Security report for vercel/next.js
Scanned by Merge Risk — the free A–F security grade for AI-built apps.
Merge Risk — Security Report14 July 2026
vercel/next.js · branch canary · 80 files scanned
F
Wide open
vercel/next.js
80 files scanned·Next.js · Vite · React
OpenAI API key committed in a public repo. Right now anyone reading this can too. Rotate it before you finish this sentence — the roast is free, the breach isn't.
Security score40/100
OpenAI API key committedCritical
A OpenAI API key appears in `.vscode/settings.json`. Anyone with the repo can read it — rotate it now and move it to an untracked env var.
.vscode/settings.json:61
Fix it with your AI agentEvery finding, with file and line, as a prompt for Claude Code, Codex or Cursor. No re-reading your repo — it starts fixing.
Is your repo leaking too?
One free scan a day. No signup, no card, and we never store your code.
Scan my repo free