{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Add robots.txt at the web root or a framework-native robots route. Include an explicit Sitemap directive and disallow only private paths."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED027", "name": "[MINED027] React State Array Mutation (and 55 more): Same pattern found in 55 additional files. Review if needed.", "shortDescription": {"text": "[MINED027] React State Array Mutation (and 55 more): Same pattern found in 55 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 10 more): Same pattern found in 10 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 20 more): Same pattern found in 20 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at ", "shortDescription": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compro"}, "fullDescription": {"text": "Replace with: `uses: actions/upload-artifact@<40-char-sha>  # v4` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED123", "name": "[MINED123] Trojan Source bidi character (LRI) in source: Line 4 contains a Unicode bidirectional override character (U+2", "shortDescription": {"text": "[MINED123] Trojan Source bidi character (LRI) in source: Line 4 contains a Unicode bidirectional override character (U+2066 LRI). This is the 'Trojan Source' attack (CVE-2021-42574): the character makes the compiler / interpreter see differ"}, "fullDescription": {"text": "Audit the line manually. If the character is not intentional (it almost never is in code), remove it. Configure your editor / pre-commit hook to reject bidi controls in source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/793"}, "properties": {"repository": "sveltejs/svelte", "repoUrl": "https://github.com/sveltejs/svelte", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 67345, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 67333, "scanner": "repobility-threat-engine", "fingerprint": "0daab91b4c0074cbffa9e24e82565e77ecc7854ecab2afb41bae1f02089c43f6", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0daab91b4c0074cbffa9e24e82565e77ecc7854ecab2afb41bae1f02089c43f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/svelte/src/internal/server/hydratable.js"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 67317, "scanner": "repobility-threat-engine", "fingerprint": "118f16bd4d3f30792cbd16449fed34791172307f9d940660f38f223b57579298", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|29|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/svelte/src/compiler/utils/extract_svelte_ignore.js"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 67316, "scanner": "repobility-threat-engine", "fingerprint": "e22c31815ecfdb0b726b122e57b1a8d27f3d96d32fb077108ab112d23c66133f", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|229|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/svelte/src/compiler/preprocess/index.js"}, "region": {"startLine": 229}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 67315, "scanner": "repobility-threat-engine", "fingerprint": "6272819ce628adcd243e6045a9ec2a2d299d8a033db4b4e6def81f30c495b342", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|99|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/svelte/src/compiler/phases/1-parse/index.js"}, "region": {"startLine": 99}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 67344, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 67343, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 67342, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 67341, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67340, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dcb238a8bff1cadf558bd92047cabf9b70a3b361e0166728ad32e9f8e25b2c5c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/svelte/src/store/index-client.js", "duplicate_line": 40, "correlation_key": "fp|dcb238a8bff1cadf558bd92047cabf9b70a3b361e0166728ad32e9f8e25b2c5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/svelte/src/store/index-server.js"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67339, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6520fb0ddab69dc16b528a47284201ab6329d3f2f8985d143dd61ed19770de8f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/svelte/src/internal/client/context.js", "duplicate_line": 35, "correlation_key": "fp|6520fb0ddab69dc16b528a47284201ab6329d3f2f8985d143dd61ed19770de8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/svelte/src/internal/server/context.js"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67338, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5889bd8a1ef1be1a1c32d9fe1a99efea0c5131d6f02fe5c7d301ac9d405dbd13", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/svelte/src/compiler/phases/3-transform/client/visitors/shared/component.js", "duplicate_line": 33, "correlation_key": "fp|5889bd8a1ef1be1a1c32d9fe1a99efea0c5131d6f02fe5c7d301ac9d405dbd13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/svelte/src/compiler/phases/3-transform/server/visitors/shared/component.js"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67337, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e8ce9eeb56774f9db42bf631b16af3265ffb198f4be00af5f68d5eb15c856ca6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/svelte/src/compiler/phases/3-transform/client/visitors/VariableDeclaration.js", "duplicate_line": 216, "correlation_key": "fp|e8ce9eeb56774f9db42bf631b16af3265ffb198f4be00af5f68d5eb15c856ca6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/svelte/src/compiler/phases/3-transform/server/visitors/VariableDeclaration.js"}, "region": {"startLine": 102}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67336, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9de9e15626983f5f958445ee3d2244ae76176b590d92938ee91f9d234f17778d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/svelte/src/compiler/phases/3-transform/client/visitors/DeclarationTag.js", "duplicate_line": 16, "correlation_key": "fp|9de9e15626983f5f958445ee3d2244ae76176b590d92938ee91f9d234f17778d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/svelte/src/compiler/phases/3-transform/server/visitors/DeclarationTag.js"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67335, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1df26498ac02fb96f4f5b9231c31809b35c3c1d35a94fb6c34149798aa8070e5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/svelte/src/compiler/phases/3-transform/client/visitors/ClassBody.js", "duplicate_line": 4, "correlation_key": "fp|1df26498ac02fb96f4f5b9231c31809b35c3c1d35a94fb6c34149798aa8070e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/svelte/src/compiler/phases/3-transform/server/visitors/ClassBody.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67334, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2d4790debab8eb284223ee4aeaa51961ab11d92d56bce784e9ea89392e9cec34", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/svelte/src/compiler/phases/3-transform/client/visitors/AttachTag.js", "duplicate_line": 6, "correlation_key": "fp|2d4790debab8eb284223ee4aeaa51961ab11d92d56bce784e9ea89392e9cec34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/svelte/src/compiler/phases/3-transform/client/visitors/UseDirective.js"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 67332, "scanner": "repobility-threat-engine", "fingerprint": "cf4a03adf87c0b7c8b7db2dba00414ddd60c6610d8a6e68be3e5ea0c156e6042", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = c", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|23|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/svelte/src/internal/client/dom/reconciler.js"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 67331, "scanner": "repobility-threat-engine", "fingerprint": "7fbea97017360fbb74de9fb5f90a69cad2335a600d1342263189499939856307", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = c", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|18|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/svelte/src/internal/client/dom/elements/customizable-select.js"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 67330, "scanner": "repobility-threat-engine", "fingerprint": "d9ee476566e9b9002dfebe6689555312396eb1ccddbbc932cce80cad7984d6b9", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = /", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|84|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/svelte/src/internal/client/dom/blocks/html.js"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 67329, "scanner": "repobility-threat-engine", "fingerprint": "74ee3e18a1d88185ed851f0aedbc17a918a2619ad939ec116caae1a978894771", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|74ee3e18a1d88185ed851f0aedbc17a918a2619ad939ec116caae1a978894771"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vitest-xhtml-environment.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 67328, "scanner": "repobility-threat-engine", "fingerprint": "90daf68fbe3496188930a7b6a12999cca0284ccff331c626e7209cce0a785b68", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|90daf68fbe3496188930a7b6a12999cca0284ccff331c626e7209cce0a785b68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/svelte/src/internal/client/dom/operations.js"}, "region": {"startLine": 279}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 67327, "scanner": "repobility-threat-engine", "fingerprint": "8d142cdc1aad8ee3be8a223cb30cb28af16b385c85593b7b7d0c82c084a03e2a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8d142cdc1aad8ee3be8a223cb30cb28af16b385c85593b7b7d0c82c084a03e2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/svelte/src/constants.js"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED027", "level": "none", "message": {"text": "[MINED027] React State Array Mutation (and 55 more): Same pattern found in 55 additional files. Review if needed."}, "properties": {"repobilityId": 67326, "scanner": "repobility-threat-engine", "fingerprint": "472b4db432b8c8c4605a4d581b2f4d5ce2242e015c05cfd350ce9c1ad5d38334", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 55 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|472b4db432b8c8c4605a4d581b2f4d5ce2242e015c05cfd350ce9c1ad5d38334", "aggregated_count": 55}}}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 67322, "scanner": "repobility-threat-engine", "fingerprint": "4434170c810fa43bf20566276ceaa9e55e65938a7f2140721f4fd2599ad87936", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4434170c810fa43bf20566276ceaa9e55e65938a7f2140721f4fd2599ad87936"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 67318, "scanner": "repobility-threat-engine", "fingerprint": "c59edcd8286991ab7caac4493f8f01b268fef2a5d218265ad20f6e2d1172fefb", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c59edcd8286991ab7caac4493f8f01b268fef2a5d218265ad20f6e2d1172fefb"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 67312, "scanner": "repobility-threat-engine", "fingerprint": "b716e452fc69f198dd09d9395b6a9646e9c76178cc7a871b1d6ec822f8589b1c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b716e452fc69f198dd09d9395b6a9646e9c76178cc7a871b1d6ec822f8589b1c"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "properties": {"repobilityId": 67308, "scanner": "repobility-threat-engine", "fingerprint": "fb9fb002bf587f4fed1decfa21432ba221db6d030b7a6ee9ca0c881453dc1abd", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 20 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|fb9fb002bf587f4fed1decfa21432ba221db6d030b7a6ee9ca0c881453dc1abd", "aggregated_count": 20}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 67307, "scanner": "repobility-threat-engine", "fingerprint": "46f6d77d472d300c16718b168c4aa9a9332bf10a45638c8146d5a96462770f20", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|46f6d77d472d300c16718b168c4aa9a9332bf10a45638c8146d5a96462770f20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarking/compare/profile-diff.mjs"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 67306, "scanner": "repobility-threat-engine", "fingerprint": "8a8ef131b1f5c005edaa16f5d6b607b5af8590d17c145dd747e157e20f2c0e59", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8a8ef131b1f5c005edaa16f5d6b607b5af8590d17c145dd747e157e20f2c0e59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarking/compare/index.js"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 67305, "scanner": "repobility-threat-engine", "fingerprint": "7301f8f741e2d37478c6511b461c3e0b4e4828bb58f2427e8971ebf671399190", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7301f8f741e2d37478c6511b461c3e0b4e4828bb58f2427e8971ebf671399190"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarking/compare/generate-report.js"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 67370, "scanner": "repobility-supply-chain", "fingerprint": "723892e6ff0f30d570f0263ad8c0fda0747aa018064b19224ee019d7d0edfbd6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|723892e6ff0f30d570f0263ad8c0fda0747aa018064b19224ee019d7d0edfbd6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pkg.pr.new.yml"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v8`: `uses: actions/github-script@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 67369, "scanner": "repobility-supply-chain", "fingerprint": "d3785b738450d351f10292a5f28045b1b86ea06b4bae0cba88427da05ef96846", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d3785b738450d351f10292a5f28045b1b86ea06b4bae0cba88427da05ef96846"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pkg.pr.new.yml"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v7`: `uses: actions/download-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 67368, "scanner": "repobility-supply-chain", "fingerprint": "242766143430ac9cf722c685d10acbd522d5d36b99926a346b1be89ed59ce399", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|242766143430ac9cf722c685d10acbd522d5d36b99926a346b1be89ed59ce399"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pkg.pr.new.yml"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 67367, "scanner": "repobility-supply-chain", "fingerprint": "a5e04e70c4cb159535c9f59047398d01f18c1bab27b246ebf9d6e082d58ff9c4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a5e04e70c4cb159535c9f59047398d01f18c1bab27b246ebf9d6e082d58ff9c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pkg.pr.new.yml"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 67366, "scanner": "repobility-supply-chain", "fingerprint": "b619150a5260267db2e2eff8e44df73a880ada7edd21abbe61974540df6de11f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b619150a5260267db2e2eff8e44df73a880ada7edd21abbe61974540df6de11f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pkg.pr.new.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 67365, "scanner": "repobility-supply-chain", "fingerprint": "21fde9d429d6c9f246ffc41eb0db57bd5a3caa6f542490c44edf18e3c964096e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|21fde9d429d6c9f246ffc41eb0db57bd5a3caa6f542490c44edf18e3c964096e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pkg.pr.new.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 67364, "scanner": "repobility-supply-chain", "fingerprint": "8cfc853e0cd7bfec6598f90f3fa74591be981a376cf13049eb3b970b71ade383", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8cfc853e0cd7bfec6598f90f3fa74591be981a376cf13049eb3b970b71ade383"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 67363, "scanner": "repobility-supply-chain", "fingerprint": "8c7b8b100f94bfafb6fa3e20c1c11ebe306f8fece53797fc6e64e3ecad4d21d7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8c7b8b100f94bfafb6fa3e20c1c11ebe306f8fece53797fc6e64e3ecad4d21d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v8`: `uses: actions/github-script@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 67362, "scanner": "repobility-supply-chain", "fingerprint": "2aae0785ac26cfddf3ccf570c3c6e94fe19cd59ffc75dda47fd031c906e90315", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2aae0785ac26cfddf3ccf570c3c6e94fe19cd59ffc75dda47fd031c906e90315"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ecosystem-ci-trigger.yml"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/create-github-app-token` pinned to mutable ref `@v2`: `uses: actions/create-github-app-token@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 67361, "scanner": "repobility-supply-chain", "fingerprint": "7e1ec4efa685907eae8f5f6536afae1bfff539a625346058dc3b402a5c81da95", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7e1ec4efa685907eae8f5f6536afae1bfff539a625346058dc3b402a5c81da95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ecosystem-ci-trigger.yml"}, "region": {"startLine": 109}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v8`: `uses: actions/github-script@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 67360, "scanner": "repobility-supply-chain", "fingerprint": "9ac4d2e9d305f5f3de07a4e0513a76117f89b025345bf7473cb36caee8131d27", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9ac4d2e9d305f5f3de07a4e0513a76117f89b025345bf7473cb36caee8131d27"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ecosystem-ci-trigger.yml"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v8`: `uses: actions/github-script@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 67359, "scanner": "repobility-supply-chain", "fingerprint": "ab5a3c595d6a96b769e2b0a4c68f39452403aa6d49151545d13c64f327d30af9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ab5a3c595d6a96b769e2b0a4c68f39452403aa6d49151545d13c64f327d30af9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ecosystem-ci-trigger.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 67358, "scanner": "repobility-supply-chain", "fingerprint": "7c6b6687c63681c54057df5dad1b280e5136b15641d06c67ea211bf486624e73", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7c6b6687c63681c54057df5dad1b280e5136b15641d06c67ea211bf486624e73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/autofix.yml"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 67357, "scanner": "repobility-supply-chain", "fingerprint": "5e28bd62339592c72e8ebd1f915a9da0f231fed07d2d7a3776d237ecc121bd91", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5e28bd62339592c72e8ebd1f915a9da0f231fed07d2d7a3776d237ecc121bd91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/autofix.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v8`: `uses: actions/github-script@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 67356, "scanner": "repobility-supply-chain", "fingerprint": "548770252a9145a888d0940ca21f9df7b13c12ca9f48dab32c7fda0135c44f2d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|548770252a9145a888d0940ca21f9df7b13c12ca9f48dab32c7fda0135c44f2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/autofix.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 67355, "scanner": "repobility-supply-chain", "fingerprint": "d3e4739a0d77b78d4ed6ae309533ace03abde320f7484791e3cf9dca0482f74e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d3e4739a0d77b78d4ed6ae309533ace03abde320f7484791e3cf9dca0482f74e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 67354, "scanner": "repobility-supply-chain", "fingerprint": "b48aa84aeca653c8fb96733e110b704177a3fb5021567a9488e4c0b39f7a459f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b48aa84aeca653c8fb96733e110b704177a3fb5021567a9488e4c0b39f7a459f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 108}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 67353, "scanner": "repobility-supply-chain", "fingerprint": "6818a6a3ba069ef9286499f2af2819a9916cc04270210426acbc97eba390753a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6818a6a3ba069ef9286499f2af2819a9916cc04270210426acbc97eba390753a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 67352, "scanner": "repobility-supply-chain", "fingerprint": "000d96e00a9ffba2492065a4ae744247928c5a987ef2c3c6c4ae83f7f1fd9587", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|000d96e00a9ffba2492065a4ae744247928c5a987ef2c3c6c4ae83f7f1fd9587"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 67351, "scanner": "repobility-supply-chain", "fingerprint": "6941c52a3c9a6fb7821db1ed17a7be0a1b143781acdc8445a99b1f366490a049", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6941c52a3c9a6fb7821db1ed17a7be0a1b143781acdc8445a99b1f366490a049"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 67350, "scanner": "repobility-supply-chain", "fingerprint": "3d2d8901ff8e1fe44e1be1133abdf1a5ec8486f5250540138c260b0894019708", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3d2d8901ff8e1fe44e1be1133abdf1a5ec8486f5250540138c260b0894019708"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 67349, "scanner": "repobility-supply-chain", "fingerprint": "e54297cf8d2016c3e36ea4736cb4e9a33f75447deb8804f3d0e541efbe856e2a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e54297cf8d2016c3e36ea4736cb4e9a33f75447deb8804f3d0e541efbe856e2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 67348, "scanner": "repobility-supply-chain", "fingerprint": "06b1ae75565b2fd36bd6d516fb94287355f56a66a2d13f79d82519a1e9746f10", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|06b1ae75565b2fd36bd6d516fb94287355f56a66a2d13f79d82519a1e9746f10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 67347, "scanner": "repobility-supply-chain", "fingerprint": "24b7642e94ede81dce16468e0428b9d6ccc319449b58cb69358b747bd4aa4941", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|24b7642e94ede81dce16468e0428b9d6ccc319449b58cb69358b747bd4aa4941"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 67346, "scanner": "repobility-supply-chain", "fingerprint": "4d973365e4765db810ac151defcb6ece0a10b032532d2ea9fca59505e78d4f38", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4d973365e4765db810ac151defcb6ece0a10b032532d2ea9fca59505e78d4f38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 67325, "scanner": "repobility-threat-engine", "fingerprint": "72e315c6298b235594ef6059ea616981b32665dffe4f6067305f0ab5dca3d1ad", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|72e315c6298b235594ef6059ea616981b32665dffe4f6067305f0ab5dca3d1ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/svelte/src/compiler/phases/2-analyze/visitors/ExportSpecifier.js"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 67324, "scanner": "repobility-threat-engine", "fingerprint": "be0c2e9b0688795e261854efcdb0c5f0a0686c8c5d91488f191655daa172dab8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|be0c2e9b0688795e261854efcdb0c5f0a0686c8c5d91488f191655daa172dab8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/svelte/src/compiler/phases/2-analyze/visitors/ExportNamedDeclaration.js"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 67323, "scanner": "repobility-threat-engine", "fingerprint": "90ded709975846f208a5fe16ad7606d6a37aca8b99280af8d3136183c175d2c6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|90ded709975846f208a5fe16ad7606d6a37aca8b99280af8d3136183c175d2c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/svelte/src/compiler/phases/2-analyze/css/css-analyze.js"}, "region": {"startLine": 55}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 67321, "scanner": "repobility-threat-engine", "fingerprint": "048eef771df93b5b1cc2df0731e9bff38b614f4dfbb9b0e146f7abc4fda4bf3d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(text", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|048eef771df93b5b1cc2df0731e9bff38b614f4dfbb9b0e146f7abc4fda4bf3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/svelte/src/compiler/utils/extract_svelte_ignore.js"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 67320, "scanner": "repobility-threat-engine", "fingerprint": "a90277729a57891ee3707dcdc55729a0b1072cc49b2d49c0131741371c91b514", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(str", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a90277729a57891ee3707dcdc55729a0b1072cc49b2d49c0131741371c91b514"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/svelte/src/compiler/preprocess/index.js"}, "region": {"startLine": 229}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 67319, "scanner": "repobility-threat-engine", "fingerprint": "ff56cae477a4cd415da5bebea8aa987637440eae28c5cab3882eb00c9a7feae5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(template", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ff56cae477a4cd415da5bebea8aa987637440eae28c5cab3882eb00c9a7feae5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/svelte/src/compiler/phases/1-parse/index.js"}, "region": {"startLine": 99}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 67314, "scanner": "repobility-threat-engine", "fingerprint": "24fcdb9f84b1e545188f902140c0ebad333a8ebbf67f0adc3538ca2f14879724", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((path) => `- <value>${path}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|24fcdb9f84b1e545188f902140c0ebad333a8ebbf67f0adc3538ca2f14879724"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/svelte/src/internal/shared/clone.js"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 67313, "scanner": "repobility-threat-engine", "fingerprint": "ac99d6ec0156ceeb5bfbae0f7591ad9c447c4e5d6d55dec7b240e23c0dc700a8", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((line) => ` * ${line}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ac99d6ec0156ceeb5bfbae0f7591ad9c447c4e5d6d55dec7b240e23c0dc700a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/svelte/scripts/process-messages/index.js"}, "region": {"startLine": 358}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 67311, "scanner": "repobility-threat-engine", "fingerprint": "4fc695424b41973848a36e01b9badd00aac757103298709eab2879988cc29d4f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "all_styles.delete(hash);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4fc695424b41973848a36e01b9badd00aac757103298709eab2879988cc29d4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/svelte/src/internal/client/dev/css.js"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 67310, "scanner": "repobility-threat-engine", "fingerprint": "c49755a0884cb934c03e68c181fe75c5d2db0d9145d81a37c94a005e0a5bb3a3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "on_stack.delete(v);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c49755a0884cb934c03e68c181fe75c5d2db0d9145d81a37c94a005e0a5bb3a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/svelte/src/compiler/phases/2-analyze/utils/check_graph_for_cycles.js"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 67309, "scanner": "repobility-threat-engine", "fingerprint": "55b6cd92fdc8cdb9bfe52f1ce0faaa6637331770ffe5f41e15e20b2519f8745a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "stack.delete(node_id);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|55b6cd92fdc8cdb9bfe52f1ce0faaa6637331770ffe5f41e15e20b2519f8745a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarking/utils.js"}, "region": {"startLine": 194}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 67304, "scanner": "repobility-threat-engine", "fingerprint": "e2d037804847c7b1898705dd1f325f5ff4b8a45f7d08f767f4d32c0aac10daf5", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e2d037804847c7b1898705dd1f325f5ff4b8a45f7d08f767f4d32c0aac10daf5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/svelte/src/reactivity/url.js"}, "region": {"startLine": 58}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 67303, "scanner": "repobility-threat-engine", "fingerprint": "76b333a844082972abe44aa1c67d4d5658724a535352f107882c3624f0af1318", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(v", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|76b333a844082972abe44aa1c67d4d5658724a535352f107882c3624f0af1318"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarking/utils.js"}, "region": {"startLine": 72}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 67302, "scanner": "repobility-threat-engine", "fingerprint": "252872ca3ef0968ad00e7fa3f8f18ef6bce23e435e533f448305a36523dbefcc", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|252872ca3ef0968ad00e7fa3f8f18ef6bce23e435e533f448305a36523dbefcc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarking/compare/generate-report.js"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED123", "level": "error", "message": {"text": "[MINED123] Trojan Source bidi character (LRI) in source: Line 4 contains a Unicode bidirectional override character (U+2066 LRI). This is the 'Trojan Source' attack (CVE-2021-42574): the character makes the compiler / interpreter see different code than the human reviewer."}, "properties": {"repobilityId": 67371, "scanner": "repobility-supply-chain", "fingerprint": "2ef433c5e618422aafa9337d9f945f585e71dfa994abfa5c0412dd0fcee07686", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"mined": true, "mining": {"slug": "trojan-source-bidi", "owasp": null, "cwe_ids": ["CWE-1007"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "vuln||CVE-2021-42574|token", "duplicate_count": 1, "duplicate_rule_ids": ["MINED123"], "duplicate_scanners": ["repobility-supply-chain"], "duplicate_fingerprints": ["2ef433c5e618422aafa9337d9f945f585e71dfa994abfa5c0412dd0fcee07686", "f51cb23b0b92d935e2faf12a15d4e3832852b4ddf14e1ffaaab3304f300dd75b"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/svelte/tests/validator/samples/bidirectional-control-characters/input.svelte"}, "region": {"startLine": 4}}}]}]}]}