yahia-SA/together

https://github.com/yahia-SA/together

Scanned on Mar 16, 2026

2 High
2 Medium
3 Low

AI Assessment

VERDICT

Based on automated scanner findings, this repository is not production-ready. Two high-severity CVEs in a direct dependency create an immediate security risk that must be resolved before deployment.

TOP RISKS

→ The scanner detected CVE-2023-39137 and CVE-2023-39139 in archive@3.1.6 listed in pubspec.lock. Both are flagged as high severity and represent known vulnerabilities in an active dependency.

→ No test suite was detected by the scanner, meaning there is no automated verification that the codebase functions as intended.

→ No LICENSE file is present, which creates legal ambiguity about usage rights and distribution permissions.

WHAT TO FIX FIRST

Update the archive dependency from version 3.1.6 to a patched release that resolves CVE-2023-39137 and CVE-2023-39139 (the scanner reports 3.3.8 as the fixed version). The affected entry is in pubspec.lock and should be addressed immediately, since both CVEs are rated high severity. Verify the actual impact against your code, because a CVE's severity rating does not apply equally to every use case, but known vulnerabilities in dependencies remain a blocker for production use.

ADDITIONAL NOTES

The repository has no automated testing framework configured and lacks standard project documentation files (SECURITY.md, CODEOWNERS, LICENSE, and CI/CD configuration). While these are best-practice gaps rather than security issues, they indicate the project is in early stages. Security and secrets scanning returned clean results, which is positive. Address the dependency vulnerabilities first, then consider adding basic tests and documentation for production readiness.


Category Breakdown

Security: 300/300
Secrets & Credentials: 200/200
Dependencies: 109/150 (2 findings)
Code Quality: 100/100
Best Practices: 87/100 (5 findings)

Findings (7 in 7 groups)

Filename spoofing in archive | Fix available: 3.3.8 | Package: archive (pub) | https://avd.aquasec.com/nvd/cve-2023-39137

Affected files

pubspec.lock

Path traversal in Archive | Fix available: 3.3.8 | Package: archive (pub) | https://avd.aquasec.com/nvd/cve-2023-39139

Affected files

pubspec.lock

This repository has no LICENSE file. Without a license, the code is technically all-rights-reserved by default, which prevents others from using it.

Affected files

unknown

No test directory or test files were found. Automated tests are critical for maintaining code quality and preventing regressions.

Affected files

unknown

No CI/CD configuration was found (GitHub Actions, GitLab CI, CircleCI, etc.). Continuous integration helps catch issues before they reach production.

Affected files

unknown

This repository has no SECURITY.md file. A security policy helps users report vulnerabilities responsibly and shows that the project takes security seriously.

Affected files

unknown

This repository has no CODEOWNERS file. CODEOWNERS ensures that pull requests are automatically assigned to the right reviewers, improving code review coverage.

Affected files

unknown
