{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. 
Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. For window.open(url, \"_blank\") calls, pass \"noopener,noreferrer\" as the third (windowFeatures) argument. Even safe-looking subdomains should be hardened \u2014 it costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). 
Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.", "shortDescription": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 17 more): Same pattern found in 17 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 17 more): Same pattern found in 17 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16. Apply the block to the address the hostname actually resolves to and re-check it after every redirect; loopback (127/8, ::1) belongs on the same blocklist."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 15 more): Same pattern found in 15 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED122", "name": "[MINED122] package.json dep `ghostty-web` pulled from URL/Git: `dependencies.ghostty-web` = `github:anomalyco/ghostty-we", "shortDescription": {"text": "[MINED122] package.json dep `ghostty-web` pulled from URL/Git: `dependencies.ghostty-web` = `github:anomalyco/ghostty-web#main` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git h"}, "fullDescription": {"text": "Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. 
If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED027", "name": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated ", "shortDescription": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC033", "name": "[SEC033] Prototype Pollution \u2014 unfiltered merge of user object: Merging user-controlled object into a target without fil", "shortDescription": {"text": "[SEC033] Prototype Pollution \u2014 unfiltered merge of user object: Merging user-controlled object into a target without filtering `__proto__`/`constructor`/`prototype` keys lets attackers inject properties onto Object.prototype, affecting ever"}, "fullDescription": {"text": "Sanitize keys BEFORE merge:\n  function sanitize(obj) {\n    delete obj.__proto__;\n    delete obj.constructor;\n    delete obj.prototype;\n    return obj;\n  }\nOr use Object.create(null) for the target. Or use Map() for user-key-indexed data. 
Upgrade to lodash >= 4.17.21 for partial mitigation. The sanitize() sketch is shallow: a deep merge also needs the same key filter applied to every nested object."}, "properties": {"scanner": "repobility-threat-engine", "category": "prototype_pollution", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (the value is never parsed as HTML).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED125", "name": "[MINED125] GHA script injection via github.event.pull_request.head.ref in run-step: Multi-line `run: |` block interpolat", "shortDescription": {"text": "[MINED125] GHA script injection via github.event.pull_request.head.ref in run-step: Multi-line `run: |` block interpolates ${{ github.event.pull_request.head.ref }} into shell. 
PR title/body/branch/comment fields are attacker-controllable."}, "fullDescription": {"text": "Capture the field into an env var first: set `HEAD_REF: ${{ github.event.pull_request.head.ref }}` under the step's `env:`, then reference \"$HEAD_REF\" (quoted) in the shell, so the value is passed as data instead of being pasted into the script text."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/725"}, "properties": {"repository": "anomalyco/opencode", "repoUrl": "https://github.com/anomalyco/opencode", "branch": "dev"}, "results": [{"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 59113, "scanner": "repobility-agent-runtime", "fingerprint": "c310668a89dd9c80303617d225cb93ceaaabf95a95e7c46691bce32bbfb1d238", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|c310668a89dd9c80303617d225cb93ceaaabf95a95e7c46691bce32bbfb1d238"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.fr.md"}, "region": {"startLine": 50}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 59112, "scanner": "repobility-agent-runtime", "fingerprint": "de9d1f3767446a30e3815bec92a6c0306ec7e50196a7eace36ebf1e2004eb9f7", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": 
"fp|de9d1f3767446a30e3815bec92a6c0306ec7e50196a7eace36ebf1e2004eb9f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.es.md"}, "region": {"startLine": 50}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 59111, "scanner": "repobility-agent-runtime", "fingerprint": "a407e530859887786d38b5b057e62e0afc5ed6e63ebba46b1cd318f34c41e834", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|a407e530859887786d38b5b057e62e0afc5ed6e63ebba46b1cd318f34c41e834"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.de.md"}, "region": {"startLine": 50}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 59110, "scanner": "repobility-agent-runtime", "fingerprint": "cec2715cc98dd91221719c0d1e457fe6b723d0b7d612f6b0c631cf70034ea5b7", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|cec2715cc98dd91221719c0d1e457fe6b723d0b7d612f6b0c631cf70034ea5b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.da.md"}, "region": {"startLine": 50}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, 
"properties": {"repobilityId": 59109, "scanner": "repobility-agent-runtime", "fingerprint": "f8cd5860ef4c319e15bf8c9edbf00bd5e45c6ca402a0ff4646db95003bf67d74", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|f8cd5860ef4c319e15bf8c9edbf00bd5e45c6ca402a0ff4646db95003bf67d74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.bs.md"}, "region": {"startLine": 50}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 59108, "scanner": "repobility-agent-runtime", "fingerprint": "7753be015dfbb5ce7c023cab39594e10fe0ef63ae986b236ea7cadf24bfabf90", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|7753be015dfbb5ce7c023cab39594e10fe0ef63ae986b236ea7cadf24bfabf90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.br.md"}, "region": {"startLine": 50}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 59107, "scanner": "repobility-agent-runtime", "fingerprint": "fcb991da41477096e54afefe88b7eb94f059c75074811eb7bc58061a68992ea1", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a 
remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|fcb991da41477096e54afefe88b7eb94f059c75074811eb7bc58061a68992ea1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.bn.md"}, "region": {"startLine": 50}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 59106, "scanner": "repobility-agent-runtime", "fingerprint": "40e72caa0df40d8d27aee82384d482b8f79468e159c6b5a55ddee4719e144f5d", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|40e72caa0df40d8d27aee82384d482b8f79468e159c6b5a55ddee4719e144f5d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.ar.md"}, "region": {"startLine": 50}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 59105, "scanner": "repobility-agent-runtime", "fingerprint": "883ed5fb11034d10881830ab5e42cdceba59a3b467df9d9ac10924684889dbe1", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|883ed5fb11034d10881830ab5e42cdceba59a3b467df9d9ac10924684889dbe1"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": ".github/workflows/triage.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 59104, "scanner": "repobility-agent-runtime", "fingerprint": "7135816d9720a509f407cdaaab7844943d29e637e75b29d769764ba40e62ad18", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|7135816d9720a509f407cdaaab7844943d29e637e75b29d769764ba40e62ad18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/review.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 59103, "scanner": "repobility-agent-runtime", "fingerprint": "0dd6813943c3c8e69ae69bcba9fee077f672c53a26884468065c4c59349d38e2", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|0dd6813943c3c8e69ae69bcba9fee077f672c53a26884468065c4c59349d38e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-management.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 59102, "scanner": 
"repobility-agent-runtime", "fingerprint": "8f5e607d4491d1c57d3d6e883eae6d43d0470b868a0cec333459211dc1fba765", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|8f5e607d4491d1c57d3d6e883eae6d43d0470b868a0cec333459211dc1fba765"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docs-locale-sync.yml"}, "region": {"startLine": 53}}}]}, {"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 59071, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 59069, "scanner": "repobility-threat-engine", "fingerprint": "62ac5d394833878b0a965685817af62fda7c1f06fd013da1664e02a9cb9330a2", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": 
"ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|62ac5d394833878b0a965685817af62fda7c1f06fd013da1664e02a9cb9330a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/pages/directory-layout.tsx"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 59068, "scanner": "repobility-threat-engine", "fingerprint": "e7a7e5d1971ff248e425d4dd562db8cc54c5d1befaebea11266494ef483da6ca", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(url, \"_blank\")", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|packages/app/src/entry.tsx|82|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/entry.tsx"}, "region": {"startLine": 82}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59101, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4b935b9ff331df95e3994343010ed7870b90ad383a32aeff53755a30be0eaef9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, 
"reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/app/src/i18n/ar.ts", "duplicate_line": 353, "correlation_key": "fp|4b935b9ff331df95e3994343010ed7870b90ad383a32aeff53755a30be0eaef9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/i18n/th.ts"}, "region": {"startLine": 353}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59100, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d04fa0d5abf4c02f0bcaa783f5ace7bbb6f09b4d5d4654668274415f274f75ce", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/app/src/i18n/br.ts", "duplicate_line": 624, "correlation_key": "fp|d04fa0d5abf4c02f0bcaa783f5ace7bbb6f09b4d5d4654668274415f274f75ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/i18n/ru.ts"}, "region": {"startLine": 627}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59099, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e64b37f0cb554918f8fa098dfc19fa11d0daa981f99f0d061efed92d36204d60", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", 
"references": ["https://jscpd.dev/"], "duplicate_file": "packages/app/src/i18n/pl.ts", "duplicate_line": 612, "correlation_key": "fp|e64b37f0cb554918f8fa098dfc19fa11d0daa981f99f0d061efed92d36204d60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/i18n/ru.ts"}, "region": {"startLine": 617}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59098, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4d2b2af61988e289aced9dc96a230bfa5954eab6ca589f96cc8f53df32c67421", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/app/src/i18n/ar.ts", "duplicate_line": 353, "correlation_key": "fp|4d2b2af61988e289aced9dc96a230bfa5954eab6ca589f96cc8f53df32c67421"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/i18n/ru.ts"}, "region": {"startLine": 356}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59097, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ec96038c69ed8628068d74cb27179c8a7635a4a05b8a0b79bd0dc010f49ea3e7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/app/src/i18n/br.ts", "duplicate_line": 624, "correlation_key": 
"fp|ec96038c69ed8628068d74cb27179c8a7635a4a05b8a0b79bd0dc010f49ea3e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/i18n/pl.ts"}, "region": {"startLine": 622}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59096, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0790d70667c5b96b28888181b11cef5f33ca7796a40438b1dc949cd8e2c6198b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/app/src/i18n/ar.ts", "duplicate_line": 353, "correlation_key": "fp|0790d70667c5b96b28888181b11cef5f33ca7796a40438b1dc949cd8e2c6198b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/i18n/pl.ts"}, "region": {"startLine": 354}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59095, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f897e2bd864441c1e7301353f63f082b41e8e89547a6a03e39a898ca19422212", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/app/src/i18n/br.ts", "duplicate_line": 624, "correlation_key": "fp|f897e2bd864441c1e7301353f63f082b41e8e89547a6a03e39a898ca19422212"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/i18n/no.ts"}, 
"region": {"startLine": 622}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59094, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c5a6b765a6e6a991162c3b6d1f39ff56cd0f1c66e0a80f3b0528612bb540871d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/app/src/i18n/ar.ts", "duplicate_line": 353, "correlation_key": "fp|c5a6b765a6e6a991162c3b6d1f39ff56cd0f1c66e0a80f3b0528612bb540871d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/i18n/no.ts"}, "region": {"startLine": 355}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59093, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c2e8808b69a4d5475ef5afb531cd79ffdd09677f1526a09ceae64929a31c4672", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/app/src/i18n/ar.ts", "duplicate_line": 353, "correlation_key": "fp|c2e8808b69a4d5475ef5afb531cd79ffdd09677f1526a09ceae64929a31c4672"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/i18n/ko.ts"}, "region": {"startLine": 352}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": 
{"repobilityId": 59092, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ea3ceb90218fe62ee83b9df214f424654cec2d85ac66974155678af77d902e38", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/app/src/i18n/ar.ts", "duplicate_line": 353, "correlation_key": "fp|ea3ceb90218fe62ee83b9df214f424654cec2d85ac66974155678af77d902e38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/i18n/ja.ts"}, "region": {"startLine": 353}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59091, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3ad1984ebcfc637f3384316152a3acab10c7ee7a9e761f1ee7da2e5513883a69", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/app/src/i18n/br.ts", "duplicate_line": 624, "correlation_key": "fp|3ad1984ebcfc637f3384316152a3acab10c7ee7a9e761f1ee7da2e5513883a69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/i18n/fr.ts"}, "region": {"startLine": 632}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59090, "scanner": "repobility-ai-code-hygiene", "fingerprint": "15e1a39e9d38e138ede1e98390d3e00483fa3233aa2040314ed56d42a219645a", "category": "quality", 
"severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/app/src/i18n/ar.ts", "duplicate_line": 353, "correlation_key": "fp|15e1a39e9d38e138ede1e98390d3e00483fa3233aa2040314ed56d42a219645a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/i18n/fr.ts"}, "region": {"startLine": 356}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59089, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3a6bca4259b67ed08bdc972679068fb4b30e74312882a6b394285462363672e2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/app/src/i18n/br.ts", "duplicate_line": 360, "correlation_key": "fp|3a6bca4259b67ed08bdc972679068fb4b30e74312882a6b394285462363672e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/i18n/es.ts"}, "region": {"startLine": 361}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59088, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7682c2eaf990565c5b2af2061657dfb9477a65d609093275c26ed1bc20103d0e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different 
non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/app/src/i18n/ar.ts", "duplicate_line": 353, "correlation_key": "fp|7682c2eaf990565c5b2af2061657dfb9477a65d609093275c26ed1bc20103d0e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/i18n/es.ts"}, "region": {"startLine": 355}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59087, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e17b87f768fd23ea9d933f3599aaf468ce5e2a739773e5776a5ac425c67d95a4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/app/src/i18n/br.ts", "duplicate_line": 624, "correlation_key": "fp|e17b87f768fd23ea9d933f3599aaf468ce5e2a739773e5776a5ac425c67d95a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/i18n/de.ts"}, "region": {"startLine": 633}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59086, "scanner": "repobility-ai-code-hygiene", "fingerprint": "caa7c9d55afa4daf939f057db12e149b03337b29f37137ca4b10e6c3e7a4da70", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"packages/app/src/i18n/da.ts", "duplicate_line": 610, "correlation_key": "fp|caa7c9d55afa4daf939f057db12e149b03337b29f37137ca4b10e6c3e7a4da70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/i18n/de.ts"}, "region": {"startLine": 623}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59085, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5a4ce757cb311ca76c6d8530e4e10243955a0b9f098278593a3ed878f2d0351e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/app/src/i18n/ar.ts", "duplicate_line": 353, "correlation_key": "fp|5a4ce757cb311ca76c6d8530e4e10243955a0b9f098278593a3ed878f2d0351e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/i18n/de.ts"}, "region": {"startLine": 359}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59084, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fd0e72a9a0e4bbf2ef1142f2733e40043a9ed791d047d92491715ed70532fc68", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/app/src/i18n/br.ts", "duplicate_line": 624, "correlation_key": "fp|fd0e72a9a0e4bbf2ef1142f2733e40043a9ed791d047d92491715ed70532fc68"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/i18n/da.ts"}, "region": {"startLine": 620}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59083, "scanner": "repobility-ai-code-hygiene", "fingerprint": "978184e4322922404e0cfbcefc9aed7b8c4ba649945b0ccf37ef68c86e085b7e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/app/src/i18n/ar.ts", "duplicate_line": 353, "correlation_key": "fp|978184e4322922404e0cfbcefc9aed7b8c4ba649945b0ccf37ef68c86e085b7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/i18n/da.ts"}, "region": {"startLine": 354}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59082, "scanner": "repobility-ai-code-hygiene", "fingerprint": "445b85eabc24dc50bcfcec4cdf9afaceb5cea7e358a0cee0df7fb074c239f8a6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/app/src/i18n/br.ts", "duplicate_line": 624, "correlation_key": "fp|445b85eabc24dc50bcfcec4cdf9afaceb5cea7e358a0cee0df7fb074c239f8a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/i18n/bs.ts"}, "region": {"startLine": 621}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": 
"Duplicated implementation block across source files"}, "properties": {"repobilityId": 59081, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a022a400efc56edd0e094bb90de76e8f8c85615644cfac216f5cd98d13ec37a6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/app/src/i18n/ar.ts", "duplicate_line": 353, "correlation_key": "fp|a022a400efc56edd0e094bb90de76e8f8c85615644cfac216f5cd98d13ec37a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/i18n/bs.ts"}, "region": {"startLine": 355}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59080, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4bd801d5ce8c8fdb5c2e24b1fcb656bd46c189a6fcf23ffad625e3e6b06ec8d5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/app/src/i18n/ar.ts", "duplicate_line": 353, "correlation_key": "fp|4bd801d5ce8c8fdb5c2e24b1fcb656bd46c189a6fcf23ffad625e3e6b06ec8d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/i18n/br.ts"}, "region": {"startLine": 354}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59079, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"0284a44de9f564cd1e7f2c1f1c36a921e64221d83c0dcaf72e41ad3a24b6373d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/app/src/context/directory-sync.ts", "duplicate_line": 41, "correlation_key": "fp|0284a44de9f564cd1e7f2c1f1c36a921e64221d83c0dcaf72e41ad3a24b6373d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/context/sync.tsx"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59078, "scanner": "repobility-ai-code-hygiene", "fingerprint": "68acc212d42063dce19f8b8bded08e6d9c9e11658eb9f8bfd109d5311e77f749", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/app/src/context/global.tsx", "duplicate_line": 190, "correlation_key": "fp|68acc212d42063dce19f8b8bded08e6d9c9e11658eb9f8bfd109d5311e77f749"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/context/server.tsx"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59077, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fc7fbf6c52d9a9b213ebc2e1d0a4c4647bbd69956f6df1ae16c79d7562c490f0", "category": "quality", "severity": "low", "confidence": 0.86, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/app/src/components/dialog-select-mcp.tsx", "duplicate_line": 30, "correlation_key": "fp|fc7fbf6c52d9a9b213ebc2e1d0a4c4647bbd69956f6df1ae16c79d7562c490f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/components/status-popover-body.tsx"}, "region": {"startLine": 103}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59076, "scanner": "repobility-ai-code-hygiene", "fingerprint": "30bdecd5e99b10e7c675caa8f3ed166f0ec2ce62b1e517d8aa2645ff48fbbb3b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/app/src/components/settings-providers.tsx", "duplicate_line": 16, "correlation_key": "fp|30bdecd5e99b10e7c675caa8f3ed166f0ec2ce62b1e517d8aa2645ff48fbbb3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/components/settings-v2/providers.tsx"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59075, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c7a7228202f3c06c849b6b02dbf46daade0937c8f3183932c5ad91300df0e02f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A 
normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/app/src/components/settings-models.tsx", "duplicate_line": 39, "correlation_key": "fp|c7a7228202f3c06c849b6b02dbf46daade0937c8f3183932c5ad91300df0e02f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/components/settings-v2/models.tsx"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59074, "scanner": "repobility-ai-code-hygiene", "fingerprint": "330663900d4cb37021e394882a413bc0c3a4626cd71756f9dfc794c59b995e11", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/app/src/components/settings-general.tsx", "duplicate_line": 14, "correlation_key": "fp|330663900d4cb37021e394882a413bc0c3a4626cd71756f9dfc794c59b995e11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/components/settings-v2/general.tsx"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59073, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7ddfbe4553ecc9484c2bfd553f0d95c94ed47f0259b28d202fd922508e62e471", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": 
{"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/app/src/components/dialog-connect-provider.tsx", "duplicate_line": 533, "correlation_key": "fp|7ddfbe4553ecc9484c2bfd553f0d95c94ed47f0259b28d202fd922508e62e471"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/components/dialog-custom-provider.tsx"}, "region": {"startLine": 145}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59072, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1a865d8d1ccb9b4bfb669f2678238cae575e438de9d5218cf256c540046b6b28", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".opencode/tool/github-pr-search.ts", "duplicate_line": 2, "correlation_key": "fp|1a865d8d1ccb9b4bfb669f2678238cae575e438de9d5218cf256c540046b6b28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".opencode/tool/github-triage.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 59054, "scanner": "repobility-threat-engine", "fingerprint": "bde36e0f0d90cc967c85e4e6e72a3163240f30fa7658fd5d01cebecf24aecef6", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\":root{color-scheme:\" +\n      mode +\n      \";--text-mix-blend-mode:\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bde36e0f0d90cc967c85e4e6e72a3163240f30fa7658fd5d01cebecf24aecef6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/public/oc-theme-preload.js"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: `: any` used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 59066, "scanner": "repobility-threat-engine", "fingerprint": "50a5c8c337d621dbe7f69d0e64842c1ca6754fb76978dd3127ee467bb851b62e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|50a5c8c337d621dbe7f69d0e64842c1ca6754fb76978dd3127ee467bb851b62e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/context/server.tsx"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 59065, "scanner": "repobility-threat-engine", "fingerprint": "0609c144c8199a0d81a980613c36ef5f7101bae4d0adbb422990152d81a7c667", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0609c144c8199a0d81a980613c36ef5f7101bae4d0adbb422990152d81a7c667"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/entry.tsx"}, "region": {"startLine": 105}}}]}, 
{"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 59064, "scanner": "repobility-threat-engine", "fingerprint": "dc0a8db4034094e302c7c928d16fe2d7c414b65038094919c15b43607ed3c906", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'test\\b' detected on same line", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dc0a8db4034094e302c7c928d16fe2d7c414b65038094919c15b43607ed3c906"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/context/server.tsx"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 59063, "scanner": "repobility-threat-engine", "fingerprint": "299f2c1c4712edafe3f341a26287f3e6f2f6586b60390dfe8bcd84234fc73b0d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|299f2c1c4712edafe3f341a26287f3e6f2f6586b60390dfe8bcd84234fc73b0d"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/context/global.tsx"}, "region": {"startLine": 53}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 17 more): Same pattern found in 17 additional files. Review if needed."}, "properties": {"repobilityId": 59062, "scanner": "repobility-threat-engine", "fingerprint": "9a4dded8559d76bfe00bc64cc7f3b84ea0bd9b1742965a6b760ddbb7eebe1048", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 17 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 17 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|9a4dded8559d76bfe00bc64cc7f3b84ea0bd9b1742965a6b760ddbb7eebe1048"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 59058, "scanner": "repobility-threat-engine", "fingerprint": "462bb8b57887719306ec8a3cf2c050b455aeffaa9cbba6dae0ac34058459ea29", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|462bb8b57887719306ec8a3cf2c050b455aeffaa9cbba6dae0ac34058459ea29"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 59053, "scanner": "repobility-threat-engine", "fingerprint": "c045cf9d21c96aaf56df16c8ec2ed9c63beb43d6fa265653594c1ef215491fe3", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|c045cf9d21c96aaf56df16c8ec2ed9c63beb43d6fa265653594c1ef215491fe3", "aggregated_count": 15}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 59052, "scanner": "repobility-threat-engine", "fingerprint": "43005f7a77e3785af8e61cbabc78eba9aa7b231b801d0091f42a57bccba32223", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|43005f7a77e3785af8e61cbabc78eba9aa7b231b801d0091f42a57bccba32223"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/components/dialog-edit-project.tsx"}, "region": {"startLine": 176}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 59051, "scanner": "repobility-threat-engine", "fingerprint": "8d60523576360892cd03a4b5870108e9128d603108a70aaeccf5f0bc0cd8cbd2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8d60523576360892cd03a4b5870108e9128d603108a70aaeccf5f0bc0cd8cbd2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "nix/scripts/normalize-bun-binaries.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 59050, "scanner": "repobility-threat-engine", "fingerprint": "91f6f43e1136faae725d853e8ca2f533500fd40a445b25d78db48d2665be7cb3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|91f6f43e1136faae725d853e8ca2f533500fd40a445b25d78db48d2665be7cb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "nix/scripts/canonicalize-node-modules.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 59049, "scanner": "repobility-threat-engine", "fingerprint": "4b3d1f5da7bc76208217d4630f94b5c604a37c1b24cbe552082771023e8fad2d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|4b3d1f5da7bc76208217d4630f94b5c604a37c1b24cbe552082771023e8fad2d", "aggregated_count": 3}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 59048, "scanner": "repobility-threat-engine", "fingerprint": "db38b0dbfa28382d4319f9a08b10179ae811aa873e0a57b3ffe934f834be2e49", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|db38b0dbfa28382d4319f9a08b10179ae811aa873e0a57b3ffe934f834be2e49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/context/global-sync/child-store.ts"}, "region": {"startLine": 147}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 59047, "scanner": "repobility-threat-engine", "fingerprint": "3b7eb5fd9063ec336a1473d687d1d870b4a4f2bdab03875b76f35feb39bfc247", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3b7eb5fd9063ec336a1473d687d1d870b4a4f2bdab03875b76f35feb39bfc247"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "nix/scripts/normalize-bun-binaries.ts"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 59046, "scanner": "repobility-threat-engine", "fingerprint": "d8e53be1843630cc16a6422be68ee8f474edba0fd39cd246140c39ceb3a3edbd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d8e53be1843630cc16a6422be68ee8f474edba0fd39cd246140c39ceb3a3edbd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "nix/scripts/canonicalize-node-modules.ts"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `ghostty-web` pulled from URL/Git: `dependencies.ghostty-web` = `github:anomalyco/ghostty-web#main` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload. Pinning the reference to a full commit SHA instead of the mutable `#main` branch keeps installs on content that was reviewed."}, "properties": {"repobilityId": 59114, "scanner": "repobility-supply-chain", "fingerprint": "c696380849748ba9d7655a321cffe49fb7b08969e86f4c193b13cc29df53292a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c696380849748ba9d7655a321cffe49fb7b08969e86f4c193b13cc29df53292a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 59070, "scanner": "repobility-threat-engine", "fingerprint": "9ee865a0375cd8b440b217c04bc9c3a22ddae49dc98d5c803251eac3d0bdb40a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9ee865a0375cd8b440b217c04bc9c3a22ddae49dc98d5c803251eac3d0bdb40a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/utils/aim.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC033", "level": "error", 
"message": {"text": "[SEC033] Prototype Pollution \u2014 unfiltered merge of user object: Merging user-controlled object into a target without filtering `__proto__`/`constructor`/`prototype` keys lets attackers inject properties onto Object.prototype, affecting every object in the process. CWE-1321. Real-world: CVE-2019-10744 (lodash), CVE-2021-23337 (lodash.set), CVE-2023-26136 (tough-cookie)."}, "properties": {"repobilityId": 59067, "scanner": "repobility-threat-engine", "fingerprint": "1db4f16a94d94e8edfc18f46836bc8db4ff1453353d5e6f12d1faba9ca1106ba", "category": "prototype_pollution", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "[input.sessionID] =", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC033", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1db4f16a94d94e8edfc18f46836bc8db4ff1453353d5e6f12d1faba9ca1106ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/context/sync.tsx"}, "region": {"startLine": 97}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 59061, "scanner": "repobility-threat-engine", "fingerprint": "05532c81ea799ebac2b1a708cd0d4e6a83414bb5a38d268cbaa0ff02e323a868", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "lru.delete(path)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|05532c81ea799ebac2b1a708cd0d4e6a83414bb5a38d268cbaa0ff02e323a868"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/context/file/content-cache.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 59060, "scanner": "repobility-threat-engine", "fingerprint": "193fd8500bb5cabc90085de359a1a8bf0285f47116fde139d6888e86b7dec8e2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "inflight.delete(key)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|193fd8500bb5cabc90085de359a1a8bf0285f47116fde139d6888e86b7dec8e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/context/file.tsx"}, "region": {"startLine": 190}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 59059, "scanner": "repobility-threat-engine", "fingerprint": "478c7ecf4706a2240bf0910637591150c457c804670f44511a031dcc65d5eadc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "terminal.update({ id: props.terminal.id, title: value })", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|478c7ecf4706a2240bf0910637591150c457c804670f44511a031dcc65d5eadc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/components/session/session-sortable-terminal-tab.tsx"}, "region": {"startLine": 75}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 59057, "scanner": "repobility-threat-engine", "fingerprint": "2d9907fdbfd9c0877773d0ee026b59ae0ceae018b4ca04b89493666f97814ace", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2d9907fdbfd9c0877773d0ee026b59ae0ceae018b4ca04b89493666f97814ace"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/context/server-sdk.tsx"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 59056, "scanner": "repobility-threat-engine", "fingerprint": "759281cf93c7b6cd9fd1a401ad522776504ab1730ac9522eadc1f2bb35eddd32", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(f", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|759281cf93c7b6cd9fd1a401ad522776504ab1730ac9522eadc1f2bb35eddd32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/components/prompt-input/attachments.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 59055, "scanner": "repobility-threat-engine", "fingerprint": "28d169b546beca04bf6339ddd74f4e888afd9f96ba2958e2e282c98e72b1e737", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(f", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|28d169b546beca04bf6339ddd74f4e888afd9f96ba2958e2e282c98e72b1e737"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app/src/components/dialog-edit-project.tsx"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 59045, "scanner": "repobility-threat-engine", "fingerprint": "1a39ba5bd55b6d20d362a3431b5684446be80e28a55fbbd69ac4859d14a747db", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((pr) => `${pr.title}\\n${pr.html_url}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1a39ba5bd55b6d20d362a3431b5684446be80e28a55fbbd69ac4859d14a747db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".opencode/tool/github-pr-search.ts"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED125", "level": "error", "message": {"text": "[MINED125] GHA script injection via github.event.pull_request.head.ref in run-step: Multi-line `run: |` block interpolates ${{ github.event.pull_request.head.ref }} into shell. PR title/body/branch/comment fields are attacker-controllable. Mitigate by passing the value through the step's `env:` map and referencing it as a quoted shell variable, so the expression is never expanded into the script text."}, "properties": {"repobilityId": 59115, "scanner": "repobility-supply-chain", "fingerprint": "4b6441281e6767439c3ce6d07fe3151599fab73a4b41506e5af86bcc6f41608e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-script-injection", "owasp": "A03:2021", "cwe_ids": ["CWE-78", "CWE-94"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4b6441281e6767439c3ce6d07fe3151599fab73a4b41506e5af86bcc6f41608e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/generate.yml"}, "region": {"startLine": 40}}}]}]}]}