Skip to content

security: 5 Critical/High panic-attack findings need human triage (Track C) #29

Open
Open
security: 5 Critical/High panic-attack findings need human triage (Track C)#29
@hyperpolymath

Description

@hyperpolymath
hyperpolymath
opened on May 26, 2026

panic-attack estate sweep — Track C tracking issue

panic-attack assail flagged the findings below in this repo on 2026-05-26. They are aggregated here for human triage rather than as individual PRs because each requires judgement (supply-chain pin choice, schema-design call, mutation-test gap, etc.).

PA001/PA007 UnsafeCode/UnsafeFFI findings are NOT in this list. Findings already suppressed in audits/assail-classifications.a2ml are also excluded.

Estate tracker: hyperpolymath/panic-attack#32.

DynamicCodeExecution (3 findings)

file:line list 
Critical  extension/lib/rescript/DevTools.res.js:?  eval() usage in extension/lib/rescript/DevTools.res.js
High  extension/lib/dom-utils.js:?  DOM manipulation (innerHTML/document.write) in extension/lib/dom-utils.js
### `HardcodedSecret` (1 findings)
file:line list
### `SupplyChain` (1 findings)
file:line list

🤖 Discovered during the panic-attack estate sweep (2026-05-26). See hyperpolymath/panic-attack#32 for campaign tracker.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions