{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "GHSA-58qx-3vcg-4xpx", "name": "ws: GHSA-58qx-3vcg-4xpx", "shortDescription": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "fullDescription": {"text": "ws: Uninitialized memory disclosure"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w5hq-g745-h8pq", "name": "uuid: GHSA-w5hq-g745-h8pq", "shortDescription": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "fullDescription": {"text": "uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-h9rv-jmmf-4pgx", "name": "serialize-javascript: GHSA-h9rv-jmmf-4pgx", "shortDescription": {"text": "serialize-javascript: GHSA-h9rv-jmmf-4pgx"}, "fullDescription": {"text": "Cross-Site Scripting in serialize-javascript"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q8mj-m7cp-5q26", "name": "qs: GHSA-q8mj-m7cp-5q26", "shortDescription": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "fullDescription": {"text": "qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3v7f-55p6-f55p", "name": "picomatch: GHSA-3v7f-55p6-f55p", "shortDescription": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "fullDescription": {"text": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f886-m6hf-6m8v", "name": "brace-expansion: GHSA-f886-m6hf-6m8v", "shortDescription": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "fullDescription": {"text": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2g4f-4pwh-qvx6", "name": "ajv: GHSA-2g4f-4pwh-qvx6", "shortDescription": {"text": "ajv: GHSA-2g4f-4pwh-qvx6"}, "fullDescription": {"text": "ajv has ReDoS when using `$data` option"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `api` image uses the latest tag", "shortDescription": {"text": "Compose service `api` image uses the latest tag"}, "fullDescription": {"text": "The latest tag is mutable and can change without a code review, producing different images from the same source."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-PY", "name": "Python package `tzdata` is 1 major version(s) behind (2025.1 -> 2026.2)", "shortDescription": {"text": "Python package `tzdata` is 1 major version(s) behind (2025.1 -> 2026.2)"}, "fullDescription": {"text": "poetry.lock pins `tzdata` at 2025.1 but the latest stable release on PyPI is 2026.2 (1 major version(s) behind)."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "AUC005", "name": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or sup", "shortDescription": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "fullDescription": {"text": "No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "low", "confidence": 0.76, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `globals` is minor version(s) behind (^17.4.0 -> 17.6.0)", "shortDescription": {"text": "npm package `globals` is minor version(s) behind (^17.4.0 -> 17.6.0)"}, "fullDescription": {"text": "`globals` is pinned/resolved at ^17.4.0 but the latest stable release on the npm registry is 17.6.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "low", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "GHSA-hxcc-f52p-wc94", "name": "serialize-javascript: GHSA-hxcc-f52p-wc94", "shortDescription": {"text": "serialize-javascript: GHSA-hxcc-f52p-wc94"}, "fullDescription": {"text": "Insecure serialization leading to RCE in serialize-javascript"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5c6j-r48x-rmvq", "name": "serialize-javascript: GHSA-5c6j-r48x-rmvq", "shortDescription": {"text": "serialize-javascript: GHSA-5c6j-r48x-rmvq"}, "fullDescription": {"text": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c2c7-rcm5-vvqj", "name": "picomatch: GHSA-c2c7-rcm5-vvqj", "shortDescription": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "fullDescription": {"text": "Picomatch has a ReDoS vulnerability via extglob quantifiers"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-37ch-88jc-xwx2", "name": "path-to-regexp: GHSA-37ch-88jc-xwx2", "shortDescription": {"text": "path-to-regexp: GHSA-37ch-88jc-xwx2"}, "fullDescription": {"text": "path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7r86-cg39-jmmj", "name": "minimatch: GHSA-7r86-cg39-jmmj", "shortDescription": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "fullDescription": {"text": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3ppc-4f35-3m26", "name": "minimatch: GHSA-3ppc-4f35-3m26", "shortDescription": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "fullDescription": {"text": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-23c5-xmqv-rm74", "name": "minimatch: GHSA-23c5-xmqv-rm74", "shortDescription": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "fullDescription": {"text": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/checkout` pinned to mutable ref `@v2`", "shortDescription": {"text": "Action `actions/checkout` pinned to mutable ref `@v2`"}, "fullDescription": {"text": "`uses: actions/checkout@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `node:25-alpine3.22` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `node:25-alpine3.22` not pinned by digest"}, "fullDescription": {"text": "`FROM node:25-alpine3.22` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED131", "name": "pre-commit hook `https://github.com/python-poetry/poetry` pinned to mutable rev `1.8.0`", "shortDescription": {"text": "pre-commit hook `https://github.com/python-poetry/poetry` pinned to mutable rev `1.8.0`"}, "fullDescription": {"text": "`.pre-commit-config.yaml` references `https://github.com/python-poetry/poetry` at `rev: 1.8.0`. If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "Phantom test coverage: test_query_address_ipv6", "shortDescription": {"text": "Phantom test coverage: test_query_address_ipv6"}, "fullDescription": {"text": "Test function `test_query_address_ipv6` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1381"}, "properties": {"repository": "dsgnr/portchecker.io", "repoUrl": "https://github.com/dsgnr/portchecker.io", "branch": "devel"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 141266, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 141264, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Django"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "GHSA-58qx-3vcg-4xpx", "level": "warning", "message": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "properties": {"repobilityId": 141263, "scanner": "osv-scanner", "fingerprint": "e9cfc7059e1b36edf350972ec87f9023c8fd1c0d932cbdad68d8fe539318723a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45736"], "package": "ws", "rule_id": "GHSA-58qx-3vcg-4xpx", "scanner": "osv-scanner", "correlation_key": "vuln|ws|CVE-2026-45736|frontend/web/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/web/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w5hq-g745-h8pq", "level": "warning", "message": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "properties": {"repobilityId": 141262, "scanner": "osv-scanner", "fingerprint": "8641bfb71c62f888103fe9fed9e41d410cdc48c0a6128bd8c53c3a4aa28d7d3e", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41907"], "package": "uuid", "rule_id": "GHSA-w5hq-g745-h8pq", "scanner": "osv-scanner", "correlation_key": "vuln|uuid|CVE-2026-41907|frontend/web/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/web/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-h9rv-jmmf-4pgx", "level": "warning", "message": {"text": "serialize-javascript: GHSA-h9rv-jmmf-4pgx"}, "properties": {"repobilityId": 141260, "scanner": "osv-scanner", "fingerprint": "3e1d36000896edaf1ee27c3623b06753d6d8d57c82c983678bfe65ad1dd5d784", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2019-16769"], "package": "serialize-javascript", "rule_id": "GHSA-h9rv-jmmf-4pgx", "scanner": "osv-scanner", "correlation_key": "vuln|serialize-javascript|CVE-2019-16769|frontend/web/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/web/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q8mj-m7cp-5q26", "level": "warning", "message": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "properties": {"repobilityId": 141258, "scanner": "osv-scanner", "fingerprint": "42d2d7cd529a721fae5180f935546732fd39a7cf9c5dcab1b24921cf044aa9db", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-8723"], "package": "qs", "rule_id": "GHSA-q8mj-m7cp-5q26", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2026-8723|frontend/web/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/web/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3v7f-55p6-f55p", "level": "warning", "message": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "properties": {"repobilityId": 141256, "scanner": "osv-scanner", "fingerprint": "769750a9553bed83183e3bb8cfbd68443f1f42c1dd1f20029b7fe42a0bf445a8", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33672"], "package": "picomatch", "rule_id": "GHSA-3v7f-55p6-f55p", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33672|frontend/web/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/web/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f886-m6hf-6m8v", "level": "warning", "message": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "properties": {"repobilityId": 141251, "scanner": "osv-scanner", "fingerprint": "d36860c61ac4081693eb3effdecbf3b561f0c60c289b6655e5fe4de2985f513e", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33750"], "package": "brace-expansion", "rule_id": "GHSA-f886-m6hf-6m8v", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-33750|frontend/web/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/web/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2g4f-4pwh-qvx6", "level": "warning", "message": {"text": "ajv: GHSA-2g4f-4pwh-qvx6"}, "properties": {"repobilityId": 141250, "scanner": "osv-scanner", "fingerprint": "7d4ea678e77c1a196b3dd5a3152df389f20a048873da19f9be4f7531fb6f2f5c", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-69873"], "package": "ajv", "rule_id": "GHSA-2g4f-4pwh-qvx6", "scanner": "osv-scanner", "correlation_key": "vuln|ajv|CVE-2025-69873|frontend/web/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/web/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `api` image uses the latest tag"}, "properties": {"repobilityId": 141247, "scanner": "repobility-docker", "fingerprint": "b81a45f912f0ebc90bd24c4eb88558beb4b39c4678f46a52c94bc2c8df1a8b96", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "ghcr.io/dsgnr/portcheckerio-api:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|b81a45f912f0ebc90bd24c4eb88558beb4b39c4678f46a52c94bc2c8df1a8b96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `web` image uses the latest tag"}, "properties": {"repobilityId": 141244, "scanner": "repobility-docker", "fingerprint": "e6e3b51ae8c57081ebc4f1f04ebd46ab51f85ab2179d9264758b8cbbbf5819b8", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "ghcr.io/dsgnr/portcheckerio-web:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e6e3b51ae8c57081ebc4f1f04ebd46ab51f85ab2179d9264758b8cbbbf5819b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 141243, "scanner": "repobility-docker", "fingerprint": "ddc16ece261268f71738a77567e1997f1833363fea45b4b4fa4d70a8e980a463", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:25-alpine3.22", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|ddc16ece261268f71738a77567e1997f1833363fea45b4b4fa4d70a8e980a463"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/Dockerfile.dev"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 141242, "scanner": "repobility-docker", "fingerprint": "57a329f88626cca831a4cf1bbdfc16190a023368cded904f756221edd5ff8973", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "nginx:stable-alpine-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|57a329f88626cca831a4cf1bbdfc16190a023368cded904f756221edd5ff8973"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/Dockerfile"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 141241, "scanner": "repobility-docker", "fingerprint": "d11cc957d1c0e5f9c30b2bb3108843ddbb53fa8bebdee257a87cff7128e9b7a3", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.13-alpine3.23", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d11cc957d1c0e5f9c30b2bb3108843ddbb53fa8bebdee257a87cff7128e9b7a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/Dockerfile.dev"}, "region": {"startLine": 15}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 141240, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 141239, "scanner": "repobility-docker", "fingerprint": "d58bb53e91e45ac1daad6b01d2487818df7270c49d510f5038be2e4321df7438", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.13-alpine3.23", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d58bb53e91e45ac1daad6b01d2487818df7270c49d510f5038be2e4321df7438"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/Dockerfile"}, "region": {"startLine": 15}}}]}, {"ruleId": "DEPCUR-PY", "level": "warning", "message": {"text": "Python package `tzdata` is 1 major version(s) behind (2025.1 -> 2026.2)"}, "properties": {"repobilityId": 141228, "scanner": "repobility-dependency-currency", "fingerprint": "e201bb3204cb7111a4736fe152fd4e04e54adf7786af44e4b6ebd9b3ed8faffd", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "tzdata", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "2026.2", "correlation_key": "fp|e201bb3204cb7111a4736fe152fd4e04e54adf7786af44e4b6ebd9b3ed8faffd", "current_version": "2025.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "warning", "message": {"text": "Python package `rich` is 2 major version(s) behind (13.9.4 -> 15.0.0)"}, "properties": {"repobilityId": 141225, "scanner": "repobility-dependency-currency", "fingerprint": "bcb7f30d2a61f6324424ebcd847f76c6b783baa7766c82593e9313fa6e28f7b5", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "rich", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "15.0.0", "correlation_key": "fp|bcb7f30d2a61f6324424ebcd847f76c6b783baa7766c82593e9313fa6e28f7b5", "current_version": "13.9.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "warning", "message": {"text": "Python package `polyfactory` is 1 major version(s) behind (2.19.0 -> 3.3.0)"}, "properties": {"repobilityId": 141221, "scanner": "repobility-dependency-currency", "fingerprint": "127ad50595277d044e98098123dbde3d292f87f3d9923aa8fd47744fe2a3fa3f", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "polyfactory", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "3.3.0", "correlation_key": "fp|127ad50595277d044e98098123dbde3d292f87f3d9923aa8fd47744fe2a3fa3f", "current_version": "2.19.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "warning", "message": {"text": "Python package `packaging` is 2 major version(s) behind (24.2 -> 26.2)"}, "properties": {"repobilityId": 141218, "scanner": "repobility-dependency-currency", "fingerprint": "626769092d47b599bcc4a9e832b0fb346aa37615f996df859dec779e56d75d68", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "packaging", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "26.2", "correlation_key": "fp|626769092d47b599bcc4a9e832b0fb346aa37615f996df859dec779e56d75d68", "current_version": "24.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "warning", "message": {"text": "Python package `markdown-it-py` is 1 major version(s) behind (3.0.0 -> 4.2.0)"}, "properties": {"repobilityId": 141215, "scanner": "repobility-dependency-currency", "fingerprint": "0ddf2d745bfe2ae48f718f82486f442044414f377025a61db2fd3dbf3c70a2fa", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "markdown-it-py", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "4.2.0", "correlation_key": "fp|0ddf2d745bfe2ae48f718f82486f442044414f377025a61db2fd3dbf3c70a2fa", "current_version": "3.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "warning", "message": {"text": "Python package `faker` is 3 major version(s) behind (37.0.1 -> 40.21.0)"}, "properties": {"repobilityId": 141210, "scanner": "repobility-dependency-currency", "fingerprint": "2debee7c0bc3a4565ee6ecc379a02ebd0490aed883a51dd24d5399cf42cf649b", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "faker", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "40.21.0", "correlation_key": "fp|2debee7c0bc3a4565ee6ecc379a02ebd0490aed883a51dd24d5399cf42cf649b", "current_version": "37.0.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "warning", "message": {"text": "Python package `certifi` is 1 major version(s) behind (2025.1.31 -> 2026.5.20)"}, "properties": {"repobilityId": 141207, "scanner": "repobility-dependency-currency", "fingerprint": "e8f1b4fb0c3520825c477dceda7e5346f536828c812958352b5546cb60d6d2a1", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "certifi", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "2026.5.20", "correlation_key": "fp|e8f1b4fb0c3520825c477dceda7e5346f536828c812958352b5546cb60d6d2a1", "current_version": "2025.1.31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC005", "level": "note", "message": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"repobilityId": 141265, "scanner": "repobility-access-control", "fingerprint": "c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e", "category": "auth", "severity": "low", "confidence": 0.76, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Django"], "correlation_key": "fp|c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e"}}}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 141249, "scanner": "repobility-docker", "fingerprint": "7182cc491df4593669d0d78a00fb910b19a9ed29d037d9fdc24cc507ef2e291b", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "api", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7182cc491df4593669d0d78a00fb910b19a9ed29d037d9fdc24cc507ef2e291b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 141248, "scanner": "repobility-docker", "fingerprint": "7b13b229b4a10fb67971aac197601c8c2bc2f1ea03714476604e7dd76377fcbe", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "api", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7b13b229b4a10fb67971aac197601c8c2bc2f1ea03714476604e7dd76377fcbe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 141246, "scanner": "repobility-docker", "fingerprint": "b475622bc6c7ce56787d76ba73adf53e45403f7a8f2512d3760503f86cb3db5f", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "web", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b475622bc6c7ce56787d76ba73adf53e45403f7a8f2512d3760503f86cb3db5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 141245, "scanner": "repobility-docker", "fingerprint": "97dfa280054fe91053c0b8faca2031f5a1f0c150e6a81ab204ad66cc0a0e6cca", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "web", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|97dfa280054fe91053c0b8faca2031f5a1f0c150e6a81ab204ad66cc0a0e6cca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 141236, "scanner": "repobility-threat-engine", "fingerprint": "eacdf3a6fc4856ec8e1894ba2c08bcc4eabb602cdcb8fb70a068072a221dad53", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = `", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|220|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/web/src/js/index.js"}, "region": {"startLine": 220}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `globals` is minor version(s) behind (^17.4.0 -> 17.6.0)"}, "properties": {"repobilityId": 141229, "scanner": "repobility-dependency-currency", "fingerprint": "fd53f44ea0e59a8be281ecfa5d6228fec9cca2e121571ca80cdfc61ba150ecaa", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "globals", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "17.6.0", "correlation_key": "fp|fd53f44ea0e59a8be281ecfa5d6228fec9cca2e121571ca80cdfc61ba150ecaa", "current_version": "^17.4.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `tomlkit` is minor version(s) behind (0.13.2 -> 0.15.0)"}, "properties": {"repobilityId": 141227, "scanner": "repobility-dependency-currency", "fingerprint": "3ab303a7a63b7e2090819ecbb5fa86d33e7663f614e6f0ae23b9ab519af8cda0", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "tomlkit", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "0.15.0", "correlation_key": "fp|3ab303a7a63b7e2090819ecbb5fa86d33e7663f614e6f0ae23b9ab519af8cda0", "current_version": "0.13.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `rich-click` is minor version(s) behind (1.8.8 -> 1.9.8)"}, "properties": {"repobilityId": 141226, "scanner": "repobility-dependency-currency", "fingerprint": "172b5ec6f13d70d7b4bf762dbef21505cb55edfd4410a1e730bdd62448fc60dd", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "rich-click", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "1.9.8", "correlation_key": "fp|172b5ec6f13d70d7b4bf762dbef21505cb55edfd4410a1e730bdd62448fc60dd", "current_version": "1.8.8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `prometheus-client` is minor version(s) behind (0.21.1 -> 0.25.0)"}, "properties": {"repobilityId": 141222, "scanner": "repobility-dependency-currency", "fingerprint": "a0f94bed7917a474c7d76c6abdb38a2c43a558d0b8832371536e7a1a0837b315", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "prometheus-client", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "0.25.0", "correlation_key": "fp|a0f94bed7917a474c7d76c6abdb38a2c43a558d0b8832371536e7a1a0837b315", "current_version": "0.21.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `pluggy` is minor version(s) behind (1.5.0 -> 1.6.0)"}, "properties": {"repobilityId": 141220, "scanner": "repobility-dependency-currency", "fingerprint": "b0510d84e3e12df31735b33a865043322306ca33b3e22a35d153add63e5c9665", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "pluggy", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "1.6.0", "correlation_key": "fp|b0510d84e3e12df31735b33a865043322306ca33b3e22a35d153add63e5c9665", "current_version": "1.5.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `platformdirs` is minor version(s) behind (4.3.6 -> 4.10.0)"}, "properties": {"repobilityId": 141219, "scanner": "repobility-dependency-currency", "fingerprint": "5f260c3c1e7770b267f0282f79abd2a3aa386d8ead1988fd34fb3adbfc713b07", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "platformdirs", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "4.10.0", "correlation_key": "fp|5f260c3c1e7770b267f0282f79abd2a3aa386d8ead1988fd34fb3adbfc713b07", "current_version": "4.3.6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `multipart` is minor version(s) behind (1.2.2 -> 1.3.1)"}, "properties": {"repobilityId": 141217, "scanner": "repobility-dependency-currency", "fingerprint": "756d295d3edd5c0c2a694f7ba44cf5d62f75e40b6746dee9c12c9b98aeefd7aa", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "multipart", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "1.3.1", "correlation_key": "fp|756d295d3edd5c0c2a694f7ba44cf5d62f75e40b6746dee9c12c9b98aeefd7aa", "current_version": "1.2.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `msgspec` is minor version(s) behind (0.19.0 -> 0.21.1)"}, "properties": {"repobilityId": 141216, "scanner": "repobility-dependency-currency", "fingerprint": "a4929d651f6f29c9027caeed309ea28ca6325a36ee9136c451cc70806cad7309", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "msgspec", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "0.21.1", "correlation_key": "fp|a4929d651f6f29c9027caeed309ea28ca6325a36ee9136c451cc70806cad7309", "current_version": "0.19.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `litestar-htmx` is minor version(s) behind (0.4.1 -> 0.5.0)"}, "properties": {"repobilityId": 141214, "scanner": "repobility-dependency-currency", "fingerprint": "4eb746f68ac0431933560125b231936b60a897fe08a614eeea77dd700cdc9b01", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "litestar-htmx", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "0.5.0", "correlation_key": "fp|4eb746f68ac0431933560125b231936b60a897fe08a614eeea77dd700cdc9b01", "current_version": "0.4.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `iniconfig` is minor version(s) behind (2.0.0 -> 2.3.0)"}, "properties": {"repobilityId": 141213, "scanner": "repobility-dependency-currency", "fingerprint": "b0386f01f6804a8c70eb959f22a2d8a968e1dc4d2bd4253ce3f86f7b95777f44", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "iniconfig", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "2.3.0", "correlation_key": "fp|b0386f01f6804a8c70eb959f22a2d8a968e1dc4d2bd4253ce3f86f7b95777f44", "current_version": "2.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `idna` is minor version(s) behind (3.15 -> 3.18)"}, "properties": {"repobilityId": 141212, "scanner": "repobility-dependency-currency", "fingerprint": "e15b5a36a86bdd026562481f0688380e0887831db4ae9d760b634fc91a67ecca", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "idna", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "3.18", "correlation_key": "fp|e15b5a36a86bdd026562481f0688380e0887831db4ae9d760b634fc91a67ecca", "current_version": "3.15"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `httpx` is minor version(s) behind (0.25.1 -> 0.28.1)"}, "properties": {"repobilityId": 141211, "scanner": "repobility-dependency-currency", "fingerprint": "6d8b0d525341921b28ca8b264feb436ecccd4f36faa4f2a6d5d022e2703a0d93", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "httpx", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "0.28.1", "correlation_key": "fp|6d8b0d525341921b28ca8b264feb436ecccd4f36faa4f2a6d5d022e2703a0d93", "current_version": "0.25.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `dill` is minor version(s) behind (0.3.9 -> 0.4.1)"}, "properties": {"repobilityId": 141209, "scanner": "repobility-dependency-currency", "fingerprint": "59591609342db81b2843a14fb07335a8803184c02202aa3c384784559a2564f6", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "dill", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "0.4.1", "correlation_key": "fp|59591609342db81b2843a14fb07335a8803184c02202aa3c384784559a2564f6", "current_version": "0.3.9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `click` is minor version(s) behind (8.1.8 -> 8.4.1)"}, "properties": {"repobilityId": 141208, "scanner": "repobility-dependency-currency", "fingerprint": "76d9711e0759165854505efad35ffca8fbe3826d1fec10f121730337c1975100", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "click", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "8.4.1", "correlation_key": "fp|76d9711e0759165854505efad35ffca8fbe3826d1fec10f121730337c1975100", "current_version": "8.1.8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `astroid` is minor version(s) behind (4.0.2 -> 4.1.2)"}, "properties": {"repobilityId": 141206, "scanner": "repobility-dependency-currency", "fingerprint": "c5c076bc3fb27b9891e07eca1181c1efce9070783af0bf85888f24fcab22f2e0", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "astroid", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "4.1.2", "correlation_key": "fp|c5c076bc3fb27b9891e07eca1181c1efce9070783af0bf85888f24fcab22f2e0", "current_version": "4.0.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `anyio` is minor version(s) behind (4.9.0 -> 4.13.0)"}, "properties": {"repobilityId": 141205, "scanner": "repobility-dependency-currency", "fingerprint": "aad4d30e3e66cf9cbe47fe58ee2b98c4a49bca2825e7ef41abd989729d5e2057", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "anyio", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "4.13.0", "correlation_key": "fp|aad4d30e3e66cf9cbe47fe58ee2b98c4a49bca2825e7ef41abd989729d5e2057", "current_version": "4.9.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 141172, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7bca3a87c4b7d26ed8a641e4508da320f902c483c9d4a575ea5032a833d4ffd1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/api/app/routes/v1.py", "duplicate_line": 18, "correlation_key": "fp|7bca3a87c4b7d26ed8a641e4508da320f902c483c9d4a575ea5032a833d4ffd1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/api/app/routes/v2.py"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 141238, "scanner": "repobility-threat-engine", "fingerprint": "095ad003eff3665630d1b9db114267568ef95d78ba5e12afc83782e5ebb3b3bc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|095ad003eff3665630d1b9db114267568ef95d78ba5e12afc83782e5ebb3b3bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/web/src/js/index.js"}, "region": {"startLine": 149}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 141235, "scanner": "repobility-threat-engine", "fingerprint": "d20a6d7cf9912d5c006a12cd6a6e624b38e4dd1735065f780ebfdb5f83cbc567", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d20a6d7cf9912d5c006a12cd6a6e624b38e4dd1735065f780ebfdb5f83cbc567"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/entrypoint.sh"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 141234, "scanner": "repobility-threat-engine", "fingerprint": "362d3bf68ebadf07bd7e80a13ef7ff5089efe43b5b1efae2aadc2ef87efd8789", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|362d3bf68ebadf07bd7e80a13ef7ff5089efe43b5b1efae2aadc2ef87efd8789"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 9}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `webpack-cli` is patch version(s) behind (^7.0.2 -> 7.0.3)"}, "properties": {"repobilityId": 141233, "scanner": "repobility-dependency-currency", "fingerprint": "2f0ca3f287d24bce1752b4853fa2240a2ef66f0b937b8ec743e5630035d9568a", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "webpack-cli", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.0.3", "correlation_key": "fp|2f0ca3f287d24bce1752b4853fa2240a2ef66f0b937b8ec743e5630035d9568a", "current_version": "^7.0.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `prettier` is patch version(s) behind (^3.8.1 -> 3.8.3)"}, "properties": {"repobilityId": 141232, "scanner": "repobility-dependency-currency", "fingerprint": "fd5151644209109d341dde8b1f18106761338a8162ceddd3b2a3b1c19c6dbb55", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "prettier", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.8.3", "correlation_key": "fp|fd5151644209109d341dde8b1f18106761338a8162ceddd3b2a3b1c19c6dbb55", "current_version": "^3.8.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `mini-css-extract-plugin` is patch version(s) behind (^2.10.0 -> 2.10.2)"}, "properties": {"repobilityId": 141231, "scanner": "repobility-dependency-currency", "fingerprint": "49f27437dea3404f068b10609cf4a2fc194bf647437c742303749e441f3bd7a9", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "mini-css-extract-plugin", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.10.2", "correlation_key": "fp|49f27437dea3404f068b10609cf4a2fc194bf647437c742303749e441f3bd7a9", "current_version": "^2.10.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `html-webpack-plugin` is patch version(s) behind (^5.6.6 -> 5.6.7)"}, "properties": {"repobilityId": 141230, "scanner": "repobility-dependency-currency", "fingerprint": "65460bb92cc42092cd6e05e1428765c371ed1c9e0333877e0049c3de5775df59", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "html-webpack-plugin", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.6.7", "correlation_key": "fp|65460bb92cc42092cd6e05e1428765c371ed1c9e0333877e0049c3de5775df59", "current_version": "^5.6.6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "none", "message": {"text": "Python package `pyyaml` is patch version(s) behind (6.0.2 -> 6.0.3)"}, "properties": {"repobilityId": 141224, "scanner": "repobility-dependency-currency", "fingerprint": "285d139a4bbdd2fb7be5d01979a2a9e53bc0d829455326fddd57556cba8152c3", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "pyyaml", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "6.0.3", "correlation_key": "fp|285d139a4bbdd2fb7be5d01979a2a9e53bc0d829455326fddd57556cba8152c3", "current_version": "6.0.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "none", "message": {"text": "Python package `pydantic` is patch version(s) behind (2.13.3 -> 2.13.4)"}, "properties": {"repobilityId": 141223, "scanner": "repobility-dependency-currency", "fingerprint": "978d995b050a36a9f1f88e8d2c2413cdb93cd5df502e8c7e9eb80bd5284ff4f0", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "pydantic", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "2.13.4", "correlation_key": "fp|978d995b050a36a9f1f88e8d2c2413cdb93cd5df502e8c7e9eb80bd5284ff4f0", "current_version": "2.13.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-hxcc-f52p-wc94", "level": "error", "message": {"text": "serialize-javascript: GHSA-hxcc-f52p-wc94"}, "properties": {"repobilityId": 141261, "scanner": "osv-scanner", "fingerprint": "70b102e4d1744e64078fdf89ff350563d3af03c66e66f901761868bc7fa06073", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2020-7660"], "package": "serialize-javascript", "rule_id": "GHSA-hxcc-f52p-wc94", "scanner": "osv-scanner", "correlation_key": "vuln|serialize-javascript|CVE-2020-7660|frontend/web/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/web/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5c6j-r48x-rmvq", "level": "error", "message": {"text": "serialize-javascript: GHSA-5c6j-r48x-rmvq"}, "properties": {"repobilityId": 141259, "scanner": "osv-scanner", "fingerprint": "1384a7f5a6a3436c3fcded830a244394774f4ada24d711556fc01344923ac199", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "serialize-javascript", "rule_id": "GHSA-5c6j-r48x-rmvq", "scanner": "osv-scanner", "correlation_key": "vuln|serialize-javascript|GHSA-5C6J-R48X-RMVQ|frontend/web/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/web/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c2c7-rcm5-vvqj", "level": "error", "message": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "properties": {"repobilityId": 141257, "scanner": "osv-scanner", "fingerprint": "b086f1072e6426983f77232470007d194cdc11ddd27953ab154b690f4a8cd435", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33671"], "package": "picomatch", "rule_id": "GHSA-c2c7-rcm5-vvqj", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33671|frontend/web/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/web/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-37ch-88jc-xwx2", "level": "error", "message": {"text": "path-to-regexp: GHSA-37ch-88jc-xwx2"}, "properties": {"repobilityId": 141255, "scanner": "osv-scanner", "fingerprint": "425a1d5e081a83954a4cd54a374a1bd5ea96b02c54819e6d68d27c8c984dbfcc", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4867"], "package": "path-to-regexp", "rule_id": "GHSA-37ch-88jc-xwx2", "scanner": "osv-scanner", "correlation_key": "vuln|path-to-regexp|CVE-2026-4867|frontend/web/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/web/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7r86-cg39-jmmj", "level": "error", "message": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "properties": {"repobilityId": 141254, "scanner": "osv-scanner", "fingerprint": "6d316b7f646fe6aa0af91627d36c50c4af4d58da2e033aca5dfce69a8e4af8d8", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27903"], "package": "minimatch", "rule_id": "GHSA-7r86-cg39-jmmj", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27903|frontend/web/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/web/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3ppc-4f35-3m26", "level": "error", "message": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "properties": {"repobilityId": 141253, "scanner": "osv-scanner", "fingerprint": "51e30a28a1f5d1250a1ceb35d8802e8f7a16ae230aa0180926aef927d1687de8", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-26996"], "package": "minimatch", "rule_id": "GHSA-3ppc-4f35-3m26", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-26996|frontend/web/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/web/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-23c5-xmqv-rm74", "level": "error", "message": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "properties": {"repobilityId": 141252, "scanner": "osv-scanner", "fingerprint": "12ab69aba85c49bdcc9812652c32d5d21bf6f90de342cc4fb2a96d2b75113cec", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27904"], "package": "minimatch", "rule_id": "GHSA-23c5-xmqv-rm74", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27904|frontend/web/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/web/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any