
🔒 Security Scan Report

Commit: 2c5b12de1e97947a2ba245ea27314a3b1fde00b0

npm Vulnerabilities

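22
info: 0, low: 1, moderate: 2, high: 8, critical: 0, total: 11
Note: the headline figure of 22 does not match the breakdown above, which totals 11 and agrees with the 11 packages listed in the npm audit table below.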

ESLint Errors

13
Security-related errors

ESLint Warnings

31
Security-related warnings
⚠️ Note: All security findings are for informational purposes only and do not block builds. Please review and address high-severity vulnerabilities as soon as possible.


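npm Audit Vulnerabilities

Reading this table: the Severity column is the package-level rating from npm audit, which is the highest severity among all advisories affecting that package. The Description column appears to show only one of them, which is why picomatch and undici are rated high while the advisory shown is moderate. Where the Description is just a package name (for example `miniflare` or `undici`), the package has no advisory of its own and inherits the finding through that dependency. A `cvss` score of 0 with a null `vectorString` means the advisory carries no CVSS score, not that the score is zero.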

Package Severity Description
@cloudflare/vitest-pool-workers high miniflare
ajv moderate { "source": 1113714, "name": "ajv", "dependency": "ajv", "title": "ajv has ReDoS when using `$data` option", "url": "https://github.com/advisories/GHSA-2g4f-4pwh-qvx6", "severity": "moderate", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 0, "vectorString": null }, "range": "<6.14.0" }
brace-expansion moderate { "source": 1115540, "name": "brace-expansion", "dependency": "brace-expansion", "title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion", "url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v", "severity": "moderate", "cwe": [ "CWE-400" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, "range": "<1.1.13" }
flatted high { "source": 1114526, "name": "flatted", "dependency": "flatted", "title": "flatted vulnerable to unbounded recursion DoS in parse() revive phase", "url": "https://github.com/advisories/GHSA-25h7-pfq9-p65f", "severity": "high", "cwe": [ "CWE-674" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<3.4.0" }
miniflare high undici
minimatch high { "source": 1113459, "name": "minimatch", "dependency": "minimatch", "title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern", "url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 0, "vectorString": null }, "range": "<3.1.3" }
picomatch high { "source": 1115549, "name": "picomatch", "dependency": "picomatch", "title": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching", "url": "https://github.com/advisories/GHSA-3v7f-55p6-f55p", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, "range": "<2.3.2" }
qs low { "source": 1113161, "name": "qs", "dependency": "qs", "title": "qs's arrayLimit bypass in comma parsing allows denial of service", "url": "https://github.com/advisories/GHSA-w7fw-mjwx-w883", "severity": "low", "cwe": [ "CWE-20" ], "cvss": { "score": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": ">=6.7.0 <=6.14.1" }
rollup high { "source": 1113515, "name": "rollup", "dependency": "rollup", "title": "Rollup 4 has Arbitrary File Write via Path Traversal", "url": "https://github.com/advisories/GHSA-mw96-cpmx-2vgc", "severity": "high", "cwe": [ "CWE-22" ], "cvss": { "score": 0, "vectorString": null }, "range": ">=4.0.0 <4.59.0" }
undici high { "source": 1112497, "name": "undici", "dependency": "undici", "title": "Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion", "url": "https://github.com/advisories/GHSA-g9mf-h72j-4rw9", "severity": "moderate", "cwe": [ "CWE-770" ], "cvss": { "score": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=7.0.0 <7.18.2" }
wrangler high miniflare

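ESLint Security Issues

Note: most rows shown here come from general lint rules (`jsdoc/*`, `no-unused-vars`, `no-useless-escape`) rather than security rules. Among the visible rows, only the `security/detect-non-literal-regexp` warning comes from a security-specific rule, so the counts labelled "security-related" above overstate the number of security findings.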

File:Line Severity Rule Message
src/api/auth.js:690 warning jsdoc/require-param-description Missing JSDoc @param "request" description.
src/api/auth.js:691 warning jsdoc/require-param-description Missing JSDoc @param "env" description.
src/api/auth.js:692 warning jsdoc/require-param-description Missing JSDoc @param "keyId" description.
src/api/content-deletion.js:258 warning no-unused-vars 'disputeId' is assigned a value but never used.
src/api/content-deletion.test.js:11 warning no-unused-vars 'storage' is assigned a value but never used.
src/api/disputes.js:199 warning no-unused-vars 'userId' is assigned a value but never used.
src/api/payments.js:586 warning no-unused-vars 'env' is defined but never used. Allowed unused args must match /^_/u.
src/api/payments.test.js:16 warning no-unused-vars 'apiKey' is defined but never used. Allowed unused args must match /^_/u.
src/api/payments.test.js:16 warning no-unused-vars 'options' is defined but never used. Allowed unused args must match /^_/u.
src/auth/utils.test.js:355 warning no-unused-vars 'result' is assigned a value but never used.
src/durable-objects/alert-store.js:66 warning no-unused-vars 'key' is assigned a value but never used.
src/durable-objects/content-metadata-rate-limit.test.js:417 warning no-unused-vars 'now' is assigned a value but never used.
src/durable-objects/content-metadata.js:8 warning no-unused-vars 'MINIMUM_MTBR_MS' is assigned a value but never used.
src/durable-objects/contest-record.js:11 warning no-unused-vars 'request' is defined but never used. Allowed unused args must match /^_/u.
src/durable-objects/message-thread.js:11 warning no-unused-vars 'request' is defined but never used. Allowed unused args must match /^_/u.
src/durable-objects/user-profile.js:760 warning jsdoc/require-param-description Missing JSDoc @param "keyId" description.
src/durable-objects/user-profile.js:761 warning jsdoc/require-param-description Missing JSDoc @param "request" description.
src/index.js:311 warning jsdoc/tag-lines Expected only 0 line after block description
src/index.js:558 warning no-unused-vars 'env' is defined but never used. Allowed unused args must match /^_/u.
src/index.js:685 error no-useless-escape Unnecessary escape character: /.
src/index.js:764 error no-useless-escape Unnecessary escape character: /.
src/index.js:771 error no-useless-escape Unnecessary escape character: /.
src/integration/content-lifecycle.test.js:6 warning no-unused-vars 'beforeEach' is defined but never used.
src/integration/content-lifecycle.test.js:37 warning security/detect-non-literal-regexp Found non-literal argument to RegExp Constructor
src/integration/content-lifecycle.test.js:95 warning no-unused-vars 'id' is defined but never used. Allowed unused args must match /^_/u.
src/integration/content-lifecycle.test.js:150 warning no-unused-vars 'hash' is defined but never used. Allowed unused args must match /^_/u.
src/services/content-deletion.js:8 warning jsdoc/tag-lines Expected only 0 line after block description
src/services/content-deletion.js:107 warning jsdoc/tag-lines Expected only 0 line after block description
src/services/content-deletion.test.js:6 warning no-unused-vars 'beforeEach' is defined but never used.
src/services/content-deletion.test.js:41 warning no-unused-vars 'id' is defined but never used. Allowed unused args must match /^_/u.
src/services/content-deletion.test.js:61 warning no-unused-vars 'id' is defined but never used. Allowed unused args must match /^_/u.
src/services/content-deletion.test.js:72 warning no-unused-vars 'key' is defined but never used. Allowed unused args must match /^_/u.
src/utils/supplier-fallback.js:10 warning no-unused-vars 'ROLLING_WINDOW_SIZE' is assigned a value but never used.