AI Assessment
VERDICT
This repository is not production-ready. Automated scanners flagged 2 critical dependency vulnerabilities and 22 high-severity CVEs across the dependency tree, plus substantial code quality issues including 1396 violations. The vulnerability count alone creates significant risk.
TOP RISKS
→ CVE-2025-7783 in form-data@4.0.0 and CVE-2025-9288 in sha.js@2.4.11 are flagged as critical in package-lock.json. These require immediate dependency updates.
→ Multiple high-severity CVEs detected in multer@1.4.4-lts.1 (7 separate vulnerabilities flagged in package-lock.json), a file upload middleware. The scanner flagged CVE-2025-47935, CVE-2025-47944, CVE-2025-48997, CVE-2026-2359, CVE-2026-3304, CVE-2026-3520 here.
→ 10 instances of 57-line duplicated code blocks were flagged across src/database/queries/task-answer.query.ts and src/question/checkQuery.ts, indicating maintenance risk.
→ High complexity functions flagged in createCheckQuery (complexity rating 17) in src/user/checkQuery.ts, src/quiz/checkQuery.ts, and src/task/checkQuery.ts suggest refactoring needed.
→ 88 medium-severity code quality violations for double-equals usage and 118 medium-severity issues overall indicate systematic style drift.
WHAT TO FIX FIRST
Update multer dependency version in package-lock.json. The scanner flagged 7 separate CVEs against version 1.4.4-lts.1. This single change addresses multiple high-severity findings and is likely the highest-impact fix available.
Note: Verify these findings against your actual code, as some dependency CVEs may not affect your specific usage patterns.
Category Breakdown
Findings(2872 in 54 groups)
form-data: Unsafe random function in form-data | Fix available: 2.5.4, 3.0.4, 4.0.4 | Package: form-data (npm) | https://avd.aquasec.com/nvd/cve-2025-7783
Affected files
sha.js: Missing type checks leading to hash rewind and passing on crafted data | Fix available: 2.4.12 | Package: sha.js (npm) | https://avd.aquasec.com/nvd/cve-2025-9288
Affected files
Duplicate found between src/database/queries/task-answer.query.ts:103 and src/database/queries/task.query.ts:34. Consider extracting shared logic into a reusable function or module.
Affected files
body-parser: Denial of Service Vulnerability in body-parser | Fix available: 1.20.3 | Package: body-parser (npm) | https://avd.aquasec.com/nvd/cve-2024-45590
Affected files
node-jws: auth0/node-jws: Improper signature verification in HS256 algorithm | Fix available: 3.2.3, 4.0.1 | Package: jws (npm) | https://avd.aquasec.com/nvd/cve-2025-65945
Affected files
path-to-regexp: Backtracking regular expressions cause ReDoS | Fix available: 1.9.0, 0.1.10, 8.0.0, 3.3.0, 6.3.0 | Package: path-to-regexp (npm) | https://avd.aquasec.com/nvd/cve-2024-45296
Affected files
nodejs-ws: denial of service when handling a request with many HTTP headers | Fix available: 5.2.4, 6.2.3, 7.5.10, 8.17.1 | Package: ws (npm) | https://avd.aquasec.com/nvd/cve-2024-37890
Affected files
Apollo Serve vulnerable to Denial of Service with `startStandaloneServer` | Fix available: 4.13.0, 5.4.0 | Package: @apollo/server (npm) | https://avd.aquasec.com/nvd/cve-2026-23897
Affected files
braces: fails to limit the number of characters it can handle | Fix available: 3.0.3 | Package: braces (npm) | https://avd.aquasec.com/nvd/cve-2024-4068
Affected files
dicer: nodejs service crash by sending a crafted payload | Package: dicer (npm) | https://avd.aquasec.com/nvd/cve-2022-24434
Affected files
Share your ShipScanner
Show the world your code quality. Your report has a beautiful preview image built in.
Embed Trust Badge
Show your code quality score in your README. The badge updates automatically every time you re-scan.
[](https://shipscanner.dev/report/cmmxd19650001jv04ecucwbpn)