{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "SEC046", "name": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supp", "shortDescription": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromis"}, "fullDescription": {"text": "Validate the URL is same-origin or on an explicit allowlist before assignment:\n  const u = new URL(serverUrl, location.href);\n  if (u.origin !== location.origin && !ALLOWED.includes(u.host)) return;\n  location.assign(u);\nEven better: have the server return a path (/checkout/done) instead of a full URL, and only allow same-origin navigation."}, "properties": {"scanner": "repobility-threat-engine", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC007", "name": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.", "shortDescription": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "fullDescription": {"text": "Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "AUC005", "name": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or sup", "shortDescription": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "fullDescription": {"text": "Add regression tests for anonymous denial, cross-user object denial, admin role limits, and super_admin-only behavior."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "low", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Files named as final, fixed, copy, new, or backup are often temporary patch artifacts. They may be legitimate, but they deserve review before becoming production surface area."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 17 more): Same pattern found in 17 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 17 more): Same pattern found in 17 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 15 more): Same pattern found in 15 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED057", "name": "[MINED057] Todo Bomb (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[MINED057] Todo Bomb (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 13 more): Same pattern found in 13 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal (and 18 more): Same pattern found in 18 additional files. Review if needed.", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 35 more): Same pattern found in 35 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 35 more): Same pattern found in 35 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 72 more): Same pattern found in 72 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 72 more): Same pattern found in 72 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 26 more): Same pattern found in 26 additional f", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 26 more): Same pattern found in 26 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `Shopify/snapit` pinned to mutable ref `@v0.0.14`: `uses: Shopify/snapit@v0.0.14` resolves at workflow", "shortDescription": {"text": "[MINED115] Action `Shopify/snapit` pinned to mutable ref `@v0.0.14`: `uses: Shopify/snapit@v0.0.14` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (20"}, "fullDescription": {"text": "Replace with: `uses: Shopify/snapit@<40-char-sha>  # v0.0.14` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC114", "name": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker", "shortDescription": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "fullDescription": {"text": "After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.CHROMATIC_PROJECT_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.CHROMATIC_PROJECT_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CHROMATIC_PROJECT_TOKEN }` lets a PR from any fork e"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED018", "name": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/fi", "shortDescription": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-502 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC116", "name": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrar", "shortDescription": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "fullDescription": {"text": "Use `YAML.safe_load(input, permitted_classes: [Date])` \u2014 explicit class allowlist. Never use `Marshal.load` on untrusted data; serialize as JSON instead."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC079", "name": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python obje", "shortDescription": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "fullDescription": {"text": "Use `yaml.safe_load(data)` or `yaml.load(data, Loader=yaml.SafeLoader)`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/161"}, "properties": {"repository": "Shopify/polaris-react", "repoUrl": "https://github.com/Shopify/polaris-react.git", "branch": "main"}, "results": [{"ruleId": "SEC046", "level": "warning", "message": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). Complement to server-side SEC030."}, "properties": {"repobilityId": 41308, "scanner": "repobility-threat-engine", "fingerprint": "b7f6a35a482a9bd5f4de592e2fa148c940bd3339a83d5d0aae34a129358337dd", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "location.href = WEB_COMPONENTS_URL", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC046", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b7f6a35a482a9bd5f4de592e2fa148c940bd3339a83d5d0aae34a129358337dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris.shopify.com/src/components/InterstitialModal/InterstitialModal.tsx"}, "region": {"startLine": 199}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 41307, "scanner": "repobility-threat-engine", "fingerprint": "b2a06e7921fee88251d71b49ae907261b6f79f28e12237ef45ebfb4599096557", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch (e) {\n    return true;\n  }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b2a06e7921fee88251d71b49ae907261b6f79f28e12237ef45ebfb4599096557"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris.shopify.com/playroom/FrameComponent.tsx"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 41296, "scanner": "repobility-threat-engine", "fingerprint": "01b774250da98bbbd9295186adcb6ea9b2056bdcd51f7eb88e608713b4230a1c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url=\"https://www.example.com", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|01b774250da98bbbd9295186adcb6ea9b2056bdcd51f7eb88e608713b4230a1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris.shopify.com/pages/examples/data-table-with-fixed-first-columns.tsx"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 41295, "scanner": "repobility-threat-engine", "fingerprint": "17b0caa23e044613183ef9ea8dedc6ea1ea32f628bd1b4ae09008c9a601616f2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url=\"https://www.example.com", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|17b0caa23e044613183ef9ea8dedc6ea1ea32f628bd1b4ae09008c9a601616f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris.shopify.com/pages/examples/data-table-with-all-of-its-elements.tsx"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 41294, "scanner": "repobility-threat-engine", "fingerprint": "7b50d462bdffdb064bd0ebe11424d854099148f978844a9627f3a5884a906c6c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Lorem ipsum dolor sit amet", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7b50d462bdffdb064bd0ebe11424d854099148f978844a9627f3a5884a906c6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/components/Tag/Tag.stories.tsx"}, "region": {"startLine": 68}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 41293, "scanner": "repobility-threat-engine", "fingerprint": "ceb7bedb1efe55cc5c0546977e9bfceac0c977b30f5fdde21d7b1385a6e710fa", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(primaryLinkElement.current.href, '_blank')", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|177|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/components/IndexTable/components/Row/Row.tsx"}, "region": {"startLine": 177}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 41272, "scanner": "repobility-threat-engine", "fingerprint": "f825aaf1b9d74023cc2c865c6e9b426ecebd301ebb79d59f77503934b9d454ee", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|164|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/components/Picker/Picker.tsx"}, "region": {"startLine": 164}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 41271, "scanner": "repobility-threat-engine", "fingerprint": "2adb258f32c33f13af793eee862f814d919b418fe0e51ddbe8c451f3c0014753", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|182|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/config/rollup/plugin-styles.js"}, "region": {"startLine": 182}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 41270, "scanner": "repobility-threat-engine", "fingerprint": "e0224309caeab6b7d69af42df7dce66e1ace8dfc910fffb28aae086f89911174", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|16|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/config/rollup/namespaced-classname.mjs"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 41241, "scanner": "repobility-threat-engine", "fingerprint": "0c3c5e618e1ae29d2d2e4ffce683fa6ffe5c97a12d6cce4c53be35aa3de7293c", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|9|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris.shopify.com/src/utils/markdown.mjs"}, "region": {"startLine": 9}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 41240, "scanner": "repobility-threat-engine", "fingerprint": "a59468a6b3d63c9371b0c30288bbd5de354f11a1311c2a7222c20a68730870cd", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|28|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-icons/rollup.config.mjs"}, "region": {"startLine": 28}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 4605, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 4604, "scanner": "repobility-threat-engine", "fingerprint": "695b4d392a0eb06f4a99175efeaa3e98c61e2da40f23d8b919ae74b08944cb61", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch(k){}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|695b4d392a0eb06f4a99175efeaa3e98c61e2da40f23d8b919ae74b08944cb61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris.shopify.com/pages/_app.tsx"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 4603, "scanner": "repobility-threat-engine", "fingerprint": "e194fa6b93cde4c35afc51ccac572109e01a3965a2baf577691d582cefa99f05", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|.eslintrc.js|6|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".eslintrc.js"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41322, "scanner": "repobility-ai-code-hygiene", "fingerprint": "34ad58334b7c2bbb490826cfa8a19ddd2563dfa75e785e8d12d5ed962da9d7d0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "polaris-react/src/components/MediaCard/MediaCard.stories.tsx", "duplicate_line": 107, "correlation_key": "fp|34ad58334b7c2bbb490826cfa8a19ddd2563dfa75e785e8d12d5ed962da9d7d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/components/VideoThumbnail/VideoThumbnail.stories.tsx"}, "region": {"startLine": 34}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41321, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9358bc85d0541f3d25d25d4ade1d16556e9d3daae7af03474103c19d6a884b8f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "polaris-react/src/components/LegacyTabs/LegacyTabs.stories.tsx", "duplicate_line": 13, "correlation_key": "fp|9358bc85d0541f3d25d25d4ade1d16556e9d3daae7af03474103c19d6a884b8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/components/VideoThumbnail/VideoThumbnail.stories.tsx"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41320, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f421a260df58c8c894eadd16f28eb24222f0326cc3afd9cd428decd6675b6ed5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "polaris-react/src/components/Button/Button.tsx", "duplicate_line": 76, "correlation_key": "fp|f421a260df58c8c894eadd16f28eb24222f0326cc3afd9cd428decd6675b6ed5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/components/UnstyledButton/UnstyledButton.tsx"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41319, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fd3de40d4ce82e3f5e5773512814863ac299d8c8a2bd6b2b658395729f227de7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "polaris-react/src/components/Navigation/Navigation.tsx", "duplicate_line": 42, "correlation_key": "fp|fd3de40d4ce82e3f5e5773512814863ac299d8c8a2bd6b2b658395729f227de7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/components/TopBar/TopBar.tsx"}, "region": {"startLine": 86}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41318, "scanner": "repobility-ai-code-hygiene", "fingerprint": "aa5f057fe90ff453ae908e3f846fbff4038f326ac6010da92264dcd146b2d3fb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "polaris-react/src/components/Banner/Banner.stories.tsx", "duplicate_line": 135, "correlation_key": "fp|aa5f057fe90ff453ae908e3f846fbff4038f326ac6010da92264dcd146b2d3fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/components/Toast/Toast.stories.tsx"}, "region": {"startLine": 221}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41317, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8438d007085cd5cb750d125040de6bfbe831f349d5df63a60255d588acf93f88", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "polaris-react/src/components/LegacyTabs/utilities.ts", "duplicate_line": 4, "correlation_key": "fp|8438d007085cd5cb750d125040de6bfbe831f349d5df63a60255d588acf93f88"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/components/Tabs/utilities.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41316, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d88d155341c1eaccea61c5111fcd544301522e0ba01f10205501de2a9f368dac", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "polaris-react/src/components/LegacyTabs/components/TabMeasurer/TabMeasurer.tsx", "duplicate_line": 19, "correlation_key": "fp|d88d155341c1eaccea61c5111fcd544301522e0ba01f10205501de2a9f368dac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/components/Tabs/components/TabMeasurer/TabMeasurer.tsx"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41315, "scanner": "repobility-ai-code-hygiene", "fingerprint": "86bba2edce0ea5c7d21ae5493e9d2a735993c8b4bf0a8aba1b7dbe215b5ec4d2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "polaris-react/src/components/Tabs/components/CreateViewModal/CreateViewModal.tsx", "duplicate_line": 102, "correlation_key": "fp|86bba2edce0ea5c7d21ae5493e9d2a735993c8b4bf0a8aba1b7dbe215b5ec4d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/components/Tabs/components/Tab/components/RenameModal/RenameModal.tsx"}, "region": {"startLine": 100}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41314, "scanner": "repobility-ai-code-hygiene", "fingerprint": "01725b0dcfe77e0cab6eb5cf8f16aea9f66cecaacba398c21262b9236b3d37c3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "polaris-react/src/components/Tabs/components/Tab/components/DuplicateModal/DuplicateModal.tsx", "duplicate_line": 49, "correlation_key": "fp|01725b0dcfe77e0cab6eb5cf8f16aea9f66cecaacba398c21262b9236b3d37c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/components/Tabs/components/Tab/components/RenameModal/RenameModal.tsx"}, "region": {"startLine": 48}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41313, "scanner": "repobility-ai-code-hygiene", "fingerprint": "771378c6cbaf59ca9955c073851964fd2839d1c70113410a088c97e9fc7d8fd0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "polaris-react/src/components/Tabs/components/CreateViewModal/CreateViewModal.tsx", "duplicate_line": 102, "correlation_key": "fp|771378c6cbaf59ca9955c073851964fd2839d1c70113410a088c97e9fc7d8fd0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/components/Tabs/components/Tab/components/DuplicateModal/DuplicateModal.tsx"}, "region": {"startLine": 101}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41312, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e48c0938976010faeb77138225a06c6d7332d3a72d9559d14c61ae5d42a03716", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "polaris-react/src/components/LegacyTabs/components/Panel/Panel.tsx", "duplicate_line": 4, "correlation_key": "fp|e48c0938976010faeb77138225a06c6d7332d3a72d9559d14c61ae5d42a03716"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/components/Tabs/components/Panel/Panel.tsx"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41311, "scanner": "repobility-ai-code-hygiene", "fingerprint": "14e3ac6e7a8f3e0bbe3bc3119ae1f13c157c1648a9dd48b1b0eccdfc28465b94", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "polaris-react/src/components/LegacyTabs/components/List/List.tsx", "duplicate_line": 10, "correlation_key": "fp|14e3ac6e7a8f3e0bbe3bc3119ae1f13c157c1648a9dd48b1b0eccdfc28465b94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/components/Tabs/components/List/List.tsx"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41310, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bfd25f31fafc276f9080540e485e99ae19dbf688dfdb0e2c572f2cf864d03b1a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "polaris-react/src/components/LegacyTabs/LegacyTabs.tsx", "duplicate_line": 183, "correlation_key": "fp|bfd25f31fafc276f9080540e485e99ae19dbf688dfdb0e2c572f2cf864d03b1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/components/Tabs/Tabs.tsx"}, "region": {"startLine": 306}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41309, "scanner": "repobility-ai-code-hygiene", "fingerprint": "eb7f1c5b8d64665b54e2d1f8bba3e38dafdb1fa184d76f0d6a72e9c04d4a2c89", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "polaris-react/src/components/Popover/Popover.stories.tsx", "duplicate_line": 570, "correlation_key": "fp|eb7f1c5b8d64665b54e2d1f8bba3e38dafdb1fa184d76f0d6a72e9c04d4a2c89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/components/Sheet/Sheet.stories.tsx"}, "region": {"startLine": 322}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 41269, "scanner": "repobility-threat-engine", "fingerprint": "6b9d27a22ecd54a4d60b7f8c9d5e0bb40fe8449d2827a3acb8511a1b3d89cff6", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = J", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|31|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/.storybook/RenderPerformanceProfiler/RenderPerformanceProfiler.tsx"}, "region": {"startLine": 31}}}]}, {"ruleId": "AUC005", "level": "note", "message": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"repobilityId": 4606, "scanner": "repobility-access-control", "fingerprint": "c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e", "category": "auth", "severity": "low", "confidence": 0.76, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "correlation_key": "fp|c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e"}}}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 4602, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d96dbd5dccda2637a58253b0ad5a18e3280c9b526703e99a8fff89c3cb9a5aae", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "polaris-react/src/components/Listbox/Listbox.stories.tsx", "duplicate_line": 190, "correlation_key": "fp|d96dbd5dccda2637a58253b0ad5a18e3280c9b526703e99a8fff89c3cb9a5aae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/components/Sheet/Sheet.stories.tsx"}, "region": {"startLine": 166}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 4601, "scanner": "repobility-ai-code-hygiene", "fingerprint": "63e3659fd1fc6420e62badb0783df7c7ddc0987ba44558f156eecd76278d2e19", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "polaris-react/src/components/BulkActions/BulkActions.tsx", "duplicate_line": 139, "correlation_key": "fp|63e3659fd1fc6420e62badb0783df7c7ddc0987ba44558f156eecd76278d2e19"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/components/SelectAllActions/SelectAllActions.tsx"}, "region": {"startLine": 41}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 4600, "scanner": "repobility-ai-code-hygiene", "fingerprint": "86171c1054041a4e5b07c074860b10bdfdec4fa61b594915d959e5ede8af7bb7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "polaris-react/src/components/Listbox/Listbox.stories.tsx", "duplicate_line": 183, "correlation_key": "fp|86171c1054041a4e5b07c074860b10bdfdec4fa61b594915d959e5ede8af7bb7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/components/Popover/Popover.stories.tsx"}, "region": {"startLine": 407}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 4599, "scanner": "repobility-ai-code-hygiene", "fingerprint": "406f7edd802789dc00eae8038cb7e8dc41219dd63a7cb71552e7bd901addefc7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "polaris-react/src/components/Combobox/components/TextField/TextField.tsx", "duplicate_line": 21, "correlation_key": "fp|406f7edd802789dc00eae8038cb7e8dc41219dd63a7cb71552e7bd901addefc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/components/Picker/components/SearchField/SearchField.tsx"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 4598, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f4ec13b1f735347e48734ec749c1aed4b0a26cece1ef74a6a366cd8c8e8e139d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "polaris-react/src/components/Combobox/Combobox.tsx", "duplicate_line": 99, "correlation_key": "fp|f4ec13b1f735347e48734ec749c1aed4b0a26cece1ef74a6a366cd8c8e8e139d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/components/Picker/Picker.tsx"}, "region": {"startLine": 99}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 4597, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fc5a1d4c2b6e70fe7da9ba6f4912c37f4235f98e76b2964af5bc8dfc2cca2fa3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "polaris-react/src/components/Banner/Banner.stories.tsx", "duplicate_line": 134, "correlation_key": "fp|fc5a1d4c2b6e70fe7da9ba6f4912c37f4235f98e76b2964af5bc8dfc2cca2fa3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/components/Modal/Modal.stories.tsx"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 4596, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1b25b7b974f57f708624e2c34bdc0ed4bff1f886e582deb22b10ad4f32e9164b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "polaris-react/src/components/Card/Card.stories.tsx", "duplicate_line": 670, "correlation_key": "fp|1b25b7b974f57f708624e2c34bdc0ed4bff1f886e582deb22b10ad4f32e9164b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/components/LegacyCard/LegacyCard.stories.tsx"}, "region": {"startLine": 373}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 4595, "scanner": "repobility-ai-code-hygiene", "fingerprint": "67d1fd393db8d640ab416404b3a25a2bd56b67bee2ecadbb9bcec4742be62c83", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "polaris-react/src/components/Autocomplete/Autocomplete.stories.tsx", "duplicate_line": 14, "correlation_key": "fp|67d1fd393db8d640ab416404b3a25a2bd56b67bee2ecadbb9bcec4742be62c83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/components/Combobox/Combobox.stories.tsx"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 4594, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cdb886d55faded74a31332bf54804c103a4a57147f28328892096c39ea6212d4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "polaris-react/src/components/ColorPicker/components/AlphaPicker/AlphaPicker.tsx", "duplicate_line": 18, "correlation_key": "fp|cdb886d55faded74a31332bf54804c103a4a57147f28328892096c39ea6212d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/components/ColorPicker/components/HuePicker/HuePicker.tsx"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 4593, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d17bfe7f55dbac2d4b43f9771e304092040464a6761dd4c555722d3006aafa17", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "polaris-react/src/components/BulkActions/BulkActions.tsx", "duplicate_line": 212, "correlation_key": "fp|d17bfe7f55dbac2d4b43f9771e304092040464a6761dd4c555722d3006aafa17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/components/BulkActions/components/BulkActionsMeasurer/BulkActionsMeasurer.tsx"}, "region": {"startLine": 61}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 4592, "scanner": "repobility-ai-code-hygiene", "fingerprint": "34240b4d3f4ef291ced5a1b8b71d14e2d95f698ecb28c50c6bba1130c6b1358f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "polaris-react/src/components/ActionMenu/components/Actions/components/ActionsMeasurer/ActionsMeasurer.tsx", "duplicate_line": 35, "correlation_key": "fp|34240b4d3f4ef291ced5a1b8b71d14e2d95f698ecb28c50c6bba1130c6b1358f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/components/BulkActions/components/BulkActionsMeasurer/BulkActionsMeasurer.tsx"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 4591, "scanner": "repobility-ai-code-hygiene", "fingerprint": "be50646c678d42a9ec34ea4254d189c9c70cac785eedde7b64266e3ebd8d865f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "polaris-icons/jest.config.js", "duplicate_line": 1, "correlation_key": "fp|be50646c678d42a9ec34ea4254d189c9c70cac785eedde7b64266e3ebd8d865f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-migrator/jest.config.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 4590, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2d96595e0c0d9b737d599d63bc0e5c2972002da2958d054020fa1281b6dc9d3e", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "v8", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|2d96595e0c0d9b737d599d63bc0e5c2972002da2958d054020fa1281b6dc9d3e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris.shopify.com/src/components/IconsPage/icon-renames-v7-to-v8.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 41303, "scanner": "repobility-threat-engine", "fingerprint": "a76cbdc98f8dde1c3c34a513671d88e9a2f08a24d770d40bc43612ccd004bada", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a76cbdc98f8dde1c3c34a513671d88e9a2f08a24d770d40bc43612ccd004bada", "aggregated_count": 3}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 41302, "scanner": "repobility-threat-engine", "fingerprint": "9fb2b64b4f3721dd0332365cc21fe6cd4d1cc170e9e21cb92a01e78a49faefac", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9fb2b64b4f3721dd0332365cc21fe6cd4d1cc170e9e21cb92a01e78a49faefac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris.shopify.com/src/components/CodesandboxButton/CodesandboxButton.tsx"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 41301, "scanner": "repobility-threat-engine", "fingerprint": "e0277d4d49a85e53209238e0699f3c9793128b94eea4de6b14667f61d055bb33", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e0277d4d49a85e53209238e0699f3c9793128b94eea4de6b14667f61d055bb33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/utilities/merge.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 41300, "scanner": "repobility-threat-engine", "fingerprint": "525f3ca2ecb7f4a889f54a3e7c14bfac41d3981c95feaeeaa906cdd0c853d73f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|525f3ca2ecb7f4a889f54a3e7c14bfac41d3981c95feaeeaa906cdd0c853d73f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/components/ThemeProvider/ThemeProvider.tsx"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 41299, "scanner": "repobility-threat-engine", "fingerprint": "5e1fbbb9be828f2289235e93c2b7ae9eb847de7690e21e5c1b7409d2d08334f2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5e1fbbb9be828f2289235e93c2b7ae9eb847de7690e21e5c1b7409d2d08334f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris.shopify.com/pages/_app.tsx"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 41298, "scanner": "repobility-threat-engine", "fingerprint": "0cc22e3f39935576a6d9e82e990e325f2d87a8fb478d98820c172247cf78fc1b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0cc22e3f39935576a6d9e82e990e325f2d87a8fb478d98820c172247cf78fc1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/components/TextField/components/Resizer/Resizer.tsx"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC134", "level": "none", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 41297, "scanner": "repobility-threat-engine", "fingerprint": "c86a8223d36e18524aeee3169632549ad0e22449690a236f9850ddf0d78b00dc", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c86a8223d36e18524aeee3169632549ad0e22449690a236f9850ddf0d78b00dc"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 41292, "scanner": "repobility-threat-engine", "fingerprint": "fcf1b79a14aae5f025c6b567c2b0aaa5398159c1258f1f24d5caed89f0d0d976", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fcf1b79a14aae5f025c6b567c2b0aaa5398159c1258f1f24d5caed89f0d0d976"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris.shopify.com/scripts/gen-site-map.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 41291, "scanner": "repobility-threat-engine", "fingerprint": "7f74f5aa80b48a668051b0917395a7e7e77acd199f1e901e2ae50d7198c43e9c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7f74f5aa80b48a668051b0917395a7e7e77acd199f1e901e2ae50d7198c43e9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris.shopify.com/pages/examples/icon-with-custom-svg.tsx"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 41290, "scanner": "repobility-threat-engine", "fingerprint": "64c7f38a2d10375612c4b895c908584517552481f1a9d95294ebd4ff4037d4d5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|64c7f38a2d10375612c4b895c908584517552481f1a9d95294ebd4ff4037d4d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/components/Icon/Icon.stories.tsx"}, "region": {"startLine": 160}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 17 more): Same pattern found in 17 additional files. Review if needed."}, "properties": {"repobilityId": 41289, "scanner": "repobility-threat-engine", "fingerprint": "82c6b69256192cc53f3e97906f4b7b1953127ff4369eaf5cc476c6a6e6d7a62f", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 17 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 17 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|82c6b69256192cc53f3e97906f4b7b1953127ff4369eaf5cc476c6a6e6d7a62f"}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 41285, "scanner": "repobility-threat-engine", "fingerprint": "93cbe534951178666d5b4580a210cf7d90f5919f5b43a9731fa7dd1375669009", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|93cbe534951178666d5b4580a210cf7d90f5919f5b43a9731fa7dd1375669009", "aggregated_count": 15}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 41284, "scanner": "repobility-threat-engine", "fingerprint": "fed33aee8c08ab4f45d40c609653552ceb049c2c62406c01ad3313eb1632edb3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fed33aee8c08ab4f45d40c609653552ceb049c2c62406c01ad3313eb1632edb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/components/ButtonGroup/ButtonGroup.tsx"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 41283, "scanner": "repobility-threat-engine", "fingerprint": "494df88bff3c8b1d52c2417d32ead99c9992ab10d0411b9b6b5b402e68125cd6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|494df88bff3c8b1d52c2417d32ead99c9992ab10d0411b9b6b5b402e68125cd6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/components/BulkActions/components/BulkActionsMeasurer/BulkActionsMeasurer.tsx"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 41282, "scanner": "repobility-threat-engine", "fingerprint": "f4b0880fe9b615aa5f71aa2f0f9cd872692080de2d659da196e343486e8f2968", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f4b0880fe9b615aa5f71aa2f0f9cd872692080de2d659da196e343486e8f2968"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/components/BulkActions/BulkActions.tsx"}, "region": {"startLine": 246}}}]}, {"ruleId": "MINED057", "level": "none", "message": {"text": "[MINED057] Todo Bomb (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 41281, "scanner": "repobility-threat-engine", "fingerprint": "f4e7333fe3c1bc087d5fa40dc8fe2454c0a8fa2179632a9306003262ddb93d38", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "todo-bomb", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348035+00:00", "triaged_in_corpus": 10, "observations_count": 255662, "ai_coder_pattern_id": 4}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f4e7333fe3c1bc087d5fa40dc8fe2454c0a8fa2179632a9306003262ddb93d38", "aggregated_count": 8}}}, {"ruleId": "MINED057", "level": "none", "message": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "properties": {"repobilityId": 41280, "scanner": "repobility-threat-engine", "fingerprint": "e22ee295843c681af4bebdc0bab07bd7ea6781f8fdb9304a56a78c4f7a274d8d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "todo-bomb", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348035+00:00", "triaged_in_corpus": 10, "observations_count": 255662, "ai_coder_pattern_id": 4}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e22ee295843c681af4bebdc0bab07bd7ea6781f8fdb9304a56a78c4f7a274d8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris.shopify.com/pages/examples/index-table-with-bulk-actions.tsx"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED057", "level": "none", "message": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "properties": {"repobilityId": 41279, "scanner": "repobility-threat-engine", "fingerprint": "d0215c852697bb41d6a79270bb40821f278a48b9e38a239781c5e4201cce5475", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "todo-bomb", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348035+00:00", "triaged_in_corpus": 10, "observations_count": 255662, "ai_coder_pattern_id": 4}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d0215c852697bb41d6a79270bb40821f278a48b9e38a239781c5e4201cce5475"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris.shopify.com/pages/examples/index-table-with-bulk-actions-and-selection-across-pages.tsx"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED057", "level": "none", "message": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "properties": {"repobilityId": 41278, "scanner": "repobility-threat-engine", "fingerprint": "8ad7471c143acd473cad21b16d8a5d79cc86c1b41752293ace4445003958f20b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "todo-bomb", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348035+00:00", "triaged_in_corpus": 10, "observations_count": 255662, "ai_coder_pattern_id": 4}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8ad7471c143acd473cad21b16d8a5d79cc86c1b41752293ace4445003958f20b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/components/BulkActions/BulkActions.stories.tsx"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 41277, "scanner": "repobility-threat-engine", "fingerprint": "606792298c73b83412d8cf76624dd82fdf0a71ea3b779cecc6b4d4d439eccec4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|606792298c73b83412d8cf76624dd82fdf0a71ea3b779cecc6b4d4d439eccec4"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 41273, "scanner": "repobility-threat-engine", "fingerprint": "b031acad30223651838c72762fbf67002aa9bccea5e8d28f9a1dee5134b8d8a4", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b031acad30223651838c72762fbf67002aa9bccea5e8d28f9a1dee5134b8d8a4"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "properties": {"repobilityId": 41268, "scanner": "repobility-threat-engine", "fingerprint": "608d8d675ae0526fc953a53caf5c68a07518f95ee27080c50acec2df294a2cc4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|608d8d675ae0526fc953a53caf5c68a07518f95ee27080c50acec2df294a2cc4", "aggregated_count": 13}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 41267, "scanner": "repobility-threat-engine", "fingerprint": "abee66980c6af11b2adf3ee172a606289f5db252b7e79953e203973a3d494072", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|abee66980c6af11b2adf3ee172a606289f5db252b7e79953e203973a3d494072"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/playground/KitchenSink.tsx"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 41266, "scanner": "repobility-threat-engine", "fingerprint": "c9c899a8ad17ce91197596522170947d85a52a59b7da77143e9309ca87cfded8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c9c899a8ad17ce91197596522170947d85a52a59b7da77143e9309ca87cfded8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-migrator/src/utilities/jsx.ts"}, "region": {"startLine": 178}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 41265, "scanner": "repobility-threat-engine", "fingerprint": "b0af7f57588a85f3134ab435ca7c0c1c41e6a7c20f45ee286281cf1b334bd25f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b0af7f57588a85f3134ab435ca7c0c1c41e6a7c20f45ee286281cf1b334bd25f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-migrator/src/utilities/imports.ts"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC083", "level": "none", "message": {"text": "[SEC083] JS: new RegExp() with non-literal (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "properties": {"repobilityId": 41264, "scanner": "repobility-threat-engine", "fingerprint": "2371e3140f739d4c8ec9c5eb51e02722aa725628e8e87d1af94f75af9d1de902", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 18 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 18 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2371e3140f739d4c8ec9c5eb51e02722aa725628e8e87d1af94f75af9d1de902"}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 35 more): Same pattern found in 35 additional files. Review if needed."}, "properties": {"repobilityId": 41259, "scanner": "repobility-threat-engine", "fingerprint": "47f9601753ae22f0b9e47825e77ec6e2b5ec3b638fcf77e910682202190746e7", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 35 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|47f9601753ae22f0b9e47825e77ec6e2b5ec3b638fcf77e910682202190746e7", "aggregated_count": 35}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 41258, "scanner": "repobility-threat-engine", "fingerprint": "fcd29f57771d4678f4178f7abccb90a45e0643961c7fb30b91167edca3d63b8b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fcd29f57771d4678f4178f7abccb90a45e0643961c7fb30b91167edca3d63b8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-migrator/src/utilities/jsx.ts"}, "region": {"startLine": 170}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 41257, "scanner": "repobility-threat-engine", "fingerprint": "5ef773b937c2497e303125b65132a7e54f06f6b811fc648a31301aae10010e4e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5ef773b937c2497e303125b65132a7e54f06f6b811fc648a31301aae10010e4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-migrator/src/utilities/check.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 41256, "scanner": "repobility-threat-engine", "fingerprint": "2c528e814980d8c21a4a6677157fad536b80e39f00e0a0842b732973df282f3b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2c528e814980d8c21a4a6677157fad536b80e39f00e0a0842b732973df282f3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-migrator/src/migrate.ts"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 72 more): Same pattern found in 72 additional files. Review if needed."}, "properties": {"repobilityId": 41255, "scanner": "repobility-threat-engine", "fingerprint": "eb0eb05384212ac778ec771057bf6b907b2a743f1d4bc1ca4589df6eb2fe4040", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 72 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|eb0eb05384212ac778ec771057bf6b907b2a743f1d4bc1ca4589df6eb2fe4040", "aggregated_count": 72}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 41254, "scanner": "repobility-threat-engine", "fingerprint": "a086a95cb9f0c8ea46576bd312899538b1e947e6e95438ff0eba5be8acd6a5b4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a086a95cb9f0c8ea46576bd312899538b1e947e6e95438ff0eba5be8acd6a5b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/components/ActionList/ActionList.stories.tsx"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 41253, "scanner": "repobility-threat-engine", "fingerprint": "d8a6a27a61e10064d77c13515d25d929531a03367214f39c60094c0e60c36003", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d8a6a27a61e10064d77c13515d25d929531a03367214f39c60094c0e60c36003"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/.storybook/RenderPerformanceProfiler/RenderPerformanceProfiler.tsx"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 41252, "scanner": "repobility-threat-engine", "fingerprint": "2b28adf0d091a9a063fec66bcf28da152e623bc8cc79110d5e6fe1fc223442ce", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2b28adf0d091a9a063fec66bcf28da152e623bc8cc79110d5e6fe1fc223442ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-migrator/src/migrate.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 26 more): Same pattern found in 26 additional files. Review if needed."}, "properties": {"repobilityId": 41251, "scanner": "repobility-threat-engine", "fingerprint": "ee37b72ebde15cfbc31f78c9719de0889ff3a3c23590f5c2a982061826fb7c2f", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 26 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 26 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|ee37b72ebde15cfbc31f78c9719de0889ff3a3c23590f5c2a982061826fb7c2f"}}}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Shopify/snapit` pinned to mutable ref `@v0.0.14`: `uses: Shopify/snapit@v0.0.14` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41325, "scanner": "repobility-supply-chain", "fingerprint": "ab3785b18a6ecafdd2af642d60deec3c3bc1e318e307b32b0e0d66d49fccbc3c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ab3785b18a6ecafdd2af642d60deec3c3bc1e318e307b32b0e0d66d49fccbc3c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/snapit.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Shopify/shopify-cla-action` pinned to mutable ref `@v1`: `uses: Shopify/shopify-cla-action@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41323, "scanner": "repobility-supply-chain", "fingerprint": "2b00cf13cb8ca278a3ee5f4ee37bedf62ee3a4a4f67ea8822433b1d6f2106e98", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2b00cf13cb8ca278a3ee5f4ee37bedf62ee3a4a4f67ea8822433b1d6f2106e98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cla.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 41306, "scanner": "repobility-threat-engine", "fingerprint": "ade56bb341e5018e8ae8851892698b71e04281bf6efab30e832920b5d4fc8a0b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ade56bb341e5018e8ae8851892698b71e04281bf6efab30e832920b5d4fc8a0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris.shopify.com/pages/api/tokens/v0/[tokens].tsx"}, "region": {"startLine": 92}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 41305, "scanner": "repobility-threat-engine", "fingerprint": "519624a76d9340e5bbad0147116988a635a5aa5127125df520ddfcf322ddd01b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "nextSelectedTags.delete(selected);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|519624a76d9340e5bbad0147116988a635a5aa5127125df520ddfcf322ddd01b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris.shopify.com/pages/examples/combobox-with-multi-select-and-vertical-content.tsx"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 41304, "scanner": "repobility-threat-engine", "fingerprint": "f2134925bec0cbe1ab93859127ceba01538aea48885f71ca7df7bdb58801ea7b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "hookCallbacks.delete(callback);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f2134925bec0cbe1ab93859127ceba01538aea48885f71ca7df7bdb58801ea7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/utilities/breakpoints.ts"}, "region": {"startLine": 158}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 41288, "scanner": "repobility-threat-engine", "fingerprint": "a254b69d131a7882dd3e390059f26d8bb15f519387d406cf0bb06e7cf9e69730", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(t", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a254b69d131a7882dd3e390059f26d8bb15f519387d406cf0bb06e7cf9e69730"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris.shopify.com/pages/api/tokens/v0/index.tsx"}, "region": {"startLine": 84}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 41287, "scanner": "repobility-threat-engine", "fingerprint": "b798f38112bd01fed91216b739992e6ebde6a7c658ad5be54cf71328299c0fa2", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b798f38112bd01fed91216b739992e6ebde6a7c658ad5be54cf71328299c0fa2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris.shopify.com/pages/_app.tsx"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 41286, "scanner": "repobility-threat-engine", "fingerprint": "0adc1e53ae5dae369dead8be93256a2a58b8245cd53f162eba948bc23e208520", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(v", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0adc1e53ae5dae369dead8be93256a2a58b8245cd53f162eba948bc23e208520"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/components/Form/Form.stories.tsx"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 41276, "scanner": "repobility-threat-engine", "fingerprint": "23315f8afc7f6b53d03679f35004dd7b97e7b262d735b4c50de2433d561bb96e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(reactChildrenText", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|23315f8afc7f6b53d03679f35004dd7b97e7b262d735b4c50de2433d561bb96e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/components/Picker/Picker.tsx"}, "region": {"startLine": 164}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 41275, "scanner": "repobility-threat-engine", "fingerprint": "26791d38bb49801ff0667baf4adf7f9f2379be02f7280b843ddec255b7e09553", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(result", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|26791d38bb49801ff0667baf4adf7f9f2379be02f7280b843ddec255b7e09553"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/config/rollup/plugin-styles.js"}, "region": {"startLine": 182}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 41274, "scanner": "repobility-threat-engine", "fingerprint": "7d1d9a855fb527633ffe5975df353bf006c7d29933b0996ee22fd47b9c278c51", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(cleanedFilename", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7d1d9a855fb527633ffe5975df353bf006c7d29933b0996ee22fd47b9c278c51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/config/rollup/namespaced-classname.mjs"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 41263, "scanner": "repobility-threat-engine", "fingerprint": "06c81e824866421f77f5338c1d549156f6c4676d78cbcfe35fc185c6661d50a7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(value", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|06c81e824866421f77f5338c1d549156f6c4676d78cbcfe35fc185c6661d50a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/components/Picker/Picker.tsx"}, "region": {"startLine": 53}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 41262, "scanner": "repobility-threat-engine", "fingerprint": "ccaabb4766bfb32f276fd5c9f7651e7cb38494101e79fdd2124b06876a89a073", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(comparison", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ccaabb4766bfb32f276fd5c9f7651e7cb38494101e79fdd2124b06876a89a073"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-migrator/src/utilities/matches.ts"}, "region": {"startLine": 69}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 41261, "scanner": "repobility-threat-engine", "fingerprint": "683d7e2cf55fe5df01524858f271ed91a382460702139b4e25addfe8e26ae0ed", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(String", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|683d7e2cf55fe5df01524858f271ed91a382460702139b4e25addfe8e26ae0ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-migrator/src/utilities/imports.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 41260, "scanner": "repobility-threat-engine", "fingerprint": "a775c75643eadeb4bc063f3926af72d5cf2f5e7d37de81b065505c5443ada5a0", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.join(fixtureDir, `${fixture}.input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|51|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-migrator/src/utilities/check.ts"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 41250, "scanner": "repobility-threat-engine", "fingerprint": "b7293452f41996e857acf817db83e2023510a211b6a34ef1f7bd8cb5bc12d1bf", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([tokenName, {value}]) => `@keyframes p-${tokenName}${value}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b7293452f41996e857acf817db83e2023510a211b6a34ef1f7bd8cb5bc12d1bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-tokens/scripts/toStyleSheet.ts"}, "region": {"startLine": 53}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 41249, "scanner": "repobility-threat-engine", "fingerprint": "8b8521ead17658077eb8d9ab3a0e778c09103ea205d23eef381c8b251ed3bf43", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(\n            ({source: subSource, descriptor}) => `${subSource} ${descriptor}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8b8521ead17658077eb8d9ab3a0e778c09103ea205d23eef381c8b251ed3bf43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-react/src/components/Image/Image.tsx"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 41248, "scanner": "repobility-threat-engine", "fingerprint": "e8394a0d5192db84e00344f7224bde2538b9c37e41720cc84e6617714ca76161", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((arg) => `<${arg.name}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e8394a0d5192db84e00344f7224bde2538b9c37e41720cc84e6617714ca76161"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris-migrator/src/cli.ts"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CHROMATIC_PROJECT_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CHROMATIC_PROJECT_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 41324, "scanner": "repobility-supply-chain", "fingerprint": "285c355735bc22da64f8e2e2a8c4af4727d2f58aad9ff2f594ce6bc43254599c", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|285c355735bc22da64f8e2e2a8c4af4727d2f58aad9ff2f594ce6bc43254599c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-a11y-vrt.yml"}, "region": {"startLine": 166}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 41247, "scanner": "repobility-threat-engine", "fingerprint": "ef0c44dd190cf483db07449a8371bcbee6c7a7c6561b6ec8601a9e77b446d2a1", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ef0c44dd190cf483db07449a8371bcbee6c7a7c6561b6ec8601a9e77b446d2a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris.shopify.com/src/utils/markdown.mjs"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 41246, "scanner": "repobility-threat-engine", "fingerprint": "fc35fecfa827b4fcf21717b84ebd505652611e21d058486ac05979cd57aceace", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fc35fecfa827b4fcf21717b84ebd505652611e21d058486ac05979cd57aceace"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".eslintrc.js"}, "region": {"startLine": 6}}}]}, {"ruleId": "SEC116", "level": "error", "message": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "properties": {"repobilityId": 41245, "scanner": "repobility-threat-engine", "fingerprint": "bc0c09a44cd872d78480d0bdce676de228b1937d4726c82a14033486c038e93f", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|9|sec116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris.shopify.com/src/utils/markdown.mjs"}, "region": {"startLine": 9}}}]}, {"ruleId": "SEC116", "level": "error", "message": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "properties": {"repobilityId": 41244, "scanner": "repobility-threat-engine", "fingerprint": "37b69ea16f2b004033689c2677be36cb6babd693c22e8b17c3644029a06e32e8", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|.eslintrc.js|6|sec116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".eslintrc.js"}, "region": {"startLine": 6}}}]}, {"ruleId": "SEC079", "level": "error", "message": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "properties": {"repobilityId": 41243, "scanner": "repobility-threat-engine", "fingerprint": "eae57c397c8132ab9df53516bc5588848c1d358501c3bbacf79648ef26454e8d", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(frontMatterSection)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC079", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|eae57c397c8132ab9df53516bc5588848c1d358501c3bbacf79648ef26454e8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "polaris.shopify.com/src/utils/markdown.mjs"}, "region": {"startLine": 9}}}]}, {"ruleId": "SEC079", "level": "error", "message": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "properties": {"repobilityId": 41242, "scanner": "repobility-threat-engine", "fingerprint": "f56df92ffe789604fb52e484fd32e07c0cd0be2bc53bb5ffcb90345c4cf64cb3", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(fs.readFileSync(pnpmWorkspace, 'utf8')", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC079", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f56df92ffe789604fb52e484fd32e07c0cd0be2bc53bb5ffcb90345c4cf64cb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".eslintrc.js"}, "region": {"startLine": 6}}}]}]}]}