AI Assessment
VERDICT
Not production-ready. The scanner detected 4 critical CVEs in core build dependencies and 37 high-severity vulnerabilities in the dependency tree, with nearly half of the total score lost to unpatched packages. While security scanning and secrets detection passed, the dependency risk is severe.
TOP RISKS
→ CVE-2023-45133 in @babel/traverse@7.18.11 (package-lock.json) — critical severity flagged in build toolchain
→ CVE-2025-7783 in form-data@3.0.1 (package-lock.json) — critical severity, could affect request handling
→ CVE-2023-28154 in webpack@5.74.0 (package-lock.json) — critical severity in primary bundler
→ Multiple HIGH CVEs in minimatch@3.0.4 (package-lock.json): CVE-2026-26996, CVE-2026-27903, CVE-2026-27904
→ Widespread vulnerabilities in loader-utils@2.0.2, node-forge@1.3.1, and path-to-regexp@0.1.7
WHAT TO FIX FIRST
Upgrade the flagged dependencies in package-lock.json, starting with the 4 critical CVEs. The single highest-impact action is updating @babel/traverse, form-data, webpack, and loader-utils to patched versions. This alone would eliminate 80+ findings and likely improve the score significantly. Verify each CVE against your actual code to confirm whether the vulnerable code path is reachable in your build or at runtime.
Code quality issues (77 findings) are secondary; address the dependency updates first. Missing LICENSE, tests, and CI/CD configuration are low-priority best-practice gaps that do not affect runtime security.
Category Breakdown
Findings (162 in 77 groups)
babel: arbitrary code execution | Fix available: 7.23.2, 8.0.0-alpha.4 | Package: @babel/traverse (npm) | https://avd.aquasec.com/nvd/cve-2023-45133
form-data: Unsafe random function in form-data | Fix available: 2.5.4, 3.0.4, 4.0.4 | Package: form-data (npm) | https://avd.aquasec.com/nvd/cve-2025-7783
loader-utils: prototype pollution in function parseQuery in parseQuery.js | Fix available: 2.0.3, 1.4.1 | Package: loader-utils (npm) | https://avd.aquasec.com/nvd/cve-2022-37601
webpack: avoid cross-realm objects | Fix available: 5.76.0 | Package: webpack (npm) | https://avd.aquasec.com/nvd/cve-2023-28154
minimatch: Denial of Service via specially crafted glob patterns | Fix available: 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 | Package: minimatch (npm) | https://avd.aquasec.com/nvd/cve-2026-26996
minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns | Fix available: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 | Package: minimatch (npm) | https://avd.aquasec.com/nvd/cve-2026-27903
minimatch: Denial of Service via catastrophic backtracking in glob expressions | Fix available: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 | Package: minimatch (npm) | https://avd.aquasec.com/nvd/cve-2026-27904
nodejs-semver: Regular expression denial of service | Fix available: 7.5.2, 6.3.1, 5.7.2 | Package: semver (npm) | https://avd.aquasec.com/nvd/cve-2022-25883
json5: Prototype Pollution in JSON5 via Parse Method | Fix available: 2.2.2, 1.0.2 | Package: json5 (npm) | https://avd.aquasec.com/nvd/cve-2022-46175
loader-utils: regular expression denial of service in interpolateName.js | Fix available: 1.4.2, 2.0.4, 3.2.1 | Package: loader-utils (npm) | https://avd.aquasec.com/nvd/cve-2022-37599