.0 | 14d stale
scorecard | 2.20 / 4.0 | Score 5.5/10
cve health | 0.00 / 2.5 | ⚠ No direct scan — 17c/93h transitive CVEs
patch speed | 0.50 / 0.5 | ⚠ Estimated — no CVE patch history
kev exposure | 1.50 / 1.5 | No KEV exposure
supply chain risk | -1.50 / 10.0 | Risk 100.0/100
Score breakdown (schema v2)

Dimension | Score | Weight | Details
Vulnerability posture | 0.0 | 25% | direct cves: clear; cve scan: estimated
Release responsiveness | 10.0 | 5% | patch speed days: no_history
Dependency exposure | 0.0 | 10% | supply chain risk: 100.0; transitive cves: 17c/93h
Provenance trust | 5.5 | 40% | scorecard score: 5.5; openssf badge: none
Maintainer health | 10.0 | 10% | activity freshness: 14d
Operational risk | 8.5 | 10% | kev exposure: detected; epss max: none

How is this calculated?

The six dimensions group the legacy score signals into weighted categories: direct vulnerability status, patch responsiveness, dependency exposure, provenance checks, maintainer activity, and exploitability risk. The flat component values above remain available for compatibility.

Supply Chain Risk

Risk 100.0/100
17 Transitive critical CVEs
1 KEV-transitive CVEs
64% Dependency freshness

Scorecard

Scorecard 5.5/10

OpenSSF Scorecard evaluates supply-chain security practices automatically. Score ≥ 6 is passing; ≥ 8 is excellent.

Check | Score | Reason
Code-Review | 10 | all changesets reviewed
Dangerous-Workflow | 10 | no dangerous workflow patterns detected
Maintained | 10 | 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Token-Permissions | 0 | detected GitHub workflow tokens with excessive permissions
Packaging | -1 | packaging workflow not detected
CII-Best-Practices | 0 | no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts | 10 | no binaries found in the repo
Security-Policy | 0 | security policy file not detected
License | 10 | license file detected
Signed-Releases | -1 | no releases found
Fuzzing | 0 | project is not fuzzed
Pinned-Dependencies | 0 | dependency not pinned by hash detected -- score normalized to 0
SAST | 10 | SAST tool is run on all commits
Branch-Protection | 0 | branch protection not enabled on development/release branches

OpenSSF Badge

OpenSSF none

Badge indicates adherence to open-source best practices.

Dependency Vulnerabilities

1956 dependencies scanned

Scanning the SBOM (Software Bill of Materials) of the latest release for known vulnerabilities in transitive dependencies.

Critical: 17 | High: 89 | Medium: 87 | Low: 27 | Unknown: 0

1 dependency vulnerability is in KEV.

CISA confirmed these vulnerabilities are actively exploited. Treat as critical priority.

CVE | Severity | KEV | Dependency | Affected version | Cleared in release
CVE-2015-8857 | critical | - | uglify-js | 1.2.5 | -
CVE-2019-10744 | critical | - | lodash | 3.10.1 | -
CVE-2019-5413 | critical | - | morgan | 1.6.1 | -
CVE-2020-28282 | critical | - | getobject | 0.1.0 | -
CVE-2020-28502 | critical | - | xmlhttprequest | 1.4.2 | -
CVE-2021-23358 | critical | - | underscore | 1.4.4 | -
CVE-2021-44906 | critical | - | minimist | 0.0.8 | -
CVE-2022-1650 | critical | - | eventsource | 0.1.6 | -
CVE-2023-45133 | critical | - | @babel/traverse | 7.20.1 | -
CVE-2023-45133 | critical | - | babel-traverse | 6.26.0 | -
CVE-2025-6545 | critical | - | pbkdf2 | 3.1.2 | -
CVE-2025-6547 | critical | - | pbkdf2 | 3.1.2 | -
CVE-2025-7783 | critical | - | form-data | 2.1.4 | -
CVE-2025-9287 | critical | - | cipher-base | 1.0.4 | -
CVE-2025-9288 | critical | - | sha.js | 2.4.11 | -
GHSA-28xh-wpgr-7fm8 | critical | - | open | 0.0.5 | -
GHSA-vjh7-7g9h-fjfh | critical | - | elliptic | 6.5.4 | -
CVE-2015-8855 | high | - | semver | 1.0.14 | -
CVE-2015-8858 | high | - | uglify-js | 1.2.5 | -
CVE-2016-10539 | high | - | negotiator | 0.5.3 | -
CVE-2016-10540 | high | - | minimatch | 0.3.0 | -
CVE-2016-10542 | high | - | ws | 0.4.32 | -
CVE-2017-1000048 | high | - | qs | 4.0.0 | -
CVE-2017-15010 | high | - | tough-cookie | 2.2.2 | -
CVE-2017-16119 | high | - | fresh | 0.3.0 | -
CVE-2017-16138 | high | - | mime | 1.3.4 | -
CVE-2017-20165 | high | - | debug | 2.2.0 | -
CVE-2018-14732 | high | - | webpack-dev-server | 2.11.1 | -
CVE-2018-16487 | high | - | lodash | 3.10.1 | -
CVE-2018-3728 | high | - | hoek | 2.16.3 | -
CVE-2019-10768 | high | - | angular | 1.6.9 | -
CVE-2019-17221 | high | - | phantomjs | 1.9.20 | -
CVE-2020-36604 | high | - | hoek | 2.16.3 | -
CVE-2020-7729 | high | - | grunt | 1.0.2 | -
CVE-2020-8203 | high | - | lodash | 3.10.1 | -
CVE-2021-23337 | high | - | lodash | 3.10.1 | -
CVE-2021-23337 | high | - | lodash.template | 3.6.2 | -
CVE-2021-23424 | high | - | ansi-html | 0.0.7 | -
CVE-2021-28092 | high | - | is-svg | 2.1.0 | -
CVE-2021-29059 | high | - | is-svg | 2.1.0 | -
CVE-2021-32804 | high | - | tar | 2.2.2 | -
CVE-2021-33623 | high | - | trim-newlines | 1.0.0 | -
CVE-2021-37713 | high | - | tar | 2.2.2 | -
CVE-2021-3803 | high | - | nth-check | 1.0.2 | -
CVE-2022-0144 | high | - | shelljs | 0.7.7 | -
CVE-2022-0235 | high | - | node-fetch | 1.7.3 | -
CVE-2022-1537 | high | - | grunt | 1.0.2 | -
CVE-2022-21222 | high | - | css-what | 1.0.0 | -
CVE-2022-24771 | high | - | node-forge | 0.10.0 | -
CVE-2022-24772 | high | - | node-forge | 0.10.0 | -
CVE-2022-24785 | high | - | moment | 2.20.1 | -
CVE-2022-24999 | high | - | qs | 4.0.0 | -
CVE-2022-25758 | high | - | scss-tokenizer | 0.2.3 | -
CVE-2022-25858 | high | - | terser | 3.17.0 | -
CVE-2022-25883 | high | - | semver | 7.3.8 | -
CVE-2022-25927 | high | - | ua-parser-js | 0.7.32 | -
CVE-2022-29167 | high | - | hawk | 3.1.3 | -
CVE-2022-31129 | high | - | moment | 2.20.1 | -
CVE-2022-3517 | high | - | minimatch | 0.3.0 | -
CVE-2022-37620 | high | - | html-minifier | 2.1.7 | -
CVE-2022-38900 | high | - | decode-uri-component | 0.2.0 | -
CVE-2022-46175 | high | - | json5 | 1.0.1 | -
CVE-2023-26102 | high | - | rangy | 1.3.0 | -
CVE-2023-30861 | high | - | flask | 1.0 | -
CVE-2023-46234 | high | - | browserify-sign | 4.2.1 | -
CVE-2024-1135 | high | - | gunicorn | 19.7.1 | -
CVE-2024-21490 | high | - | angular | 1.6.9 | -
CVE-2024-21536 | high | - | http-proxy-middleware | 0.19.2 | -
CVE-2024-21538 | high | - | cross-spawn | 5.1.0 | -
CVE-2024-29180 | high | - | webpack-dev-middleware | 1.12.2 | -
CVE-2024-29415 | high | - | ip | 1.1.8 | -
CVE-2024-4068 | high | - | braces | 2.3.2 | -
CVE-2024-45296 | high | - | path-to-regexp | 0.1.7 | -
CVE-2024-45590 | high | - | body-parser | 1.13.3 | -
CVE-2024-47178 | high | - | basic-auth-connect | 1.0.0 | -
CVE-2024-52798 | high | - | path-to-regexp | 0.1.7 | -
CVE-2024-6221 | high | - | flask-cors | 3.0.9 | -
CVE-2024-6827 | high | - | gunicorn | 19.7.1 | -
CVE-2025-12816 | high | - | node-forge | 0.10.0 | -
CVE-2025-66031 | high | - | node-forge | 0.10.0 | -
CVE-2026-23745 | high | - | tar | 2.2.2 | -
CVE-2026-23950 | high | - | tar | 2.2.2 | -
CVE-2026-24842 | high | - | tar | 2.2.2 | -
CVE-2026-26960 | high | - | tar | 2.2.2 | -
CVE-2026-26996 | high | - | minimatch | 0.3.0 | -
CVE-2026-27601 | high | - | underscore | 1.4.4 | -
CVE-2026-27903 | high | - | minimatch | 0.3.0 | -
CVE-2026-27904 | high | - | minimatch | 0.3.0 | -
CVE-2026-29063 | high | - | immutable | 3.8.2 | -
CVE-2026-29786 | high | - | tar | 2.2.2 | -
CVE-2026-31802 | high | - | tar | 2.2.2 | -
CVE-2026-32141 | high | - | flatted | 2.0.2 | -
CVE-2026-33228 | high | - | flatted | 2.0.2 | -
CVE-2026-33671 | high | - | picomatch | 2.3.1 | -
CVE-2026-33891 | high | - | node-forge | 0.10.0 | -
CVE-2026-33894 | high | - | node-forge | 0.10.0 | -
CVE-2026-33895 | high | - | node-forge | 0.10.0 | -
CVE-2026-33896 | high | - | node-forge | 0.10.0 | -
CVE-2026-4800 | high | - | lodash-es | 4.17.21 | -
CVE-2026-4800 | high | - | lodash | 4.17.21 | -
CVE-2026-4867 | high | - | path-to-regexp | 0.1.7 | -
GHSA-5c6j-r48x-rmvq | high | - | serialize-javascript | 4.0.0 | -
GHSA-5v72-xg48-5rpm | high | - | ws | 0.4.32 | -
GHSA-6x33-pw7p-hmpq | high | - | http-proxy | 0.10.4 | -
GHSA-8j8c-7jfh-h6hx | high | - | js-yaml | 3.4.6 | -
GHSA-j4mr-9xw3-c9jx | high | - | base64-url | 1.2.1 | -
CVE-2015-9251 | medium | - | jquery | 1.9.1 | -
CVE-2016-1000232 | medium | - | tough-cookie | 2.2.2 | -
CVE-2016-10735 | medium | - | bootstrap | 3.3.7 | -
CVE-2017-16026 | medium | - | request | 2.67.0 | -
CVE-2017-20162 | medium | - | ms | 0.7.1 | -
CVE-2018-14040 | medium | - | bootstrap | 3.3.7 | -
CVE-2018-14042 | medium | - | bootstrap | 3.3.7 | -
CVE-2018-20676 | medium | - | bootstrap | 3.3.7 | -
CVE-2018-20677 | medium | - | bootstrap | 3.3.7 | -
CVE-2018-3721 | medium | - | lodash | 3.10.1 | -
CVE-2018-6341 | medium | - | react-dom | 16.2.0 | -
CVE-2019-1010266 | medium | - | lodash | 4.17.5 | -
CVE-2019-11358 | medium | - | jquery | 1.9.1 | -
CVE-2019-8331 | medium | - | bootstrap | 3.3.7 | -
CVE-2020-11022 | medium | - | jquery | 3.3.1 | -
CVE-2020-11023 | medium | KEV | jquery | 1.9.1 | -
CVE-2020-15366 | medium | - | ajv | 5.5.2 | -
CVE-2020-24025 | medium | - | node-sass | 4.9.0 | -
CVE-2020-26311 | medium | - | useragent | 2.3.0 | -
CVE-2020-28481 | medium | - | socket.io | 0.9.16 | -
CVE-2020-28500 | medium | - | lodash | 4.3.0 | -
CVE-2020-7598 | medium | - | minimist | 0.0.8 | -
CVE-2020-7608 | medium | - | yargs-parser | 7.0.0 | -
CVE-2020-7676 | medium | - | angular | 1.6.9 | -
CVE-2020-7693 | medium | - | sockjs | 0.3.19 | -
CVE-2020-8244 | medium | - | bl | 1.0.3 | -
CVE-2021-23382 | medium | - | postcss | 5.2.18 | -
CVE-2021-23495 | medium | - | karma | 0.12.37 | -
CVE-2021-29060 | medium | - | color-string | 0.3.0 | -
CVE-2022-0122 | medium | - | node-forge | 0.10.0 | -
CVE-2022-0436 | medium | - | grunt | 1.0.2 | -
CVE-2022-0437 | medium | - | karma | 0.12.37 | -
CVE-2022-21704 | medium | - | log4js | 0.6.38 | -
CVE-2022-24773 | medium | - | node-forge | 0.10.0 | -
CVE-2022-25869 | medium | - | angular | 1.6.9 | -
CVE-2023-26115 | medium | - | word-wrap | 1.2.3 | -
CVE-2023-26116 | medium | - | angular | 1.6.9 | -
CVE-2023-26117 | medium | - | angular | 1.6.9 | -
CVE-2023-26118 | medium | - | angular | 1.6.9 | -
CVE-2023-26136 | medium | - | tough-cookie | 2.3.4 | -
CVE-2023-26159 | medium | - | follow-redirects | 1.15.2 | -
CVE-2023-28155 | medium | - | request | 2.81.0 | -
CVE-2023-44270 | medium | - | postcss | 8.4.19 | -
CVE-2024-1681 | medium | - | flask-cors | 3.0.9 | -
CVE-2024-21501 | medium | - | sanitize-html | 2.7.3 | -
CVE-2024-22195 | medium | - | jinja2 | 2.11.3 | -
CVE-2024-28849 | medium | - | follow-redirects | 1.15.2 | -
CVE-2024-28863 | medium | - | tar | 2.2.2 | -
CVE-2024-29041 | medium | - | express | 4.18.2 | -
CVE-2024-34064 | medium | - | jinja2 | 2.11.3 | -
CVE-2024-38355 | medium | - | socket.io | 0.9.16 | -
CVE-2024-4067 | medium | - | micromatch | 4.0.5 | -
CVE-2024-55565 | medium | - | nanoid | 3.3.4 | -
CVE-2024-5629 | medium | - | pymongo | 3.11.2 | -
CVE-2024-56326 | medium | - | jinja2 | 2.11.3 | -
CVE-2024-6485 | medium | - | bootstrap | 3.3.7 | -
CVE-2024-6839 | medium | - | flask-cors | 3.0.9 | -
CVE-2024-6844 | medium | - | flask-cors | 3.0.9 | -
CVE-2024-6866 | medium | - | flask-cors | 3.0.9 | -
CVE-2025-13465 | medium | - | lodash | 4.17.21 | -
CVE-2025-13465 | medium | - | lodash-es | 4.17.21 | -
CVE-2025-15284 | medium | - | qs | 4.0.0 | -
CVE-2025-27516 | medium | - | jinja2 | 2.11.3 | -
CVE-2025-27789 | medium | - | @babel/runtime | 7.20.1 | -
CVE-2025-30359 | medium | - | webpack-dev-server | 2.11.1 | -
CVE-2025-30360 | medium | - | webpack-dev-server | 2.11.1 | -
CVE-2025-64718 | medium | - | js-yaml | 3.4.6 | -
CVE-2025-66030 | medium | - | node-forge | 0.10.0 | -
CVE-2025-69873 | medium | - | ajv | 6.12.6 | -
CVE-2026-2739 | medium | - | bn.js | 5.2.1 | -
CVE-2026-2950 | medium | - | lodash | 4.17.21 | -
CVE-2026-2950 | medium | - | lodash-es | 4.17.21 | -
CVE-2026-33532 | medium | - | yaml | 1.10.2 | -
CVE-2026-33672 | medium | - | picomatch | 2.3.1 | -
CVE-2026-33750 | medium | - | brace-expansion | 1.1.11 | -
CVE-2026-34043 | medium | - | serialize-javascript | 4.0.0 | -
CVE-2026-41305 | medium | - | postcss | 8.4.19 | -
GHSA-2pr6-76vf-7546 | medium | - | js-yaml | 3.4.6 | -
GHSA-4xcv-9jjx-gfj3 | medium | - | mem | 1.1.0 | -
GHSA-5cp4-xmrw-59wf | medium | - | angular | 1.6.9 | -
GHSA-64g7-mvw6-v9qj | medium | - | shelljs | 0.7.7 | -
GHSA-9v62-24cr-58cx | medium | - | node-sass | 4.9.0 | -
GHSA-g74r-ffvr-5q9f | medium | - | concat-stream | 1.5.0 | -
GHSA-r4q5-vmmm-2653 | medium | - | follow-redirects | 1.15.2 | -
GHSA-v2p6-4mp7-3r9v | medium | - | underscore.string | 2.4.0 | -
GHSA-v78c-4p63-2j6c | medium | - | moment-timezone | 0.5.14 | -
GHSA-xc7v-wxcw-j472 | medium | - | tunnel-agent | 0.4.3 | -
CVE-2016-10518 | low | - | ws | 0.4.32 | -
CVE-2017-16137 | low | - | debug | 2.2.0 | -
CVE-2023-42282 | low | - | ip | 1.1.8 | -
CVE-2024-27088 | low | - | es5-ext | 0.10.62 | -
CVE-2024-42459 | low | - | elliptic | 6.5.4 | -
CVE-2024-42460 | low | - | elliptic | 6.5.4 | -
CVE-2024-42461 | low | - | elliptic | 6.5.4 | -
CVE-2024-43796 | low | - | express | 4.18.2 | -
CVE-2024-43799 | low | - | send | 0.18.0 | -
CVE-2024-43800 | low | - | serve-static | 1.10.3 | -
CVE-2024-47764 | low | - | cookie | 0.1.3 | -
CVE-2024-48948 | low | - | elliptic | 6.5.4 | -
CVE-2024-48949 | low | - | elliptic | 6.5.4 | -
CVE-2024-8372 | low | - | angular | 1.6.9 | -
CVE-2024-8373 | low | - | angular | 1.6.9 | -
CVE-2025-0716 | low | - | angular | 1.6.9 | -
CVE-2025-14505 | low | - | elliptic | 6.5.4 | -
CVE-2025-54798 | low | - | tmp | 0.0.33 | -
CVE-2025-5889 | low | - | brace-expansion | 1.1.11 | -
CVE-2025-7339 | low | - | on-headers | 1.0.2 | -
CVE-2026-2391 | low | - | qs | 6.11.0 | -
CVE-2026-24001 | low | - | diff | 4.0.2 | -
CVE-2026-27205 | low | - | flask | 1.0 | -
GHSA-56x4-j7p9-fcf9 | low | - | moment-timezone | 0.5.14 | -
GHSA-5rrq-pxf6-6jx5 | low | - | node-forge | 0.10.0 | -
GHSA-gf8q-jrpm-jvxq | low | - | node-forge | 0.10.0 | -
GHSA-wxhq-pm8v-cw75 | low | - | clean-css | 3.4.28 | -

Showing 220 of 236
