AI Assessment
VERDICT
Not production-ready. The scanner detected 3 critical CVEs in dependencies and 41 high-severity vulnerabilities concentrated in outdated packages like urllib3, aiohttp, and authlib. While code quality issues exist, the dependency risk profile is the blocking factor.
TOP RISKS
→ CVE-2025-43859 in h11@0.14.0 flagged in docs/Pipfile.lock — critical severity, no mitigation noted
→ CVE-2026-27962 in authlib@1.6.0 flagged in uv.lock — critical severity with 4 additional high-severity CVEs in same package
→ CVE-2025-68664 in langchain-core@1.0.4 flagged in uv.lock — critical severity, plus 2 additional CVEs detected in this dependency
→ urllib3@1.26.6 flagged for 9 separate CVEs (high and medium severity) across docs/Pipfile.lock, docs/requirements.txt, and uv.lock — indicates severely outdated version
→ High cyclomatic complexity (CCN 74) detected in dspy/teleprompt/grpo.py, dspy/teleprompt/simba.py, and dspy/teleprompt/gepa/gepa_utils.py — 15 instances flagged for maintenance risk
WHAT TO FIX FIRST
Update urllib3 from 1.26.6 to current version across all lock files (docs/Pipfile.lock, docs/requirements.txt, uv.lock). This single action removes 9 flagged vulnerabilities and reduces high-severity findings substantially. The scanner detected this package is 3+ versions behind current releases.
Note: Verify these CVE findings against your actual dependencies; automated scanners sometimes flag transitive dependencies that may be safely isolated or already patched in your runtime environment. The flagged lock files (docs/Pipfile.lock, docs/requirements.txt, uv.lock) are Python dependency manifests, so apply updates with the Python tool that owns each file (pipenv, pip, or uv) and confirm the installed version in the target environment afterwards.
Category Breakdown
Findings (179 in 72 groups)
Tip: 73 low-severity findings are style suggestions, not security risks.
A package your app depends on (h11) has a known security hole. Hackers are actively exploiting this vulnerability in the wild. You need to update it.
The dependency h11 in docs/Pipfile.lock has a known vulnerability (CVE-2025-43859: h11@0.14.0). Update it to a patched version:
1. Run: npm update h11 (or yarn upgrade h11)
2. If that doesn't fix it, check the latest safe version and set it explicitly in package.json
3. Run npm audit to verify the vulnerability is resolved
4. Test your app to make sure the update didn't break anything
A package your app depends on (authlib) has a known security hole. Hackers are actively exploiting this vulnerability in the wild. You need to update it.
The dependency authlib in uv.lock has a known vulnerability (CVE-2026-27962: authlib@1.6.0). Update it to a patched version:
1. Run: npm update authlib (or yarn upgrade authlib)
2. If that doesn't fix it, check the latest safe version and set it explicitly in package.json
3. Run npm audit to verify the vulnerability is resolved
4. Test your app to make sure the update didn't break anything
A package your app depends on (langchain-core) has a known security hole. Hackers are actively exploiting this vulnerability in the wild. You need to update it.
The dependency langchain-core in uv.lock has a known vulnerability (CVE-2025-68664: langchain-core@1.0.4). Update it to a patched version:
1. Run: npm update langchain-core (or yarn upgrade langchain-core)
2. If that doesn't fix it, check the latest safe version and set it explicitly in package.json
3. Run npm audit to verify the vulnerability is resolved
4. Test your app to make sure the update didn't break anything
This function is extremely complex (complexity score: 74). It likely has hidden bugs that are hard to find, and AI coding tools will struggle to modify it correctly.
In dspy/teleprompt/grpo.py, there's a function with cyclomatic complexity of 74 (should be under 15). Break it down:
1. Identify the different things this function does (each if/else branch, each loop)
2. Extract each logical step into its own smaller function with a clear name
3. The main function should read like a high-level description of the process
4. Each new function should do ONE thing and be easy to understand on its own
5. Aim for functions with complexity under 10
A package your app depends on (urllib3) has a known security hole. Hackers can potentially exploit this to compromise your app. You need to update it.
The dependency urllib3 in docs/Pipfile.lock has a known vulnerability (CVE-2025-66418: urllib3@1.26.6). Update it to a patched version:
1. Run: npm update urllib3 (or yarn upgrade urllib3)
2. If that doesn't fix it, check the latest safe version and set it explicitly in package.json
3. Run npm audit to verify the vulnerability is resolved
4. Test your app to make sure the update didn't break anything
A package your app depends on (urllib3) has a known security hole. Hackers can potentially exploit this to compromise your app. You need to update it.
The dependency urllib3 in docs/Pipfile.lock has a known vulnerability (CVE-2025-66471: urllib3@1.26.6). Update it to a patched version:
1. Run: npm update urllib3 (or yarn upgrade urllib3)
2. If that doesn't fix it, check the latest safe version and set it explicitly in package.json
3. Run npm audit to verify the vulnerability is resolved
4. Test your app to make sure the update didn't break anything
A package your app depends on (urllib3) has a known security hole. Hackers can potentially exploit this to compromise your app. You need to update it.
The dependency urllib3 in docs/Pipfile.lock has a known vulnerability (CVE-2026-21441: urllib3@1.26.6). Update it to a patched version:
1. Run: npm update urllib3 (or yarn upgrade urllib3)
2. If that doesn't fix it, check the latest safe version and set it explicitly in package.json
3. Run npm audit to verify the vulnerability is resolved
4. Test your app to make sure the update didn't break anything
A package your app depends on (aiohttp) has a known security hole. Hackers can potentially exploit this to compromise your app. You need to update it.
The dependency aiohttp in docs/Pipfile.lock has a known vulnerability (CVE-2025-69223: aiohttp@3.11.14). Update it to a patched version:
1. Run: npm update aiohttp (or yarn upgrade aiohttp)
2. If that doesn't fix it, check the latest safe version and set it explicitly in package.json
3. Run npm audit to verify the vulnerability is resolved
4. Test your app to make sure the update didn't break anything
A package your app depends on (pillow) has a known security hole. Hackers can potentially exploit this to compromise your app. You need to update it.
The dependency pillow in docs/Pipfile.lock has a known vulnerability (CVE-2026-25990: pillow@10.4.0). Update it to a patched version:
1. Run: npm update pillow (or yarn upgrade pillow)
2. If that doesn't fix it, check the latest safe version and set it explicitly in package.json
3. Run npm audit to verify the vulnerability is resolved
4. Test your app to make sure the update didn't break anything
A package your app depends on (urllib3) has a known security hole. Hackers can potentially exploit this to compromise your app. You need to update it.
The dependency urllib3 in docs/Pipfile.lock has a known vulnerability (CVE-2023-43804: urllib3@1.26.6). Update it to a patched version:
1. Run: npm update urllib3 (or yarn upgrade urllib3)
2. If that doesn't fix it, check the latest safe version and set it explicitly in package.json
3. Run npm audit to verify the vulnerability is resolved
4. Test your app to make sure the update didn't break anything