{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "GHSA-g9mf-h72j-4rw9", "name": "undici: GHSA-g9mf-h72j-4rw9", "shortDescription": {"text": "undici: GHSA-g9mf-h72j-4rw9"}, "fullDescription": {"text": "Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c76h-2ccp-4975", "name": "undici: GHSA-c76h-2ccp-4975", "shortDescription": {"text": "undici: GHSA-c76h-2ccp-4975"}, "fullDescription": {"text": "Use of Insufficiently Random Values in undici"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4992-7rv2-5pvq", "name": "undici: GHSA-4992-7rv2-5pvq", "shortDescription": {"text": "undici: GHSA-4992-7rv2-5pvq"}, "fullDescription": {"text": "Undici has CRLF Injection in undici via `upgrade` option"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2mjp-6q6p-2qxm", "name": "undici: GHSA-2mjp-6q6p-2qxm", "shortDescription": {"text": "undici: GHSA-2mjp-6q6p-2qxm"}, "fullDescription": {"text": "Undici has an HTTP Request/Response Smuggling issue"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-p36q-q72m-gchr", "name": "srvx: GHSA-p36q-q72m-gchr", "shortDescription": {"text": "srvx: GHSA-p36q-q72m-gchr"}, "fullDescription": {"text": "srvx is vulnerable to middleware bypass via absolute URI in request line "}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v3rj-xjv7-4jmq", "name": "smol-toml: GHSA-v3rj-xjv7-4jmq", "shortDescription": {"text": "smol-toml: GHSA-v3rj-xjv7-4jmq"}, "fullDescription": {"text": "smol-toml: Denial of Service via TOML documents containing thousands of consecutive commented lines"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-fm4j-4xhm-xpwx", "name": "sandbox: GHSA-fm4j-4xhm-xpwx", "shortDescription": {"text": "sandbox: GHSA-fm4j-4xhm-xpwx"}, "fullDescription": {"text": "Sandbox Breakout / Arbitrary Code Execution in sandbox"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-27v5-c462-wpq7", "name": "path-to-regexp: GHSA-27v5-c462-wpq7", "shortDescription": {"text": "path-to-regexp: GHSA-27v5-c462-wpq7"}, "fullDescription": {"text": "path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2g4f-4pwh-qvx6", "name": "ajv: GHSA-2g4f-4pwh-qvx6", "shortDescription": {"text": "ajv: GHSA-2g4f-4pwh-qvx6"}, "fullDescription": {"text": "ajv has ReDoS when using `$data` option"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `lint-staged` is 1 major version(s) behind (16.4.0 -> 17.0.7)", "shortDescription": {"text": "npm package `lint-staged` is 1 major version(s) behind (16.4.0 -> 17.0.7)"}, "fullDescription": {"text": "`lint-staged` is pinned/resolved at 16.4.0 but the latest stable release on the npm registry is 17.0.7 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "GHSA-cxrh-j4jr-qwg3", "name": "undici: GHSA-cxrh-j4jr-qwg3", "shortDescription": {"text": "undici: GHSA-cxrh-j4jr-qwg3"}, "fullDescription": {"text": "undici Denial of Service attack via bad certificate data"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-vpq2-c234-7xj6", "name": "@tootallnate/once: GHSA-vpq2-c234-7xj6", "shortDescription": {"text": "@tootallnate/once: GHSA-vpq2-c234-7xj6"}, "fullDescription": {"text": "@tootallnate/once vulnerable to Incorrect Control Flow Scoping"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 4 more): Same pattern found in 4 additional fil", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 3 more): Same pattern found in 3 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 18 more): Same pattern found in 18 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order.", "shortDescription": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 16 more): Same pattern found in 16 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "GHSA-vrm6-8vpv-qv8q", "name": "undici: GHSA-vrm6-8vpv-qv8q", "shortDescription": {"text": "undici: GHSA-vrm6-8vpv-qv8q"}, "fullDescription": {"text": "Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v9p9-hfj2-hcw8", "name": "undici: GHSA-v9p9-hfj2-hcw8", "shortDescription": {"text": "undici: GHSA-v9p9-hfj2-hcw8"}, "fullDescription": {"text": "Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qffp-2rhf-9h96", "name": "tar: GHSA-qffp-2rhf-9h96", "shortDescription": {"text": "tar: GHSA-qffp-2rhf-9h96"}, "fullDescription": {"text": "tar has Hardlink Path Traversal via Drive-Relative Linkpath"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9ppj-qmqm-q256", "name": "tar: GHSA-9ppj-qmqm-q256", "shortDescription": {"text": "tar: GHSA-9ppj-qmqm-q256"}, "fullDescription": {"text": "node-tar Symlink Path Traversal via Drive-Relative Linkpath"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-83g3-92jg-28cx", "name": "tar: GHSA-83g3-92jg-28cx", "shortDescription": {"text": "tar: GHSA-83g3-92jg-28cx"}, "fullDescription": {"text": "Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-j3q9-mxjg-w52f", "name": "path-to-regexp: GHSA-j3q9-mxjg-w52f", "shortDescription": {"text": "path-to-regexp: GHSA-j3q9-mxjg-w52f"}, "fullDescription": {"text": "path-to-regexp vulnerable to Denial of Service via sequential optional groups"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9wv6-86v2-598j", "name": "path-to-regexp: GHSA-9wv6-86v2-598j", "shortDescription": {"text": "path-to-regexp: GHSA-9wv6-86v2-598j"}, "fullDescription": {"text": "path-to-regexp outputs backtracking regular expressions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7r86-cg39-jmmj", "name": "minimatch: GHSA-7r86-cg39-jmmj", "shortDescription": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "fullDescription": {"text": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3ppc-4f35-3m26", "name": "minimatch: GHSA-3ppc-4f35-3m26", "shortDescription": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "fullDescription": {"text": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-23c5-xmqv-rm74", "name": "minimatch: GHSA-23c5-xmqv-rm74", "shortDescription": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "fullDescription": {"text": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI bu"}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `getsentry/action-prepare-release` pinned to mutable ref `@v1`", "shortDescription": {"text": "Action `getsentry/action-prepare-release` pinned to mutable ref `@v1`"}, "fullDescription": {"text": "`uses: getsentry/action-prepare-release@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "Workflow container/services image `redis:7-alpine` unpinned", "shortDescription": {"text": "Workflow container/services image `redis:7-alpine` unpinned"}, "fullDescription": {"text": "`container/services image: redis:7-alpine` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "Express POST /api/webhooks/:platform has no auth", "shortDescription": {"text": "Express POST /api/webhooks/:platform has no auth"}, "fullDescription": {"text": "Express route POST /api/webhooks/:platform declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "GHSA-gc25-3vc5-2jf9", "name": "sandbox: GHSA-gc25-3vc5-2jf9", "shortDescription": {"text": "sandbox: GHSA-gc25-3vc5-2jf9"}, "fullDescription": {"text": "Sandbox Breakout / Arbitrary Code Execution in sandbox"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "private-key", "name": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.", "shortDescription": {"text": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "Workflow uses `secrets.VERCEL_OIDC_TOKEN` on a `pull_request` trigger", "shortDescription": {"text": "Workflow uses `secrets.VERCEL_OIDC_TOKEN` on a `pull_request` trigger"}, "fullDescription": {"text": "This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.VERCEL_OIDC_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1065"}, "properties": {"repository": "getsentry/junior", "repoUrl": "https://github.com/getsentry/junior", "branch": "main"}, "results": [{"ruleId": "GHSA-g9mf-h72j-4rw9", "level": "warning", "message": {"text": "undici: GHSA-g9mf-h72j-4rw9"}, "properties": {"repobilityId": 104623, "scanner": "osv-scanner", "fingerprint": "783888cf99ccdd193a6bbf5808eb99a946b0897c275ba28a7321371df70feae9", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-22036"], "package": "undici", "rule_id": "GHSA-g9mf-h72j-4rw9", "scanner": "osv-scanner", "correlation_key": "vuln|undici|CVE-2026-22036|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c76h-2ccp-4975", "level": "warning", "message": {"text": "undici: GHSA-c76h-2ccp-4975"}, "properties": {"repobilityId": 104621, "scanner": "osv-scanner", "fingerprint": "631f5ffae457fa89987019c583ceec49a26f2d33619c300560f8175077b4c913", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-22150"], "package": "undici", "rule_id": "GHSA-c76h-2ccp-4975", "scanner": "osv-scanner", "correlation_key": "vuln|undici|CVE-2025-22150|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4992-7rv2-5pvq", "level": "warning", "message": {"text": "undici: GHSA-4992-7rv2-5pvq"}, "properties": {"repobilityId": 104620, "scanner": "osv-scanner", "fingerprint": "8115727bfcf9fb5c733f94951b6c76b53101eaf392c34bbf2e4981a84489f899", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-1527"], "package": "undici", "rule_id": "GHSA-4992-7rv2-5pvq", "scanner": "osv-scanner", "correlation_key": "vuln|undici|CVE-2026-1527|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2mjp-6q6p-2qxm", "level": "warning", "message": {"text": "undici: GHSA-2mjp-6q6p-2qxm"}, "properties": {"repobilityId": 104619, "scanner": "osv-scanner", "fingerprint": "27feada98ab5f326c7254750f715731608e011901400f45934a064cef0424d39", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-1525"], "package": "undici", "rule_id": "GHSA-2mjp-6q6p-2qxm", "scanner": "osv-scanner", "correlation_key": "vuln|undici|CVE-2026-1525|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-p36q-q72m-gchr", "level": "warning", "message": {"text": "srvx: GHSA-p36q-q72m-gchr"}, "properties": {"repobilityId": 104615, "scanner": "osv-scanner", "fingerprint": "d3f76db18fb17fd31740d94fc77d26f064ecb515a163cbc8d4ddb20b3ff1e427", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33732"], "package": "srvx", "rule_id": "GHSA-p36q-q72m-gchr", "scanner": "osv-scanner", "correlation_key": "vuln|srvx|CVE-2026-33732|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v3rj-xjv7-4jmq", "level": "warning", "message": {"text": "smol-toml: GHSA-v3rj-xjv7-4jmq"}, "properties": {"repobilityId": 104614, "scanner": "osv-scanner", "fingerprint": "cd040272d36f524e718de07acee7ce54502019f7f8a2101c74f4a12389702c8c", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "smol-toml", "rule_id": "GHSA-v3rj-xjv7-4jmq", "scanner": "osv-scanner", "correlation_key": "vuln|smol-toml|GHSA-V3RJ-XJV7-4JMQ|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-fm4j-4xhm-xpwx", "level": "warning", "message": {"text": "sandbox: GHSA-fm4j-4xhm-xpwx"}, "properties": {"repobilityId": 104612, "scanner": "osv-scanner", "fingerprint": "e551321a4b7389cb2f8dbf09997c9e0820d67fe1c4fef605bc8871bba6d11890", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "sandbox", "rule_id": "GHSA-fm4j-4xhm-xpwx", "scanner": "osv-scanner", "correlation_key": "vuln|sandbox|GHSA-FM4J-4XHM-XPWX|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-27v5-c462-wpq7", "level": "warning", "message": {"text": "path-to-regexp: GHSA-27v5-c462-wpq7"}, "properties": {"repobilityId": 104610, "scanner": "osv-scanner", "fingerprint": "5cf58924872fce28303cdda7647e6a181c0b46d2ba36332c6b52fa7cbbbf3169", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4923"], "package": "path-to-regexp", "rule_id": "GHSA-27v5-c462-wpq7", "scanner": "osv-scanner", "correlation_key": "vuln|path-to-regexp|CVE-2026-4923|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2g4f-4pwh-qvx6", "level": "warning", "message": {"text": "ajv: GHSA-2g4f-4pwh-qvx6"}, "properties": {"repobilityId": 104605, "scanner": "osv-scanner", "fingerprint": "0b4075edd70eccc9e81ce84656b8a0c1040ecc83769ba1ed4fe7ce3796321c93", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-69873"], "package": "ajv", "rule_id": "GHSA-2g4f-4pwh-qvx6", "scanner": "osv-scanner", "correlation_key": "vuln|ajv|CVE-2025-69873|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 104580, "scanner": "repobility-threat-engine", "fingerprint": "313c224f074d7cb5be0734bf5019d08edebe7d6245fadf803b369ce7d910c40f", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|308|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior/src/chat/capabilities/jr-rpc-command.ts"}, "region": {"startLine": 308}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 104579, "scanner": "repobility-threat-engine", "fingerprint": "cc4eefa57efd74a64257c6603d990046f59627ce229ed811f8a5806a77c0e8f1", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|158|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior/scripts/check-skills.mjs"}, "region": {"startLine": 158}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 104578, "scanner": "repobility-threat-engine", "fingerprint": "859c67a1dfb787ef663a8c826cfa61c5e155e1e64315e7c53d380e651a2da41d", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|175|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior-dashboard/src/client/components/transcriptMarkdownLinks.ts"}, "region": {"startLine": 175}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 104561, "scanner": "repobility-agent-runtime", "fingerprint": "3b2840199587c0df87cb5e6106f19abd18bb3520f3ea0a7d2579850d8d046b40", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|3b2840199587c0df87cb5e6106f19abd18bb3520f3ea0a7d2579850d8d046b40"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior/src/chat/tools/web/network.ts"}, "region": {"startLine": 108}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `lint-staged` is 1 major version(s) behind (16.4.0 -> 17.0.7)"}, "properties": {"repobilityId": 104537, "scanner": "repobility-dependency-currency", "fingerprint": "c8c09a56f6e0c3523c71e964fb69805d72202b9f7252b1d12e57fb4c6a85214c", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "lint-staged", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "17.0.7", "correlation_key": "fp|c8c09a56f6e0c3523c71e964fb69805d72202b9f7252b1d12e57fb4c6a85214c", "current_version": "16.4.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-cxrh-j4jr-qwg3", "level": "note", "message": {"text": "undici: GHSA-cxrh-j4jr-qwg3"}, "properties": {"repobilityId": 104622, "scanner": "osv-scanner", "fingerprint": "3cc07ade7eeffb287116e9b998809a062232a99bbf2fc80d37151f4e9e9b2b07", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-47279"], "package": "undici", "rule_id": "GHSA-cxrh-j4jr-qwg3", "scanner": "osv-scanner", "correlation_key": "vuln|undici|CVE-2025-47279|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vpq2-c234-7xj6", "level": "note", "message": {"text": "@tootallnate/once: GHSA-vpq2-c234-7xj6"}, "properties": {"repobilityId": 104604, "scanner": "osv-scanner", "fingerprint": "573ec4a58862875e8ce61f54e2504d06b2ca4d339b9ec7540be71ab58ff09e02", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-3449"], "package": "@tootallnate/once", "rule_id": "GHSA-vpq2-c234-7xj6", "scanner": "osv-scanner", "correlation_key": "vuln|tootallnate/once|CVE-2026-3449|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `typedoc-plugin-markdown` is minor version(s) behind (^4.11.0 -> 4.12.0)"}, "properties": {"repobilityId": 104560, "scanner": "repobility-dependency-currency", "fingerprint": "60a79b45a84f8e8f553a36a1115c1e8669a74a646c069434601fa051986530dd", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "typedoc-plugin-markdown", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.12.0", "correlation_key": "fp|60a79b45a84f8e8f553a36a1115c1e8669a74a646c069434601fa051986530dd", "current_version": "^4.11.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/docs/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `vitest-evals` is minor version(s) behind (0.11.0 -> 0.12.0)"}, "properties": {"repobilityId": 104558, "scanner": "repobility-dependency-currency", "fingerprint": "0c2b2babf38075ddfc49b910106e11e228eb2b4299f8360cd9e712c977a3dd19", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "vitest-evals", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.12.0", "correlation_key": "fp|0c2b2babf38075ddfc49b910106e11e228eb2b4299f8360cd9e712c977a3dd19", "current_version": "0.11.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior-evals/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `chat` is minor version(s) behind (4.29.0 -> 4.30.0)"}, "properties": {"repobilityId": 104557, "scanner": "repobility-dependency-currency", "fingerprint": "e33095f2b52445cebe09904d791a9a826865998c616a03521b0d79d9306f5c3e", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "chat", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.30.0", "correlation_key": "fp|e33095f2b52445cebe09904d791a9a826865998c616a03521b0d79d9306f5c3e", "current_version": "4.29.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior-evals/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `oxlint` is minor version(s) behind (^1.66.0 -> 1.68.0)"}, "properties": {"repobilityId": 104556, "scanner": "repobility-dependency-currency", "fingerprint": "b1d9adf63324f2d440d7bba7be28d811f154b48b13bb8b9eb3d5a1c97645bf0b", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "oxlint", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.68.0", "correlation_key": "fp|b1d9adf63324f2d440d7bba7be28d811f154b48b13bb8b9eb3d5a1c97645bf0b", "current_version": "^1.66.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `chat` is minor version(s) behind (4.29.0 -> 4.30.0)"}, "properties": {"repobilityId": 104554, "scanner": "repobility-dependency-currency", "fingerprint": "610cdf7f6e78f6a3725ee0176f2a2d4c579614efc87d848469d85f8b45b81a1c", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "chat", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.30.0", "correlation_key": "fp|610cdf7f6e78f6a3725ee0176f2a2d4c579614efc87d848469d85f8b45b81a1c", "current_version": "4.29.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@vercel/sandbox` is minor version(s) behind (2.0.0 -> 2.1.1)"}, "properties": {"repobilityId": 104552, "scanner": "repobility-dependency-currency", "fingerprint": "e92cb5eb44125ba70c0a9b380716b4d62329407c857d4a9d114e86f29ac161a5", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vercel/sandbox", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.1.1", "correlation_key": "fp|e92cb5eb44125ba70c0a9b380716b4d62329407c857d4a9d114e86f29ac161a5", "current_version": "2.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@vercel/queue` is minor version(s) behind (^0.2.0 -> 0.3.0)"}, "properties": {"repobilityId": 104551, "scanner": "repobility-dependency-currency", "fingerprint": "07e2185aba2b21494e9642f86ebf714c8f2cda12b34db23158a076dfc4bbeb26", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vercel/queue", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.3.0", "correlation_key": "fp|07e2185aba2b21494e9642f86ebf714c8f2cda12b34db23158a076dfc4bbeb26", "current_version": "^0.2.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@earendil-works/pi-ai` is minor version(s) behind (0.74.2 -> 0.78.1)"}, "properties": {"repobilityId": 104549, "scanner": "repobility-dependency-currency", "fingerprint": "caa0fbfcf4ab6037cfd2e76f9c0f31a5d229848e18c2ef9f9e5c5a09fc6f5ded", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@earendil-works/pi-ai", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.78.1", "correlation_key": "fp|caa0fbfcf4ab6037cfd2e76f9c0f31a5d229848e18c2ef9f9e5c5a09fc6f5ded", "current_version": "0.74.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@earendil-works/pi-agent-core` is minor version(s) behind (0.74.2 -> 0.78.1)"}, "properties": {"repobilityId": 104548, "scanner": "repobility-dependency-currency", "fingerprint": "40b192973d4468a3f02c00360c2b3be00580d1b6db1bc51dc8499c6f8e4042a8", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@earendil-works/pi-agent-core", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.78.1", "correlation_key": "fp|40b192973d4468a3f02c00360c2b3be00580d1b6db1bc51dc8499c6f8e4042a8", "current_version": "0.74.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@chat-adapter/state-redis` is minor version(s) behind (4.29.0 -> 4.30.0)"}, "properties": {"repobilityId": 104547, "scanner": "repobility-dependency-currency", "fingerprint": "c301bd3f71a1ab4bb292ee24921995eaee0e570300a5543b4014cb026352c7f0", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@chat-adapter/state-redis", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.30.0", "correlation_key": "fp|c301bd3f71a1ab4bb292ee24921995eaee0e570300a5543b4014cb026352c7f0", "current_version": "4.29.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@chat-adapter/state-memory` is minor version(s) behind (4.29.0 -> 4.30.0)"}, "properties": {"repobilityId": 104546, "scanner": "repobility-dependency-currency", "fingerprint": "c4c9ed3ba4b1b58b5e24983b48169743dd6f5ed22b06b98af1fa1ad5c15d7306", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@chat-adapter/state-memory", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.30.0", "correlation_key": "fp|c4c9ed3ba4b1b58b5e24983b48169743dd6f5ed22b06b98af1fa1ad5c15d7306", "current_version": "4.29.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@chat-adapter/slack` is minor version(s) behind (4.29.0 -> 4.30.0)"}, "properties": {"repobilityId": 104545, "scanner": "repobility-dependency-currency", "fingerprint": "3f04a5ac7301af1008c33745c19dbe4cbc76510ce8ca20c8052fa7ee1f000540", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@chat-adapter/slack", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.30.0", "correlation_key": "fp|3f04a5ac7301af1008c33745c19dbe4cbc76510ce8ca20c8052fa7ee1f000540", "current_version": "4.29.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `shiki` is minor version(s) behind (4.1.0 -> 4.2.0)"}, "properties": {"repobilityId": 104543, "scanner": "repobility-dependency-currency", "fingerprint": "fdd64649730ab12499db27d39e8b0f0816e139c403be06b73e9783dc6e3423c0", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "shiki", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.2.0", "correlation_key": "fp|fdd64649730ab12499db27d39e8b0f0816e139c403be06b73e9783dc6e3423c0", "current_version": "4.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior-dashboard/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@tanstack/react-query` is minor version(s) behind (^5.100.14 -> 5.101.0)"}, "properties": {"repobilityId": 104541, "scanner": "repobility-dependency-currency", "fingerprint": "ed445a792495423e0bccd39c8502bd54606e98dd9710bb74346fdd79908eeb8e", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@tanstack/react-query", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.101.0", "correlation_key": "fp|ed445a792495423e0bccd39c8502bd54606e98dd9710bb74346fdd79908eeb8e", "current_version": "^5.100.14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior-dashboard/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `oxlint` is minor version(s) behind (^1.66.0 -> 1.68.0)"}, "properties": {"repobilityId": 104540, "scanner": "repobility-dependency-currency", "fingerprint": "1bf1ee14cac13335b596399f7f5f254bb8132459834a2d6e6a01f69981407880", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "oxlint", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.68.0", "correlation_key": "fp|1bf1ee14cac13335b596399f7f5f254bb8132459834a2d6e6a01f69981407880", "current_version": "^1.66.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior-plugin-api/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `agent-browser` is minor version(s) behind (0.26.0 -> 0.27.1)"}, "properties": {"repobilityId": 104536, "scanner": "repobility-dependency-currency", "fingerprint": "58da23df06d71b7e7456246363cbee08ca3dc2ecbd6fa2bc25d320570fee2ad2", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "agent-browser", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.27.1", "correlation_key": "fp|58da23df06d71b7e7456246363cbee08ca3dc2ecbd6fa2bc25d320570fee2ad2", "current_version": "0.26.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 104508, "scanner": "repobility-ai-code-hygiene", "fingerprint": "eed878b33d75913d62bbd55793d8d47fb1851bef3a2d950d0dda30e550f5a2a5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/junior-evals/vitest.evals.config.ts", "duplicate_line": 11, "correlation_key": "fp|eed878b33d75913d62bbd55793d8d47fb1851bef3a2d950d0dda30e550f5a2a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior/vitest.config.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 104507, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5065c22726f5877a4d19b8f5301979c387ff7289fe0cfb00c57b63f0a2cd0450", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/junior-testing/src/http/github.ts", "duplicate_line": 37, "correlation_key": "fp|5065c22726f5877a4d19b8f5301979c387ff7289fe0cfb00c57b63f0a2cd0450"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior-testing/src/http/sentry.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 104506, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f8b19dc90ca933294924ef032381ecb5b68648cc4ef9829d0abe15671c196ec4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/junior-dashboard/src/app.ts", "duplicate_line": 119, "correlation_key": "fp|f8b19dc90ca933294924ef032381ecb5b68648cc4ef9829d0abe15671c196ec4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior-dashboard/src/client/api.ts"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 104598, "scanner": "repobility-threat-engine", "fingerprint": "123c2f665f024e9adc1eb4939161fdc7648ee1a8faf979d9f12f08e9e8abcc7c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|123c2f665f024e9adc1eb4939161fdc7648ee1a8faf979d9f12f08e9e8abcc7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior/src/chat/slack/mrkdwn.ts"}, "region": {"startLine": 70}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 104595, "scanner": "repobility-threat-engine", "fingerprint": "7a4b0f5540cad034a1707c0e9f6ef94d621d463e55602684599877ea4071a670", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7a4b0f5540cad034a1707c0e9f6ef94d621d463e55602684599877ea4071a670"}}}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 104589, "scanner": "repobility-threat-engine", "fingerprint": "588cbe6635e9107e3f4226ff395bb9d3b8dbc57f8977957784281db9e5f71589", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|588cbe6635e9107e3f4226ff395bb9d3b8dbc57f8977957784281db9e5f71589"}}}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 104585, "scanner": "repobility-threat-engine", "fingerprint": "f1c2c4035cdd6e0916d588faf9becbbbd5dd61a9e4a7efb0017757e4e82f5c05", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f1c2c4035cdd6e0916d588faf9becbbbd5dd61a9e4a7efb0017757e4e82f5c05"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 104581, "scanner": "repobility-threat-engine", "fingerprint": "2f2c41301c1dbf5a378e7fb88f09e64c16178cf76632d7c8f5254e7775e098f0", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2f2c41301c1dbf5a378e7fb88f09e64c16178cf76632d7c8f5254e7775e098f0"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "properties": {"repobilityId": 104577, "scanner": "repobility-threat-engine", "fingerprint": "54788ada82aa489e875938ab58165ca4b1594eca53726465dbeab561ecdd5864", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 18 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 18 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|54788ada82aa489e875938ab58165ca4b1594eca53726465dbeab561ecdd5864"}}}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 104573, "scanner": "repobility-threat-engine", "fingerprint": "7b9955cce91ffcb12c4e06efbf2883137a347c971a7add759e163e3c2ad21d1e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7b9955cce91ffcb12c4e06efbf2883137a347c971a7add759e163e3c2ad21d1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior-dashboard/src/client/code.tsx"}, "region": {"startLine": 165}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 104572, "scanner": "repobility-threat-engine", "fingerprint": "34093312102110343fa5c965a87e8a4403f5786e41d0715b6f448654ba31f101", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|34093312102110343fa5c965a87e8a4403f5786e41d0715b6f448654ba31f101"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior-dashboard/src/client/components/TranscriptText.tsx"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 104571, "scanner": "repobility-threat-engine", "fingerprint": "fa5f6b486d79afd59b4c2f5af0a1a5d07c52836b5184088e034e8384f033ee17", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fa5f6b486d79afd59b4c2f5af0a1a5d07c52836b5184088e034e8384f033ee17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior-dashboard/src/client/code.tsx"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "properties": {"repobilityId": 104570, "scanner": "repobility-threat-engine", "fingerprint": "55eeb0a9a7194b21f6ca02ef7c193b2459911684409e0c708c006743b2248894", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 16 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|55eeb0a9a7194b21f6ca02ef7c193b2459911684409e0c708c006743b2248894", "aggregated_count": 16}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 104569, "scanner": "repobility-threat-engine", "fingerprint": "2ead4712fe0abcde7fb51bb32335d30c3c9a7a66cc1732de769e112006a7df61", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2ead4712fe0abcde7fb51bb32335d30c3c9a7a66cc1732de769e112006a7df61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior/src/app.ts"}, "region": {"startLine": 127}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 104568, "scanner": "repobility-threat-engine", "fingerprint": "c74b594c6d9ceddf61798300fac2a22696cb6b42d88e99a7f178cf1620960b5c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c74b594c6d9ceddf61798300fac2a22696cb6b42d88e99a7f178cf1620960b5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior-dashboard/src/config.ts"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 104567, "scanner": "repobility-threat-engine", "fingerprint": "c2b13acd1adefa7845c420dc097ce7a3a835d3beb22c3d3aab8f9e4095f0266b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c2b13acd1adefa7845c420dc097ce7a3a835d3beb22c3d3aab8f9e4095f0266b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior-dashboard/src/auth.ts"}, "region": {"startLine": 151}}}]}, {"ruleId": "SEC001", "level": "none", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 104566, "scanner": "repobility-threat-engine", "fingerprint": "de39836e5ae18a683b60d2d648adadc9346a9c6836492aa0bb15f5795c80df7d", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "PASSWORD='<redacted>'", "reason": "Safe context pattern detected", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|6|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior-agent-browser/skills/agent-browser/templates/authenticated-session.sh"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 104565, "scanner": "repobility-threat-engine", "fingerprint": "67a27f5cf85eac044eca73e20fc23fb9d6a1a9f74728d143ec989b8f7cbb925d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|67a27f5cf85eac044eca73e20fc23fb9d6a1a9f74728d143ec989b8f7cbb925d", "aggregated_count": 4}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 104564, "scanner": "repobility-threat-engine", "fingerprint": "09989630b2c45a2ddc5e08bde8a96827c7c14b6cabe334230a31837624031157", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|09989630b2c45a2ddc5e08bde8a96827c7c14b6cabe334230a31837624031157"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior/src/cli/main.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 104563, "scanner": "repobility-threat-engine", "fingerprint": "1d0aa4e5ef5a94fbc945595cd32fc105d6e82ad9b365e77f32abf1bf9d60de45", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1d0aa4e5ef5a94fbc945595cd32fc105d6e82ad9b365e77f32abf1bf9d60de45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior/scripts/check-skills.mjs"}, "region": {"startLine": 338}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 104562, "scanner": "repobility-threat-engine", "fingerprint": "1b5ad8b70ad3aaffba4a4f355fff2107a54e42dec0e748e6b6b337e644e36a76", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1b5ad8b70ad3aaffba4a4f355fff2107a54e42dec0e748e6b6b337e644e36a76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/example/scripts/check-vercel-output.mjs"}, "region": {"startLine": 113}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@astrojs/starlight` is patch version(s) behind (^0.39.2 -> 0.39.3)"}, "properties": {"repobilityId": 104559, "scanner": "repobility-dependency-currency", "fingerprint": "66eff59152f8040f6ae3bc1f7db6a54acb4be242e30d3f5fe899362a5883372a", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@astrojs/starlight", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.39.3", "correlation_key": "fp|66eff59152f8040f6ae3bc1f7db6a54acb4be242e30d3f5fe899362a5883372a", "current_version": "^0.39.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/docs/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `nitro` is patch version(s) behind (3.0.260522-beta -> 3.0.260603-beta)"}, "properties": {"repobilityId": 104555, "scanner": "repobility-dependency-currency", "fingerprint": "563784f288e40bf951c80dddfad64b3fc51ca8c69355fdd2ddc548f820c57a30", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "nitro", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.0.260603-beta", "correlation_key": "fp|563784f288e40bf951c80dddfad64b3fc51ca8c69355fdd2ddc548f820c57a30", "current_version": "3.0.260522-beta"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `bash-tool` is patch version(s) behind (^1.3.16 -> 1.3.17)"}, "properties": {"repobilityId": 104553, "scanner": "repobility-dependency-currency", "fingerprint": "67d0f640be526f0f6b7ceee76f78182dc406d62513a47ce0f622af21ecdcb0c8", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "bash-tool", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.3.17", "correlation_key": "fp|67d0f640be526f0f6b7ceee76f78182dc406d62513a47ce0f622af21ecdcb0c8", "current_version": "^1.3.16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@vercel/functions` is patch version(s) behind (^3.6.0 -> 3.6.2)"}, "properties": {"repobilityId": 104550, "scanner": "repobility-dependency-currency", "fingerprint": "9494c4b06d6a33cdbe6008900c326afb15f46ece0ea6f36e43b9f974457691bd", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vercel/functions", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.6.2", "correlation_key": "fp|9494c4b06d6a33cdbe6008900c326afb15f46ece0ea6f36e43b9f974457691bd", "current_version": "^3.6.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@ai-sdk/gateway` is patch version(s) behind (^3.0.119 -> 3.0.125)"}, "properties": {"repobilityId": 104544, "scanner": "repobility-dependency-currency", "fingerprint": "2a9c503e094d623d45b71b3f61666756c383d8fd1879170673bfe29f04966510", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@ai-sdk/gateway", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.0.125", "correlation_key": "fp|2a9c503e094d623d45b71b3f61666756c383d8fd1879170673bfe29f04966510", "current_version": "^3.0.119"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `nitro` is patch version(s) behind (3.0.260522-beta -> 3.0.260603-beta)"}, "properties": {"repobilityId": 104542, "scanner": "repobility-dependency-currency", "fingerprint": "a15c6e36449257bb0fdce974948203db8dd0e242d7965c8af85cedef58da0ed3", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "nitro", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.0.260603-beta", "correlation_key": "fp|a15c6e36449257bb0fdce974948203db8dd0e242d7965c8af85cedef58da0ed3", "current_version": "3.0.260522-beta"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior-dashboard/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `nitro` is patch version(s) behind (3.0.260522-beta -> 3.0.260603-beta)"}, "properties": {"repobilityId": 104539, "scanner": "repobility-dependency-currency", "fingerprint": "24e663098abede15fd93ff735c1309a39b47bc52e1ccdd3d274f78e646318586", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "nitro", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.0.260603-beta", "correlation_key": "fp|24e663098abede15fd93ff735c1309a39b47bc52e1ccdd3d274f78e646318586", "current_version": "3.0.260522-beta"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/example/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `tsx` is patch version(s) behind (4.22.3 -> 4.22.4)"}, "properties": {"repobilityId": 104538, "scanner": "repobility-dependency-currency", "fingerprint": "12a6189888451c002d020d24139798c0eea7d72eb8e0b5dd249ba420e8413566", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "tsx", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.22.4", "correlation_key": "fp|12a6189888451c002d020d24139798c0eea7d72eb8e0b5dd249ba420e8413566", "current_version": "4.22.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vrm6-8vpv-qv8q", "level": "error", "message": {"text": "undici: GHSA-vrm6-8vpv-qv8q"}, "properties": {"repobilityId": 104625, "scanner": "osv-scanner", "fingerprint": "c37ac9a11b75eab8367403efcb9dec6a75ce8df6e9fdc49ad7043ccc2438ed6d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-1526"], "package": "undici", "rule_id": "GHSA-vrm6-8vpv-qv8q", "scanner": "osv-scanner", "correlation_key": "vuln|undici|CVE-2026-1526|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v9p9-hfj2-hcw8", "level": "error", "message": {"text": "undici: GHSA-v9p9-hfj2-hcw8"}, "properties": {"repobilityId": 104624, "scanner": "osv-scanner", "fingerprint": "5fc7025df7e18a64b471bcd54c54cc98548e3ccc90563b6c7730d159bcc47e26", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2229"], "package": "undici", "rule_id": "GHSA-v9p9-hfj2-hcw8", "scanner": "osv-scanner", "correlation_key": "vuln|undici|CVE-2026-2229|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qffp-2rhf-9h96", "level": "error", "message": {"text": "tar: GHSA-qffp-2rhf-9h96"}, "properties": {"repobilityId": 104618, "scanner": "osv-scanner", "fingerprint": "f8fa987aa9acadbb491ed96885533ab55d2a0afc9f4623918e86fa3756ca851f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-29786"], "package": "tar", "rule_id": "GHSA-qffp-2rhf-9h96", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-29786|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9ppj-qmqm-q256", "level": "error", "message": {"text": "tar: GHSA-9ppj-qmqm-q256"}, "properties": {"repobilityId": 104617, "scanner": "osv-scanner", "fingerprint": "69b2c0b2d95567c9d3ec0e13212c39d24902dceb82922feb24047ba7dfb846b6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-31802"], "package": "tar", "rule_id": "GHSA-9ppj-qmqm-q256", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-31802|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-83g3-92jg-28cx", "level": "error", "message": {"text": "tar: GHSA-83g3-92jg-28cx"}, "properties": {"repobilityId": 104616, "scanner": "osv-scanner", "fingerprint": "f024e3a8dade0f899aad4e013def341d786ed8b27d0ff31b6c56f7767e17e900", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-26960"], "package": "tar", "rule_id": "GHSA-83g3-92jg-28cx", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-26960|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-j3q9-mxjg-w52f", "level": "error", "message": {"text": "path-to-regexp: GHSA-j3q9-mxjg-w52f"}, "properties": {"repobilityId": 104611, "scanner": "osv-scanner", "fingerprint": "7430ad422b469928b240b563ae546401b374bbe16856d03d234e7895b9d8d7d3", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4926"], "package": "path-to-regexp", "rule_id": "GHSA-j3q9-mxjg-w52f", "scanner": "osv-scanner", "correlation_key": "vuln|path-to-regexp|CVE-2026-4926|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9wv6-86v2-598j", "level": "error", "message": {"text": "path-to-regexp: GHSA-9wv6-86v2-598j"}, "properties": {"repobilityId": 104609, "scanner": "osv-scanner", "fingerprint": "0522c73bdfae6aee618b0df17a6e1cb3e439e9873d79943a7601d19eb2eaf200", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-45296"], "package": "path-to-regexp", "rule_id": "GHSA-9wv6-86v2-598j", "scanner": "osv-scanner", "correlation_key": "vuln|path-to-regexp|CVE-2024-45296|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7r86-cg39-jmmj", "level": "error", "message": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "properties": {"repobilityId": 104608, "scanner": "osv-scanner", "fingerprint": "c3482c8b051b710219b686b962c8edfcc83babb0e1e54a2b470ae7782dd0b574", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27903"], "package": "minimatch", "rule_id": "GHSA-7r86-cg39-jmmj", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27903|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3ppc-4f35-3m26", "level": "error", "message": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "properties": {"repobilityId": 104607, "scanner": "osv-scanner", "fingerprint": "2fd5e24a94dfd2116cfc5d9aeb4e4f584669c9b76d1795010331a7b69b3682a6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-26996"], "package": "minimatch", "rule_id": "GHSA-3ppc-4f35-3m26", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-26996|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-23c5-xmqv-rm74", "level": "error", "message": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "properties": {"repobilityId": 104606, "scanner": "osv-scanner", "fingerprint": "af7663e4c51288986bfb4927d06e33aa650fed364bb14d31804c3d4da5638193", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27904"], "package": "minimatch", "rule_id": "GHSA-23c5-xmqv-rm74", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27904|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 104597, "scanner": "repobility-threat-engine", "fingerprint": "f5efbf3726594c1b97466cdcb5598bd9f08bc1de70af7133d0fa36d92c7c285b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(params", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f5efbf3726594c1b97466cdcb5598bd9f08bc1de70af7133d0fa36d92c7c285b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior/src/chat/tools/sandbox/grep.ts"}, "region": {"startLine": 77}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 104596, "scanner": "repobility-threat-engine", "fingerprint": "f5bf07f0635b2d9782232831d1c773a2d37d6f143e8f6d08e090c3167c23e62b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(\n  String", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f5bf07f0635b2d9782232831d1c773a2d37d6f143e8f6d08e090c3167c23e62b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior/src/chat/services/provider-default-config.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 104594, "scanner": "repobility-threat-engine", "fingerprint": "02abc3deac0165065a4053f4330ea10c206dbf6e980f450f831e02c513503ae7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "pendingTargets.delete(reply.ts);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|02abc3deac0165065a4053f4330ea10c206dbf6e980f450f831e02c513503ae7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior/src/chat/slack/channel.ts"}, "region": {"startLine": 134}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 104593, "scanner": "repobility-threat-engine", "fingerprint": "49bf36e7e14c16be15a5a764037e4e04a97d9782542bacc08d3e7330228a7b1a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "jwksByIssuer.delete(issuer);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|49bf36e7e14c16be15a5a764037e4e04a97d9782542bacc08d3e7330228a7b1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior/src/chat/sandbox/egress-oidc.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 104592, "scanner": "repobility-threat-engine", "fingerprint": "1b0034000da805593c9de8dd237fba21d2990135816a4f1204034068f535de91", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "signer.update(signingInput);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1b0034000da805593c9de8dd237fba21d2990135816a4f1204034068f535de91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior/src/chat/plugins/auth/github-app-broker.ts"}, "region": {"startLine": 91}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 104591, "scanner": "repobility-threat-engine", "fingerprint": "a49eda5c695882d32644fd59b34c1af3c8984739cd320ed7a97a1e7519c58f38", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open({ users: input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|110|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior/src/chat/oauth-flow.ts"}, "region": {"startLine": 110}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 104590, "scanner": "repobility-threat-engine", "fingerprint": "4b797bcaeaa0f3cfdf1445f5696b315f548bdf563ec987250e8d976abc95f1fa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "app.post(\"/api/internal/turn-resume\", (c) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4b797bcaeaa0f3cfdf1445f5696b315f548bdf563ec987250e8d976abc95f1fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior/src/app.ts"}, "region": {"startLine": 340}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 104588, "scanner": "repobility-threat-engine", "fingerprint": "a46cd895d87ea9a84d8190911b1e66c9c1d71198e04187eded27c7edcb5e16ea", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((line) => `[attachment] ${line}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a46cd895d87ea9a84d8190911b1e66c9c1d71198e04187eded27c7edcb5e16ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior/src/chat/slack/legacy-attachments.ts"}, "region": {"startLine": 78}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 104587, "scanner": "repobility-threat-engine", "fingerprint": "b0bee5946e52e3c364787321c74c4936c286807e631f1059f795a1c64e62f2a0", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(\n    (skill) => `\u2022 *${skill.name}* \u2014 ${skill.description}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b0bee5946e52e3c364787321c74c4936c286807e631f1059f795a1c64e62f2a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior/src/chat/slack/app-home.ts"}, "region": {"startLine": 53}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 104586, "scanner": "repobility-threat-engine", "fingerprint": "462aa6e1e7e09162dd61deb8ee41addd295c23757ab68033265f07e5c01cd070", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((line) => `- ${line}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|462aa6e1e7e09162dd61deb8ee41addd295c23757ab68033265f07e5c01cd070"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior-dashboard/src/client/markdownExport.ts"}, "region": {"startLine": 133}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 104584, "scanner": "repobility-threat-engine", "fingerprint": "80c89ee5607fb26f319e743f96055cd35e3629ff80ae83bef97df1db7bb2b06b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(normalized", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|80c89ee5607fb26f319e743f96055cd35e3629ff80ae83bef97df1db7bb2b06b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior/src/chat/capabilities/jr-rpc-command.ts"}, "region": {"startLine": 308}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 104583, "scanner": "repobility-threat-engine", "fingerprint": "e9eb9756991aa1da7155b2da21e5eb5f1bdf6a2823d9bf978abadb1ba0635f08", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(raw", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e9eb9756991aa1da7155b2da21e5eb5f1bdf6a2823d9bf978abadb1ba0635f08"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior/scripts/check-skills.mjs"}, "region": {"startLine": 158}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 104582, "scanner": "repobility-threat-engine", "fingerprint": "5199f96c7d582b7edaca73ca0342687c0cf8a3e716086fe703243dc8cb16b615", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(text", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5199f96c7d582b7edaca73ca0342687c0cf8a3e716086fe703243dc8cb16b615"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior-dashboard/src/client/components/transcriptMarkdownLinks.ts"}, "region": {"startLine": 175}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 104576, "scanner": "repobility-threat-engine", "fingerprint": "dcb01062396e3d836a202b23b7a08d30fac22ba37732321fd0bd770d723028a7", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(o", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dcb01062396e3d836a202b23b7a08d30fac22ba37732321fd0bd770d723028a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior-evals/evals/core/oauth-workflows.eval.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 104575, "scanner": "repobility-threat-engine", "fingerprint": "7c8ccf678ed88619dfda9ba6c35a8d2a7f4a31d12777564e5715366f00b210d3", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(\n  c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7c8ccf678ed88619dfda9ba6c35a8d2a7f4a31d12777564e5715366f00b210d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior-dashboard/src/url.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 104574, "scanner": "repobility-threat-engine", "fingerprint": "72c41806b8d8dd1b1f4674da456de32fe6749f92f944be4e0402115dad6a451e", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(m", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|72c41806b8d8dd1b1f4674da456de32fe6749f92f944be4e0402115dad6a451e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior-dashboard/src/client/components/transcriptMarkdownLinks.ts"}, "region": {"startLine": 178}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `getsentry/action-prepare-release` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 104535, "scanner": "repobility-supply-chain", "fingerprint": "d225f9658d725026ab87df74944a35ebe833cb739dfd08f45f492d27c8ba2f48", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d225f9658d725026ab87df74944a35ebe833cb739dfd08f45f492d27c8ba2f48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 104534, "scanner": "repobility-supply-chain", "fingerprint": "1234cea296baf662d25181577a8cf1a02a94992616f1d4a830a2dd36d7c701e5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1234cea296baf662d25181577a8cf1a02a94992616f1d4a830a2dd36d7c701e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 104533, "scanner": "repobility-supply-chain", "fingerprint": "d2adfdb19aa78a0b23383abcd5ee8ebfb288891d57682b1bec6bd009e8c783fc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d2adfdb19aa78a0b23383abcd5ee8ebfb288891d57682b1bec6bd009e8c783fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `redis:7-alpine` unpinned"}, "properties": {"repobilityId": 104532, "scanner": "repobility-supply-chain", "fingerprint": "76e44f9444da47954bf3029166558240a84efb9a58c7bb64f09876c9602f25b0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|76e44f9444da47954bf3029166558240a84efb9a58c7bb64f09876c9602f25b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 104531, "scanner": "repobility-supply-chain", "fingerprint": "2c97c13c63216c52f7cb14c59ed98883a5e09b86429c5eef32e2c5db5ed7c14c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2c97c13c63216c52f7cb14c59ed98883a5e09b86429c5eef32e2c5db5ed7c14c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 104530, "scanner": "repobility-supply-chain", "fingerprint": "4deff384e0dac0c2231871faf6d1d6fdeeeff7d0ebe5ded116e6b822502ea06b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4deff384e0dac0c2231871faf6d1d6fdeeeff7d0ebe5ded116e6b822502ea06b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 104529, "scanner": "repobility-supply-chain", "fingerprint": "e4b7a0ac54cd4b712f6ce3cb4f10866ca7fc877adb0b16bca28deb920b39e75d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e4b7a0ac54cd4b712f6ce3cb4f10866ca7fc877adb0b16bca28deb920b39e75d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 104528, "scanner": "repobility-supply-chain", "fingerprint": "355b0ddc656b234b35d6fd11c6698a3b2d7a96161fe182bbecc621993a32f1a5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|355b0ddc656b234b35d6fd11c6698a3b2d7a96161fe182bbecc621993a32f1a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `redis:7-alpine` unpinned"}, "properties": {"repobilityId": 104527, "scanner": "repobility-supply-chain", "fingerprint": "01a73254d091fbc1404f4182fc563a65b3d1dda996534fbffb30c1878c0f5b39", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|01a73254d091fbc1404f4182fc563a65b3d1dda996534fbffb30c1878c0f5b39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/evals.yml"}, "region": {"startLine": 114}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 104516, "scanner": "repobility-supply-chain", "fingerprint": "12eb6a9958cee127424b984042850335a1cbdc02fb9727be89a75c6e4011e02f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|12eb6a9958cee127424b984042850335a1cbdc02fb9727be89a75c6e4011e02f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/evals.yml"}, "region": {"startLine": 133}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 104515, "scanner": "repobility-supply-chain", "fingerprint": "0d4be00823c9edd72ac0195c72d42c9c54c017299d7f2ae45e81a941364f55d2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0d4be00823c9edd72ac0195c72d42c9c54c017299d7f2ae45e81a941364f55d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/evals.yml"}, "region": {"startLine": 131}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 104514, "scanner": "repobility-supply-chain", "fingerprint": "8129957bf92cdb2fe99fbd0b50fbac48e71963843e4fcee07f95d60c021e11a7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8129957bf92cdb2fe99fbd0b50fbac48e71963843e4fcee07f95d60c021e11a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/evals.yml"}, "region": {"startLine": 130}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 104513, "scanner": "repobility-supply-chain", "fingerprint": "038aee49ede3535f97cbd22ffb3a3a7b340c0f534c1d2c10f0902f41188f75de", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|038aee49ede3535f97cbd22ffb3a3a7b340c0f534c1d2c10f0902f41188f75de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/evals.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /api/webhooks/:platform has no auth"}, "properties": {"repobilityId": 104512, "scanner": "repobility-route-auth", "fingerprint": "e125198c8d4a0cd64f73d60ea6f42e662ca73e3e7306cdcdf41923a98eb5c184", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|e125198c8d4a0cd64f73d60ea6f42e662ca73e3e7306cdcdf41923a98eb5c184"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior/src/app.ts"}, "region": {"startLine": 362}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /api/internal/agent/continue has no auth"}, "properties": {"repobilityId": 104511, "scanner": "repobility-route-auth", "fingerprint": "921dac40029ab8ab7398f5623b57ce6857aa9af9c66a6ec4d070b88d5d6ae1cd", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|921dac40029ab8ab7398f5623b57ce6857aa9af9c66a6ec4d070b88d5d6ae1cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior/src/app.ts"}, "region": {"startLine": 351}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /api/internal/agent-dispatch has no auth"}, "properties": {"repobilityId": 104510, "scanner": "repobility-route-auth", "fingerprint": "d418ae776e0bd94e5ea26c179031546ac79f4cba8156970206537e64ed60f35b", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|d418ae776e0bd94e5ea26c179031546ac79f4cba8156970206537e64ed60f35b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior/src/app.ts"}, "region": {"startLine": 344}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /api/internal/turn-resume has no auth"}, "properties": {"repobilityId": 104509, "scanner": "repobility-route-auth", "fingerprint": "fa5a908ec836cffe98b928a6abdc0588f59d2466d8d3c2c5f8d01d496c47f4f9", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|fa5a908ec836cffe98b928a6abdc0588f59d2466d8d3c2c5f8d01d496c47f4f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior/src/app.ts"}, "region": {"startLine": 340}}}]}, {"ruleId": "GHSA-gc25-3vc5-2jf9", "level": "error", "message": {"text": "sandbox: GHSA-gc25-3vc5-2jf9"}, "properties": {"repobilityId": 104613, "scanner": "osv-scanner", "fingerprint": "ea3ad028852fe389558f770debb508d0461060af761e59139e18f014d7b595f7", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "sandbox", "rule_id": "GHSA-gc25-3vc5-2jf9", "scanner": "osv-scanner", "correlation_key": "vuln|sandbox|GHSA-GC25-3VC5-2JF9|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 104603, "scanner": "gitleaks", "fingerprint": "c28af4bb279e948044388093ea3ef20d1a42c8dc7cca33ff2ccdf5b26577459f", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "secret: \"<redacted>\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|114|secret: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior-dashboard/tests/dashboard-routes.test.ts"}, "region": {"startLine": 1141}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 104602, "scanner": "gitleaks", "fingerprint": "114c387c1c96944693edcc164d06021211b4e3c81ccf600296660d531c66cc14", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "cacheKey\": \"REDACTED\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token / hex .json|1|cachekey : redacted", "duplicate_count": 2, "duplicate_rule_ids": ["generic-api-key"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["114c387c1c96944693edcc164d06021211b4e3c81ccf600296660d531c66cc14", "b695a792f4bf522d7138a416d50a216f78a379a9541d964cf8407acdf6c4743f", "bcd96582393040fcd3cfd73c67ac36b105303be2e4af11d51e696f8e92f142c2"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior-evals/.vitest-evals/recordings/webFetch/1e892c4d6991f468213d21aac1e9a40688ea15889e99c2fa133a97455b543aa6.json"}, "region": {"startLine": 18}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 104601, "scanner": "gitleaks", "fingerprint": "e218f011a9f4f156f1189e04da07b26bd4d2edd84f34576ce4fb0b18cf37ae6a", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "cacheKey\": \"REDACTED\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token / hex .json|3|cachekey : redacted", "duplicate_count": 2, "duplicate_rule_ids": ["generic-api-key"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["4000cb95ae8819cef6210072d54c87fdc26945d03772a12c2751a8735f64c73d", "d37f24c758ac8a840ec002c62a3f6fef8f771c936099a7c8e0439e4078625f13", "e218f011a9f4f156f1189e04da07b26bd4d2edd84f34576ce4fb0b18cf37ae6a"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior-evals/.vitest-evals/recordings/webSearch/d8bc2b07098873330dc800d856f6b0afb17e928265a930c6f7007b2e77cff072.json"}, "region": {"startLine": 32}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 104600, "scanner": "gitleaks", "fingerprint": "427906fe3990ccc0734b701775408ce386fd26696d0653c85d37cf7eefc17f25", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "secret: \"<redacted>\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|3|secret: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior-dashboard/tests/auth-config.test.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "private-key", "level": "error", "message": {"text": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}, "properties": {"repobilityId": 104599, "scanner": "gitleaks", "fingerprint": "d42c343883d33a2411b421941a95dc9ae2f31d93abf50a66fae962895a5bb3a4", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED", "rule_id": "private-key", "scanner": "gitleaks", "detector": "private-key", "correlation_key": "secret|token|1|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/junior/tests/unit/logging/serialize-gen-ai-attribute.test.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.VERCEL_OIDC_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 104526, "scanner": "repobility-supply-chain", "fingerprint": "d3d02a88dba7569c80b5a0678c8a175990f43f0de69367453d324c383e155aaa", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d3d02a88dba7569c80b5a0678c8a175990f43f0de69367453d324c383e155aaa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/evals.yml"}, "region": {"startLine": 128}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.VERCEL_PROJECT_ID` on a `pull_request` trigger"}, "properties": {"repobilityId": 104525, "scanner": "repobility-supply-chain", "fingerprint": "4916ed47df1294c765d411da0ffe5a6f88a44ea24ff51e1acbb524821df72f7e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4916ed47df1294c765d411da0ffe5a6f88a44ea24ff51e1acbb524821df72f7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/evals.yml"}, "region": {"startLine": 127}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.VERCEL_TEAM_ID` on a `pull_request` trigger"}, "properties": {"repobilityId": 104524, "scanner": "repobility-supply-chain", "fingerprint": "e98c9841c7246a8674508bd101c75d02f2a3a7cc4c5fa1baeec0d3f4399a9ebc", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e98c9841c7246a8674508bd101c75d02f2a3a7cc4c5fa1baeec0d3f4399a9ebc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/evals.yml"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.VERCEL_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 104523, "scanner": "repobility-supply-chain", "fingerprint": "45d636bcfe8fa23ca4141b112a5dbac5819750a3bac9e0f70e794355e0a04b43", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|45d636bcfe8fa23ca4141b112a5dbac5819750a3bac9e0f70e794355e0a04b43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/evals.yml"}, "region": {"startLine": 125}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.AI_GATEWAY_API_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 104522, "scanner": "repobility-supply-chain", "fingerprint": "0669d08ae09fa019c84fe9105cd408065831621e88d34e38c22589591e54f976", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0669d08ae09fa019c84fe9105cd408065831621e88d34e38c22589591e54f976"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/evals.yml"}, "region": {"startLine": 124}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.VERCEL_PROJECT_ID` on a `pull_request` trigger"}, "properties": {"repobilityId": 104521, "scanner": "repobility-supply-chain", "fingerprint": "a23378a8cf5db91e203d9c4bde0b01b5d27647ca1db2e5c446c26f5c06c50c70", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a23378a8cf5db91e203d9c4bde0b01b5d27647ca1db2e5c446c26f5c06c50c70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/evals.yml"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.VERCEL_TEAM_ID` on a `pull_request` trigger"}, "properties": {"repobilityId": 104520, "scanner": "repobility-supply-chain", "fingerprint": "466482c62f7b8a0d15952d93f68b8e6c4c59e9fac48d501943fe14e705c703f7", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|466482c62f7b8a0d15952d93f68b8e6c4c59e9fac48d501943fe14e705c703f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/evals.yml"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.VERCEL_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 104519, "scanner": "repobility-supply-chain", "fingerprint": "34599b9341f095d02caad68b56637524459f5f030eed47b0b9acebeb0c91963e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|34599b9341f095d02caad68b56637524459f5f030eed47b0b9acebeb0c91963e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/evals.yml"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.VERCEL_OIDC_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 104518, "scanner": "repobility-supply-chain", "fingerprint": "e33155a5ad868a84a6b75d05e2955a17b87ff0fd381f94996e6d9042f5e1ba22", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e33155a5ad868a84a6b75d05e2955a17b87ff0fd381f94996e6d9042f5e1ba22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/evals.yml"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.AI_GATEWAY_API_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 104517, "scanner": "repobility-supply-chain", "fingerprint": "fbf4c3f98dcb3ce699c777d19727014718eb432df326d64a4c87d18b4f0f9a64", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fbf4c3f98dcb3ce699c777d19727014718eb432df326d64a4c87d18b4f0f9a64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/evals.yml"}, "region": {"startLine": 63}}}]}]}]}