AI Assessment
VERDICT
Not production-ready. The scanner flagged 2 critical dependency vulnerabilities, 21 high-severity CVEs concentrated in dependency versions, and 1374 code quality issues. While no direct security or credential issues were detected, the dependency risk profile requires immediate remediation before deployment.
TOP RISKS
→ CVE-2025-7783 and CVE-2025-9288 in package-lock.json: Two critical vulnerabilities in form-data@4.0.0 and sha.js@2.4.11 require immediate dependency updates.
→ CVE-2025-47935 through CVE-2026-3520 in package-lock.json: Seven high-severity vulnerabilities flagged in multer@1.4.4-lts.1 across multiple CVE IDs indicate this transitive dependency version has significant security gaps.
→ Duplicated code blocks (57 lines) flagged in src/database/queries/task-answer.query.ts and src/question/checkQuery.ts: High-severity code quality duplication suggests maintenance and testing risk.
→ 88 medium-severity "No Double Equals" findings: Widespread use of loose equality operators throughout the codebase creates type coercion bugs.
→ Missing governance files: No LICENSE, SECURITY.md, CODEOWNERS, or CI/CD configuration detected; no automated safeguards in place.
WHAT TO FIX FIRST
Update package-lock.json to resolve the two critical CVEs in form-data@4.0.0 and sha.js@2.4.11, plus upgrade multer from 1.4.4-lts.1 to a patched version. This addresses dependency security immediately. Verify these are actual vulnerabilities in your runtime dependency tree; some scanner CVE IDs may be false positives.
Category Breakdown
Findings (1436 in 54 groups)
Tip: 1294 low-severity findings are style suggestions, not security risks.
A package your app depends on (form-data) has a known security hole. Hackers are actively exploiting this vulnerability in the wild. You need to update it.
The dependency form-data in package-lock.json has a known vulnerability (CVE-2025-7783: form-data@4.0.0). Update it to a patched version:
1. Run: npm update form-data (or yarn upgrade form-data)
2. If that doesn't fix it, check the latest safe version and set it explicitly in package.json
3. Run npm audit to verify the vulnerability is resolved
4. Test your app to make sure the update didn't break anything
A package your app depends on (sha.js) has a known security hole. Hackers are actively exploiting this vulnerability in the wild. You need to update it.
The dependency sha.js in package-lock.json has a known vulnerability (CVE-2025-9288: sha.js@2.4.11). Update it to a patched version:
1. Run: npm update sha.js (or yarn upgrade sha.js)
2. If that doesn't fix it, check the latest safe version and set it explicitly in package.json
3. Run npm audit to verify the vulnerability is resolved
4. Test your app to make sure the update didn't break anything
The same code is copied in multiple places. If there's a bug in one copy, all the other copies still have it. This makes fixing bugs much harder.
In src/database/queries/task-answer.query.ts at line 103, duplicated code was detected. Refactor it:
1. Identify the repeated code block
2. Extract it into a shared function with a descriptive name
3. Replace all copies with calls to the new function
4. If the copies differ slightly, add parameters to the function to handle the differences
5. Make sure all existing behavior is preserved after the refactor
A package your app depends on (body-parser) has a known security hole. Hackers can potentially exploit this to compromise your app. You need to update it.
The dependency body-parser in package-lock.json has a known vulnerability (CVE-2024-45590: body-parser@1.20.1). Update it to a patched version:
1. Run: npm update body-parser (or yarn upgrade body-parser)
2. If that doesn't fix it, check the latest safe version and set it explicitly in package.json
3. Run npm audit to verify the vulnerability is resolved
4. Test your app to make sure the update didn't break anything
A package your app depends on (jws) has a known security hole. Hackers can potentially exploit this to compromise your app. You need to update it.
The dependency jws in package-lock.json has a known vulnerability (CVE-2025-65945: jws@3.2.2). Update it to a patched version:
1. Run: npm update jws (or yarn upgrade jws)
2. If that doesn't fix it, check the latest safe version and set it explicitly in package.json
3. Run npm audit to verify the vulnerability is resolved
4. Test your app to make sure the update didn't break anything
A package your app depends on (path-to-regexp) has a known security hole. Hackers can potentially exploit this to compromise your app. You need to update it.
The dependency path-to-regexp in package-lock.json has a known vulnerability (CVE-2024-45296: path-to-regexp@0.1.7). Update it to a patched version:
1. Run: npm update path-to-regexp (or yarn upgrade path-to-regexp)
2. If that doesn't fix it, check the latest safe version and set it explicitly in package.json
3. Run npm audit to verify the vulnerability is resolved
4. Test your app to make sure the update didn't break anything
A package your app depends on (ws) has a known security hole. Hackers can potentially exploit this to compromise your app. You need to update it.
The dependency ws in package-lock.json has a known vulnerability (CVE-2024-37890: ws@7.5.9). Update it to a patched version:
1. Run: npm update ws (or yarn upgrade ws)
2. If that doesn't fix it, check the latest safe version and set it explicitly in package.json
3. Run npm audit to verify the vulnerability is resolved
4. Test your app to make sure the update didn't break anything
A package your app depends on (@apollo/server) has a known security hole. Hackers can potentially exploit this to compromise your app. You need to update it.
The dependency @apollo/server in package-lock.json has a known vulnerability (CVE-2026-23897: @apollo/server@4.10.0). Update it to a patched version:
1. Run: npm update @apollo/server (or yarn upgrade @apollo/server)
2. If that doesn't fix it, check the latest safe version and set it explicitly in package.json
3. Run npm audit to verify the vulnerability is resolved
4. Test your app to make sure the update didn't break anything
A package your app depends on (braces) has a known security hole. Hackers can potentially exploit this to compromise your app. You need to update it.
The dependency braces in package-lock.json has a known vulnerability (CVE-2024-4068: braces@3.0.2). Update it to a patched version:
1. Run: npm update braces (or yarn upgrade braces)
2. If that doesn't fix it, check the latest safe version and set it explicitly in package.json
3. Run npm audit to verify the vulnerability is resolved
4. Test your app to make sure the update didn't break anything
A package your app depends on (dicer) has a known security hole. Hackers can potentially exploit this to compromise your app. You need to update it.
The dependency dicer in package-lock.json has a known vulnerability (CVE-2022-24434: dicer@0.3.0). Update it to a patched version:
1. Run: npm update dicer (or yarn upgrade dicer)
2. If that doesn't fix it, check the latest safe version and set it explicitly in package.json
3. Run npm audit to verify the vulnerability is resolved
4. Test your app to make sure the update didn't break anything