
Security Deep Dive

server

Security posture and CVE patch evidence from tracked releases.


21 critical dependency CVEs affect v0.8.3.

Audit transitive dependencies; consider upgrading or pinning replacements.

Signed: unknown · SLSA: unknown · SBOM: present · Security policy: absent · Weekly cadence (7d median) · Sporadic maintainer

Trust Signals — 3 of 9 Present

Evidence already collected from releases and repository metadata.

Signed releases: Unknown
  Evidence: latest release artifact signature (latest release)

SLSA provenance: Unknown
  Evidence: attestation predicate level (latest release)

SBOM published: Present
  Evidence: GitHub SBOM API (latest release); last verified 28d ago

SECURITY.md: Absent
  Evidence: GitHub repository metadata (repository policy); checked 18d ago

Release cadence (weekly): Present
  Evidence: 7d median over recent releases (release history); latest release 3mo ago

Maintainer sporadic: Present
  Evidence: recent commit activity (repository); last commit 3mo ago

Checksums (SHA256SUMS): Not active yet
  Evidence: SHA256SUMS or equivalent (release asset); latest release 3mo ago

GitHub Actions attestation: Not active yet
  Evidence: actions/attest-build-provenance (workflow file); latest release 3mo ago

Signing assets: Not active yet
  Evidence: .sig, .crt, cosign.pub, or similar (release asset); latest release 3mo ago
Security Score: 3.0/10
Scorecard: 3.7/10
Dependency Exposure: 191 transitive dependency CVEs found in the latest SBOM, 21 critical.

Security Score

A composite score aggregating Scorecard performance, CVE patch history, OpenSSF badge tier, and dependency vulnerability exposure. Score ≥ 7.0 is healthy; < 4.0 warrants attention.

Components:

epss: 0.25 / 0.5 (No EPSS data)
freshness: 0.81 / 1.0 (94d stale)
scorecard: 1.48 / 4.0 (Score 3.7/10)
cve health: 0.00 / 2.5 (No open CVEs)
patch speed: 0.50 / 0.5 (⚠ Estimated — no CVE patch history)
kev exposure: 1.50 / 1.5 (No KEV exposure)
supply chain risk: -1.50 / 10.0 (Risk 100.0/100)

Score breakdown (schema v2)

Vulnerability posture: 0.0 (weight 25%); direct CVEs: clear; CVE scan: available
Release responsiveness: 10.0 (weight 5%); patch speed days: no_history
Dependency exposure: 0.0 (weight 10%); supply chain risk: 100.0; transitive CVEs: 21 critical / 95 high
Provenance trust: 3.7 (weight 40%); scorecard score: 3.7; OpenSSF badge: none
Maintainer health: 8.1 (weight 10%); activity freshness: 94d
Operational risk: 8.5 (weight 10%); KEV exposure: clear; EPSS max: none

How is this calculated?

The six dimensions group the legacy score signals into weighted categories: direct vulnerability status, patch responsiveness, dependency exposure, provenance checks, maintainer activity, and exploitability risk. The flat component values above remain available for compatibility.

Supply Chain Risk

Risk 100.0/100
21 Transitive critical CVEs
0 KEV-transitive CVEs
74% Dependency freshness

Scorecard

Scorecard 3.7/10

OpenSSF Scorecard evaluates supply-chain security practices automatically. Score ≥ 6 is passing; ≥ 8 is excellent.

Check (score): reason

Dangerous-Workflow (10): no dangerous workflow patterns detected
Maintained (5): 5 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 5
Code-Review (4): Found 3/7 approved changesets -- score normalized to 4
Packaging (-1): packaging workflow not detected
Token-Permissions (0): detected GitHub workflow tokens with excessive permissions
Binary-Artifacts (10): no binaries found in the repo
CII-Best-Practices (0): no effort to earn an OpenSSF best practices badge detected
Security-Policy (0): security policy file not detected
Fuzzing (0): project is not fuzzed
License (10): license file detected
Pinned-Dependencies (0): dependency not pinned by hash detected -- score normalized to 0
Branch-Protection (-1): internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases (0): Project has not signed or included provenance with any releases.
SAST (0): SAST tool is not run on all commits -- score normalized to 0

OpenSSF Badge

OpenSSF none

Badge indicates adherence to open-source best practices.

Dependency Vulnerabilities

1732 dependencies scanned

Scanning the SBOM (Software Bill of Materials) of the latest release for known vulnerabilities in transitive dependencies.

Critical 21 · High 95 · Medium 51 · Low 23 · Unknown 1

CVE Severity KEV Dependency Affected version Cleared in release
CVE-2019-10744 critical lodash 4.17.11
CVE-2019-15657 critical eslint-utils 1.4.0
CVE-2019-19919 critical handlebars 4.1.2
CVE-2021-23369 critical handlebars 4.1.2
CVE-2021-23383 critical handlebars 4.1.2
CVE-2021-26707 critical merge-deep 3.0.2
CVE-2021-3918 critical json-schema 0.2.3
CVE-2021-42740 critical shell-quote 1.7.2
CVE-2021-44906 critical minimist 1.2.0
CVE-2022-0686 critical url-parse 1.4.7
CVE-2022-1650 critical eventsource 1.0.7
CVE-2022-37601 critical loader-utils 1.2.3
CVE-2023-45133 critical @babel/traverse 7.7.2
CVE-2023-45311 critical fsevents 1.2.9
CVE-2025-6545 critical pbkdf2 3.0.17
CVE-2025-6547 critical pbkdf2 3.0.17
CVE-2025-7783 critical form-data 2.3.3
CVE-2025-9287 critical cipher-base 1.0.4
CVE-2025-9288 critical sha.js 2.4.11
CVE-2026-33937 critical handlebars 4.1.2
GHSA-vjh7-7g9h-fjfh critical elliptic 6.5.0
CVE-2019-10773 high yarn 1.19.1
CVE-2019-20149 high kind-of 6.0.2
CVE-2019-20920 high handlebars 4.1.2
CVE-2019-20922 high handlebars 4.1.2
CVE-2020-13822 high elliptic 6.5.0
CVE-2020-15256 high object-path 0.11.4
CVE-2020-28469 high glob-parent 5.0.0
CVE-2020-36604 high @hapi/hoek 8.2.0
CVE-2020-7660 high serialize-javascript 1.7.0
CVE-2020-7662 high websocket-extensions 0.1.3
CVE-2020-7720 high node-forge 0.7.5
CVE-2020-7733 high ua-parser-js 0.7.19
CVE-2020-7774 high y18n 4.0.0
CVE-2020-7788 high ini 1.3.5
CVE-2020-7793 high ua-parser-js 0.7.19
CVE-2020-8116 high dot-prop 4.2.0
CVE-2020-8131 high yarn 1.19.1
CVE-2020-8203 high lodash 4.17.11
CVE-2021-23337 high lodash.template 4.5.0
CVE-2021-23337 high lodash 4.17.11
CVE-2021-23386 high dns-packet 1.3.1
CVE-2021-23424 high ansi-html 0.0.7
CVE-2021-26543 high git-parse 1.0.3
CVE-2021-27290 high ssri 6.0.1
CVE-2021-27292 high ua-parser-js 0.7.19
CVE-2021-28092 high is-svg 3.0.0
CVE-2021-29059 high is-svg 3.0.0
CVE-2021-32803 high tar 4.4.10
CVE-2021-32804 high tar 4.4.10
CVE-2021-37701 high tar 4.4.10
CVE-2021-37712 high tar 4.4.10
CVE-2021-37713 high tar 4.4.10
CVE-2021-3777 high tmpl 1.0.4
CVE-2021-3803 high nth-check 1.0.2
CVE-2021-3805 high object-path 0.11.4
CVE-2021-3807 high ansi-regex 4.1.0
CVE-2021-4435 high yarn 1.19.1
CVE-2022-0144 high shelljs 0.7.7
CVE-2022-0155 high follow-redirects 1.7.0
CVE-2022-0235 high node-fetch 1.7.3
CVE-2022-24771 high node-forge 0.7.5
CVE-2022-24772 high node-forge 0.7.5
CVE-2022-24785 high moment 2.24.0
CVE-2022-24999 high qs 6.7.0
CVE-2022-25858 high terser 4.1.3
CVE-2022-25883 high semver 6.3.0
CVE-2022-31129 high moment 2.24.0
CVE-2022-3517 high minimatch 3.0.4
CVE-2022-37599 high loader-utils 1.2.3
CVE-2022-37603 high loader-utils 1.2.3
CVE-2022-37620 high html-minifier 3.5.21
CVE-2022-38900 high decode-uri-component 0.2.0
CVE-2022-46175 high json5 1.0.1
CVE-2023-46234 high browserify-sign 4.0.4
CVE-2024-21536 high http-proxy-middleware 0.19.1
CVE-2024-21538 high cross-spawn 6.0.5
CVE-2024-29180 high webpack-dev-middleware 3.7.0
CVE-2024-29415 high ip 1.1.5
CVE-2024-37890 high ws 5.2.2
CVE-2024-4068 high braces 2.3.2
CVE-2024-45296 high path-to-regexp 1.7.0
CVE-2024-45590 high body-parser 1.19.0
CVE-2024-52798 high path-to-regexp 0.1.7
CVE-2025-12816 high node-forge 0.7.5
CVE-2025-66031 high node-forge 0.7.5
CVE-2026-23745 high tar 4.4.10
CVE-2026-23950 high tar 4.4.10
CVE-2026-24842 high tar 4.4.10
CVE-2026-26960 high tar 4.4.10
CVE-2026-26996 high minimatch 3.0.4
CVE-2026-27903 high minimatch 3.0.4
CVE-2026-27904 high minimatch 3.0.4
CVE-2026-29063 high immutable 3.8.2
CVE-2026-29786 high tar 4.4.10
CVE-2026-31802 high tar 4.4.10
CVE-2026-32141 high flatted 2.0.1
CVE-2026-33228 high flatted 2.0.1
CVE-2026-33891 high node-forge 0.7.5
CVE-2026-33894 high node-forge 0.7.5
CVE-2026-33895 high node-forge 0.7.5
CVE-2026-33896 high node-forge 0.7.5
CVE-2026-33938 high handlebars 4.1.2
CVE-2026-33939 high handlebars 4.1.2
CVE-2026-33940 high handlebars 4.1.2
CVE-2026-33941 high handlebars 4.1.2
CVE-2026-4800 high lodash 4.17.11
CVE-2026-4800 high lodash.template 4.5.0
CVE-2026-4867 high path-to-regexp 0.1.7
GHSA-2cf5-4w76-r9qv high handlebars 4.1.2
GHSA-36jr-mh4h-2g58 high d3-color 1.2.3
GHSA-5c6j-r48x-rmvq high serialize-javascript 1.7.0
GHSA-6chw-6frg-f759 high acorn 5.7.3
GHSA-6x33-pw7p-hmpq high http-proxy 1.17.0
GHSA-g9r4-xpmj-mj65 high handlebars 4.1.2
GHSA-q2c6-c6pm-g3gh high handlebars 4.1.2
CVE-2019-16769 medium serialize-javascript 1.7.0
CVE-2020-15366 medium ajv 6.10.2
CVE-2020-28498 medium elliptic 6.5.0
CVE-2020-28500 medium lodash 4.17.11
CVE-2020-7598 medium minimist 1.2.0
CVE-2020-7608 medium yargs-parser 13.1.1
CVE-2020-7693 medium sockjs 0.3.19
CVE-2020-7789 medium node-notifier 5.4.3
CVE-2021-23343 medium path-parse 1.0.6
CVE-2021-23362 medium hosted-git-info 2.8.2
CVE-2021-23364 medium browserslist 4.7.0
CVE-2021-23368 medium postcss 7.0.14
CVE-2021-23382 medium postcss 7.0.14
CVE-2021-23434 medium object-path 0.11.4
CVE-2021-24033 medium react-dev-utils 9.1.0
CVE-2021-27515 medium url-parse 1.4.7
CVE-2021-29060 medium color-string 1.5.3
CVE-2021-32640 medium ws 5.2.2
CVE-2021-3664 medium url-parse 1.4.7
CVE-2022-0122 medium node-forge 0.7.5
CVE-2022-0512 medium url-parse 1.4.7
CVE-2022-0536 medium follow-redirects 1.7.0
CVE-2022-0639 medium url-parse 1.4.7
CVE-2022-0691 medium url-parse 1.4.7
CVE-2022-24773 medium node-forge 0.7.5
CVE-2023-26136 medium tough-cookie 2.4.3
CVE-2023-26159 medium follow-redirects 1.7.0
CVE-2023-28155 medium request 2.88.0
CVE-2023-44270 medium postcss 7.0.14
CVE-2024-28849 medium follow-redirects 1.7.0
CVE-2024-28863 medium tar 4.4.10
CVE-2024-29041 medium express 4.17.1
CVE-2024-4067 medium micromatch 3.1.10
CVE-2025-13465 medium lodash 4.17.11
CVE-2025-15284 medium qs 6.7.0
CVE-2025-27789 medium @babel/helpers 7.5.5
CVE-2025-27789 medium @babel/runtime 7.3.4
CVE-2025-30359 medium webpack-dev-server 3.2.1
CVE-2025-30360 medium webpack-dev-server 3.2.1
CVE-2025-64718 medium js-yaml 3.13.1
CVE-2025-66030 medium node-forge 0.7.5
CVE-2025-69873 medium ajv 6.10.2
CVE-2026-2739 medium bn.js 4.11.8
CVE-2026-2950 medium lodash 4.17.11
CVE-2026-33750 medium brace-expansion 1.1.11
CVE-2026-33916 medium handlebars 4.1.2
CVE-2026-34043 medium serialize-javascript 1.7.0
CVE-2026-41305 medium postcss 7.0.14
GHSA-64g7-mvw6-v9qj medium shelljs 0.7.7
GHSA-f52g-6jhx-586p medium handlebars 4.1.2
GHSA-r4q5-vmmm-2653 medium follow-redirects 1.7.0
CVE-2017-16137 low debug 3.2.6
CVE-2020-15168 low node-fetch 2.6.0
CVE-2023-42282 low ip 1.1.5
CVE-2024-27088 low es5-ext 0.10.50
CVE-2024-42459 low elliptic 6.5.0
CVE-2024-42460 low elliptic 6.5.0
CVE-2024-42461 low elliptic 6.5.0
CVE-2024-43796 low express 4.17.1
CVE-2024-43799 low send 0.17.1
CVE-2024-43800 low serve-static 1.14.1
CVE-2024-47764 low cookie 0.4.0
CVE-2024-48948 low elliptic 6.5.0
CVE-2024-48949 low elliptic 6.5.0
CVE-2025-14505 low elliptic 6.5.0
CVE-2025-54798 low tmp 0.0.33
CVE-2025-5889 low brace-expansion 1.1.11
CVE-2025-7339 low on-headers 1.0.2
CVE-2026-2391 low qs 6.7.0
CVE-2026-24001 low diff 4.0.1
GHSA-442j-39wm-28r2 low handlebars 4.1.2
GHSA-5rrq-pxf6-6jx5 low node-forge 0.7.5
GHSA-gf8q-jrpm-jvxq low node-forge 0.7.5
GHSA-wxgw-qj99-44c2 low node-forge 0.7.5
MAL-2023-462 unknown fsevents 1.2.9
