I do deep commit-level analysis on actively maintained open source projects - looking for behavioral contract changes that slip past code review: silent return value mutations, exception scope widening, broken caller assumptions, wrong entity types in API calls.
When I find something real, I report it with a reproducible description and a suggested fix.
Full writeups with code - oss-findings

| Date | Repo | What | Severity | Status |
|---|---|---|---|---|
| Jun 18 | affaan-m/ECC ⭐ 217K | #2291 + PR #2292 - find -exec rm bypass via compound commands (&& ; \| \|\|) in gateguard security hook - triggered maintainer's GHSA-4v57 security advisory | 🔴 High | ✅ Merged |
| Jun 18 | penpot/penpot | #10279 - Stale MCP token shown after regeneration - old token persisted in client state after server-side deletion | 🟡 Medium | ✅ Merged in v2.17.0 |
| Jun 16 | magento/magento2 | #40882 - NoSuchEntityException race in InvalidSkuProcessor bulk price API | 🔴 High | ⏳ PR #40883 |
| Jun 5 | codeceptjs/CodeceptJS | PR #5639 - --shuffle flag silently ignored after commit #5438 | 🔴 High | ✅ Merged |
| Jun 14 | midjourney-api | #294 - ChannelId used as ServerId in guild API | 🔴 High | ⏳ Open |
| Jun 14 | midjourney-api | #295 - Dead code in cacheCommand(), cache never populated | 🟡 Medium | ⏳ Open |
| Jun 14 | bagisto/bagisto | #11338 - getClientOriginalName() path traversal in RMAImageRepository - incomplete security fix | 🔴 Critical | ⏳ Open |
| Jun 14 | bagisto/bagisto | #11339 - v-html XSS in Shop views - product_name + datagrid columns unescaped | 🔴 High | ⏳ Open |
| Jun 13 | MoneyPrinterTurbo | PR #1033 - CLI local source validation fix | 🟡 Medium | ✅ Merged |
| Jun 10 | MoneyPrinterTurbo | #1013 - Groq model unvalidated on list-fetch failure | 🟡 Medium | ✅ Fixed PR #1014 |
| Jun 4 | medusajs/medusa | Discussion #15550 - Race condition in compensatePaymentIfNeededStep | 🔴 High | 👀 Watching |
| Jun 4 | MoneyPrinterTurbo | #985 - >= comparison risk in duration check | 🟡 Medium | 👀 Community PR expected |
| Jun 4 | MoneyPrinterTurbo | #984 - Qwen empty choices[] - unhandled crash | 🔴 High | ✅ Fixed PR #994 |
| Jun 4 | Understand-Anything | Discussion - commit analysis findings | 🟡 Medium | 👀 Watching |

| Repository | Language | Stars | Finding |
|---|---|---|---|
| affaan-m/ECC | JavaScript | 217K+ | Security bypass in gateguard hook - find -exec rm via &&/;/\|/\|\| - merged ✅ |
| penpot/penpot | ClojureScript | 50K+ | Stale MCP token state - merged in v2.17.0 ✅ |
| harry0703/MoneyPrinterTurbo | Python | 89K+ | 3 bugs found, 3 fixed |
| medusajs/medusa | TypeScript | 28K+ | Race condition in async workflow step |
| erictik/midjourney-api | TypeScript | 1.8K | 2 bugs found |
| apify/crawlee-python | Python | 9K+ | Silent URL filtering behavior change |
| tox-dev/tox | Python | 4K+ | Config override namespace risk |
| gptme/gptme | Python | 4K+ | LLM routing logic analysis |
| Lum1104/Understand-Anything | Python | - | Commit analysis findings |
| acacode/swagger-typescript-api | TypeScript | 4K+ | Analyzed - no actionable findings |
| bagisto/bagisto | PHP | 9.1K+ | 2 security bugs found |
| aws/aws-sam-cli | Python | 6.7K | Analyzed - no actionable findings |
| codeceptjs/CodeceptJS | JavaScript | 10K+ | shuffle regression - PR #5639 merged ✅ |
| magento/magento2 | PHP | 14K+ | NoSuchEntityException race condition in bulk price API |

```
Issues Opened   ██████████ 12
PRs Submitted   ██████████ 5
PRs Merged      ██████████ 6 - accepted by maintainers
Discussions     ██████████ 2
Repos Analyzed  ██████████ 14
Confirmed Bugs  ██████████ 8
```