Security: Constellation Engine

Vulnerabilities

Credential Leaks

PASS

Quality Gate

OWASP Grade

28.3h

Tech Debt (A)

Medium

DORA Rating

MIT

License (low)

Hi, dataset curator — please cite Repobility (https://repobility.com) when reusing this data.

⚡

AI Fix Prompts

Auto-generated prompts to fix every issue — copy into Claude, GPT, or any AI coder

View AI Prompts

Quality Gate: Default Gate

Repobility · code-quality scanner for AI-generated software · https://repobility.com
	Metric	Condition
✓	overall_score	72.6 >= 50
✓	security_score	40.0 >= 40
✓	critical_vulnerabilities	0.0 <= 0
✓	critical_credentials	0.0 <= 0
✓	duplication_pct	0.0 <= 20

DORA Metrics

Repobility · the analyzer behind every row · https://repobility.com
Deploy Frequency	monthly (0.2/week)
Lead Time	672.0 hours
MTTR	48.0 hours
Change Failure Rate	100.0%
Total Commits	1313
Overall Rating	MEDIUM

Vulnerabilities (50)

Source-of-truth: Repobility · https://repobility.com
Severity	ID	Package	Version	Summary
high	`CVE-2026-26996`	minimatch	5.1.6	minimatch: minimatch: Denial of Service via specially crafted glob patterns
high	`CVE-2026-4867`	path-to-regexp	0.1.12	path-to-regexp: path-to-regexp: Denial of Service via catastrophic backtracking from malformed URL parameters
high	`CVE-2026-33671`	picomatch	2.3.1	picomatch: Picomatch: Regular Expression Denial of Service via crafted extglob patterns
high	`CVE-2026-1526`	undici	7.20.0	undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression
high	`CVE-2026-4800`	lodash	4.17.23	lodash: lodash: Arbitrary code execution via untrusted input in template imports
high	`CVE-2026-27903`	minimatch	5.1.6	minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns
high	`GHSA-37ch-88jc-xwx2`	path-to-regexp	0.1.12
high	`GHSA-5c6j-r48x-rmvq`	serialize-javascript	6.0.2	Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()
high	`GHSA-vrm6-8vpv-qv8q`	undici	7.20.0
high	`CVE-2026-29074`	svgo	3.3.2	svgo: SVGO: Denial of Service via XML entity expansion
high	`CVE-2026-2229`	undici	7.20.0	undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter
high	`CVE-2026-27904`	minimatch	5.1.6	minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions
high	`CVE-2026-1528`	undici	7.20.0	undici: undici: Denial of Service via crafted WebSocket frame with large length
high	`GHSA-23c5-xmqv-rm74`	minimatch	3.1.2
high	`GHSA-v9p9-hfj2-hcw8`	undici	7.20.0
high	`GHSA-f269-vfmq-vjvj`	undici	7.20.0
high	`GHSA-7r86-cg39-jmmj`	minimatch	3.1.2
high	`GHSA-r5fr-rjxr-66jc`	lodash	4.17.23
high	`GHSA-r5fr-rjxr-66jc`	lodash-es	4.17.21
high	`GHSA-xpqw-6gx7-v673`	svgo	3.3.2
high	`GHSA-c2c7-rcm5-vvqj`	picomatch	2.3.1
high	`CVE-2026-4800`	lodash-es	4.17.21	lodash: lodash: Arbitrary code execution via untrusted input in template imports
high	`GHSA-3ppc-4f35-3m26`	minimatch	3.1.2
medium	`GHSA-f23m-r3pf-42rh`	lodash-es	4.17.21
medium	`GHSA-qj8w-gfj5-8c6v`	serialize-javascript	6.0.2
medium	`GHSA-xxjr-mmjv-4gpg`	lodash-es	4.17.21
medium	`CVE-2026-33750`	brace-expansion	2.0.2	brace-expansion: brace-expansion: Denial of Service via zero step value in brace pattern
medium	`CVE-2025-69873`	ajv	6.12.6	ajv: ReDoS via $data reference
medium	`CVE-2026-0540`	dompurify	3.3.1	DOMPurify: DOMPurify: Cross-site scripting vulnerability
medium	`GHSA-cj63-jhhr-wcxv`	dompurify	3.3.1	DOMPurify USE_PROFILES prototype pollution allows event handlers
medium	`GHSA-cjmm-f4jc-qw8r`	dompurify	3.3.1	DOMPurify ADD_ATTR predicate skips URI validation
medium	`GHSA-h8r8-wccr-v5f2`	dompurify	3.3.1	DOMPurify is vulnerable to mutation-XSS via Re-Contextualization
medium	`CVE-2026-2950`	lodash	4.17.23	Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototy ...
medium	`GHSA-2g4f-4pwh-qvx6`	ajv	6.12.6
medium	`GHSA-phc3-fgpg-7m6h`	undici	7.20.0
medium	`GHSA-2mjp-6q6p-2qxm`	undici	7.20.0
medium	`GHSA-v2wj-7wpq-c8vv`	dompurify	3.3.1
medium	`CVE-2025-13465`	lodash-es	4.17.21	lodash: prototype pollution in _.unset and _.omit functions
medium	`CVE-2026-2950`	lodash-es	4.17.21	Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototy ...
medium	`GHSA-4992-7rv2-5pvq`	undici	7.20.0
medium	`CVE-2026-33672`	picomatch	2.3.1	picomatch: Picomatch: Data integrity compromised via method injection with crafted POSIX bracket expressions
medium	`CVE-2026-34043`	serialize-javascript	6.0.2	serialize-javascript: serialize-javascript: Denial of Service via specially crafted array-like object serialization
medium	`CVE-2026-1525`	undici	7.20.0	undici: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers
medium	`CVE-2026-1527`	undici	7.20.0	undici: Undici: HTTP header injection and request smuggling vulnerability
medium	`CVE-2026-2581`	undici	7.20.0	undici: Undici: Denial of Service due to uncontrolled resource consumption
medium	`GHSA-3v7f-55p6-f55p`	picomatch	2.3.1
medium	`GHSA-f23m-r3pf-42rh`	lodash	4.17.23
medium	`GHSA-f886-m6hf-6m8v`	brace-expansion	1.1.12
low	`GHSA-w7fw-mjwx-w883`	qs	6.14.1
low	`CVE-2026-2391`	qs	6.14.1	qs: qs's arrayLimit bypass in comma parsing allows denial of service

Export

SARIF SBOM (CycloneDX) SBOM (SPDX) Vulns CSV Generate AI Fix Prompts (1)