{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Add robots.txt at the web root or a framework-native robots route. Include an explicit Sitemap directive and disallow only private paths."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 14 more): Same pattern found in 14 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 9 more): Same pattern found in 9 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `googleapis/release-please-action` pinned to mutable ref `@v5`: `uses: googleapis/release-please-actio", "shortDescription": {"text": "[MINED115] Action `googleapis/release-please-action` pinned to mutable ref `@v5`: `uses: googleapis/release-please-action@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/ch"}, "fullDescription": {"text": "Replace with: `uses: googleapis/release-please-action@<40-char-sha>  # v5` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.ALGOLIA_CRAWLER_ID` on a `pull_request` trigger: This workflow triggers on `pull_reque", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.ALGOLIA_CRAWLER_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ALGOLIA_CRAWLER_ID }` lets a PR from any fork exfiltrate "}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED035", "name": "[MINED035] Js New Function: new Function(...) compiles strings to functions.", "shortDescription": {"text": "[MINED035] Js New Function: new Function(...) compiles strings to functions."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/775"}, "properties": {"repository": "puppeteer/puppeteer", "repoUrl": "https://github.com/puppeteer/puppeteer", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 65353, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 65341, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 65339, "scanner": "repobility-threat-engine", "fingerprint": "878ec896f03d560f0e2414aecfcd7fb2653293c0af4c07477a003761d35fda06", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new Function(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|20|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/puppeteer-core/src/util/Function.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 65352, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 65351, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 65350, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 65349, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65348, "scanner": "repobility-ai-code-hygiene", "fingerprint": "087615d0f4522e4e756bc90ef89df436d1177753e2e2d96b88f020c307bf1dbd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/browsers/src/launch.ts", "duplicate_line": 408, "correlation_key": "fp|087615d0f4522e4e756bc90ef89df436d1177753e2e2d96b88f020c307bf1dbd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/puppeteer-core/src/util/ErrorLike.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65347, "scanner": "repobility-ai-code-hygiene", "fingerprint": "28939d428b7936f65833eeb7fbde275a228262b76ea60b5cf0ea5579469435dd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/puppeteer-core/src/common/BrowserWebSocketTransport.ts", "duplicate_line": 16, "correlation_key": "fp|28939d428b7936f65833eeb7fbde275a228262b76ea60b5cf0ea5579469435dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/puppeteer-core/src/node/NodeWebSocketTransport.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65346, "scanner": "repobility-ai-code-hygiene", "fingerprint": "23783724c0303909f4f7f9713931385d00a92dbf0e9785f06848a39e57ff2e7d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/puppeteer-core/src/bidi/util.ts", "duplicate_line": 89, "correlation_key": "fp|23783724c0303909f4f7f9713931385d00a92dbf0e9785f06848a39e57ff2e7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/puppeteer-core/src/cdp/utils.ts"}, "region": {"startLine": 63}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65345, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f6fe1321b94086a26786cc254f0dd22296ce445fb446e44dae085c468f1db398", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/puppeteer-core/src/bidi/Realm.ts", "duplicate_line": 96, "correlation_key": "fp|f6fe1321b94086a26786cc254f0dd22296ce445fb446e44dae085c468f1db398"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/puppeteer-core/src/cdp/ExecutionContext.ts"}, "region": {"startLine": 210}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65344, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0a3b438a6c7bab745292498cad9807760c25178bd90d195014fdd24acf07edc4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/puppeteer-core/src/cdp/CdpSession.ts", "duplicate_line": 85, "correlation_key": "fp|0a3b438a6c7bab745292498cad9807760c25178bd90d195014fdd24acf07edc4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/puppeteer-core/src/cdp/Connection.ts"}, "region": {"startLine": 158}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65343, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e776932bbff59989b659f6941b79a1d6fa19bbfedf3ebc5048c2b14fbd20dccc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/browsers/src/browser-data/chrome-headless-shell.ts", "duplicate_line": 1, "correlation_key": "fp|e776932bbff59989b659f6941b79a1d6fa19bbfedf3ebc5048c2b14fbd20dccc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browsers/src/browser-data/chromedriver.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65342, "scanner": "repobility-ai-code-hygiene", "fingerprint": "16e5cd8c7ebd228f76a11d6f3769a12ab78d5ef300c70acc328656701a141b80", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/browsers/src/browser-data/chrome-headless-shell.ts", "duplicate_line": 3, "correlation_key": "fp|16e5cd8c7ebd228f76a11d6f3769a12ab78d5ef300c70acc328656701a141b80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browsers/src/browser-data/chrome.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 65337, "scanner": "repobility-threat-engine", "fingerprint": "90e362140b3866d3dde8a0b6f82265c37c04ba196167c3d2b3ae3d096ee15566", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|90e362140b3866d3dde8a0b6f82265c37c04ba196167c3d2b3ae3d096ee15566", "aggregated_count": 7}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 65336, "scanner": "repobility-threat-engine", "fingerprint": "60d99f5199036dfa2d21bf83d138dc04ae2427e0babe47842c0cde05412e1c28", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|60d99f5199036dfa2d21bf83d138dc04ae2427e0babe47842c0cde05412e1c28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/puppeteer-core/src/bidi/Deserializer.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 65335, "scanner": "repobility-threat-engine", "fingerprint": "947ab4ca69a427de571c4a5f045b86189f20e4731f54337017806a2434bce18e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|947ab4ca69a427de571c4a5f045b86189f20e4731f54337017806a2434bce18e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/puppeteer-core/src/api/JSHandle.ts"}, "region": {"startLine": 154}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 65334, "scanner": "repobility-threat-engine", "fingerprint": "1ba177f88ef4096c0ccb045749d58ac7a317243644a073930b27f0e00d6d8ad5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1ba177f88ef4096c0ccb045749d58ac7a317243644a073930b27f0e00d6d8ad5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ng-schematics/src/schematics/utils/packages.ts"}, "region": {"startLine": 186}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 65333, "scanner": "repobility-threat-engine", "fingerprint": "57a66d8089dbb0f16c0fbc2c99bff20835ea29c668391e3ba302d34ec078a586", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|57a66d8089dbb0f16c0fbc2c99bff20835ea29c668391e3ba302d34ec078a586", "aggregated_count": 2}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 65332, "scanner": "repobility-threat-engine", "fingerprint": "e0ae9ce94b246c40eaa90defb5ac7758315bc7bbce3b46b955b193c5d4167110", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e0ae9ce94b246c40eaa90defb5ac7758315bc7bbce3b46b955b193c5d4167110"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/puppeteer-core/src/cdp/CdpSession.ts"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 65331, "scanner": "repobility-threat-engine", "fingerprint": "092418e1c2d76c64a005bdb6a6a006a5660aa11a87c1a00bb0bce61ad3b59dbf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|092418e1c2d76c64a005bdb6a6a006a5660aa11a87c1a00bb0bce61ad3b59dbf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/puppeteer-core/src/bidi/BidiOverCdp.ts"}, "region": {"startLine": 181}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 65330, "scanner": "repobility-threat-engine", "fingerprint": "fdbc3dff1a74a97da97396d893537699eb28c480f7e7960e587c4aa38e781a11", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fdbc3dff1a74a97da97396d893537699eb28c480f7e7960e587c4aa38e781a11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browsers/src/fileUtil.ts"}, "region": {"startLine": 234}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 65329, "scanner": "repobility-threat-engine", "fingerprint": "7a4b0f5540cad034a1707c0e9f6ef94d621d463e55602684599877ea4071a670", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7a4b0f5540cad034a1707c0e9f6ef94d621d463e55602684599877ea4071a670"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "properties": {"repobilityId": 65325, "scanner": "repobility-threat-engine", "fingerprint": "d7c4aed36fcf8742e3f317ea547da7c0a8acc22c2285e75e640f48ef6fe8d9a7", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 14 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|d7c4aed36fcf8742e3f317ea547da7c0a8acc22c2285e75e640f48ef6fe8d9a7", "aggregated_count": 14}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 65324, "scanner": "repobility-threat-engine", "fingerprint": "8c299dbcc4274c7c6dd922f7eba8ac6ccc88a9e7675fd041b57f4fa984a21824", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8c299dbcc4274c7c6dd922f7eba8ac6ccc88a9e7675fd041b57f4fa984a21824"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/puppeteer-core/src/bidi/BrowserConnector.ts"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 65323, "scanner": "repobility-threat-engine", "fingerprint": "57745a08dd8113a69eccdcea6b7c75af214f929c9182c6e72f2655f08c90cda3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|57745a08dd8113a69eccdcea6b7c75af214f929c9182c6e72f2655f08c90cda3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browsers/src/httpUtil.ts"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 65322, "scanner": "repobility-threat-engine", "fingerprint": "fdadc1ea8a20d119b82346d97cb8cf2e0be1519319fc4c9b3085dfaba264f470", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fdadc1ea8a20d119b82346d97cb8cf2e0be1519319fc4c9b3085dfaba264f470"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browsers/src/ProgressBar.ts"}, "region": {"startLine": 142}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 65321, "scanner": "repobility-threat-engine", "fingerprint": "a0769f34321ccb4a2408866410ff258332c2e3d0c176eda236c0efe5490d0026", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a0769f34321ccb4a2408866410ff258332c2e3d0c176eda236c0efe5490d0026"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 65317, "scanner": "repobility-threat-engine", "fingerprint": "f1e161962fe043d40b0b62354f7238946ffae30e19da416a3889d752e32876be", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f1e161962fe043d40b0b62354f7238946ffae30e19da416a3889d752e32876be", "aggregated_count": 8}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 65316, "scanner": "repobility-threat-engine", "fingerprint": "5c0211ec6747eec18a4fde15ba3b855a05ac6e94892f592cffd2a6c7095b9c3b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5c0211ec6747eec18a4fde15ba3b855a05ac6e94892f592cffd2a6c7095b9c3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/detect-sniff.js"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 65315, "scanner": "repobility-threat-engine", "fingerprint": "ed118f6ea2bb585e54cdb4aae7b388f59edbda415de5140c248c4ff7f70ffd34", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ed118f6ea2bb585e54cdb4aae7b388f59edbda415de5140c248c4ff7f70ffd34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/custom-event.js"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 65314, "scanner": "repobility-threat-engine", "fingerprint": "e49d95e2ae83ad308568db6db900f08b1f26caa4a2c4a595dc2918caba4ec6c7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e49d95e2ae83ad308568db6db900f08b1f26caa4a2c4a595dc2918caba4ec6c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cross-browser.js"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `googleapis/release-please-action` pinned to mutable ref `@v5`: `uses: googleapis/release-please-action@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 65354, "scanner": "repobility-supply-chain", "fingerprint": "9c102f49f7de33a0805af1bf7443ade406399a160bea30b658cb8bf73e4dcc4c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9c102f49f7de33a0805af1bf7443ade406399a160bea30b658cb8bf73e4dcc4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-please.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 65338, "scanner": "repobility-threat-engine", "fingerprint": "4d7dafc8f10633faca06f78fde79d0cf3ec3bb49f694d73c7399d1519cd5e6ea", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(result", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4d7dafc8f10633faca06f78fde79d0cf3ec3bb49f694d73c7399d1519cd5e6ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/puppeteer-core/src/bidi/Deserializer.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 65328, "scanner": "repobility-threat-engine", "fingerprint": "b48a3127ed67877b165f85b44e0db9a06380cd5077a4570bab55b1815e83d116", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "callPuppeteer.args.delete(seq);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b48a3127ed67877b165f85b44e0db9a06380cd5077a4570bab55b1815e83d116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/puppeteer-core/src/cdp/utils.ts"}, "region": {"startLine": 288}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 65327, "scanner": "repobility-threat-engine", "fingerprint": "6bc4fdbb2f1b29cf40aef312d974bf2d6ead43f97817d0ebf7eebf395618abf6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "callbacks.delete(seq);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6bc4fdbb2f1b29cf40aef312d974bf2d6ead43f97817d0ebf7eebf395618abf6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/puppeteer-core/src/cdp/Binding.ts"}, "region": {"startLine": 86}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 65326, "scanner": "repobility-threat-engine", "fingerprint": "1d26c6d04f38d57ea2e7e086715c2f24bbe664314738f6403682ad14f6833262", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "stream.destroy(e);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1d26c6d04f38d57ea2e7e086715c2f24bbe664314738f6403682ad14f6833262"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browsers/src/fileUtil.ts"}, "region": {"startLine": 85}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 65320, "scanner": "repobility-threat-engine", "fingerprint": "5709557746206069ab97eb6e72914a57420b6767990f8113278f0d276e631f83", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(\n  p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5709557746206069ab97eb6e72914a57420b6767990f8113278f0d276e631f83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browsers/src/browser-data/chromedriver.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 65319, "scanner": "repobility-threat-engine", "fingerprint": "236181bdeefbae31e242bf3e69a8ea2fea0e530439424eafa268eb32c300c376", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(\n  p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|236181bdeefbae31e242bf3e69a8ea2fea0e530439424eafa268eb32c300c376"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browsers/src/browser-data/chrome-headless-shell.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 65318, "scanner": "repobility-threat-engine", "fingerprint": "4eccf92e850b90fa48949a911317e55087b737798da15a1e54f2f448be01dbfd", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(o", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4eccf92e850b90fa48949a911317e55087b737798da15a1e54f2f448be01dbfd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/browsers/src/DefaultProvider.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ALGOLIA_CRAWLER_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ALGOLIA_CRAWLER_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 65360, "scanner": "repobility-supply-chain", "fingerprint": "e25cbc2eb977624fdd8412b2aa74866b95c341dfbbcb8c12899972bbcf22bef7", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e25cbc2eb977624fdd8412b2aa74866b95c341dfbbcb8c12899972bbcf22bef7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 127}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ALGOLIA_CRAWLER_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ALGOLIA_CRAWLER_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 65359, "scanner": "repobility-supply-chain", "fingerprint": "242ec030a662d9fd77ebb7b1bba50e88f5517632ab07e2e4addf19d66398f350", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|242ec030a662d9fd77ebb7b1bba50e88f5517632ab07e2e4addf19d66398f350"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ALGOLIA_CRAWLER_USER_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ALGOLIA_CRAWLER_USER_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 65358, "scanner": "repobility-supply-chain", "fingerprint": "192feced03ac535071d6034682d137f56c23477d430c1237462db8cb9287a867", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|192feced03ac535071d6034682d137f56c23477d430c1237462db8cb9287a867"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 125}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ALGOLIA_CRAWLER_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ALGOLIA_CRAWLER_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 65357, "scanner": "repobility-supply-chain", "fingerprint": "a8ebf30c62e99d256bccf7813a76b852414d2894df5b88b9d412db5346a9ad68", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a8ebf30c62e99d256bccf7813a76b852414d2894df5b88b9d412db5346a9ad68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ALGOLIA_CRAWLER_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ALGOLIA_CRAWLER_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 65356, "scanner": "repobility-supply-chain", "fingerprint": "3b8870cef3c94c238a77602e563e0afccf7ae5b13449537f4fb66ec2bd9e5f78", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3b8870cef3c94c238a77602e563e0afccf7ae5b13449537f4fb66ec2bd9e5f78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ALGOLIA_CRAWLER_USER_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ALGOLIA_CRAWLER_USER_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 65355, "scanner": "repobility-supply-chain", "fingerprint": "3d7ff175c2e9eb3bc47bf4d60aff111bca349f0a47b37051ca4b25e2021da4a2", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3d7ff175c2e9eb3bc47bf4d60aff111bca349f0a47b37051ca4b25e2021da4a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 114}}}]}, {"ruleId": "MINED035", "level": "error", "message": {"text": "[MINED035] Js New Function: new Function(...) compiles strings to functions."}, "properties": {"repobilityId": 65340, "scanner": "repobility-threat-engine", "fingerprint": "3bf3d45864f9b6e65c0c82860f2549cf06c32fc233c578d4d820c879328dfb33", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-new-function", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347980+00:00", "triaged_in_corpus": 20, "observations_count": 2547, "ai_coder_pattern_id": 104}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3bf3d45864f9b6e65c0c82860f2549cf06c32fc233c578d4d820c879328dfb33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/puppeteer-core/src/util/Function.ts"}, "region": {"startLine": 20}}}]}]}]}