viktorkubica/n8n-webhook-app

21/100
// latest public scan, scanned 2026-05-10 · classified as web app · stack: React · react-scripts · axios · nginx · Docker · Google Cloud Run
// this URL always shows the latest public scan for this repo. permanent permalink to this specific scan: www.codeclanker.com/scan/id/aL080FF9

Nine dimensions

DevOps
22
Dockerfile and nginx.conf present for Cloud Run, but no CI workflow in .github/workflows; no automated build gate; Docker image never scanned for CVEs.
Security
5
axios@1.10.0 carries 17 known vulnerabilities per OSV.dev, including GHSA-3p68-rc4w-qgx5, GHSA-3w6x-2g7m-8v23 and GHSA-43fc-jf86-j433, with no mitigation in place; the nginx.conf that serves the public endpoints shows no visible rate limiting.
Cost & infra
40
Single-container nginx deployment keeps infra costs minimal; unknown license is a compliance risk if this becomes commercial.
QA & testing
8
Single boilerplate App.test.js present; zero custom tests; no CI workflow, so tests are never verified in automation.
Performance
28
No caching layer, no performance tests, no Lighthouse CI, no bundle budget enforcement; react-markdown may cause render jank at scale.
Architecture
38
Single-page React app with no visible backend abstraction. A static frontend needs no database migrations or backup strategy, but the n8n webhook integration surface (which endpoints are called, with what data, under what authentication) is undocumented.
Code quality
18
CRA boilerplate only; no custom architecture, patterns, or type safety; App_origos.js is uncommented dead code.
Observability
8
No error tracking service (Sentry/DataDog/other); no structured logging; reportWebVitals.js exists but is not wired to any backend.
Maintainability
20
README.md is the default CRA template with no project description; license is unknown; no architecture or integration docs.

Deterministic findings

high

1 dependency with known CVEs (OSV.dev)

axios@1.10.0 — 17 vulns (GHSA-3p68-rc4w-qgx5, GHSA-3w6x-2g7m-8v23, GHSA-43fc-jf86-j433)

Top findings (AI)

critical

axios@1.10.0 has 17 unmitigated known vulnerabilities (OSV.dev), three of them listed in the deterministic findings above

package.json declares axios@^1.10.0 and the OSV.dev scan reports 17 advisories against the resolved 1.10.0; three of them (GHSA-3p68-rc4w-qgx5, GHSA-3w6x-2g7m-8v23, GHSA-43fc-jf86-j433) appear in the deterministic findings above. axios is a runtime dependency used for the n8n webhook calls in src/, so it ships in the browser bundle. The advisory list records known defects, not confirmed exploitability against this app: which entries are reachable depends on whether the affected code path is the browser adapter or the Node adapter and on how the webhook URLs are built, so check each advisory against the actual call sites rather than assuming SSRF or credential leakage applies across the board. The remediation is the same either way: move to a release OSV reports as fixed (the scan suggests axios@1.11.0 or later). Because the Dockerfile runs npm ci, package-lock.json pins the resolved version and every image build reproduces it, so the bump has to land in the lockfile, not only in the caret range; rerun npm audit afterwards to confirm nothing remains.
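The point about how the webhook URLs are built is the part a reviewer can act on today, independently of the version bump. The following is an added example, not code from the scanned repository: it constructs the n8n webhook URL from an allowlisted origin and a caller-supplied relative path and refuses anything that would send the request (and whatever credentials travel with it) to another host. The allowlist entry, the `/webhook/` path pattern (n8n's default layout) and the function names are this example's assumptions; the repo's real webhook configuration is undocumented.

```javascript
// Added example, not code from the scanned repository: construct the n8n webhook
// URL from an allowlisted origin and a relative path, refusing anything that would
// send the request (and any attached credentials) to a different host.
// ALLOWED_WEBHOOK_ORIGINS, the path pattern and the function names are assumptions
// of this example; the repo's real webhook configuration is undocumented.

const ALLOWED_WEBHOOK_ORIGINS = new Set([
  'https://n8n.example.internal', // constructed placeholder for the real n8n host
]);

// n8n exposes webhooks under /webhook/<path> and /webhook-test/<path> by default;
// reject anything else so a crafted path cannot reach other routes on the host.
const WEBHOOK_PATH = /^\/webhook(-test)?\/[A-Za-z0-9_-]+$/;

function buildWebhookUrl(origin, path) {
  if (!ALLOWED_WEBHOOK_ORIGINS.has(origin)) {
    throw new Error(`origin not allowlisted: ${origin}`);
  }
  if (typeof path !== 'string' || !path.startsWith('/') || path.startsWith('//')) {
    // absolute ("https://evil...") and protocol-relative ("//evil...") inputs both
    // override the base when handed to an HTTP client; only "/x" is accepted here
    throw new Error('path must be relative and start with a single "/"');
  }
  // resolve against the origin, then verify the result still lives there: the
  // WHATWG parser treats "\" like "/" for http(s), so "/\evil.example/x" becomes
  // "//evil.example/x" and changes the host
  const url = new URL(path, origin);
  if (url.origin !== origin) {
    throw new Error(`path escaped the allowlisted origin: ${url.origin}`);
  }
  if (url.username || url.password) {
    throw new Error('credentials embedded in the URL are rejected');
  }
  if (!WEBHOOK_PATH.test(url.pathname)) {
    // also catches "/webhook/x/../../rest/..." after path normalisation
    throw new Error(`not a webhook path: ${url.pathname}`);
  }
  return url.toString();
}

// Request config for axios.request(); every field pins down behaviour that would
// otherwise be left to defaults. maxRedirects only applies under Node; in the
// browser the XHR/fetch layer follows redirects on its own, which is one reason
// the origin check above matters.
function webhookRequestConfig(origin, path, body) {
  return {
    method: 'POST',
    url: buildWebhookUrl(origin, path), // no baseURL: the full URL is already vetted
    data: body,
    timeout: 10000,
    maxRedirects: 0,
    withCredentials: false, // never send cookies to the webhook host
    headers: { 'Content-Type': 'application/json' },
  };
}
```

Call it as `axios.request(webhookRequestConfig('https://n8n.example.internal', '/webhook/order-created', payload))`; the config deliberately omits `baseURL` so a later refactor cannot reintroduce the absolute-URL override. Newer axios releases also accept an `allowAbsoluteUrls` request option; check the docs of the version you upgrade to and set it off if it is available.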

critical

Zero production-grade tests and no CI pipeline

src/App.test.js is the only test file and it is the default CRA boilerplate with no assertions against custom app logic; .github/workflows is absent, so there is no automated test execution. Any code change is deployed blind.

critical

No error tracking or structured observability

No Sentry, DataDog, or equivalent instrumentation is installed; reportWebVitals.js exists in src/ but nothing sends those signals to a backend; unhandled React errors in production will silently fail for users with no trace.
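The fix does not require a vendor: a few dozen lines can forward uncaught errors, unhandled promise rejections and the metrics that CRA's reportWebVitals() already collects to any endpoint you own. The following is an added example, not code from the scanned repository; the endpoint path, the per-session cap, the payload fields and the `fakeWindow` stand-in used to exercise it outside a browser are this example's assumptions.

```javascript
// Added example, not code from the scanned repository: a small client-side
// reporter that forwards uncaught errors, unhandled promise rejections and the
// metrics CRA's reportWebVitals() already collects to a backend endpoint.
// The endpoint path, the per-session cap and the payload fields are this
// example's assumptions. Wiring in src/index.js would look like:
//   const reporter = createReporter({ target: window, send: beaconTransport('/api/telemetry') });
//   reportWebVitals(reporter.reportWebVital);

// Transport: sendBeacon survives page unloads; fetch with keepalive is the fallback.
function beaconTransport(endpoint) {
  return (payload) => {
    const body = JSON.stringify(payload);
    if (typeof navigator !== 'undefined' && navigator.sendBeacon) {
      return navigator.sendBeacon(endpoint, new Blob([body], { type: 'application/json' }));
    }
    if (typeof fetch !== 'undefined') {
      fetch(endpoint, { method: 'POST', body, keepalive: true,
                        headers: { 'Content-Type': 'application/json' } }).catch(() => {});
      return true;
    }
    return false;
  };
}

// target is the window (or a stand-in); send is a transport returning true on
// success. Identical events are collapsed and a per-session cap keeps an error
// loop in a render path from flooding the backend.
function createReporter({ target, send, maxPerSession = 50, release = 'unknown' }) {
  let sent = 0;
  let dropped = 0;
  const seen = new Set();

  function report(kind, fields, key) {
    if (seen.has(key) || sent >= maxPerSession) { dropped += 1; return false; }
    seen.add(key);
    const ok = send({
      kind, release, ts: Date.now(),
      url: target.location ? String(target.location.href) : undefined,
      ...fields,
    });
    if (ok) sent += 1; else dropped += 1;
    return ok;
  }

  target.addEventListener('error', (e) => report('error', {
    message: e.message, source: e.filename, line: e.lineno, col: e.colno,
    stack: e.error && e.error.stack,
  }, 'error|' + ((e.error && e.error.stack) || e.message)));

  target.addEventListener('unhandledrejection', (e) => {
    const r = e.reason;
    const text = r instanceof Error ? (r.stack || r.message) : String(r);
    report('unhandledrejection', { reason: text }, 'rejection|' + text);
  });

  return {
    report,
    // shape matches the metric object web-vitals hands to reportWebVitals()
    reportWebVital: (m) => report('web-vital',
      { name: m.name, value: m.value, rating: m.rating, id: m.id }, 'vital|' + m.id),
    stats: () => ({ sent, dropped }),
  };
}

// Minimal window stand-in so the reporter can be exercised outside a browser.
function fakeWindow() {
  const handlers = {};
  return {
    location: { href: 'https://app.example/' },
    addEventListener: (type, fn) => { (handlers[type] = handlers[type] || []).push(fn); },
    dispatch: (type, event) => (handlers[type] || []).forEach((fn) => fn(event)),
  };
}
```

Errors thrown inside React render are additionally surfaced through an error boundary; its componentDidCatch can call `reporter.report('react', { stack: info.componentStack, message: err.message }, 'react|' + err.message)` so they reach the same endpoint.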

high

Default README with unknown license creates legal exposure

README.md is the verbatim CRA starter with no project-specific description; license field is 'unknown'. If this is shipped to paying customers, the IP posture is indefensible in a due-diligence review.

high

No build-time security gate for dependencies

Dockerfile runs npm ci but never runs npm audit or a container vuln scan; the axios CVEs would be present in every built image unless manually patched before each build.
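A gate at build time is the cheapest way to stop this from recurring. The following is an added example, not code from the scanned repository: a Node script that reads the JSON that `npm audit --json` produces and returns a non-zero exit code when any package is at or above a chosen severity, so a `RUN npm audit --json | node audit-gate.js --gate --level=high` step after `npm ci` fails the image build. The file name, the flags and the embedded SAMPLE_REPORT are this example's assumptions; the sample is constructed in the shape of an audit report, not the repo's scan output.

```javascript
// Added example, not code from the scanned repository: a build gate that reads
// `npm audit --json` (auditReportVersion 2) and fails the build when any
// dependency is at or above a chosen severity. The file name, flags and
// SAMPLE_REPORT below are this example's assumptions; the report is a constructed
// sample, not the repo's scan output.
//
// Dockerfile / CI usage (after `npm ci`):
//   npm audit --json | node audit-gate.js --gate --level=high

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Returns { blocked, summary }: blocked lists every package at or above minLevel,
// with advisory ids pulled from the `via` entries that are objects (strings in
// `via` are the names of transitive packages the vulnerability flows through).
function evaluateAudit(report, minLevel = 'high') {
  const threshold = SEVERITY_RANK[minLevel];
  if (threshold === undefined) throw new Error(`unknown severity level: ${minLevel}`);
  const blocked = [];
  for (const [name, entry] of Object.entries(report.vulnerabilities || {})) {
    const rank = SEVERITY_RANK[entry.severity];
    // an unrecognised severity is treated as blocking rather than silently ignored
    if (rank !== undefined && rank < threshold) continue;
    const advisories = (entry.via || [])
      .filter((v) => typeof v === 'object' && v !== null)
      .map((v) => ({
        id: v.url ? v.url.split('/').pop() : String(v.source),
        title: v.title,
        range: v.range,
      }));
    blocked.push({
      name, severity: entry.severity, direct: entry.isDirect === true,
      fixAvailable: entry.fixAvailable, advisories,
    });
  }
  blocked.sort((a, b) => (SEVERITY_RANK[b.severity] ?? 99) - (SEVERITY_RANK[a.severity] ?? 99));
  return { blocked, summary: (report.metadata && report.metadata.vulnerabilities) || {} };
}

// Human-readable gate output; fixAvailable is true/false or {name, version, isSemVerMajor}.
function formatGateReport({ blocked, summary }) {
  const lines = [`npm audit: ${JSON.stringify(summary)}`];
  for (const b of blocked) {
    const fix = b.fixAvailable && typeof b.fixAvailable === 'object'
      ? `fix: ${b.fixAvailable.name}@${b.fixAvailable.version}${b.fixAvailable.isSemVerMajor ? ' (major)' : ''}`
      : (b.fixAvailable ? 'fix available' : 'no fix available');
    lines.push(`BLOCK ${String(b.severity).toUpperCase()} ${b.name}${b.direct ? ' (direct)' : ''} ${fix}`);
    for (const a of b.advisories) lines.push(`  ${a.id} ${a.range} ${a.title}`);
  }
  lines.push(blocked.length ? `gate FAILED: ${blocked.length} package(s) blocked` : 'gate passed');
  return lines.join('\n');
}

function gateExitCode(result) {
  return result.blocked.length ? 1 : 0;
}

// Constructed sample in the shape of `npm audit --json`; ids and versions are placeholders.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    axios: {
      name: 'axios', severity: 'high', isDirect: true,
      via: [{ source: 1000001, name: 'axios', title: 'Constructed advisory title',
              url: 'https://github.com/advisories/GHSA-xxxx-xxxx-xxxx',
              severity: 'high', range: '<=1.10.0' }],
      range: '<=1.10.0',
      fixAvailable: { name: 'axios', version: '1.11.0', isSemVerMajor: false },
    },
    'some-dev-tool': {
      name: 'some-dev-tool', severity: 'low', isDirect: false,
      via: ['ws'], range: '*', fixAvailable: false,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 0, total: 2 } },
};

// CLI entry point: only runs when invoked with --gate, so the module can also be required.
if (typeof require !== 'undefined' && require.main === module && process.argv.includes('--gate')) {
  const levelArg = process.argv.find((a) => a.startsWith('--level='));
  const level = levelArg ? levelArg.slice('--level='.length) : 'high';
  const report = JSON.parse(require('fs').readFileSync(0, 'utf8'));
  const result = evaluateAudit(report, level);
  console.log(formatGateReport(result));
  process.exit(gateExitCode(result));
}
```

`npm audit --audit-level=high` alone also exits non-zero, but it cannot distinguish a direct dependency with a non-breaking fix from a dev-only transitive, which is why the gate prints that detail before failing. Pair it with an image scan of the built container, since npm audit only sees the Node dependency tree and not the nginx base image.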

medium

App_origos.js is unmaintained dead code in the tree

src/App_origos.js sits alongside src/App.js with no clear purpose. If nothing imports it, CRA's build leaves it out of the bundle, so the cost is not runtime attack surface but a stale copy of app logic that drifts from src/App.js, misleads reviewers, and suggests a disorganised workflow; delete it and rely on version history.
