Skip to content
Tools / papra / Security

Security Deep Dive

papra

Security posture and CVE patch evidence from tracked releases.

Back to Tool

3 critical dependency CVEs affects @papra/[email protected].

Audit transitive dependencies; consider upgrading or pinning replacements.

— Signed — SLSA — SBOM ✓ Security policy Weekly cadence · 0d median Active maintainer

Trust Signals — 3 of 9 Present

Evidence already collected from releases and repository metadata.

3/9 Present
Signed releases Unknown
Latest release artifact signature Latest release
SLSA provenance Unknown
Attestation predicate level Latest release
SBOM published Unknown
GitHub SBOM API Latest release
SECURITY.md Present
GitHub repository metadata Repository policy
Checked: 18d ago
Release cadence: weekly Present
0d median over recent releases Release history
Latest release: 14d ago
Maintainer active Present
Recent commit activity Repository
Last commit: 3d ago
Checksums (SHA256SUMS) Not active yet
SHA256SUMS or equivalent Release asset
Latest release: 14d ago
GitHub Actions attestation Not active yet
actions/attest-build-provenance Workflow file
Latest release: 14d ago
Signing assets Not active yet
.sig, .crt, cosign.pub, or similar Release asset
Latest release: 14d ago
3.8/10 Security Score
Dependency Exposure 99 transitive dependency CVEs found in the latest SBOM. 3 critical.

Security Score

A composite score aggregating Scorecard performance, CVE patch history, OpenSSF badge tier, and dependency vulnerability exposure. Score ≥ 7.0 is healthy; < 4.0 warrants attention.

epss

0.25 / 0.5

No EPSS data

freshness

1.00 / 1.0

3d stale

scorecard

2.00 / 4.0

⚠ Estimated — not yet collected

cve health

0.00 / 2.5

No open CVEs

patch speed

0.50 / 0.5

⚠ Estimated — no CVE patch history

kev exposure

1.50 / 1.5

No KEV exposure

supply chain risk

-1.50 / 10.0

Risk 100.0/100

Score breakdown

schema v2

Vulnerability posture

vulnerability posture

0.0

25%

direct cves: clear cve scan: available

Release responsiveness

release responsiveness

10.0

5%

patch speed days: no_history

Dependency exposure

dependency exposure

0.0

10%

supply chain risk: 100.0 transitive cves: 3c/53h

Provenance trust

provenance trust

5.0

40%

scorecard score: estimated openssf badge: none

Maintainer health

maintainer health

10.0

10%

activity freshness: 3d

Operational risk

operational risk

8.5

10%

kev exposure: clear epss max: none
How is this calculated?

The six dimensions group the legacy score signals into weighted categories: direct vulnerability status, patch responsiveness, dependency exposure, provenance checks, maintainer activity, and exploitability risk. The flat component values above remain available for compatibility.

Supply Chain Risk

Risk 100.0/100
3 Transitive critical CVEs
0 KEV-transitive CVEs
59% Dependency freshness

OpenSSF Badge

OpenSSF none

Badge indicates adherence to open-source best practices.

Dependency Vulnerabilities

2836 dependencies scanned View full dependency list →

Scanning the SBOM (Software Bill of Materials) of the latest release for known vulnerabilities in transitive dependencies.

Critical

3

High

53

Medium

31

Low

12

Unknown

0

Still affecting latest (0) All (99)
Critical 3 High 53 Medium 31 Low 12
CVE Severity KEV Dependency Affected version Cleared in release
CVE-2026-25896 critical fast-xml-parser 4.4.1 @papra/[email protected]
CVE-2026-41242 critical protobufjs 7.5.4 @papra/[email protected]
GHSA-xg6x-h9c9-2m83 critical better-auth 1.4.6 @papra/[email protected]
CVE-2025-12816 high node-forge 1.3.1 @papra/[email protected]
CVE-2025-14874 high nodemailer 7.0.3 @papra/[email protected]
CVE-2025-48387 high tar-fs 2.1.2 @papra/[email protected]
CVE-2025-59343 high tar-fs 2.1.2 @papra/[email protected]
CVE-2025-64756 high glob 10.4.5 @papra/[email protected]
CVE-2025-65945 high jws 3.2.2 @papra/[email protected]
CVE-2025-66031 high node-forge 1.3.1 @papra/[email protected]
CVE-2026-0933 high wrangler 4.50.0 @papra/[email protected]
CVE-2026-1526 high undici 7.14.0 @papra/[email protected]
CVE-2026-1528 high undici 7.14.0 @papra/[email protected]
CVE-2026-2229 high undici 7.14.0 @papra/[email protected]
CVE-2026-23736 high seroval 1.3.1 @papra/[email protected]
CVE-2026-23737 high seroval 1.3.1 @papra/[email protected]
CVE-2026-23745 high tar 6.2.1 @papra/[email protected]
CVE-2026-23950 high tar 6.2.1 @papra/[email protected]
CVE-2026-23956 high seroval 1.3.1 @papra/[email protected]
CVE-2026-23957 high seroval 1.3.1 @papra/[email protected]
CVE-2026-24006 high seroval 1.3.1 @papra/[email protected]
CVE-2026-24842 high tar 6.2.1 @papra/[email protected]
CVE-2026-25128 high fast-xml-parser 5.3.3 @papra/[email protected]
CVE-2026-26278 high fast-xml-parser 4.4.1 @papra/[email protected]
CVE-2026-26960 high tar 6.2.1 @papra/[email protected]
CVE-2026-26996 high minimatch 5.1.6 @papra/[email protected]
CVE-2026-27606 high rollup 4.52.4 @papra/[email protected]
CVE-2026-27903 high minimatch 5.1.6 @papra/[email protected]
CVE-2026-27904 high minimatch 5.1.6 @papra/[email protected]
CVE-2026-29074 high svgo 4.0.0 @papra/[email protected]
CVE-2026-29786 high tar 6.2.1 @papra/[email protected]
CVE-2026-31802 high tar 6.2.1 @papra/[email protected]
CVE-2026-32141 high flatted 3.3.2 @papra/[email protected]
CVE-2026-32763 high kysely 0.28.8 @papra/[email protected]
CVE-2026-33036 high fast-xml-parser 4.4.1 @papra/[email protected]
CVE-2026-33128 high h3 1.15.5 @papra/[email protected]
CVE-2026-33228 high flatted 3.3.2 @papra/[email protected]
CVE-2026-33468 high kysely 0.28.8 @papra/[email protected]
CVE-2026-33671 high picomatch 4.0.2 @papra/[email protected]
CVE-2026-33891 high node-forge 1.3.1 @papra/[email protected]
CVE-2026-33894 high node-forge 1.3.1 @papra/[email protected]
CVE-2026-33895 high node-forge 1.3.1 @papra/[email protected]
CVE-2026-33896 high node-forge 1.3.1 @papra/[email protected]
CVE-2026-34601 high @xmldom/xmldom 0.7.13 @papra/[email protected]
CVE-2026-35209 high defu 6.1.4 @papra/[email protected]
CVE-2026-39356 high drizzle-orm 0.38.4 @papra/[email protected]
CVE-2026-39363 high vite 7.1.9 @papra/[email protected]
CVE-2026-39364 high vite 7.1.9 @papra/[email protected]
CVE-2026-41672 high @xmldom/xmldom 0.7.13 @papra/[email protected]
CVE-2026-41673 high @xmldom/xmldom 0.7.13 @papra/[email protected]
CVE-2026-41674 high @xmldom/xmldom 0.7.13 @papra/[email protected]
CVE-2026-41675 high @xmldom/xmldom 0.7.13 @papra/[email protected]
CVE-2026-44665 high fast-xml-builder 1.1.4 @papra/[email protected]
CVE-2026-4800 high lodash 4.17.21 @papra/[email protected]
CVE-2026-6321 high fast-uri 3.0.6 @papra/[email protected]
CVE-2026-6322 high fast-uri 3.0.6 @papra/[email protected]
CVE-2025-13033 medium nodemailer 7.0.3 @papra/[email protected]
CVE-2025-13465 medium lodash 4.17.21 @papra/[email protected]
CVE-2025-15284 medium qs 6.14.0 @papra/[email protected]
CVE-2025-62522 medium vite 7.1.9 @papra/[email protected]
CVE-2025-64718 medium js-yaml 3.14.1 @papra/[email protected]
CVE-2025-66030 medium node-forge 1.3.1 @papra/[email protected]
CVE-2025-66400 medium mdast-util-to-hast 13.2.0 @papra/[email protected]
CVE-2025-69873 medium ajv 6.12.6 @papra/[email protected]
CVE-2026-1525 medium undici 7.14.0 @papra/[email protected]
CVE-2026-1527 medium undici 7.14.0 @papra/[email protected]
CVE-2026-22036 medium undici 7.14.0 @papra/[email protected]
CVE-2026-2950 medium lodash 4.17.21 @papra/[email protected]
CVE-2026-30226 medium devalue 5.6.2 @papra/[email protected]
CVE-2026-31808 medium file-type 21.3.0 @papra/[email protected]
CVE-2026-32630 medium file-type 21.3.0 @papra/[email protected]
CVE-2026-33349 medium fast-xml-parser 4.4.1 @papra/[email protected]
CVE-2026-33532 medium yaml 2.7.1 @papra/[email protected]
CVE-2026-33672 medium picomatch 4.0.2 @papra/[email protected]
CVE-2026-33750 medium brace-expansion 1.1.11 @papra/[email protected]
CVE-2026-39365 medium vite 7.1.9 @papra/[email protected]
CVE-2026-41067 medium astro 5.16.15 @papra/[email protected]
CVE-2026-41305 medium postcss 8.4.49 @papra/[email protected]
CVE-2026-41650 medium fast-xml-parser 5.5.10 @papra/[email protected]
CVE-2026-44455 medium hono 4.12.14 @papra/[email protected]
CVE-2026-44456 medium hono 4.12.14 @papra/[email protected]
GHSA-4hxc-9384-m385 medium h3 1.15.5 @papra/[email protected]
GHSA-67mh-4wv8-2f99 medium esbuild 0.24.2 @papra/[email protected]
GHSA-72gr-qfp7-vwhw medium h3 1.15.5 @papra/[email protected]
GHSA-v3rj-xjv7-4jmq medium smol-toml 1.6.0 @papra/[email protected]
GHSA-vvjj-xcjg-gr5g medium nodemailer 7.0.3 @papra/[email protected]
GHSA-wr4h-v87w-p3r7 medium h3 1.15.5 @papra/[email protected]
CVE-2025-54798 low tmp 0.0.33 @papra/[email protected]
CVE-2025-5889 low brace-expansion 1.1.11 @papra/[email protected]
CVE-2026-2391 low qs 6.14.0 @papra/[email protected]
CVE-2026-24001 low diff 7.0.0 @papra/[email protected]
CVE-2026-27942 low fast-xml-parser 4.4.1 @papra/[email protected]
CVE-2026-33769 low astro 5.16.15 @papra/[email protected]
CVE-2026-41321 low @astrojs/cloudflare 12.6.10 @papra/[email protected]
GHSA-33hq-fvwr-56pm low devalue 5.6.2 @papra/[email protected]
GHSA-6475-r3vj-m8vf low @smithy/config-resolver 4.1.4 @papra/[email protected]
GHSA-8qm3-746x-r74r low devalue 5.6.2 @papra/[email protected]
GHSA-c7w3-x93f-qmm8 low nodemailer 7.0.3 @papra/[email protected]
GHSA-mwv9-gp5h-frr4 low devalue 5.6.2 @papra/[email protected]

Showing 99 of 99

Beta — feedback welcome: [email protected]