AhmedAliAbdAlMowla/simple-api
https://github.com/AhmedAliAbdAlMowla/simple-api
Scanned on Mar 29, 2026
AI Assessment
VERDICT
Based on automated scanner analysis, this project is not currently production-ready. While security and secrets handling scored perfectly, 45 unresolved dependency vulnerabilities—including 1 critical and 27 high-severity CVEs—represent a significant deployment risk that must be addressed before production use.
TOP RISKS
→ CVE-2025-9288 in sha.js@2.4.11 flagged as CRITICAL in package-lock.json. The scanner detected a severe vulnerability in this dependency.
→ Multiple HIGH severity CVEs in multer@1.4.4-lts.1 detected in package-lock.json (CVE-2025-47935, CVE-2025-47944, CVE-2025-48997, CVE-2025-7338, CVE-2026-2359, CVE-2026-3304, CVE-2026-3520). Eight separate vulnerabilities were flagged for this single file upload package.
→ Multiple HIGH severity CVEs in minimatch@3.1.2 flagged in package-lock.json (CVE-2026-26996, CVE-2026-27903, CVE-2026-27904). Pattern matching library shows three high-risk issues.
→ HIGH severity CVEs in path-to-regexp@0.1.7 and tar@6.2.0 detected in package-lock.json. Six separate high-severity vulnerabilities across these utilities.
→ 138 low-to-medium code quality issues detected, primarily formatting (35 instances), parsing (34 instances), and import organization (18 instances) across the codebase.
WHAT TO FIX FIRST
Update or replace the vulnerable version of multer@1.4.4-lts.1 recorded in package-lock.json. This single dependency carries eight flagged CVEs, so fixing it eliminates the largest cluster of HIGH-severity vulnerabilities with one action. Verify the findings against the dependencies your application actually installs before updating, and note that package-lock.json is generated: npm update only moves within the version range declared in package.json, so a fix published as a new major version requires changing that range and regenerating the lock file.
Findings (189 in 56 groups)
Tip: 153 low-severity findings are style suggestions, not security risks.
A package your app depends on (sha.js) has a known security hole. Hackers are actively exploiting this vulnerability in the wild. You need to update it.
The dependency sha.js in package-lock.json has a known vulnerability (CVE-2025-9288: sha.js@2.4.11). Update it to a patched version:
1. Run: npm update sha.js (or yarn upgrade sha.js)
2. If that doesn't fix it, check the latest safe version and set it explicitly in package.json
3. Run npm audit to verify the vulnerability is resolved
4. Test your app to make sure the update didn't break anything

A package your app depends on (body-parser) has a known security hole. Hackers can potentially exploit this to compromise your app. You need to update it.
The dependency body-parser in package-lock.json has a known vulnerability (CVE-2024-45590: body-parser@1.20.1). Update it to a patched version:
1. Run: npm update body-parser (or yarn upgrade body-parser)
2. If that doesn't fix it, check the latest safe version and set it explicitly in package.json
3. Run npm audit to verify the vulnerability is resolved
4. Test your app to make sure the update didn't break anything

A package your app depends on (minimatch) has a known security hole. Hackers can potentially exploit this to compromise your app. You need to update it.
The dependency minimatch in package-lock.json has a known vulnerability (CVE-2026-26996: minimatch@3.1.2). Update it to a patched version:
1. Run: npm update minimatch (or yarn upgrade minimatch)
2. If that doesn't fix it, check the latest safe version and set it explicitly in package.json
3. Run npm audit to verify the vulnerability is resolved
4. Test your app to make sure the update didn't break anything

A package your app depends on (minimatch) has a known security hole. Hackers can potentially exploit this to compromise your app. You need to update it.
The dependency minimatch in package-lock.json has a known vulnerability (CVE-2026-27903: minimatch@3.1.2). Update it to a patched version:
1. Run: npm update minimatch (or yarn upgrade minimatch)
2. If that doesn't fix it, check the latest safe version and set it explicitly in package.json
3. Run npm audit to verify the vulnerability is resolved
4. Test your app to make sure the update didn't break anything

A package your app depends on (minimatch) has a known security hole. Hackers can potentially exploit this to compromise your app. You need to update it.
The dependency minimatch in package-lock.json has a known vulnerability (CVE-2026-27904: minimatch@3.1.2). Update it to a patched version:
1. Run: npm update minimatch (or yarn upgrade minimatch)
2. If that doesn't fix it, check the latest safe version and set it explicitly in package.json
3. Run npm audit to verify the vulnerability is resolved
4. Test your app to make sure the update didn't break anything

A package your app depends on (path-to-regexp) has a known security hole. Hackers can potentially exploit this to compromise your app. You need to update it.
The dependency path-to-regexp in package-lock.json has a known vulnerability (CVE-2024-45296: path-to-regexp@0.1.7). Update it to a patched version:
1. Run: npm update path-to-regexp (or yarn upgrade path-to-regexp)
2. If that doesn't fix it, check the latest safe version and set it explicitly in package.json
3. Run npm audit to verify the vulnerability is resolved
4. Test your app to make sure the update didn't break anything

A package your app depends on (jws) has a known security hole. Hackers can potentially exploit this to compromise your app. You need to update it.
The dependency jws in package-lock.json has a known vulnerability (CVE-2025-65945: jws@3.2.2). Update it to a patched version:
1. Run: npm update jws (or yarn upgrade jws)
2. If that doesn't fix it, check the latest safe version and set it explicitly in package.json
3. Run npm audit to verify the vulnerability is resolved
4. Test your app to make sure the update didn't break anything

A package your app depends on (multer) has a known security hole. Hackers can potentially exploit this to compromise your app. You need to update it.
The dependency multer in package-lock.json has a known vulnerability (CVE-2025-47935: multer@1.4.4-lts.1). Update it to a patched version:
1. Run: npm update multer (or yarn upgrade multer)
2. If that doesn't fix it, check the latest safe version and set it explicitly in package.json
3. Run npm audit to verify the vulnerability is resolved
4. Test your app to make sure the update didn't break anything

A package your app depends on (multer) has a known security hole. Hackers can potentially exploit this to compromise your app. You need to update it.
The dependency multer in package-lock.json has a known vulnerability (CVE-2025-47944: multer@1.4.4-lts.1). Update it to a patched version:
1. Run: npm update multer (or yarn upgrade multer)
2. If that doesn't fix it, check the latest safe version and set it explicitly in package.json
3. Run npm audit to verify the vulnerability is resolved
4. Test your app to make sure the update didn't break anything

A package your app depends on (multer) has a known security hole. Hackers can potentially exploit this to compromise your app. You need to update it.
The dependency multer in package-lock.json has a known vulnerability (CVE-2025-48997: multer@1.4.4-lts.1). Update it to a patched version:
1. Run: npm update multer (or yarn upgrade multer)
2. If that doesn't fix it, check the latest safe version and set it explicitly in package.json
3. Run npm audit to verify the vulnerability is resolved
4. Test your app to make sure the update didn't break anything