I Scanned 97 Popular Open Source Projects. 23% Had Credentials in Public Code.
DEV Community·Кирилл·about 1 month ago
Last weekend I ran a static analysis sweep across 50 popular TypeScript and JavaScript repositories, all with 9,000+ GitHub stars. The results surprised me.

The Numbers

Out of 50 repositories (9,000–10,000 stars each):

Finding                       Repos   Percentage   Total
Credentials in public code    14      28%          157
Security-relevant patterns    25      50%          335
Unresolved TODO/FIXME         35      70%          1,015
Fully clean                   19      38%          —

Only 38% of popular projects were fully clean.

Who Was Scanned

microsoft/vscode-copilot-chat (9,859 stars): 5 credentials in code, 33 security patterns (12 high-severity), 194 TODOs. A single file, pythonCookbookData.ts, contains 7 eval() calls and 2 os.system() calls.

bluesky-social/atproto (9,336 stars): 68 credentials, the most of any repository scanned. Default passwords for self-hosted deployment: PASSWORD="admin", PASSWORD="changeme", PASSWORD="root".

aws-amplify/amplify-js (9,581 stars): 16 credentials, 13 security patterns, 106 TODOs. Amazon's project, with significant technical debt.

DouyinFE/semi-design (9,837 stars): 63 security patterns.…
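The article does not show its scanner, so here is an added example (my own code, not the author's tooling) of the kind of sweep described: regexes for hardcoded credentials, a short list of risky calls such as eval() and os.system(), and TODO/FIXME markers, run over a few constructed files and aggregated into the same shape of table the article reports (repositories affected, percentage, total hits). The regexes, the default-password list, the severity labels and the sample repositories are all assumptions made for the example; a real sweep would tune them per language and ecosystem.

```python
import re
from dataclasses import dataclass

# Assumed rules for the example; not the article author's actual ruleset.
# Credential: an identifier ending in password/secret/key/token assigned a quoted literal.
CREDENTIAL_RE = re.compile(
    r'(?i)\b\w*(?:password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*["\']([^"\']+)["\']'
)
# Values the article calls out as shipped defaults, plus a few common ones (assumed list).
DEFAULT_PASSWORDS = {"admin", "changeme", "root", "password", "123456"}
# Security-relevant patterns with an assumed severity each.
SECURITY_PATTERNS = {
    "eval()": (re.compile(r'(?<![\w.])eval\s*\('), "high"),
    "os.system()": (re.compile(r'\bos\.system\s*\('), "high"),
    "innerHTML=": (re.compile(r'\.innerHTML\s*='), "medium"),
}
TODO_RE = re.compile(r'\b(?:TODO|FIXME)\b')


@dataclass(frozen=True)
class Finding:
    kind: str       # "credential" | "security" | "todo"
    path: str
    line: int
    detail: str
    severity: str


def scan_file(path: str, text: str) -> list[Finding]:
    """Return every finding in one file, one Finding per hit."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CREDENTIAL_RE.finditer(line):
            value = m.group(1)
            # Skip template/env references like "${API_TOKEN}", "<your-key>", "{{secret}}":
            # they are placeholders, not leaked values.
            if value[0] in "$<{":
                continue
            sev = "high" if value.lower() in DEFAULT_PASSWORDS else "medium"
            findings.append(Finding("credential", path, lineno, m.group(0), sev))
        for name, (rx, sev) in SECURITY_PATTERNS.items():
            for _ in rx.finditer(line):          # count each call, not each line
                findings.append(Finding("security", path, lineno, name, sev))
        if TODO_RE.search(line):
            findings.append(Finding("todo", path, lineno, line.strip()[:60], "info"))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    out: list[Finding] = []
    for path, text in files.items():
        out.extend(scan_file(path, text))
    return out


def summarize(repos: dict[str, dict[str, str]]) -> dict[str, dict[str, float]]:
    """Per finding class: repos with >=1 hit, percentage of repos, total hits.
    'clean' = no credential and no security finding; TODOs alone do not disqualify,
    which is the only reading under which the article's 38% clean is consistent
    with its 70% TODO rate."""
    n = len(repos)
    table: dict[str, dict[str, float]] = {
        k: {"repos": 0, "total": 0} for k in ("credential", "security", "todo")
    }
    clean = 0
    for files in repos.values():
        findings = scan_repo(files)
        if not any(f.kind in ("credential", "security") for f in findings):
            clean += 1
        for k in table:
            hits = sum(1 for f in findings if f.kind == k)
            table[k]["total"] += hits
            if hits:
                table[k]["repos"] += 1
    pct = lambda c: round(100 * c / n, 1) if n else 0.0
    for k in table:
        table[k]["percent"] = pct(table[k]["repos"])
    table["clean"] = {"repos": clean, "total": 0, "percent": pct(clean)}
    return table


# Constructed sample repositories (not real projects) exercising each rule and the placeholder edge case.
SAMPLE_REPOS = {
    "example-selfhost": {
        "docker-compose.example.env": 'POSTGRES_PASSWORD="changeme"\nADMIN_PASSWORD="admin"\nAPI_TOKEN="${API_TOKEN}"\n',
        "src/plugin.ts": "export function run(src: string) {\n  // TODO: sandbox this\n  return eval(src);\n}\n",
    },
    "example-ui": {
        "src/index.ts": "const apiKey = process.env.API_KEY;\nexport const x = 1;\n",
        "README.md": "Set API_KEY before running.\n",
    },
    "example-cli": {
        "src/main.py": "import os\n# FIXME: use subprocess with a list\nos.system(cmd)\n",
    },
}

if __name__ == "__main__":
    for kind, row in summarize(SAMPLE_REPOS).items():
        print(f"{kind:<12} repos={row['repos']:<3} {row['percent']:>5}%  total={row['total']}")
```

Two points worth carrying into a real sweep: the placeholder filter is what keeps `API_TOKEN="${API_TOKEN}"` from being counted, and an .env.example full of such references is a different finding from an actual default like `PASSWORD="admin"`; and counting eval() per occurrence rather than per line is what lets a single file report "7 eval() calls" the way the article does.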
