Security Deep Dive
Shuffle
Security posture and CVE patch evidence from tracked releases.
12 critical dependency CVEs affects v2.2.2-rc1.
Audit transitive dependencies; consider upgrading or pinning replacements.
— Signed
— SLSA
— SBOM
✓ Security policy
Weekly cadence · 7d median
Active maintainer
Trust Signals — 3 of 9 Present
Evidence already collected from releases and repository metadata.
3/9
Present
Signed releases
Unknown
Latest release artifact signature
Latest release
—
SLSA provenance
Unknown
Attestation predicate level
Latest release
—
SBOM published
Unknown
GitHub SBOM API
Latest release
—
SECURITY.md
Present
GitHub repository metadata
Repository policy
Checked: 22d ago
Release cadence: weekly
Present
7d median over recent releases
Release history
Latest release: 7d ago
Maintainer active
Present
Recent commit activity
Repository
Last commit: 7d ago
Checksums (SHA256SUMS)
Not active yet
SHA256SUMS or equivalent
Release asset
Latest release: 7d ago
GitHub Actions attestation
Not active yet
actions/attest-build-provenance
Workflow file
Latest release: 7d ago
Signing assets
Not active yet
.sig, .crt, cosign.pub, or similar
Release asset
Latest release: 7d ago
3.8/10
Security Score
Dependency Exposure
105 transitive dependency
CVEs found in the latest SBOM.
12 critical.
Security Score
A composite score aggregating Scorecard performance, CVE patch history, OpenSSF badge tier, and dependency vulnerability exposure. Score ≥ 7.0 is healthy; < 4.0 warrants attention.
epss
0.25 / 0.5
No EPSS data
freshness
1.00 / 1.0
6d stale
scorecard
2.00 / 4.0
⚠ Estimated — not yet collected
cve health
0.00 / 2.5
⚠ No direct scan — 12c/33h transitive CVEs
patch speed
0.50 / 0.5
⚠ Estimated — no CVE patch history
kev exposure
1.50 / 1.5
No KEV exposure
supply chain risk
-1.50 / 10.0
Risk 100.0/100
Score breakdown
schema v2Vulnerability posture
vulnerability posture
0.0
25%
direct cves: clear
cve scan: estimated
Release responsiveness
release responsiveness
10.0
5%
patch speed days: no_history
Dependency exposure
dependency exposure
0.0
10%
supply chain risk: 100.0
transitive cves: 12c/33h
Provenance trust
provenance trust
5.0
40%
scorecard score: estimated
openssf badge: none
Maintainer health
maintainer health
10.0
10%
activity freshness: 6d
Operational risk
operational risk
8.5
10%
kev exposure: clear
epss max: none
How is this calculated?
The six dimensions group the legacy score signals into weighted categories: direct vulnerability status, patch responsiveness, dependency exposure, provenance checks, maintainer activity, and exploitability risk. The flat component values above remain available for compatibility.
Supply Chain Risk
Risk 100.0/100
12
Transitive critical CVEs
0
KEV-transitive CVEs
65%
Dependency freshness
OpenSSF Badge
OpenSSF none
Badge indicates adherence to open-source best practices.
Dependency Vulnerabilities
1554 dependencies scanned
View full dependency list →
Scanning the SBOM (Software Bill of Materials) of the latest release for known vulnerabilities in transitive dependencies.
Critical
12
High
33
Medium
39
Low
11
Unknown
10
Critical
12
High
33
Medium
39
Low
11
Unknown
10
| CVE | Severity | KEV | Dependency | Affected version | Cleared in release |
|---|---|---|---|---|---|
| CVE-2017-18342 | critical | — | pyyaml | — | v2.2.1 |
| CVE-2019-20477 | critical | — | pyyaml | — | v2.2.1 |
| CVE-2020-14343 | critical | — | pyyaml | — | v2.2.1 |
| CVE-2020-1747 | critical | — | pyyaml | — | v2.2.1 |
| CVE-2022-37601 | critical | — | loader-utils | 0.2.17 | v2.2.1 |
| CVE-2023-49569 | critical | — | gopkg.in/src-d/go-git.v4 | 4.13.1 | v2.2.1 |
| CVE-2023-49569 | critical | — | github.com/go-git/go-git/v5 | 5.0.0 | v2.2.1 |
| CVE-2024-41110 | critical | — | github.com/docker/docker | 20.10.3-0.20210216175712-646072ed6524+incompatible | v2.2.1 |
| CVE-2024-45337 | critical | — | golang.org/x/crypto | 0.0.0-20200622213623-75b288015ac9 | v2.2.1 |
| CVE-2025-21613 | critical | — | gopkg.in/src-d/go-git.v4 | 4.13.1 | v2.2.1 |
| CVE-2025-21613 | critical | — | github.com/go-git/go-git/v5 | 5.0.0 | v2.2.1 |
| CVE-2026-33186 | critical | — | google.golang.org/grpc | v1.72.2 | v2.2.1 |
| CVE-2020-29652 | high | — | golang.org/x/crypto | 0.0.0-20200622213623-75b288015ac9 | v2.2.1 |
| CVE-2021-3121 | high | — | github.com/gogo/protobuf | 1.3.1 | v2.2.1 |
| CVE-2021-43565 | high | — | golang.org/x/crypto | 0.0.0-20200622213623-75b288015ac9 | v2.2.1 |
| CVE-2022-0235 | high | — | node-fetch | 1.7.3 | v2.2.1 |
| CVE-2022-23648 | high | — | github.com/containerd/containerd | 1.4.3 | v2.2.1 |
| CVE-2022-27191 | high | — | golang.org/x/crypto | 0.0.0-20200622213623-75b288015ac9 | v2.2.1 |
| CVE-2022-28948 | high | — | gopkg.in/yaml.v3 | 3.0.0-20210107192922-496545a6307b | v2.2.1 |
| CVE-2022-46175 | high | — | json5 | 0.5.1 | v2.2.1 |
| CVE-2023-2253 | high | — | github.com/docker/distribution | 2.7.1+incompatible | v2.2.1 |
| CVE-2023-28840 | high | — | github.com/docker/docker | 20.10.3-0.20210216175712-646072ed6524+incompatible | v2.2.1 |
| CVE-2023-49568 | high | — | gopkg.in/src-d/go-git.v4 | 4.13.1 | v2.2.1 |
| CVE-2023-49568 | high | — | github.com/go-git/go-git/v5 | 5.0.0 | v2.2.1 |
| CVE-2024-25621 | high | — | github.com/containerd/containerd | 1.4.3 | v2.2.1 |
| CVE-2024-4068 | high | — | braces | 1.8.5 | v2.2.1 |
| CVE-2024-47068 | high | — | rollup | 0.25.8 | v2.2.1 |
| CVE-2025-21614 | high | — | github.com/go-git/go-git/v5 | 5.0.0 | v2.2.1 |
| CVE-2025-21614 | high | — | gopkg.in/src-d/go-git.v4 | 4.13.1 | v2.2.1 |
| CVE-2025-22868 | high | — | golang.org/x/oauth2 | 0.0.0-20210113160501-8b1d76fa0423 | v2.2.1 |
| CVE-2025-22869 | high | — | golang.org/x/crypto | 0.0.0-20200622213623-75b288015ac9 | v2.2.1 |
| CVE-2025-65637 | high | — | github.com/sirupsen/logrus | 1.7.0 | v2.2.1 |
| CVE-2026-24051 | high | — | go.opentelemetry.io/otel/sdk | v1.36.0 | v2.2.1 |
| CVE-2026-26996 | high | — | minimatch | 3.1.2 | v2.2.1 |
| CVE-2026-27606 | high | — | rollup | 4.56.0 | v2.2.1 |
| CVE-2026-27903 | high | — | minimatch | 3.1.2 | v2.2.1 |
| CVE-2026-27904 | high | — | minimatch | 3.1.2 | v2.2.1 |
| CVE-2026-29181 | high | — | go.opentelemetry.io/otel | v1.36.0 | v2.2.1 |
| CVE-2026-33671 | high | — | picomatch | 2.3.1 | v2.2.1 |
| CVE-2026-34040 | high | — | github.com/docker/docker | v28.3.3+incompatible | v2.2.1 |
| CVE-2026-34986 | high | — | github.com/go-jose/go-jose/v4 | v4.1.3 | v2.2.1 |
| CVE-2026-39883 | high | — | go.opentelemetry.io/otel/sdk | v1.36.0 | v2.2.1 |
| CVE-2026-4800 | high | — | lodash | 4.17.23 | v2.2.1 |
| CVE-2026-4867 | high | — | path-to-regexp | 0.1.12 | v2.2.1 |
| GHSA-m425-mq94-257g | high | — | google.golang.org/grpc | 1.34.1 | v2.2.1 |
| CVE-2021-21334 | medium | — | github.com/containerd/containerd | 1.4.3 | v2.2.1 |
| CVE-2021-23382 | medium | — | postcss | 5.2.18 | v2.2.1 |
| CVE-2021-32760 | medium | — | github.com/containerd/containerd | 1.4.3 | v2.2.1 |
| CVE-2021-41091 | medium | — | github.com/docker/docker | 20.10.3-0.20210216175712-646072ed6524+incompatible | v2.2.1 |
| CVE-2021-41103 | medium | — | github.com/containerd/containerd | 1.4.3 | v2.2.1 |
| CVE-2022-23471 | medium | — | github.com/containerd/containerd | 1.4.3 | v2.2.1 |
| CVE-2022-24769 | medium | — | github.com/docker/docker | 20.10.3-0.20210216175712-646072ed6524+incompatible | v2.2.1 |
| CVE-2022-31030 | medium | — | github.com/containerd/containerd | 1.4.3 | v2.2.1 |
| CVE-2022-36109 | medium | — | github.com/docker/docker | 20.10.3-0.20210216175712-646072ed6524+incompatible | v2.2.1 |
| CVE-2023-25153 | medium | — | github.com/containerd/containerd | 1.4.3 | v2.2.1 |
| CVE-2023-25173 | medium | — | github.com/containerd/containerd | 1.4.3 | v2.2.1 |
| CVE-2023-28841 | medium | — | github.com/docker/docker | 20.10.3-0.20210216175712-646072ed6524+incompatible | v2.2.1 |
| CVE-2023-28842 | medium | — | github.com/docker/docker | 20.10.3-0.20210216175712-646072ed6524+incompatible | v2.2.1 |
| CVE-2023-44270 | medium | — | postcss | 7.0.39 | v2.2.1 |
| CVE-2023-48795 | medium | — | golang.org/x/crypto | 0.0.0-20200622213623-75b288015ac9 | v2.2.1 |
| CVE-2024-24557 | medium | — | github.com/docker/docker | 20.10.3-0.20210216175712-646072ed6524+incompatible | v2.2.1 |
| CVE-2024-29018 | medium | — | github.com/docker/docker | 20.10.3-0.20210216175712-646072ed6524+incompatible | v2.2.1 |
| CVE-2024-40635 | medium | — | github.com/containerd/containerd | 1.4.3 | v2.2.1 |
| CVE-2024-4067 | medium | — | micromatch | 2.3.11 | v2.2.1 |
| CVE-2025-47914 | medium | — | golang.org/x/crypto | 0.0.0-20200622213623-75b288015ac9 | v2.2.1 |
| CVE-2025-58181 | medium | — | golang.org/x/crypto | 0.0.0-20200622213623-75b288015ac9 | v2.2.1 |
| CVE-2025-64329 | medium | — | github.com/containerd/containerd | 1.4.3 | v2.2.1 |
| CVE-2025-69873 | medium | — | ajv | 6.12.6 | v2.2.1 |
| CVE-2026-25934 | medium | — | github.com/go-git/go-git/v5 | 5.0.0 | v2.2.1 |
| CVE-2026-2950 | medium | — | lodash | 4.17.23 | v2.2.1 |
| CVE-2026-33532 | medium | — | yaml | 1.10.2 | v2.2.1 |
| CVE-2026-33672 | medium | — | picomatch | 2.3.1 | v2.2.1 |
| CVE-2026-33750 | medium | — | brace-expansion | 1.1.12 | v2.2.1 |
| CVE-2026-33997 | medium | — | github.com/docker/docker | v28.3.3+incompatible | v2.2.1 |
| CVE-2026-34165 | medium | — | github.com/go-git/go-git/v5 | v5.16.5 | v2.2.1 |
| CVE-2026-39365 | medium | — | vite | 5.4.21 | v2.2.1 |
| CVE-2026-41305 | medium | — | postcss | 8.5.6 | v2.2.1 |
| CVE-2026-41506 | medium | — | github.com/go-git/go-git/v5 | v5.16.5 | v2.2.1 |
| CVE-2026-41691 | medium | — | i18next-http-backend | 2.7.3 | v2.2.1 |
| CVE-2026-41907 | medium | — | uuid | 13.0.0 | v2.2.1 |
| GHSA-67mh-4wv8-2f99 | medium | — | esbuild | 0.21.5 | v2.2.1 |
| GHSA-7ww5-4wqc-m92c | medium | — | github.com/containerd/containerd | 1.4.3 | v2.2.1 |
| GHSA-jq35-85cj-fj4p | medium | — | github.com/docker/docker | 20.10.3-0.20210216175712-646072ed6524+incompatible | v2.2.1 |
| GHSA-xmmx-7jpf-fx42 | medium | — | github.com/docker/docker | 20.10.3-0.20210216175712-646072ed6524+incompatible | v2.2.1 |
| CVE-2021-41089 | low | — | github.com/docker/docker | 20.10.3-0.20210216175712-646072ed6524+incompatible | v2.2.1 |
| CVE-2024-47764 | low | — | cookie | 0.4.2 | v2.2.1 |
| CVE-2025-54410 | low | — | github.com/docker/docker | 20.10.3-0.20210216175712-646072ed6524+incompatible | v2.2.1 |
| CVE-2026-1229 | low | — | github.com/cloudflare/circl | v1.6.1 | v2.2.1 |
| CVE-2026-2391 | low | — | qs | 6.14.1 | v2.2.1 |
| CVE-2026-33762 | low | — | github.com/go-git/go-git/v5 | v5.16.5 | v2.2.1 |
| GHSA-5j5w-g665-5m35 | low | — | github.com/containerd/containerd | 1.4.3 | v2.2.1 |
| GHSA-77vh-xpmg-72qh | low | — | github.com/opencontainers/image-spec | 1.0.1 | v2.2.1 |
| GHSA-c9cp-9c75-9v8c | low | — | github.com/containerd/containerd | 1.4.3 | v2.2.1 |
| GHSA-qq97-vm5h-rrhg | low | — | github.com/docker/distribution | 2.7.1+incompatible | v2.2.1 |
| GHSA-vp35-85q5-9f25 | low | — | github.com/docker/docker | 20.10.3-0.20210216175712-646072ed6524+incompatible | v2.2.1 |
| CVE-2022-30636 | unknown | — | golang.org/x/crypto | 0.0.0-20200622213623-75b288015ac9 | v2.2.1 |
| CVE-2025-47913 | unknown | — | golang.org/x/crypto | 0.0.0-20200622213623-75b288015ac9 | v2.2.1 |
| CVE-2026-33814 | unknown | — | golang.org/x/net | v0.47.0 | v2.2.1 |
| GO-2022-0360 | unknown | — | github.com/containerd/containerd | 1.4.3 | v2.2.1 |
| GO-2022-0379 | unknown | — | github.com/docker/distribution | 2.7.1+incompatible | v2.2.1 |
| GO-2022-1107 | unknown | — | github.com/docker/docker | 20.10.3-0.20210216175712-646072ed6524+incompatible | v2.2.1 |
| GO-2023-2153 | unknown | — | google.golang.org/grpc | 1.34.1 | v2.2.1 |
| GO-2023-2412 | unknown | — | github.com/containerd/containerd | 1.4.3 | v2.2.1 |
| GO-2024-2846 | unknown | — | github.com/containerd/containerd | 1.4.3 | v2.2.1 |
| GO-2024-2914 | unknown | — | github.com/docker/docker | 20.10.3-0.20210216175712-646072ed6524+incompatible | v2.2.1 |
Showing 105 of 105