Gathering detailed insights and metrics for uppy
Gathering detailed insights and metrics for uppy
The next open source file uploader for web browsers 🐶
Installations
npm install uppyDeveloper Guide
BETA
Typescript
No
Module System
ESM
Releases
139
Languages
10
TypeScript
JavaScript
SCSS
Svelte
HTML
Shell
CSS
Makefile
Dockerfile
Vue
TypeScript (73.54%)
JavaScript (20.58%)
SCSS (4.7%)
Svelte (0.54%)
HTML (0.24%)
Shell (0.17%)
CSS (0.07%)
Makefile (0.06%)
Dockerfile (0.05%)
Vue (0.05%)
Developer
Download Statistics
Total Downloads
8,731,131
Last Day
467
Last Week
14,168
Last Month
64,503
Last Year
1,132,096
GitHub Statistics
MIT License
29,931 Stars
10,217 Commits
2,069 Forks
321 Watchers
85 Branches
437 Contributors
Updated on Jul 05, 2025
Bundle Size
524.20 kB
Minified
152.28 kB
Minified + Gzipped
Maintainers
6
Package Meta Information
Latest Version
4.18.0
Package Id
uppy@4.18.0
Unpacked Size
5.36 MB
Size
1.37 MB
File Count
25
Published on
Jun 30, 2025
Total Downloads
Cumulative downloads
Total Downloads
8,731,131
Last Day
-20.6%
467
Compared to previous day
Last Week
-15.5%
14,168
Compared to previous week
Last Month
-17%
64,503
Compared to previous month
Last Year
-21.2%
1,132,096
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
38
@uppy/audio@uppy/aws-s3@uppy/box@uppy/companion-client@uppy/compressor@uppy/core@uppy/dashboard@uppy/drag-drop@uppy/drop-target@uppy/dropbox@uppy/facebook@uppy/file-input@uppy/form@uppy/golden-retriever@uppy/google-drive@uppy/google-drive-picker@uppy/google-photos-picker@uppy/image-editor@uppy/informer@uppy/instagram@uppy/onedrive@uppy/progress-bar@uppy/provider-views@uppy/redux-dev-tools@uppy/remote-sources@uppy/screen-capture@uppy/status-bar@uppy/store-default@uppy/store-redux@uppy/thumbnail-generator@uppy/transloadit@uppy/tus@uppy/unsplash@uppy/url@uppy/webcam@uppy/webdav@uppy/xhr-upload@uppy/zoom
Uppy 
Uppy is a sleek, modular JavaScript file uploader that integrates seamlessly with any application. It’s fast, has a comprehensible API and lets you worry about more important problems than building a file uploader.
- Fetch files from local disk, remote URLs, Google Drive, Dropbox, Box, Instagram or snap and record selfies with a camera
- Preview and edit metadata with a nice interface
- Upload to the final destination, optionally process/encode
Uppy is being developed by the folks at Transloadit, a versatile API to handle any file in your app.
| Tests |  |  |  |
|---|---|---|---|
| Deploys |  |  |  |
Example
Code used in the above example:
1import Uppy from '@uppy/core' 2import Dashboard from '@uppy/dashboard' 3import RemoteSources from '@uppy/remote-sources' 4import ImageEditor from '@uppy/image-editor' 5import Webcam from '@uppy/webcam' 6import Tus from '@uppy/tus' 7 8const uppy = new Uppy() 9 .use(Dashboard, { trigger: '#select-files' }) 10 .use(RemoteSources, { companionUrl: 'https://companion.uppy.io' }) 11 .use(Webcam) 12 .use(ImageEditor) 13 .use(Tus, { endpoint: 'https://tusd.tusdemo.net/files/' }) 14 .on('complete', (result) => { 15 console.log('Upload result:', result) 16 })
Try it online or read the docs for more details on how to use Uppy and its plugins.
Features
- Lightweight, modular plugin-based architecture, light on dependencies :zap:
- Resumable file uploads via the open tus standard, so large uploads survive network hiccups
- Supports picking files from: Webcam, Dropbox, Box, Google Drive, Instagram, bypassing the user’s device where possible, syncing between servers directly via @uppy/companion
- Works great with file encoding and processing backends, such as Transloadit, works great without (all you need is to roll your own Apache/Nginx/Node/FFmpeg/etc backend)
- Sleek user interface :sparkles:
- Optional file recovery (after a browser crash) with Golden Retriever
- Speaks several languages (i18n) :earth_africa:
- Built with accessibility in mind
- Free for the world, forever (as in beer 🍺, pizza 🍕, and liberty 🗽)
- Cute as a puppy, also accepts cat pictures :dog:
Installation
1npm install @uppy/core @uppy/dashboard @uppy/tus
Add CSS
uppy.min.css,
either to your HTML page’s <head> or include in JS, if your bundler of choice
supports it.
Alternatively, you can also use a pre-built bundle from Transloadit’s CDN: Smart
CDN. In that case Uppy will attach itself to the global window.Uppy object.
⚠️ The bundle consists of most Uppy plugins, so this method is not recommended for production, as your users will have to download all plugins when you are likely using only a few.
1<!-- 1. Add CSS to `<head>` --> 2<link 3 href="https://releases.transloadit.com/uppy/v4.18.0/uppy.min.css" 4 rel="stylesheet" 5/> 6 7<!-- 2. Initialize --> 8<div id="files-drag-drop"></div> 9<script type="module"> 10 import { 11 Uppy, 12 Dashboard, 13 Tus, 14 } from 'https://releases.transloadit.com/uppy/v4.18.0/uppy.min.mjs' 15 16 const uppy = new Uppy() 17 uppy.use(Dashboard, { target: '#files-drag-drop' }) 18 uppy.use(Tus, { endpoint: 'https://tusd.tusdemo.net/files/' }) 19</script>
Documentation
- Uppy — full list of options, methods and events
- Companion — setting up and running a Companion instance, which adds support for Instagram, Dropbox, Box, Google Drive and remote URLs
- React — components to integrate Uppy UI plugins with React apps
- Architecture & Writing a Plugin — how to write a plugin for Uppy
Plugins
UI Elements
Dashboard— universal UI with previews, progress bars, metadata editor and all the cool stuff. Required for most UI plugins like Webcam and InstagramProgress Bar— minimal progress bar that fills itself when upload progressesStatus Bar— more detailed progress, pause/resume/cancel buttons, percentage, speed, uploaded/total sizes (included by default withDashboard)Informer— send notifications like “smile” before taking a selfie or “upload failed” when all is lost (also included by default withDashboard)
Sources
Drag & Drop— plain drag and drop areaFile Input— even plainer “select files” buttonWebcam— snap and record those selfies 📷- ⓒ
Google Drive— import files from Google Drive - ⓒ
Dropbox— import files from Dropbox - ⓒ
Box— import files from Box - ⓒ
Instagram— import images and videos from Instagram - ⓒ
Facebook— import images and videos from Facebook - ⓒ
OneDrive— import files from Microsoft OneDrive - ⓒ
Import From URL— import direct URLs from anywhere on the web
The ⓒ mark means that @uppy/companion, a
server-side component, is needed for a plugin to work.
Destinations
Tus— resumable uploads via the open tus standardXHR Upload— regular uploads for any backend out there (like Apache, Nginx)AWS S3— plain upload to AWS S3 or compatible servicesAWS S3 Multipart— S3-style “Multipart” upload to AWS or compatible services
File Processing
Transloadit— support for Transloadit’s robust file uploading and encoding backend
Miscellaneous
Golden Retriever— restores files after a browser crash, like it’s nothingThumbnail Generator— generates image previews (included by default withDashboard)Form— collects metadata from<form>right before an Uppy upload, then optionally appends results back to the formRedux— for your emerging time traveling needs
React
- React — components to integrate Uppy UI plugins with React apps
- React Native — basic Uppy component for React Native with Expo
Browser Support
We aim to support recent versions of Chrome, Firefox, and Safari.
FAQ
Why not use <input type="file">?
Having no JavaScript beats having a lot of it, so that’s a fair question! Running an uploading & encoding business for ten years though we found that in cases, the file input leaves some to be desired:
- We received complaints about broken uploads and found that resumable uploads are important, especially for big files and to be inclusive towards people on poorer connections (we also launched tus.io to attack that problem). Uppy uploads can survive network outages and browser crashes or accidental navigate-aways.
- Uppy supports editing meta information before uploading.
- Uppy allows cropping images before uploading.
- There’s the situation where people are using their mobile devices and want to upload on the go, but they have their picture on Instagram, files in Dropbox or a plain file URL from anywhere on the open web. Uppy allows to pick files from those and push it to the destination without downloading it to your mobile device first.
- Accurate upload progress reporting is an issue on many platforms.
- Some file validation — size, type, number of files — can be done on the client with Uppy.
- Uppy integrates webcam support, in case your users want to upload a picture/video/audio that does not exist yet :)
- A larger drag and drop surface can be pleasant to work with. Some people also like that you can control the styling, language, etc.
- Uppy is aware of encoding backends. Often after an upload, the server needs to rotate, detect faces, optimize for iPad, or what have you. Uppy can track progress of this and report back to the user in different ways.
- Sometimes you might want your uploads to happen while you continue to interact on the same single page.
Not all apps need all these features. An <input type="file"> is fine in many
situations. But these were a few things that our customers hit / asked about
enough to spark us to develop Uppy.
Why is all this goodness free?
Transloadit’s team is small and we have a shared ambition to make a living from open source. By giving away projects like tus.io and Uppy, we’re hoping to advance the state of the art, make life a tiny little bit better for everyone and in doing so have rewarding jobs and get some eyes on our commercial service: a content ingestion & processing platform.
Our thinking is that if only a fraction of our open source userbase can see the appeal of hosted versions straight from the source, that could already be enough to sustain our work. So far this is working out! We’re able to dedicate 80% of our time to open source and haven’t gone bankrupt yet. :D
Does Uppy support S3 uploads?
Yes, please check out the docs for more information.
Can I use Uppy with Rails/Node.js/Go/PHP?
Yes, whatever you want on the backend will work with @uppy/xhr-upload plugin,
since it only does a POST or PUT request. Here’s a
PHP backend example.
If you want resumability with the Tus plugin, use one of the tus server implementations 👌🏼
And you’ll need @uppy/companion if you’d
like your users to be able to pick files from Instagram, Google Drive, Dropbox
or via direct URLs (with more services coming).
Contributions are welcome
- Contributor’s guide in
.github/CONTRIBUTING.md - Changelog to track our release progress (we aim to roll out a release every
month):
CHANGELOG.md
Used by
Uppy is used by: Photobox, Issuu, Law Insider, Cool Tabs, Soundoff, Scrumi, Crive and others.
Use Uppy in your project? Let us know!
Contributors
License
The MIT License.
High
8.2/10
Summary
uppy's companion module is vulnerable to Server-Side Request Forgery (SSRF)
Affected Versions
< 2.3.3
Patched Versions
2.3.3
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1
- Info: Found text in security policy: SECURITY.md:1
Reason
30 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
no binaries found in the repo
Reason
packaging workflow detected
Details
- Info: Project packages its releases by way of GitHub Actions.: .github/workflows/companion-deploy.yml:41
Reason
Found 16/26 approved changesets -- score normalized to 6
Reason
dependency not pinned by hash detected -- score normalized to 2
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/bundlers.yml:171: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/bundlers.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/bundlers.yml:201: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/bundlers.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/bundlers.yml:226: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/bundlers.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/bundlers.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/bundlers.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/bundlers.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/bundlers.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/bundlers.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/bundlers.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/bundlers.yml:77: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/bundlers.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/bundlers.yml:91: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/bundlers.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/bundlers.yml:129: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/bundlers.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:74: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:80: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:88: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:55: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/companion-deploy.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/companion-deploy.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/companion-deploy.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/companion-deploy.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/companion-deploy.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/companion-deploy.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/companion-deploy.yml:59: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/companion-deploy.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/companion-deploy.yml:80: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/companion-deploy.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/companion.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/companion.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/companion.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/companion.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/companion.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/companion.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/e2e.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/e2e.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e.yml:61: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/e2e.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/e2e.yml:110: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/e2e.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e.yml:126: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/e2e.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e.yml:134: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/e2e.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e.yml:145: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/e2e.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e.yml:150: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/e2e.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e.yml:187: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/e2e.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/linters.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/linters.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/linters.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/linters.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/lockfile_check.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/lockfile_check.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/lockfile_check.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/lockfile_check.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/lockfile_check.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/lockfile_check.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/manual-cdn.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/manual-cdn.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/manual-cdn.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/manual-cdn.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/manual-cdn.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/manual-cdn.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-candidate.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/release-candidate.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-candidate.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/release-candidate.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-candidate.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/release-candidate.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:146: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:158: update your workflow using https://app.stepsecurity.io/secureworkflow/transloadit/uppy/release.yml/main?enable=pin
- Warn: containerImage not pinned by hash: Dockerfile:1
- Warn: containerImage not pinned by hash: Dockerfile:20: pin your Docker image by updating node:18.17.1-alpine to node:18.17.1-alpine@sha256:3482a20c97e401b56ac50ba8920cc7b5b2022bfc6aa7d4e4c231755770cf892f
- Warn: npmCommand not pinned by hash: .github/workflows/bundlers.yml:234
- Warn: npmCommand not pinned by hash: .github/workflows/bundlers.yml:99
- Warn: npmCommand not pinned by hash: .github/workflows/bundlers.yml:137
- Warn: npmCommand not pinned by hash: .github/workflows/bundlers.yml:188
- Warn: npmCommand not pinned by hash: .github/workflows/bundlers.yml:209
- Warn: downloadThenRun not pinned by hash: .github/workflows/companion-deploy.yml:87
- Warn: downloadThenRun not pinned by hash: .github/workflows/e2e.yml:89
- Info: 0 out of 45 GitHub-owned GitHubAction dependencies pinned
- Info: 10 out of 13 third-party GitHubAction dependencies pinned
- Info: 0 out of 2 containerImage dependencies pinned
- Info: 0 out of 5 npmCommand dependencies pinned
- Info: 0 out of 2 downloadThenRun dependencies pinned
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/bundlers.yml:1
- Warn: no topLevel permission defined: .github/workflows/ci.yml:1
- Warn: no topLevel permission defined: .github/workflows/companion-deploy.yml:1
- Warn: no topLevel permission defined: .github/workflows/companion.yml:1
- Warn: no topLevel permission defined: .github/workflows/linters.yml:1
- Warn: no topLevel permission defined: .github/workflows/lockfile_check.yml:1
- Warn: no topLevel permission defined: .github/workflows/manual-cdn.yml:1
- Warn: no topLevel permission defined: .github/workflows/release-candidate.yml:1
- Warn: no topLevel permission defined: .github/workflows/release.yml:1
- Info: no jobLevel write permissions found
Reason
dangerous workflow patterns detected
Details
- Warn: untrusted code checkout '${{ github.event.pull_request && format('refs/pull/{0}/merge', github.event.pull_request.number) || github.sha }}': .github/workflows/e2e.yml:40
- Warn: untrusted code checkout '${{ github.event.pull_request.head.sha || github.sha }}': .github/workflows/e2e.yml:125
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 23 are checked with a SAST tool
Reason
83 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: PYSEC-2018-66 / GHSA-562c-5r94-xh97
- Warn: Project is vulnerable to: PYSEC-2019-179 / GHSA-5wv5-4vpf-pj6m
- Warn: Project is vulnerable to: PYSEC-2023-62 / GHSA-m2qf-hxjv-5gpq
- Warn: Project is vulnerable to: GHSA-43qf-4rqw-9q2g
- Warn: Project is vulnerable to: GHSA-7rxf-gvfg-47g4
- Warn: Project is vulnerable to: GHSA-84pr-m4jr-85g5
- Warn: Project is vulnerable to: GHSA-8vgw-p6qm-5gr7
- Warn: Project is vulnerable to: PYSEC-2024-71 / GHSA-hxwh-jpp2-84pm
- Warn: Project is vulnerable to: PYSEC-2020-43 / GHSA-xc3p-ff3m-f46v
- Warn: Project is vulnerable to: GHSA-2g68-c3qc-8985
- Warn: Project is vulnerable to: PYSEC-2020-157 / GHSA-3p3h-qghp-hvh2
- Warn: Project is vulnerable to: GHSA-f9vj-2wh5-fj8j
- Warn: Project is vulnerable to: PYSEC-2019-140 / GHSA-gq9m-qvpx-68hc
- Warn: Project is vulnerable to: PYSEC-2017-43 / GHSA-h2fp-xgx6-xh6f
- Warn: Project is vulnerable to: PYSEC-2023-221 / GHSA-hrfv-mqp8-q5rw
- Warn: Project is vulnerable to: GHSA-j544-7q9p-6xp8
- Warn: Project is vulnerable to: PYSEC-2023-57 / GHSA-px8h-6qxv-m22q
- Warn: Project is vulnerable to: GHSA-q34m-jh98-gwm2
- Warn: Project is vulnerable to: PYSEC-2023-58 / GHSA-xg9f-g7g7-2323
- Warn: Project is vulnerable to: PYSEC-2022-203
- Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8
- Warn: Project is vulnerable to: GHSA-mm7r-265w-jv6f
- Warn: Project is vulnerable to: GHSA-9m4x-8w29-r78g
- Warn: Project is vulnerable to: GHSA-q24h-5rq3-63j9
- Warn: Project is vulnerable to: GHSA-r5fx-8r73-v86c
- Warn: Project is vulnerable to: GHSA-28hp-fgcr-2r4h
- Warn: Project is vulnerable to: GHSA-89mq-4x47-5v83
- Warn: Project is vulnerable to: GHSA-5cp4-xmrw-59wf
- Warn: Project is vulnerable to: GHSA-mhp6-pxh8-r675
- Warn: Project is vulnerable to: GHSA-2qqx-w9hr-q5gx
- Warn: Project is vulnerable to: GHSA-2vrf-hf26-jrp5
- Warn: Project is vulnerable to: GHSA-j58c-ww9w-pwp5
- Warn: Project is vulnerable to: GHSA-mqm9-c95h-x2p6
- Warn: Project is vulnerable to: GHSA-prc3-vjfx-vhm9
- Warn: Project is vulnerable to: GHSA-qwqh-hm9m-p5hr
- Warn: Project is vulnerable to: GHSA-wf5p-g6vw-rhxx
- Warn: Project is vulnerable to: GHSA-jr5f-v2jv-69x6
- Warn: Project is vulnerable to: GHSA-qwcr-r2fm-qrc7
- Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
- Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
- Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-wm7h-9275-46v2
- Warn: Project is vulnerable to: GHSA-67mh-4wv8-2f99
- Warn: Project is vulnerable to: GHSA-qw6h-vgh9-j6wx
- Warn: Project is vulnerable to: GHSA-75v8-2h7p-7m2m
- Warn: Project is vulnerable to: GHSA-mph8-6787-r8hw
- Warn: Project is vulnerable to: GHSA-7mhc-prgv-r3q4
- Warn: Project is vulnerable to: GHSA-4www-5p9h-95mh
- Warn: Project is vulnerable to: GHSA-9gqv-wp59-fq42
- Warn: Project is vulnerable to: GHSA-c7qv-q95q-8v27
- Warn: Project is vulnerable to: GHSA-2p57-rm9w-gvfp
- Warn: Project is vulnerable to: GHSA-p6mc-m468-83gw
- Warn: Project is vulnerable to: GHSA-35jh-r3h4-6jhm
- Warn: Project is vulnerable to: GHSA-5v2h-r2cx-5xgj
- Warn: Project is vulnerable to: GHSA-rrrm-qjm4-v8hf
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
- Warn: Project is vulnerable to: GHSA-44fp-w29j-9vj5
- Warn: Project is vulnerable to: GHSA-4pg4-qvpc-4q3h
- Warn: Project is vulnerable to: GHSA-g5hg-p3ph-g8qg
- Warn: Project is vulnerable to: GHSA-r683-j2x4-v87g
- Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j
- Warn: Project is vulnerable to: GHSA-rhx6-c78j-4q9w
- Warn: Project is vulnerable to: GHSA-gcx4-mw62-g8wm
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
- Warn: Project is vulnerable to: GHSA-m6fv-jmcg-4jfg
- Warn: Project is vulnerable to: GHSA-cm22-4g7w-348p
- Warn: Project is vulnerable to: GHSA-g4rg-993r-mgx7
- Warn: Project is vulnerable to: GHSA-3g92-w8c5-73pq
- Warn: Project is vulnerable to: GHSA-c76h-2ccp-4975
- Warn: Project is vulnerable to: GHSA-cxrh-j4jr-qwg3
- Warn: Project is vulnerable to: GHSA-x8rq-rc7x-5fg5
- Warn: Project is vulnerable to: GHSA-4vvj-4cpr-p986 / GHSA-64vr-g452-qvp3
- Warn: Project is vulnerable to: GHSA-9cwx-2883-4wfx
- Warn: Project is vulnerable to: GHSA-vg6x-rcgg-rjx6
- Warn: Project is vulnerable to: GHSA-x574-m823-4x7w
- Warn: Project is vulnerable to: GHSA-4r4m-qw57-chr8
- Warn: Project is vulnerable to: GHSA-xcj6-pq6g-qj4x
- Warn: Project is vulnerable to: GHSA-356w-63v5-8wf4
- Warn: Project is vulnerable to: GHSA-859w-5945-r5v3
- Warn: Project is vulnerable to: GHSA-4v9v-hfq4-rm2v
- Warn: Project is vulnerable to: GHSA-9jgg-88mc-972h
- Warn: Project is vulnerable to: GHSA-776f-qx25-q3cc
Score
4.3
/10
Last Scanned on 2025-06-23
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More