{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "GHSA-4w7w-66w2-5vf9", "name": "vite: GHSA-4w7w-66w2-5vf9", "shortDescription": {"text": "vite: GHSA-4w7w-66w2-5vf9"}, "fullDescription": {"text": "Vite 
Vulnerable to Path Traversal in Optimized Deps `.map` Handling"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `globals` is 2 major version(s) behind (^15.14.0 -> 17.6.0)", "shortDescription": {"text": "npm package `globals` is 2 major version(s) behind (^15.14.0 -> 17.6.0)"}, "fullDescription": {"text": "`globals` is pinned/resolved at ^15.14.0 but the latest stable release on the npm registry is 17.6.0 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Sitemap directives in robots.txt help crawlers and AI agents find the canonical public URL inventory quickly."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "AI coding agents increasingly read llms.txt to find canonical docs and API workflows. 
Without it, agents are more likely to browse pages repeatedly or use stale instructions."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. Without one, important docs and product pages are easy to miss."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AUC005", "name": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or sup", "shortDescription": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "fullDescription": {"text": "No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "low", "confidence": 0.76, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.", "shortDescription": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 4 more): Same pattern found in 4 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order.", "shortDescription": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "GHSA-v2wj-q39q-566r", "name": "vite: GHSA-v2wj-q39q-566r", "shortDescription": {"text": "vite: GHSA-v2wj-q39q-566r"}, "fullDescription": {"text": "Vite: `server.fs.deny` bypassed with queries"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-p9ff-h696-f583", "name": "vite: GHSA-p9ff-h696-f583", "shortDescription": {"text": "vite: GHSA-p9ff-h696-f583"}, "fullDescription": {"text": "Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `pmndrs/docs/.github/workflows/build.yml` pinned to mutable ref `@v3`", "shortDescription": {"text": "Action `pmndrs/docs/.github/workflows/build.yml` pinned to mutable ref `@v3`"}, "fullDescription": {"text": "`uses: pmndrs/docs/.github/workflows/build.yml@v3` resolves at workflow-run time. 
Tags and branches can be re-pushed by the action owner; that is why the tj-actions/changed-files compromise (2025) instantly affected ~23K repos. Pin to a full 40-character commit SHA and keep the pin updated with Dependabot or Renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/896"}, "properties": {"repository": "pmndrs/zustand", "repoUrl": "https://github.com/pmndrs/zustand", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 83366, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 83365, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", 
"scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 83360, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "GHSA-4w7w-66w2-5vf9", "level": "warning", "message": {"text": "vite: GHSA-4w7w-66w2-5vf9"}, "properties": {"repobilityId": 83357, "scanner": "osv-scanner", "fingerprint": "a2c12e2b28152cf8b2318c26eb42f38e3894a8280e15146de8ce046c997d7d89", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39365"], "package": "vite", "rule_id": "GHSA-4w7w-66w2-5vf9", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2026-39365|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": 
"DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `globals` is 2 major version(s) behind (^15.14.0 -> 17.6.0)"}, "properties": {"repobilityId": 83346, "scanner": "repobility-dependency-currency", "fingerprint": "67b29d907d6c17e5a378cd24ad4961aa2b703350567bd369f945119c1226a050", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "globals", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "17.6.0", "correlation_key": "fp|67b29d907d6c17e5a378cd24ad4961aa2b703350567bd369f945119c1226a050", "current_version": "^15.14.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/demo/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@vitejs/plugin-react-swc` is 1 major version(s) behind (^3.3.2 -> 4.3.1)"}, "properties": {"repobilityId": 83343, "scanner": "repobility-dependency-currency", "fingerprint": "8bfb352484487a9053af7735a25a33a5831f6b11aafe2f1f408f97f5e22db0ce", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vitejs/plugin-react-swc", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.3.1", "correlation_key": "fp|8bfb352484487a9053af7735a25a33a5831f6b11aafe2f1f408f97f5e22db0ce", "current_version": "^3.3.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/demo/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@types/react-dom` is 1 major version(s) behind 
(^18.2.6 -> 19.2.3)"}, "properties": {"repobilityId": 83342, "scanner": "repobility-dependency-currency", "fingerprint": "e9510562f407d1b645cbc488262a2cedb858a83fa39be6c51e4448d64164b229", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/react-dom", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "19.2.3", "correlation_key": "fp|e9510562f407d1b645cbc488262a2cedb858a83fa39be6c51e4448d64164b229", "current_version": "^18.2.6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/demo/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@eslint/js` is 1 major version(s) behind (^9.17.0 -> 10.0.1)"}, "properties": {"repobilityId": 83341, "scanner": "repobility-dependency-currency", "fingerprint": "91522d6e6facfd9f54cabbc7e06b4b3ba8cad71330262492b951ce766d0dc10f", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@eslint/js", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.0.1", "correlation_key": "fp|91522d6e6facfd9f54cabbc7e06b4b3ba8cad71330262492b951ce766d0dc10f", "current_version": "^9.17.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/demo/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `zustand` is 1 major version(s) behind (^4.3.9 -> 5.0.14)"}, "properties": {"repobilityId": 83340, "scanner": "repobility-dependency-currency", "fingerprint": 
"ef407e844945b71e5ee86ce613a4979cd56970c47d548582c0b5c23119727dd2", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "zustand", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.0.14", "correlation_key": "fp|ef407e844945b71e5ee86ce613a4979cd56970c47d548582c0b5c23119727dd2", "current_version": "^4.3.9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/demo/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@react-three/postprocessing` is 1 major version(s) behind (^2.14.13 -> 3.0.4)"}, "properties": {"repobilityId": 83333, "scanner": "repobility-dependency-currency", "fingerprint": "f9ca5f305a2edd5b61c741ca18f7f266069eb9dd99265cff0159e19699937125", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@react-three/postprocessing", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.0.4", "correlation_key": "fp|f9ca5f305a2edd5b61c741ca18f7f266069eb9dd99265cff0159e19699937125", "current_version": "^2.14.13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/demo/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@react-three/fiber` is 1 major version(s) behind (^8.13.7 -> 9.6.1)"}, "properties": {"repobilityId": 83332, "scanner": "repobility-dependency-currency", "fingerprint": "16e73d60d6e450701a870d7e13a7ae6892dff5d667226da9085b0732feb5be02", "category": "dependency", 
"severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@react-three/fiber", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "9.6.1", "correlation_key": "fp|16e73d60d6e450701a870d7e13a7ae6892dff5d667226da9085b0732feb5be02", "current_version": "^8.13.7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/demo/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@vitejs/plugin-react-swc` is 1 major version(s) behind (^3.5.0 -> 4.3.1)"}, "properties": {"repobilityId": 83331, "scanner": "repobility-dependency-currency", "fingerprint": "30866987a5d5026f04c839a0ce6ce313413cd1da3465518e3cc8fd0c2ec7f336", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vitejs/plugin-react-swc", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.3.1", "correlation_key": "fp|30866987a5d5026f04c839a0ce6ce313413cd1da3465518e3cc8fd0c2ec7f336", "current_version": "^3.5.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/starter/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@types/react-dom` is 1 major version(s) behind (^18.2.0 -> 19.2.3)"}, "properties": {"repobilityId": 83330, "scanner": "repobility-dependency-currency", "fingerprint": "3042d56a0b6294b86866ccc156c6554fbd057be02fcaafdd085699a7f17896c9", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": 
false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/react-dom", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "19.2.3", "correlation_key": "fp|3042d56a0b6294b86866ccc156c6554fbd057be02fcaafdd085699a7f17896c9", "current_version": "^18.2.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/starter/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@eslint/js` is 1 major version(s) behind (9.39.4 -> 10.0.1)"}, "properties": {"repobilityId": 83324, "scanner": "repobility-dependency-currency", "fingerprint": "dd12763b7c002336aa8edfe4278f9574b853dee6922f8b4d7a6bee1dd6bc3c6f", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@eslint/js", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.0.1", "correlation_key": "fp|dd12763b7c002336aa8edfe4278f9574b853dee6922f8b4d7a6bee1dd6bc3c6f", "current_version": "9.39.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 83367, "scanner": "repobility-web-presence", "fingerprint": "68839e99a4147f60220d88237da3bf5f73268ced45e694aaf3afc8c71520de11", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", "scanner": "repobility-web-presence", "references": 
["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|68839e99a4147f60220d88237da3bf5f73268ced45e694aaf3afc8c71520de11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/demo/public/robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 83364, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 83363, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public 
web app has no sitemap"}, "properties": {"repobilityId": 83362, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC005", "level": "note", "message": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"repobilityId": 83361, "scanner": "repobility-access-control", "fingerprint": "c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e", "category": "auth", "severity": "low", "confidence": 0.76, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "correlation_key": "fp|c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e"}}}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `eslint-plugin-react-refresh` is minor version(s) behind (^0.4.16 -> 0.5.2)"}, "properties": {"repobilityId": 83345, "scanner": "repobility-dependency-currency", "fingerprint": "a20970f9b66954b8485f2926a3c43fe6f4dcde80966e11f5675fdde517956593", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": 
"", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "eslint-plugin-react-refresh", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.5.2", "correlation_key": "fp|a20970f9b66954b8485f2926a3c43fe6f4dcde80966e11f5675fdde517956593", "current_version": "^0.4.16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/demo/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `three` is minor version(s) behind (^0.154.0 -> 0.184.0)"}, "properties": {"repobilityId": 83339, "scanner": "repobility-dependency-currency", "fingerprint": "796c48f43a99de684f886b5f409853a8fc07afda9bb56dd468af1163463e87aa", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "three", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.184.0", "correlation_key": "fp|796c48f43a99de684f886b5f409853a8fc07afda9bb56dd468af1163463e87aa", "current_version": "^0.154.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/demo/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `prismjs` is minor version(s) behind (^1.29.0 -> 1.30.0)"}, "properties": {"repobilityId": 83338, "scanner": "repobility-dependency-currency", "fingerprint": "3a0accc13c82755834afb9a1b0e1ae666028a72b3274a8e53100ff50a8d6de72", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "prismjs", "scanner": 
"repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.30.0", "correlation_key": "fp|3a0accc13c82755834afb9a1b0e1ae666028a72b3274a8e53100ff50a8d6de72", "current_version": "^1.29.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/demo/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `prism-react-renderer` is minor version(s) behind (^2.0.6 -> 2.4.1)"}, "properties": {"repobilityId": 83337, "scanner": "repobility-dependency-currency", "fingerprint": "b08f00e3661615e9e970c048dfc793a0a3a9e7e1ef4590c9d33559a7ab9a6cdf", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "prism-react-renderer", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.4.1", "correlation_key": "fp|b08f00e3661615e9e970c048dfc793a0a3a9e7e1ef4590c9d33559a7ab9a6cdf", "current_version": "^2.0.6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/demo/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `postprocessing` is minor version(s) behind (^6.35.4 -> 6.39.1)"}, "properties": {"repobilityId": 83336, "scanner": "repobility-dependency-currency", "fingerprint": "80480afcc386ccd7e7114bf09a244d179fab2da08e8bcf6cc90ae39621e2149c", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "postprocessing", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.39.1", "correlation_key": 
"fp|80480afcc386ccd7e7114bf09a244d179fab2da08e8bcf6cc90ae39621e2149c", "current_version": "^6.35.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/demo/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `meshline` is minor version(s) behind (^3.1.6 -> 3.3.1)"}, "properties": {"repobilityId": 83335, "scanner": "repobility-dependency-currency", "fingerprint": "086909fd1b8d37532c1120936c799a061afaeb66cac032152db2625874afad55", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "meshline", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.3.1", "correlation_key": "fp|086909fd1b8d37532c1120936c799a061afaeb66cac032152db2625874afad55", "current_version": "^3.1.6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/demo/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@types/three` is minor version(s) behind (^0.155.0 -> 0.184.1)"}, "properties": {"repobilityId": 83334, "scanner": "repobility-dependency-currency", "fingerprint": "275647e8dfe68a40caa00b879cd924245d97c89dbd39c571e965c97a4ef7b42a", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/three", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.184.1", "correlation_key": "fp|275647e8dfe68a40caa00b879cd924245d97c89dbd39c571e965c97a4ef7b42a", "current_version": "^0.155.0"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "examples/demo/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 83356, "scanner": "repobility-threat-engine", "fingerprint": "0ac13ab5f107c37d86f47a5987ead2300048517936a444d6a338296976662520", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0ac13ab5f107c37d86f47a5987ead2300048517936a444d6a338296976662520"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/traditional.ts"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 83355, "scanner": "repobility-threat-engine", "fingerprint": "6236560a906a23321651307ce064496934379f0dd851b645c022f1f1587a8b02", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6236560a906a23321651307ce064496934379f0dd851b645c022f1f1587a8b02"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/react.ts"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 83354, "scanner": "repobility-threat-engine", "fingerprint": "969610b739bc27eb40e0002c7f43c142ca70434492e147fb242c9cf2023d7949", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|969610b739bc27eb40e0002c7f43c142ca70434492e147fb242c9cf2023d7949"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/middleware/subscribeWithSelector.ts"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 83353, "scanner": "repobility-threat-engine", "fingerprint": "21ed80a5ddd021c94a20eb62cddc1b0c5075df63c6fe0fac4807d3c18a53bcad", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|21ed80a5ddd021c94a20eb62cddc1b0c5075df63c6fe0fac4807d3c18a53bcad", "aggregated_count": 4}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 83352, "scanner": "repobility-threat-engine", "fingerprint": "c73268bdffc3be7fe62e1e55c65e34b4287378961b057f04378753f8a0f6f4b7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c73268bdffc3be7fe62e1e55c65e34b4287378961b057f04378753f8a0f6f4b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/middleware/redux.ts"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 83351, "scanner": "repobility-threat-engine", "fingerprint": "481681a20504869bdc6d51ab72e5680075d431b426b6284052278349da045f22", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, 
"reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|481681a20504869bdc6d51ab72e5680075d431b426b6284052278349da045f22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/middleware/immer.ts"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 83350, "scanner": "repobility-threat-engine", "fingerprint": "368f2a50a31eac0071937ed3f1ae16a4557767660ff76bdf55118268373ab805", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|368f2a50a31eac0071937ed3f1ae16a4557767660ff76bdf55118268373ab805"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/middleware/combine.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 83349, "scanner": "repobility-threat-engine", "fingerprint": "40b2ee6e92740fb993fedb747160fa3c74395eb5b41817d40975b7eff8b934cb", "category": "quality", 
"severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|40b2ee6e92740fb993fedb747160fa3c74395eb5b41817d40975b7eff8b934cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/demo/src/components/Scene.jsx"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 83348, "scanner": "repobility-threat-engine", "fingerprint": "d3342fb6943f59242cdd1a69ae034abc476b020dea8f73b681e7be31f5e1cf55", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d3342fb6943f59242cdd1a69ae034abc476b020dea8f73b681e7be31f5e1cf55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/demo/src/components/Fireflies.jsx"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 
re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 83347, "scanner": "repobility-threat-engine", "fingerprint": "0c0b8c410f86106687a43330c040d38a2b559f0161af09cf758a5f6db938fc55", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0c0b8c410f86106687a43330c040d38a2b559f0161af09cf758a5f6db938fc55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/demo/src/components/CodePreview.jsx"}, "region": {"startLine": 26}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `eslint-plugin-react` is patch version(s) behind (^7.37.2 -> 7.37.5)"}, "properties": {"repobilityId": 83344, "scanner": "repobility-dependency-currency", "fingerprint": "34de843075916eadf1eb7b6a344a733c080b5613ec859a340802df9e8d512d85", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "eslint-plugin-react", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.37.5", "correlation_key": "fp|34de843075916eadf1eb7b6a344a733c080b5613ec859a340802df9e8d512d85", "current_version": "^7.37.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/demo/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm 
package `zustand` is patch version(s) behind (^5.0.2 -> 5.0.14)"}, "properties": {"repobilityId": 83329, "scanner": "repobility-dependency-currency", "fingerprint": "25f8e5ba6654e9b8c06e0fd707db97e4eb94d77a51f914f9f306283cafabdfeb", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "zustand", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.0.14", "correlation_key": "fp|25f8e5ba6654e9b8c06e0fd707db97e4eb94d77a51f914f9f306283cafabdfeb", "current_version": "^5.0.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/starter/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `eslint-import-resolver-typescript` is patch version(s) behind (^4.4.4 -> 4.4.5)"}, "properties": {"repobilityId": 83328, "scanner": "repobility-dependency-currency", "fingerprint": "8d97f0804c6c5582b6b3b2247e76a275beedf38552085bc4001af049e3b67cf3", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "eslint-import-resolver-typescript", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.4.5", "correlation_key": "fp|8d97f0804c6c5582b6b3b2247e76a275beedf38552085bc4001af049e3b67cf3", "current_version": "^4.4.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@vitest/ui` is patch version(s) behind (^4.1.7 -> 4.1.8)"}, "properties": {"repobilityId": 83327, "scanner": 
"repobility-dependency-currency", "fingerprint": "f651c0516aae626fc442533306eaebde7664ff90f89b1ba1e191f6cf01a25f2e", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vitest/ui", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.1.8", "correlation_key": "fp|f651c0516aae626fc442533306eaebde7664ff90f89b1ba1e191f6cf01a25f2e", "current_version": "^4.1.7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@vitest/eslint-plugin` is patch version(s) behind (^1.6.18 -> 1.6.19)"}, "properties": {"repobilityId": 83326, "scanner": "repobility-dependency-currency", "fingerprint": "120d90f183f4ef14cb245840263910fc0f4a6f4f0d47951a583014647136021e", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vitest/eslint-plugin", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.6.19", "correlation_key": "fp|120d90f183f4ef14cb245840263910fc0f4a6f4f0d47951a583014647136021e", "current_version": "^1.6.18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@vitest/coverage-v8` is patch version(s) behind (^4.1.7 -> 4.1.8)"}, "properties": {"repobilityId": 83325, "scanner": "repobility-dependency-currency", "fingerprint": "bebf9a75432f2da6de37887675c4b6268093efbb04f34c34562b4b8fad1b0ed6", "category": "dependency", "severity": 
"info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vitest/coverage-v8", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.1.8", "correlation_key": "fp|bebf9a75432f2da6de37887675c4b6268093efbb04f34c34562b4b8fad1b0ed6", "current_version": "^4.1.7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v2wj-q39q-566r", "level": "error", "message": {"text": "vite: GHSA-v2wj-q39q-566r"}, "properties": {"repobilityId": 83359, "scanner": "osv-scanner", "fingerprint": "68a0844d20f136d615ab0960bcb9f017c7f8e1b97ee41d092d4cde292e2641fe", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39364"], "package": "vite", "rule_id": "GHSA-v2wj-q39q-566r", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2026-39364|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-p9ff-h696-f583", "level": "error", "message": {"text": "vite: GHSA-p9ff-h696-f583"}, "properties": {"repobilityId": 83358, "scanner": "osv-scanner", "fingerprint": "e4e3f54a4dc9146916e0304c9d50318b9ef24b5c1473da2baafc759d95054cac", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39363"], "package": "vite", "rule_id": "GHSA-p9ff-h696-f583", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2026-39363|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": 
"MINED115", "level": "error", "message": {"text": "Action `pmndrs/docs/.github/workflows/build.yml` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 83323, "scanner": "repobility-supply-chain", "fingerprint": "091b49a2d5369ef64724425d418f1646e3e11f1e2b84289bbcf6149695439502", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|091b49a2d5369ef64724425d418f1646e3e11f1e2b84289bbcf6149695439502"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docs.yml"}, "region": {"startLine": 18}}}]}]}]}