First Seen
Feb 18, 2026
Last Scanned
Feb 22, 2026
Findings
3
Score
75/100
Findings (3)
Text combines credential access with network transmission
Errors prevented: 15 documented issues with exact solutions
Key value: API Keys beta, Next.js 16 proxy.ts (with March 2025 CVE context), clerkMiddleware() options, webhooks, component reference, API 2...Remove the combination of credential access and network transmission from the tool. If the tool needs credentials, access them via a secrets manager and never transmit them externally.
Likely FP if the tool legitimately uses credentials for API authentication (e.g., reading an API key to make authenticated requests to the same service).
Detects references to raw.githubusercontent.com on mutable branches like main/master
github.com/clerk/javascript/blob/main/packages/backend/CHANGELOG.mdReplace GitHub raw.githubusercontent.com references with pinned commit SHAs instead of branch names (e.g., /commit-sha/file instead of /main/file). Branch references are mutable.
Likely FP if the raw GitHub URL points to a versioned release tag in a well-known repository, though even tags are technically mutable.
Detects references to raw.githubusercontent.com on mutable branches like main/master
github.com/clerk/javascript/blob/main/packages/nextjs/CHANGELOG.md#6320)Replace GitHub raw.githubusercontent.com references with pinned commit SHAs instead of branch names (e.g., /commit-sha/file instead of /main/file). Branch references are mutable.
Likely FP if the raw GitHub URL points to a versioned release tag in a well-known repository, though even tags are technically mutable.