{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "GHSA-w5hq-g745-h8pq", "name": "uuid: GHSA-w5hq-g745-h8pq", "shortDescription": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "fullDescription": {"text": "uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-67mh-4wv8-2f99", "name": "esbuild: GHSA-67mh-4wv8-2f99", "shortDescription": {"text": "esbuild: GHSA-67mh-4wv8-2f99"}, "fullDescription": {"text": "esbuild enables any website to send any requests to the development server and read the response"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f886-m6hf-6m8v", "name": "brace-expansion: GHSA-f886-m6hf-6m8v", "shortDescription": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "fullDescription": {"text": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-378v-28hj-76wf", "name": "bn.js: GHSA-378v-28hj-76wf", "shortDescription": {"text": "bn.js: GHSA-378v-28hj-76wf"}, "fullDescription": {"text": "bn.js affected by an infinite loop"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-968p-4wvh-cqc8", "name": "@babel/runtime: GHSA-968p-4wvh-cqc8", "shortDescription": {"text": "@babel/runtime: GHSA-968p-4wvh-cqc8"}, "fullDescription": {"text": "Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `dotenv` is 1 major version(s) behind (^16.3.1 -> 17.4.2)", "shortDescription": {"text": "npm package `dotenv` is 1 major version(s) behind (^16.3.1 -> 17.4.2)"}, "fullDescription": {"text": "`dotenv` is pinned/resolved at ^16.3.1 but the latest stable release on the npm registry is 17.4.2 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "GHSA-v6h2-p8h4-qcjw", "name": "brace-expansion: GHSA-v6h2-p8h4-qcjw", "shortDescription": {"text": "brace-expansion: GHSA-v6h2-p8h4-qcjw"}, "fullDescription": {"text": "brace-expansion Regular Expression Denial of Service vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7r86-cg39-jmmj", "name": "minimatch: GHSA-7r86-cg39-jmmj", "shortDescription": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "fullDescription": {"text": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3ppc-4f35-3m26", "name": "minimatch: GHSA-3ppc-4f35-3m26", "shortDescription": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "fullDescription": {"text": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-23c5-xmqv-rm74", "name": "minimatch: GHSA-23c5-xmqv-rm74", "shortDescription": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "fullDescription": {"text": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/setup-node` pinned to mutable ref `@v4`", "shortDescription": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "fullDescription": {"text": "`uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED127", "name": "Cryptominer signature: `ethermine.org`", "shortDescription": {"text": "Cryptominer signature: `ethermine.org`"}, "fullDescription": {"text": "Source contains a known cryptominer signature (`ethermine.org`). Could be a deliberate malicious payload, a compromised dependency, or a copy-paste from a tutorial \u2014 but it warrants immediate investigation. Mining pool URLs in production code are almost never legitimate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1322"}, "properties": {"repository": "MetaMask/eth-phishing-detect", "repoUrl": "https://github.com/MetaMask/eth-phishing-detect", "branch": "main"}, "results": [{"ruleId": "GHSA-w5hq-g745-h8pq", "level": "warning", "message": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "properties": {"repobilityId": 134922, "scanner": "osv-scanner", "fingerprint": "43ffcb0a2ce37f02f11229414b326bf3461eff0a2313382f704b9797828a6315", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41907"], "package": "uuid", "rule_id": "GHSA-w5hq-g745-h8pq", "scanner": "osv-scanner", "correlation_key": "vuln|uuid|CVE-2026-41907|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-67mh-4wv8-2f99", "level": "warning", "message": {"text": "esbuild: GHSA-67mh-4wv8-2f99"}, "properties": {"repobilityId": 134918, "scanner": "osv-scanner", "fingerprint": "54c08a518d22f2dcff43496ac5e2baf059a246eae9afe32e408e694d3ea3cbe3", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "esbuild", "rule_id": "GHSA-67mh-4wv8-2f99", "scanner": "osv-scanner", "correlation_key": "vuln|esbuild|GHSA-67MH-4WV8-2F99|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f886-m6hf-6m8v", "level": "warning", "message": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "properties": {"repobilityId": 134916, "scanner": "osv-scanner", "fingerprint": "d4b419a31e0e9347bcfafa58b7ad490de2bf201d666b0f13dc4b2518b663d57c", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33750"], "package": "brace-expansion", "rule_id": "GHSA-f886-m6hf-6m8v", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-33750|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-378v-28hj-76wf", "level": "warning", "message": {"text": "bn.js: GHSA-378v-28hj-76wf"}, "properties": {"repobilityId": 134915, "scanner": "osv-scanner", "fingerprint": "987d296c279b08929c83e894489d320c08d32503f9a4f8c573286bda28474c52", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2739"], "package": "bn.js", "rule_id": "GHSA-378v-28hj-76wf", "scanner": "osv-scanner", "correlation_key": "vuln|bn.js|CVE-2026-2739|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-968p-4wvh-cqc8", "level": "warning", "message": {"text": "@babel/runtime: GHSA-968p-4wvh-cqc8"}, "properties": {"repobilityId": 134914, "scanner": "osv-scanner", "fingerprint": "51f589bb23167d7f3187da2b247ac3c84f30fe6965633ac81e12b7c3bf7d3f84", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-27789"], "package": "@babel/runtime", "rule_id": "GHSA-968p-4wvh-cqc8", "scanner": "osv-scanner", "correlation_key": "vuln|babel/runtime|CVE-2025-27789|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `dotenv` is 1 major version(s) behind (^16.3.1 -> 17.4.2)"}, "properties": {"repobilityId": 134908, "scanner": "repobility-dependency-currency", "fingerprint": "48d82cc9747d07ea070cab195f76aaff20138329cd3f1011b5b67ef1cc5ae160", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "dotenv", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "17.4.2", "correlation_key": "fp|48d82cc9747d07ea070cab195f76aaff20138329cd3f1011b5b67ef1cc5ae160", "current_version": "^16.3.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `csv-parse` is 1 major version(s) behind (^5.3.6 -> 6.2.1)"}, "properties": {"repobilityId": 134907, "scanner": "repobility-dependency-currency", "fingerprint": "d04e04aaab20be86f3bda28314a41a105a661b440ce51de2170035c92c004634", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "csv-parse", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.2.1", "correlation_key": "fp|d04e04aaab20be86f3bda28314a41a105a661b440ce51de2170035c92c004634", "current_version": "^5.3.6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@metamask/phishing-controller` is 5 major version(s) behind (^12.0.2 -> 17.2.0)"}, "properties": {"repobilityId": 134905, "scanner": "repobility-dependency-currency", "fingerprint": "3aac7a4658080c2ba4b9bc361be310bb077a2933d28a5d0877579b9f8776b869", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "5 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@metamask/phishing-controller", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "17.2.0", "correlation_key": "fp|3aac7a4658080c2ba4b9bc361be310bb077a2933d28a5d0877579b9f8776b869", "current_version": "^12.0.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v6h2-p8h4-qcjw", "level": "note", "message": {"text": "brace-expansion: GHSA-v6h2-p8h4-qcjw"}, "properties": {"repobilityId": 134917, "scanner": "osv-scanner", "fingerprint": "1854d9dd5eb370302d7119641e8b8517081a2f7d14cd0cb0730993d4c09eb4d6", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-5889"], "package": "brace-expansion", "rule_id": "GHSA-v6h2-p8h4-qcjw", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2025-5889|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `tsx` is minor version(s) behind (^4.19.0 -> 4.22.4)"}, "properties": {"repobilityId": 134913, "scanner": "repobility-dependency-currency", "fingerprint": "07f8872282da258073a6d262613e95ef624fba49147c5a89f2b0d9319c4e8547", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "tsx", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.22.4", "correlation_key": "fp|07f8872282da258073a6d262613e95ef624fba49147c5a89f2b0d9319c4e8547", "current_version": "^4.19.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `tape` is minor version(s) behind (^5.6.3 -> 5.9.0)"}, "properties": {"repobilityId": 134912, "scanner": "repobility-dependency-currency", "fingerprint": "f63b0aec68f9758f208d4c47411ef9542642d862b5379f2851608aa04cc1e6e9", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "tape", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.9.0", "correlation_key": "fp|f63b0aec68f9758f208d4c47411ef9542642d862b5379f2851608aa04cc1e6e9", "current_version": "^5.6.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `simple-git-hooks` is minor version(s) behind (^2.8.1 -> 2.13.1)"}, "properties": {"repobilityId": 134911, "scanner": "repobility-dependency-currency", "fingerprint": "2a18ae7958ed44d9ebfda1d3daaaa8b08c0d544940db1bb94fc4db1ca1ce6016", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "simple-git-hooks", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.13.1", "correlation_key": "fp|2a18ae7958ed44d9ebfda1d3daaaa8b08c0d544940db1bb94fc4db1ca1ce6016", "current_version": "^2.8.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `prettier` is minor version(s) behind (^3.3.3 -> 3.8.3)"}, "properties": {"repobilityId": 134909, "scanner": "repobility-dependency-currency", "fingerprint": "624c80bc62c288a046c90c89372cb1f9ecc8fb49819bacf536e089a6ed25a7b1", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "prettier", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.8.3", "correlation_key": "fp|624c80bc62c288a046c90c89372cb1f9ecc8fb49819bacf536e089a6ed25a7b1", "current_version": "^3.3.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@types/tape` is minor version(s) behind (^5.6.4 -> 5.8.1)"}, "properties": {"repobilityId": 134906, "scanner": "repobility-dependency-currency", "fingerprint": "cb4b6a2db7b9e698deb492576c7733a54347c4dc5c9b88a1878c67172c410c7e", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/tape", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.8.1", "correlation_key": "fp|cb4b6a2db7b9e698deb492576c7733a54347c4dc5c9b88a1878c67172c410c7e", "current_version": "^5.6.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `punycode` is patch version(s) behind (^2.3.0 -> 2.3.1)"}, "properties": {"repobilityId": 134910, "scanner": "repobility-dependency-currency", "fingerprint": "076a7082ca25180571e8086adb032f597993ddef2c7370495d0950ca351dfd40", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "punycode", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.3.1", "correlation_key": "fp|076a7082ca25180571e8086adb032f597993ddef2c7370495d0950ca351dfd40", "current_version": "^2.3.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7r86-cg39-jmmj", "level": "error", "message": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "properties": {"repobilityId": 134921, "scanner": "osv-scanner", "fingerprint": "155d5f86682d4cca28cde02dfe1b84c1837cf98c6feba6adf8f141619cbe7278", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27903"], "package": "minimatch", "rule_id": "GHSA-7r86-cg39-jmmj", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27903|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3ppc-4f35-3m26", "level": "error", "message": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "properties": {"repobilityId": 134920, "scanner": "osv-scanner", "fingerprint": "09e3156d77e314926a52fbc6f5aec96b0f979198ea66c485cce13e20587eb10d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-26996"], "package": "minimatch", "rule_id": "GHSA-3ppc-4f35-3m26", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-26996|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-23c5-xmqv-rm74", "level": "error", "message": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "properties": {"repobilityId": 134919, "scanner": "osv-scanner", "fingerprint": "221b16994c1c62dd68d3c52e72deae94054e851fa81062e507d061a803f51227", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27904"], "package": "minimatch", "rule_id": "GHSA-23c5-xmqv-rm74", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27904|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 134903, "scanner": "repobility-supply-chain", "fingerprint": "12d6ebef9a2e8eb46f2cdcf6366f9c27a274707a268da504e81b280905e0ee44", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|12d6ebef9a2e8eb46f2cdcf6366f9c27a274707a268da504e81b280905e0ee44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-test.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 134902, "scanner": "repobility-supply-chain", "fingerprint": "68d228328d883f3026416a81ea4663e01cf4c908ec953994f40ae5ef9d4b3ab9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|68d228328d883f3026416a81ea4663e01cf4c908ec953994f40ae5ef9d4b3ab9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-test.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED127", "level": "error", "message": {"text": "Cryptominer signature: `ethermine.org`"}, "properties": {"repobilityId": 134904, "scanner": "repobility-supply-chain", "fingerprint": "16d25dcd8db6828572006a6dd502281713a6987a435df784b7dec3495dc8fd3c", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "cryptominer-signature", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|16d25dcd8db6828572006a6dd502281713a6987a435df784b7dec3495dc8fd3c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/test-config.ts"}, "region": {"startLine": 80}}}]}]}]}