panic-attack estate sweep — Track C tracking issue
panic-attack assail flagged the findings below in this repo on 2026-05-26. They are aggregated here for human triage rather than as individual PRs because each requires judgement (supply-chain pin choice, schema-design call, mutation-test gap, etc.).
PA001/PA007 UnsafeCode/UnsafeFFI findings are NOT in this list. Findings already suppressed in `audits/assail-classifications.a2ml` are also excluded.
Estate tracker: hyperpolymath/panic-attack#32.
### `DynamicCodeExecution` (28 findings)
file:line list
High scripts/src/scripts/content/DarkMode.mjs:? DOM manipulation (innerHTML/document.write) in scripts/src/scripts/content/DarkMode.mjs
High scripts/src/scripts/aibdp/AibdpChecker.res.mjs:? DOM manipulation (innerHTML/document.write) in scripts/src/scripts/aibdp/AibdpChecker.res.mjs
High scripts/src/scripts/aibdp/AibdpChecker.mjs:? DOM manipulation (innerHTML/document.write) in scripts/src/scripts/aibdp/AibdpChecker.mjs
High scripts/src/scripts/license/GrimLicenseChecker.mjs:? DOM manipulation (innerHTML/document.write) in scripts/src/scripts/license/GrimLicenseChecker.mjs
High scripts/src/scripts/license/GrimLicenseChecker.res.mjs:? DOM manipulation (innerHTML/document.write) in scripts/src/scripts/license/GrimLicenseChecker.res.mjs
High scripts/src/scripts/code/GitlabEnhanced.mjs:? DOM manipulation (innerHTML/document.write) in scripts/src/scripts/code/GitlabEnhanced.mjs
High scripts/src/scripts/code/GitlabEnhanced.res.mjs:? DOM manipulation (innerHTML/document.write) in scripts/src/scripts/code/GitlabEnhanced.res.mjs
High scripts/src/scripts/template/GrimTemplateEngine.res.mjs:? DOM manipulation (innerHTML/document.write) in scripts/src/scripts/template/GrimTemplateEngine.res.mjs
High scripts/src/scripts/template/GrimTemplateEngine.mjs:? DOM manipulation (innerHTML/document.write) in scripts/src/scripts/template/GrimTemplateEngine.mjs
High scripts/src/scripts/ci/GrimCIValidator.mjs:? DOM manipulation (innerHTML/document.write) in scripts/src/scripts/ci/GrimCIValidator.mjs
High scripts/src/scripts/ci/GrimCIValidator.res.mjs:? DOM manipulation (innerHTML/document.write) in scripts/src/scripts/ci/GrimCIValidator.res.mjs
High scripts/src/scripts/a11y/A11yOverlay.res.mjs:? DOM manipulation (innerHTML/document.write) in scripts/src/scripts/a11y/A11yOverlay.res.mjs
High scripts/src/scripts/a11y/A11yOverlay.mjs:? DOM manipulation (innerHTML/document.write) in scripts/src/scripts/a11y/A11yOverlay.mjs
Critical scripts/src/scripts/security/GrimSecurityScanner.res.mjs:? eval() usage in scripts/src/scripts/security/GrimSecurityScanner.res.mjs
High scripts/src/scripts/security/GrimSecurityScanner.res.mjs:? DOM manipulation (innerHTML/document.write) in scripts/src/scripts/security/GrimSecurityScanner.res.mjs
High scripts/src/scripts/security/GrimSecurityScanner.res.mjs:? dangerouslySetInnerHTML (XSS risk) in scripts/src/scripts/security/GrimSecurityScanner.res.mjs
Critical scripts/src/scripts/security/GrimSecurityScanner.mjs:? eval() usage in scripts/src/scripts/security/GrimSecurityScanner.mjs
High scripts/src/scripts/security/GrimSecurityScanner.mjs:? DOM manipulation (innerHTML/document.write) in scripts/src/scripts/security/GrimSecurityScanner.mjs
High scripts/src/scripts/security/GrimSecurityScanner.mjs:? dangerouslySetInnerHTML (XSS risk) in scripts/src/scripts/security/GrimSecurityScanner.mjs
High scripts/src/core/GrimCore.mjs:? DOM manipulation (innerHTML/document.write) in scripts/src/core/GrimCore.mjs
High scripts/src/core/GrimCore.res.mjs:? DOM manipulation (innerHTML/document.write) in scripts/src/core/GrimCore.res.mjs
High scripts/userscripts/GrimLicenseChecker.user.js:? DOM manipulation (innerHTML/document.write) in scripts/userscripts/GrimLicenseChecker.user.js
Critical scripts/userscripts/GrimSecurityScanner.user.js:? eval() usage in scripts/userscripts/GrimSecurityScanner.user.js
High scripts/userscripts/GrimSecurityScanner.user.js:? DOM manipulation (innerHTML/document.write) in scripts/userscripts/GrimSecurityScanner.user.js
High scripts/userscripts/GrimSecurityScanner.user.js:? dangerouslySetInnerHTML (XSS risk) in scripts/userscripts/GrimSecurityScanner.user.js
High scripts/userscripts/GrimTemplateEngine.user.js:? DOM manipulation (innerHTML/document.write) in scripts/userscripts/GrimTemplateEngine.user.js
High scripts/userscripts/GrimCIValidator.user.js:? DOM manipulation (innerHTML/document.write) in scripts/userscripts/GrimCIValidator.user.js
### `SupplyChain` (1 finding)
file:line list
🤖 Discovered during the panic-attack estate sweep (2026-05-26). See hyperpolymath/panic-attack#32 for campaign tracker.