AI Assessment
VERDICT
Based on automated analysis, this repository is reasonably production-ready with a B grade (729/850), but has significant code quality debt that should be addressed before major releases. Security and dependency scanning show no critical issues, but complexity and style violations dominate the findings.
TOP RISKS
→ High cyclomatic complexity (CCN 206) in src/grammar/tag.js:508 and in related code in validator.ts and parser.ts. The scanner flagged the $buildError function as extremely complex, with 13 instances of this pattern across the codebase, indicating potential maintainability and testability concerns.
→ Global eval detected (9 instances, quality). The scanner flagged use of eval or eval-adjacent patterns in the codebase, which poses execution and security risks even if not exploitable in current context.
→ Control characters in regex patterns (9 instances, quality). The scanner detected unescaped or problematic control characters in regular expressions that may cause unexpected matching behavior.
→ Dependency vulnerability CVE-2026-24001 in spec/marktest/package-lock.json. The scanner flagged diff@4.0.2 as vulnerable, though this appears to be a test/spec dependency rather than production code.
WHAT TO FIX FIRST
Refactor the $buildError function in src/grammar/tag.js:508 to reduce cyclomatic complexity. This single high-complexity function (CCN 206) represents the largest maintainability risk. Breaking it into smaller, testable functions would have immediate impact on code quality score.
Note: Verify the global eval findings and regex patterns against actual code behavior, as context matters for determining true risk versus false positives from automated analysis.
Category Breakdown
Findings (628 in 28 groups)
Tip: 585 low-severity findings are style suggestions, not security risks.
This function is extremely complex (complexity score: 206). It likely has hidden bugs that are hard to find, and AI coding tools will struggle to modify it correctly.
In src/grammar/tag.js at line 508, there's a function with cyclomatic complexity of 206 (should be under 15). Break it down:
1. Identify the different things this function does (each if/else branch, each loop)
2. Extract each logical step into its own smaller function with a clear name
3. The main function should read like a high-level description of the process
4. Each new function should do ONE thing and be easy to understand on its own
5. Aim for functions with complexity under 10
A code quality issue was found. It may not be a security risk, but fixing it makes your code more reliable and easier to work with.
In your project, there's a code quality issue: "No Shadow Restricted Names". Please review and fix this according to best practices. The linter rule lint/suspicious/noShadowRestrictedNames flags this as a problem. Look up the rule for guidance on the correct fix.
Using eval() is extremely dangerous — it lets attackers run any code they want on your server or in your users' browsers.
In your project, eval() is being used. This is a serious security risk. Remove it:
1. If parsing JSON, use JSON.parse() instead of eval()
2. If computing math expressions, use a safe math parser library
3. If dynamically running code, consider a sandboxed approach
4. There is almost never a good reason to use eval(); find the alternative
A code quality issue was found. It may not be a security risk, but fixing it makes your code more reliable and easier to work with.
In your project, there's a code quality issue: "No Control Characters In Regex". Please review and fix this according to best practices. The linter rule lint/suspicious/noControlCharactersInRegex flags this as a problem. Look up the rule for guidance on the correct fix.
A code quality issue was found. It may not be a security risk, but fixing it makes your code more reliable and easier to work with.
In your project, there's a code quality issue: "No Double Equals". Please review and fix this according to best practices. The linter rule lint/suspicious/noDoubleEquals flags this as a problem. Look up the rule for guidance on the correct fix.
A code quality issue was found. It may not be a security risk, but fixing it makes your code more reliable and easier to work with.
In your project, there's a code quality issue: "No Implicit Any Let". Please review and fix this according to best practices. The linter rule lint/suspicious/noImplicitAnyLet flags this as a problem. Look up the rule for guidance on the correct fix.
A code quality issue was found. It may not be a security risk, but fixing it makes your code more reliable and easier to work with.
In your project, there's a code quality issue: "Use Arrow Function". Please review and fix this according to best practices. The linter rule lint/complexity/useArrowFunction flags this as a problem. Look up the rule for guidance on the correct fix.
A code quality issue was found. It may not be a security risk, but fixing it makes your code more reliable and easier to work with.
In your project, there's a code quality issue: "Format". Please review and fix this according to best practices. The linter rule format flags this as a problem. Look up the rule for guidance on the correct fix.
A code quality issue was found. It may not be a security risk, but fixing it makes your code more reliable and easier to work with.
In your project, there's a code quality issue: "No Explicit Any". Please review and fix this according to best practices. The linter rule lint/suspicious/noExplicitAny flags this as a problem. Look up the rule for guidance on the correct fix.
A code quality issue was found. It may not be a security risk, but fixing it makes your code more reliable and easier to work with.
In your project, there's a code quality issue: "Organize Imports". Please review and fix this according to best practices. The linter rule assist/source/organizeImports flags this as a problem. Look up the rule for guidance on the correct fix.