secnull
8 published · updated apr 22 · 08:14 utc
— the archive

Every audit we've published, graded and searchable.

We read the code. We rerun the test corpus. We publish what we find — and we update the grade when the code changes. Filter by beat, grade, or ecosystem. Every article ships with an Ed25519 signature you can verify against the integrity manifest.

— grade distribution · 8 audits · tamper-evident: signed

A · 2 · pass, cleanly
B · 3 · with notes
C · 1 · use with care
D · 1 · serious concerns
F · 1 · do not use

| pkg / verdict | beat | grade | score | findings | published |
|---|---|---|---|---|---|
| passport-openidconnect: The silent privilege-creep in three popular OIDC libraries — and why your staging cluster already leaked. | iam | C | 64/100 | 3 high, 6 med, 5 low | apr 22 · 2026 |
| zitadel/oidc: A careful implementation that earns its reputation. | iam | A | 94/100 | 1 med, 4 low | apr 21 · 2026 |
| express-session@1.17.3: Default configuration still leaks session fixation vectors in 2026. | web | D | 41/100 | 3 high, 4 med, 6 low | apr 19 · 2026 |
| age-encryption/age: The quiet, correct answer to 'how do I encrypt this file?' | crypto | B | 82/100 | 2 med, 3 low | apr 17 · 2026 |
| node-jsonwebtoken <9.0.1: Still present in 42% of npm dependency trees we crawl. Stop shipping it. | iam | F | 12/100 | 5 high, 2 med, 1 low | apr 14 · 2026 |
| lucia-auth@3.2: Session handling sharpened since 3.0. | iam | B | 87/100 | 1 med, 5 low | apr 12 · 2026 |
| rustls: As close to 'no notes' as this beat gets. Read the code. | crypto | A | 96/100 | 1 low | mar 30 · 2026 |
| sigstore/cosign: The defaults are finally correct. Your CI pipeline has no excuse. | supply | B | 84/100 | 2 med, 4 low | mar 28 · 2026 |