Home/duet-gpt/Trust report

Trust and health report

duet-gpt - trust report

Sourced, dated trust signals - maintenance label posture, repository provenance, and security scan status. Not a composite safety grade.

GraphCanon updated today · GitHub synced today

Maintenance

Recency and activity heuristics from public GitHub metadata (maintenance label, momentum); methodology: github_public_v1.

Dormant18% signal

last push 1117d ago

Provenance

Repository identity and fork provenance (github_public_v1).

  • GitHub repo id: 645245078
  • Not a fork
  • Personal account
  • Computed today

Security scan

Dependency advisory security scan when a lockfile is present. Not a full code audit.

Status
49 low
Last scan
today
Scanner
osv@v1

Findings

GHSA-f886-m6hf-6m8v
brace-expansion@2.0.1 · package-lock.json
GHSA-v6h2-p8h4-qcjw
brace-expansion@2.0.1 · package-lock.json
GHSA-23c5-xmqv-rm74
minimatch@5.1.6 · package-lock.json
GHSA-3ppc-4f35-3m26
minimatch@5.1.6 · package-lock.json
GHSA-7r86-cg39-jmmj
minimatch@5.1.6 · package-lock.json
GHSA-35jp-ww65-95wh
axios@1.4.0 · package-lock.json
GHSA-3g43-6gmg-66jw
axios@1.4.0 · package-lock.json
GHSA-3p68-rc4w-qgx5
axios@1.4.0 · package-lock.json
GHSA-3w6x-2g7m-8v23
axios@1.4.0 · package-lock.json
GHSA-43fc-jf86-j433
axios@1.4.0 · package-lock.json
GHSA-445q-vr5w-6q77
axios@1.4.0 · package-lock.json
GHSA-4hjh-wcwx-xvwj
axios@1.4.0 · package-lock.json
GHSA-5c9x-8gcm-mpgx
axios@1.4.0 · package-lock.json
GHSA-62hf-57xw-28j9
axios@1.4.0 · package-lock.json
GHSA-6chq-wfr3-2hj9
axios@1.4.0 · package-lock.json
GHSA-898c-q2cr-xwhg
axios@1.4.0 · package-lock.json
GHSA-8hc4-vh64-cxmj
axios@1.4.0 · package-lock.json
GHSA-fvcv-3m26-pcqx
axios@1.4.0 · package-lock.json
GHSA-hfxv-24rg-xrqf
axios@1.4.0 · package-lock.json
GHSA-j5f8-grm9-p9fc
axios@1.4.0 · package-lock.json
GHSA-jr5f-v2jv-69x6
axios@1.4.0 · package-lock.json
GHSA-m7pr-hjqh-92cm
axios@1.4.0 · package-lock.json
GHSA-p92q-9vqr-4j8v
axios@1.4.0 · package-lock.json
GHSA-pf86-5x62-jrwf
axios@1.4.0 · package-lock.json
GHSA-pmwg-cvhr-8vh7
axios@1.4.0 · package-lock.json
GHSA-q8qp-cvcw-x6jj
axios@1.4.0 · package-lock.json
GHSA-vf2m-468p-8v99
axios@1.4.0 · package-lock.json
GHSA-w9j2-pvgh-6h63
axios@1.4.0 · package-lock.json
GHSA-wf5p-g6vw-rhxx
axios@1.4.0 · package-lock.json
GHSA-xhjh-pmcv-23jw
axios@1.4.0 · package-lock.json
GHSA-xx6v-rp6x-q39c
axios@1.4.0 · package-lock.json
GHSA-3xgq-45jj-v275
cross-spawn@7.0.3 · package-lock.json
GHSA-73rr-hh4g-fpgx
diff@5.1.0 · package-lock.json
GHSA-4gmj-3p3h-gm8h
es5-ext@0.10.62 · package-lock.json
GHSA-67mh-4wv8-2f99
esbuild@0.17.19 · package-lock.json
GHSA-cxjh-pqwp-8mfp
follow-redirects@1.15.2 · package-lock.json
GHSA-jchw-25xp-jwwc
follow-redirects@1.15.2 · package-lock.json
GHSA-r4q5-vmmm-2653
follow-redirects@1.15.2 · package-lock.json
GHSA-fjxv-7rqg-78g4
form-data@4.0.0 · package-lock.json
GHSA-hmw2-7cc7-3qxx
form-data@4.0.0 · package-lock.json
GHSA-22p9-wv53-3rq4
linkify-it@4.0.1 · package-lock.json
GHSA-f23m-r3pf-42rh
lodash@4.17.21 · package-lock.json
GHSA-r5fr-rjxr-66jc
lodash@4.17.21 · package-lock.json
GHSA-xxjr-mmjv-4gpg
lodash@4.17.21 · package-lock.json
GHSA-pjwm-pj3p-43mv
axios@0.26.1 · package-lock.json
GHSA-3v7f-55p6-f55p
picomatch@2.3.1 · package-lock.json
GHSA-c2c7-rcm5-vvqj
picomatch@2.3.1 · package-lock.json
GHSA-gcx4-mw62-g8wm
rollup@2.79.1 · package-lock.json
GHSA-mw96-cpmx-2vgc
rollup@2.79.1 · package-lock.json

Method and caveats:these are sourced, dated heuristics from public GitHub data and optional dependency scans. A status like "no criticals found on 2026-07-11" is not a guarantee of safety. Read the full trust methodology · JSON report at /api/graphcanon/tools/kristoferlund-duet-gpt/trust.

Common questions

Is duet-gpt maintained?
GraphCanon rates duet-gpt "Dormant" (18% maintenance signal from public GitHub metadata, computed today). Last push was 1117 days ago. This is a recency heuristic, not a guarantee the project will stay maintained.
Is duet-gpt safe to use?
Last scanned today (deps profile). Status: 49 low - 49 low finding(s) in the latest scan. GraphCanon does not claim the project is safe or vulnerability-free; review findings on the trust report. GraphCanon does not certify duet-gpt as safe - review maintenance, provenance, and scan findings on this page before adopting.
Is duet-gpt a fork?
No. duet-gpt is not flagged as a fork in GitHub metadata at the time of the last refresh.
Does duet-gpt have known security vulnerabilities?
Last scanned today (deps profile). Status: 49 low - 49 low finding(s) in the latest scan. GraphCanon does not claim the project is safe or vulnerability-free; review findings on the trust report.
How often is the duet-gpt trust report updated?
Trust signals refresh on GitHub ingest/refresh cycles and optional dependency/MCP scans. This report was computed today (methodology github_public_v1).
What does GraphCanon never claim about duet-gpt?
We never publish a composite safety grade, pen-test endorsement, or "verified secure" label for duet-gpt. Signals are sourced heuristics with explicit limits - see trust methodology.
How does GraphCanon assess trust for duet-gpt?
Signals are sourced from public GitHub metadata and optional dependency/MCP manifest scans, each tagged with methodology version and computed date. GraphCanon does not publish a composite safety grade. Read trust methodology for full scope and limits.