{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "GHSA-phc3-fgpg-7m6h", "name": "undici: GHSA-phc3-fgpg-7m6h", "shortDescription": {"text": "undici: GHSA-phc3-fgpg-7m6h"}, "fullDescription": {"text": "Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4992-7rv2-5pvq", "name": "undici: GHSA-4992-7rv2-5pvq", "shortDescription": {"text": "undici: GHSA-4992-7rv2-5pvq"}, "fullDescription": {"text": "Undici has CRLF Injection in undici via `upgrade` option"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2mjp-6q6p-2qxm", "name": "undici: GHSA-2mjp-6q6p-2qxm", "shortDescription": {"text": "undici: GHSA-2mjp-6q6p-2qxm"}, "fullDescription": {"text": "Undici has an HTTP Request/Response Smuggling issue"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `jsdom` is 1 major version(s) behind (^28.0.0 -> 29.1.1)", "shortDescription": {"text": "npm package `jsdom` is 1 major version(s) behind (^28.0.0 -> 29.1.1)"}, "fullDescription": {"text": "`jsdom` is pinned/resolved at ^28.0.0 but the latest stable release on the npm registry is 29.1.1 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. 
This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-GHA", "name": "GitHub Action `oven-sh/setup-bun@v2` is minor version(s) behind (latest v2.2.0)", "shortDescription": {"text": "GitHub Action `oven-sh/setup-bun@v2` is minor version(s) behind (latest v2.2.0)"}, "fullDescription": {"text": "`uses: oven-sh/setup-bun@v2` is minor version(s) behind the latest published release v2.2.0. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises \u2014 and which Repobility had no coverage for."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "low", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_LICENSE", "name": "No LICENSE file", "shortDescription": {"text": "No LICENSE file"}, "fullDescription": {"text": "Add a LICENSE file to your repository. Use choosealicense.com to pick the right license (MIT for permissive, Apache 2.0 for patent protection, GPL for copyleft)."}, "properties": {"scanner": "repobility-core", "category": "documentation", "severity": "low", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-704 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. 
If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "GHSA-vrm6-8vpv-qv8q", "name": "undici: GHSA-vrm6-8vpv-qv8q", "shortDescription": {"text": "undici: GHSA-vrm6-8vpv-qv8q"}, "fullDescription": {"text": "Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v9p9-hfj2-hcw8", "name": "undici: GHSA-v9p9-hfj2-hcw8", "shortDescription": {"text": "undici: GHSA-v9p9-hfj2-hcw8"}, "fullDescription": {"text": "Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f269-vfmq-vjvj", "name": "undici: GHSA-f269-vfmq-vjvj", "shortDescription": {"text": "undici: GHSA-f269-vfmq-vjvj"}, "fullDescription": {"text": "Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. 
Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16.\nRe-apply the same check to the resolved IP address and to every redirect target, since a DNS answer or a 3xx from an allowed host can still point at an internal address."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `oven-sh/setup-bun` pinned to mutable ref `@v2`", "shortDescription": {"text": "Action `oven-sh/setup-bun` pinned to mutable ref `@v2`"}, "fullDescription": {"text": "`uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found", "shortDescription": {"text": "No test files found"}, "fullDescription": {"text": "Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). 
Start with tests for critical business logic and security-sensitive functions."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1165"}, "properties": {"repository": "wenxig/dongtai-sub", "repoUrl": "https://github.com/wenxig/dongtai-sub", "branch": "main"}, "results": [{"ruleId": "GHSA-phc3-fgpg-7m6h", "level": "warning", "message": {"text": "undici: GHSA-phc3-fgpg-7m6h"}, "properties": {"repobilityId": 116758, "scanner": "osv-scanner", "fingerprint": "481f03d4850eb8d3bdbc65429944067fb2eee557dcc43cd83ffaf82b6c81cff3", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2581"], "package": "undici", "rule_id": "GHSA-phc3-fgpg-7m6h", "scanner": "osv-scanner", "correlation_key": "vuln|undici|CVE-2026-2581|bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4992-7rv2-5pvq", "level": "warning", "message": {"text": "undici: GHSA-4992-7rv2-5pvq"}, "properties": {"repobilityId": 116756, "scanner": "osv-scanner", "fingerprint": "9a0201b6bfc0ba4c50144f28af8fea219ce587f576c86472c59cd7afd3cf3c62", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-1527"], "package": "undici", "rule_id": "GHSA-4992-7rv2-5pvq", "scanner": "osv-scanner", "correlation_key": "vuln|undici|CVE-2026-1527|bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2mjp-6q6p-2qxm", "level": "warning", "message": {"text": "undici: GHSA-2mjp-6q6p-2qxm"}, "properties": {"repobilityId": 116755, "scanner": "osv-scanner", "fingerprint": 
"c9432977f2bc8e1ba10e4de7540db8a8d4fc6a492a7f255f0e30cf060ed5a486", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-1525"], "package": "undici", "rule_id": "GHSA-2mjp-6q6p-2qxm", "scanner": "osv-scanner", "correlation_key": "vuln|undici|CVE-2026-1525|bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `jsdom` is 1 major version(s) behind (^28.0.0 -> 29.1.1)"}, "properties": {"repobilityId": 116743, "scanner": "repobility-dependency-currency", "fingerprint": "dcbc68f352be9b2e761720dca5c317d863c2a9099f82e00727f8f6ada9dd5300", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "jsdom", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "29.1.1", "correlation_key": "fp|dcbc68f352be9b2e761720dca5c317d863c2a9099f82e00727f8f6ada9dd5300", "current_version": "^28.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-GHA", "level": "note", "message": {"text": "GitHub Action `oven-sh/setup-bun@v2` is minor version(s) behind (latest v2.2.0)"}, "properties": {"repobilityId": 116749, "scanner": "repobility-dependency-currency", "fingerprint": "ea8c46f8b2c7d5de132de950faec997f2257f29a89e54acc1999a918e074cd1e", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "oven-sh/setup-bun", 
"scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v2.2.0", "correlation_key": "fp|ea8c46f8b2c7d5de132de950faec997f2257f29a89e54acc1999a918e074cd1e", "current_version": "v2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/hourly-write.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `oxlint` is minor version(s) behind (^1.51.0 -> 1.68.0)"}, "properties": {"repobilityId": 116747, "scanner": "repobility-dependency-currency", "fingerprint": "289672465f077065c48dd3569f645f50a8b50878fc1ac341e722ac41432dbe3b", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "oxlint", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.68.0", "correlation_key": "fp|289672465f077065c48dd3569f645f50a8b50878fc1ac341e722ac41432dbe3b", "current_version": "^1.51.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `oxfmt` is minor version(s) behind (^0.36.0 -> 0.53.0)"}, "properties": {"repobilityId": 116746, "scanner": "repobility-dependency-currency", "fingerprint": "17debb7cd18f4063e0698d1ca132886cb2782c3a104a42a7133a7b80bd22979f", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "oxfmt", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.53.0", "correlation_key": 
"fp|17debb7cd18f4063e0698d1ca132886cb2782c3a104a42a7133a7b80bd22979f", "current_version": "^0.36.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "CORE_NO_LICENSE", "level": "note", "message": {"text": "No LICENSE file"}, "properties": {"repobilityId": 116740, "scanner": "repobility-core", "fingerprint": "9314e9238cd99885865b92490d1aaa96ca62b1390c9377878d5f3d99227e1c3c", "category": "documentation", "severity": "low", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_LICENSE", "scanner": "repobility-core", "correlation_key": "repo|documentation|core_no_license"}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 116754, "scanner": "repobility-threat-engine", "fingerprint": "03038c36e89ae9f7955e8e27ec30f2d5a9bf0b7bace00794dc835cb148d22615", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|03038c36e89ae9f7955e8e27ec30f2d5a9bf0b7bace00794dc835cb148d22615"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/output/mihomo.ts"}, "region": {"startLine": 205}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 116753, "scanner": 
"repobility-threat-engine", "fingerprint": "270a5cb7328fa898691fcf3d6a6317e07b5f1b9b68c336c0be06750644775f77", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|270a5cb7328fa898691fcf3d6a6317e07b5f1b9b68c336c0be06750644775f77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/output/mihomo.ts"}, "region": {"startLine": 222}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 116751, "scanner": "repobility-threat-engine", "fingerprint": "9f938e8ad4ab4fe4862f77daaa8a423d58d3a67cca3a27edabcdcc36d28a2d03", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '\\.then\\s*\\(' detected on same line", "evidence": {"match": "Promise.all(", "reason": "Safe pattern '\\.then\\s*\\(' detected on same line", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|9f938e8ad4ab4fe4862f77daaa8a423d58d3a67cca3a27edabcdcc36d28a2d03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/sources/index.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "DEPCUR-GHA", "level": "none", "message": {"text": "GitHub Action `actions/checkout@v6` is patch version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 116748, "scanner": "repobility-dependency-currency", "fingerprint": "b4a6e2dde800d90ddfa5e438d07732e64e671097432f35a3aa0c8bf79f499370", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|b4a6e2dde800d90ddfa5e438d07732e64e671097432f35a3aa0c8bf79f499370", "current_version": "v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/hourly-write.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@types/jsdom` is patch version(s) behind (^28.0.0 -> 28.0.3)"}, "properties": {"repobilityId": 116745, "scanner": 
"repobility-dependency-currency", "fingerprint": "f631163b4ebe7c0265ceb97da1b38574a7b5ce23efddcd4759b7116cc3142c9e", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/jsdom", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "28.0.3", "correlation_key": "fp|f631163b4ebe7c0265ceb97da1b38574a7b5ce23efddcd4759b7116cc3142c9e", "current_version": "^28.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@types/bun` is patch version(s) behind (^1.3.9 -> 1.3.14)"}, "properties": {"repobilityId": 116744, "scanner": "repobility-dependency-currency", "fingerprint": "ddcf8b7d89283b0b905a2c2beeced6c6cff7cbe6b379d61ead3fc95f1454a8ae", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/bun", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.3.14", "correlation_key": "fp|ddcf8b7d89283b0b905a2c2beeced6c6cff7cbe6b379d61ead3fc95f1454a8ae", "current_version": "^1.3.9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vrm6-8vpv-qv8q", "level": "error", "message": {"text": "undici: GHSA-vrm6-8vpv-qv8q"}, "properties": {"repobilityId": 116760, "scanner": "osv-scanner", "fingerprint": "40ae4e8e065255fbafeccf1d593788284c79b15227ff7bad635a59030f2774c5", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": 
false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-1526"], "package": "undici", "rule_id": "GHSA-vrm6-8vpv-qv8q", "scanner": "osv-scanner", "correlation_key": "vuln|undici|CVE-2026-1526|bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v9p9-hfj2-hcw8", "level": "error", "message": {"text": "undici: GHSA-v9p9-hfj2-hcw8"}, "properties": {"repobilityId": 116759, "scanner": "osv-scanner", "fingerprint": "ac72576076554347bd0353820e78fbc3f3de0976cc634291030eb09f3ff6e64b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2229"], "package": "undici", "rule_id": "GHSA-v9p9-hfj2-hcw8", "scanner": "osv-scanner", "correlation_key": "vuln|undici|CVE-2026-2229|bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f269-vfmq-vjvj", "level": "error", "message": {"text": "undici: GHSA-f269-vfmq-vjvj"}, "properties": {"repobilityId": 116757, "scanner": "osv-scanner", "fingerprint": "4a3fb696df2c0388c2aa7077f554bdcd20fa7b4e714234d2f9b68c476105ae09", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-1528"], "package": "undici", "rule_id": "GHSA-f269-vfmq-vjvj", "scanner": "osv-scanner", "correlation_key": "vuln|undici|CVE-2026-1528|bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. 
Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 116752, "scanner": "repobility-threat-engine", "fingerprint": "54d5c19e87e1fb300dcf6d57a6ef0c1b1de7b2a1e0a6304795c3885c1440820a", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|54d5c19e87e1fb300dcf6d57a6ef0c1b1de7b2a1e0a6304795c3885c1440820a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/output/mihomo.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 116750, "scanner": "repobility-threat-engine", "fingerprint": "ace974578e03a6e8a76c3c3868c032e274e4c76fd7c5f98d66d96e69725e8196", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Promise.all(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ace974578e03a6e8a76c3c3868c032e274e4c76fd7c5f98d66d96e69725e8196"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/output/index.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `oven-sh/setup-bun` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 116742, "scanner": "repobility-supply-chain", "fingerprint": "6b16ea79172132b5f106c059c610791ff1e0aa11b08c64083f9741f30dcad0a0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6b16ea79172132b5f106c059c610791ff1e0aa11b08c64083f9741f30dcad0a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/hourly-write.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 116741, "scanner": "repobility-supply-chain", "fingerprint": "695eacaf555ce4ceb593c32f496ee58b6e15929792680d995fb287c37d3104ad", "category": "dependency", "severity": "high", "confidence": 0.9, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|695eacaf555ce4ceb593c32f496ee58b6e15929792680d995fb287c37d3104ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/hourly-write.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "error", "message": {"text": "No test files found"}, "properties": {"repobilityId": 116739, "scanner": "repobility-core", "fingerprint": "0200e9918bc2a7bf9c116d0907e50ac3df640c758b93852cf1890ec6e14d870d", "category": "testing", "severity": "high", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "correlation_key": "repo|testing|core_no_tests"}}}]}]}