by saturndec
首家工业级全流程 AI 影视生产平台。Industry-first professional AI Agent platform for controllable film & video production. From shorts to live-action with Hollywood-standard workflows.
# Add to your Claude Code skills
git clone https://github.com/saturndec/waoowaoo
Last scanned: 4/17/2026
{
"issues": [
{
"type": "npm-audit",
"message": "@aws-sdk/xml-builder: Vulnerability found",
"severity": "low"
},
{
"type": "npm-audit",
"message": "@hono/node-server: @hono/node-server: Middleware bypass via repeated slashes in serveStatic",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@prisma/config: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@remotion/bundler: Vulnerability found",
"severity": "low"
},
{
"type": "npm-audit",
"message": "@remotion/cli: Vulnerability found",
"severity": "low"
},
{
"type": "npm-audit",
"message": "@remotion/studio-server: Vulnerability found",
"severity": "low"
},
{
"type": "npm-audit",
"message": "@vitest/coverage-v8: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@vitest/mocker: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@xmldom/xmldom: xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion",
"severity": "high"
},
{
"type": "npm-audit",
"message": "ajv: ajv has ReDoS when using `$data` option",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "ajv-formats: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "brace-expansion: brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "conf: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "cos-nodejs-sdk-v5: Vulnerability found",
"severity": "critical"
},
{
"type": "npm-audit",
"message": "defu: defu: Prototype pollution via `__proto__` key in defaults argument",
"severity": "high"
},
{
"type": "npm-audit",
"message": "effect: Effect `AsyncLocalStorage` context lost/contaminated inside Effect fibers under concurrent load with RPC",
"severity": "high"
},
{
"type": "npm-audit",
"message": "esbuild: esbuild enables any website to send any requests to the development server and read the response",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "express-rate-limit: express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting on servers with dual-stack network",
"severity": "high"
},
{
"type": "npm-audit",
"message": "fast-xml-parser: fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names",
"severity": "critical"
},
{
"type": "npm-audit",
"message": "flatted: flatted vulnerable to unbounded recursion DoS in parse() revive phase",
"severity": "high"
},
{
"type": "npm-audit",
"message": "form-data: form-data uses unsafe random function in form-data for choosing boundary",
"severity": "critical"
},
{
"type": "npm-audit",
"message": "glob: glob CLI: Command injection via -c/--cmd executes matches with shell:true",
"severity": "high"
},
{
"type": "npm-audit",
"message": "hono: Hono vulnerable to Prototype Pollution possible through __proto__ key allowed in parseBody({ dot: true })",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "js-yaml: js-yaml has prototype pollution in merge (<<)",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "lodash: Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions",
"severity": "high"
},
{
"type": "npm-audit",
"message": "minimatch: minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
"severity": "high"
},
{
"type": "npm-audit",
"message": "next: Next Server Actions Source Code Exposure ",
"severity": "high"
},
{
"type": "npm-audit",
"message": "next-auth: NextAuthjs Email misdelivery Vulnerability",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "next-intl: next-intl has an open redirect vulnerability",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "path-to-regexp: path-to-regexp vulnerable to Denial of Service via sequential optional groups",
"severity": "high"
},
{
"type": "npm-audit",
"message": "picomatch: Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching",
"severity": "high"
},
{
"type": "npm-audit",
"message": "preact: Preact has JSON VNode Injection issue",
"severity": "high"
},
{
"type": "npm-audit",
"message": "prisma: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "qs: qs's arrayLimit bypass in comma parsing allows denial of service",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "request: Server-Side Request Forgery in Request",
"severity": "critical"
},
{
"type": "npm-audit",
"message": "rollup: Rollup 4 has Arbitrary File Write via Path Traversal",
"severity": "high"
},
{
"type": "npm-audit",
"message": "serialize-javascript: Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()",
"severity": "high"
},
{
"type": "npm-audit",
"message": "tar: node-tar has a race condition leading to uninitialized memory exposure",
"severity": "high"
},
{
"type": "npm-audit",
"message": "terser-webpack-plugin: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "tough-cookie: tough-cookie Prototype Pollution vulnerability",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "underscore: Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack",
"severity": "high"
},
{
"type": "npm-audit",
"message": "undici: Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client",
"severity": "high"
},
{
"type": "npm-audit",
"message": "vite: Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "vite-node: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "vitest: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "webpack: webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior",
"severity": "low"
}
],
"status": "FAILED",
"scannedAt": "2026-04-17T06:06:20.585Z",
"semgrepRan": false,
"npmAuditRan": true,
"pipAuditRan": true
}
[!IMPORTANT] ⚠️ 测试版声明:本项目目前处于测试初期阶段,由于暂时只有我一个人开发,存在部分 bug 和不完善之处。我们正在快速迭代更新中,欢迎进群反馈问题和需求,及时关注项目更新!目前更新会非常频繁,后续会增加大量新功能以及优化效果,我们的目标是成为行业最强AI工具!
前提条件:安装 Docker Desktop
无需克隆仓库,下载即用:
# 下载 docker-compose.yml
curl -O https://raw.githubusercontent.com/saturndec/waoowaoo/main/docker-compose.yml
# 启动所有服务
docker compose up -d
⚠️ 当前为测试版,版本间数据库不兼容。升级请先清除旧数据(`docker compose down -v` 会一并删除数据卷,已有数据将丢失,如需保留请先备份):
docker compose down -v
docker rmi ghcr.io/saturndec/waoowaoo:latest
curl -O https://raw.githubusercontent.com/saturndec/waoowaoo/main/docker-compose.yml
docker compose up -d
启动后请清空浏览器缓存并重新登录,避免旧版本缓存导致异常。
git clone https://github.com/saturndec/waoowaoo.git
cd waoowaoo
docker compose up -d
更新版本:
git pull
docker compose down && docker compose up -d --build
git clone https://github.com/saturndec/waoowaoo.git
cd waoowaoo
# 复制环境变量配置文件(必须在 npm install 之前完成)
cp .env.example .env
# ⚠️ 编辑 .env,填入你的 AI API Key(NEXTAUTH_URL 默认已是 http://localhost:3000,无需修改);.env 含密钥,请勿提交到版本库
npm install
# 只启动基础设施
# 注意:docker-compose.yml 将服务映射到非标准端口,.env.example 已按此预设:
# mysql:13306 redis:16379 minio:19000
docker compose up mysql redis minio -d
# 初始化数据库表结构(首次必须执行,跳过会导致启动后报错)
npx prisma db push
# 启动开发服务器
npm run dev
[!WARNING] 跳过 `npx prisma db push` 会导致所有数据库表不存在,启动后报错 `The table 'tasks' does not exist`。请务必先运行此命令再启动开发服务器。
访问 http://localhost:13000(方式一、二)或 http://localhost:3000(方式三)开始使用!
首次启动会自动完成数据库初始化,无需任何额外配置。
[!TIP] 如果遇到网页卡顿:HTTP 模式下浏览器可能限制并发连接。可安装 Caddy 启用 HTTPS:
caddy run --config Caddyfile
启动后进入设置中心配置 AI 服务的 API Key,内置配置教程。
💡 注意:目前仅推荐使用各服务商官方 API,第三方兼容格式(OpenAI Compatible)尚不完善,后续版本会持续优化。
本项目由核心团队独立维护。欢迎你通过以下方式参与:
Made with ❤️ by waoowaoo team