{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authenticatio", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": 
"GHSA-6fx8-h7jm-663j", "name": "parseuri: GHSA-6fx8-h7jm-663j", "shortDescription": {"text": "parseuri: GHSA-6fx8-h7jm-663j"}, "fullDescription": {"text": "parse-uri Regular expression Denial of Service (ReDoS)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w9mr-4mfr-499f", "name": "ms: GHSA-w9mr-4mfr-499f", "shortDescription": {"text": "ms: GHSA-w9mr-4mfr-499f"}, "fullDescription": {"text": "Vercel ms Inefficient Regular Expression Complexity vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-vh95-rmgr-6w4m", "name": "minimist: GHSA-vh95-rmgr-6w4m", "shortDescription": {"text": "minimist: GHSA-vh95-rmgr-6w4m"}, "fullDescription": {"text": "Prototype Pollution in minimist"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w5hq-g745-h8pq", "name": "uuid: GHSA-w5hq-g745-h8pq", "shortDescription": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "fullDescription": {"text": "uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qj8w-gfj5-8c6v", "name": "serialize-javascript: GHSA-qj8w-gfj5-8c6v", "shortDescription": {"text": "serialize-javascript: GHSA-qj8w-gfj5-8c6v"}, "fullDescription": {"text": "Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q8mj-m7cp-5q26", "name": "qs: GHSA-q8mj-m7cp-5q26", "shortDescription": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "fullDescription": {"text": "qs has a remotely triggerable DoS: 
qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-6rw7-vpxm-498p", "name": "qs: GHSA-6rw7-vpxm-498p", "shortDescription": {"text": "qs: GHSA-6rw7-vpxm-498p"}, "fullDescription": {"text": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3v7f-55p6-f55p", "name": "picomatch: GHSA-3v7f-55p6-f55p", "shortDescription": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "fullDescription": {"text": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-65ch-62r8-g69g", "name": "node-forge: GHSA-65ch-62r8-g69g", "shortDescription": {"text": "node-forge: GHSA-65ch-62r8-g69g"}, "fullDescription": {"text": "node-forge is vulnerable to ASN.1 OID Integer Truncation"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xxjr-mmjv-4gpg", "name": "lodash: GHSA-xxjr-mmjv-4gpg", "shortDescription": {"text": "lodash: GHSA-xxjr-mmjv-4gpg"}, "fullDescription": {"text": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f23m-r3pf-42rh", "name": "lodash: GHSA-f23m-r3pf-42rh", "shortDescription": {"text": "lodash: GHSA-f23m-r3pf-42rh"}, "fullDescription": {"text": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and 
`_.omit`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mh29-5h37-fv8m", "name": "js-yaml: GHSA-mh29-5h37-fv8m", "shortDescription": {"text": "js-yaml: GHSA-mh29-5h37-fv8m"}, "fullDescription": {"text": "js-yaml has prototype pollution in merge (<<)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v2v4-37r5-5v8g", "name": "ip-address: GHSA-v2v4-37r5-5v8g", "shortDescription": {"text": "ip-address: GHSA-v2v4-37r5-5v8g"}, "fullDescription": {"text": "ip-address has XSS in Address6 HTML-emitting methods"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r4q5-vmmm-2653", "name": "follow-redirects: GHSA-r4q5-vmmm-2653", "shortDescription": {"text": "follow-redirects: GHSA-r4q5-vmmm-2653"}, "fullDescription": {"text": "follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f886-m6hf-6m8v", "name": "brace-expansion: GHSA-f886-m6hf-6m8v", "shortDescription": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "fullDescription": {"text": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xx6v-rp6x-q39c", "name": "axios: GHSA-xx6v-rp6x-q39c", "shortDescription": {"text": "axios: GHSA-xx6v-rp6x-q39c"}, "fullDescription": {"text": "Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": 
"medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w9j2-pvgh-6h63", "name": "axios: GHSA-w9j2-pvgh-6h63", "shortDescription": {"text": "axios: GHSA-w9j2-pvgh-6h63"}, "fullDescription": {"text": "Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-vf2m-468p-8v99", "name": "axios: GHSA-vf2m-468p-8v99", "shortDescription": {"text": "axios: GHSA-vf2m-468p-8v99"}, "fullDescription": {"text": "Axios: HTTP adapter streamed responses bypass maxContentLength"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-m7pr-hjqh-92cm", "name": "axios: GHSA-m7pr-hjqh-92cm", "shortDescription": {"text": "axios: GHSA-m7pr-hjqh-92cm"}, "fullDescription": {"text": "Axios: no_proxy bypass via IP alias allows SSRF"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-fvcv-3m26-pcqx", "name": "axios: GHSA-fvcv-3m26-pcqx", "shortDescription": {"text": "axios: GHSA-fvcv-3m26-pcqx"}, "fullDescription": {"text": "Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-898c-q2cr-xwhg", "name": "axios: GHSA-898c-q2cr-xwhg", "shortDescription": {"text": "axios: GHSA-898c-q2cr-xwhg"}, "fullDescription": {"text": "axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-62hf-57xw-28j9", "name": "axios: GHSA-62hf-57xw-28j9", 
"shortDescription": {"text": "axios: GHSA-62hf-57xw-28j9"}, "fullDescription": {"text": "Axios: unbounded recursion in toFormData causes DoS via deeply nested request data"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5c9x-8gcm-mpgx", "name": "axios: GHSA-5c9x-8gcm-mpgx", "shortDescription": {"text": "axios: GHSA-5c9x-8gcm-mpgx"}, "fullDescription": {"text": "Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-445q-vr5w-6q77", "name": "axios: GHSA-445q-vr5w-6q77", "shortDescription": {"text": "axios: GHSA-445q-vr5w-6q77"}, "fullDescription": {"text": "Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3w6x-2g7m-8v23", "name": "axios: GHSA-3w6x-2g7m-8v23", "shortDescription": {"text": "axios: GHSA-3w6x-2g7m-8v23"}, "fullDescription": {"text": "Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2g4f-4pwh-qvx6", "name": "ajv: GHSA-2g4f-4pwh-qvx6", "shortDescription": {"text": "ajv: GHSA-2g4f-4pwh-qvx6"}, "fullDescription": {"text": "ajv has ReDoS when using `$data` option"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-j8xg-fqg3-53r7", "name": "word-wrap: GHSA-j8xg-fqg3-53r7", "shortDescription": {"text": "word-wrap: GHSA-j8xg-fqg3-53r7"}, "fullDescription": {"text": "word-wrap vulnerable to Regular Expression 
Denial of Service"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-72xf-g2v4-qvf3", "name": "tough-cookie: GHSA-72xf-g2v4-qvf3", "shortDescription": {"text": "tough-cookie: GHSA-72xf-g2v4-qvf3"}, "fullDescription": {"text": "tough-cookie Prototype Pollution vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-cqmj-92xf-r6r9", "name": "socket.io-parser: GHSA-cqmj-92xf-r6r9", "shortDescription": {"text": "socket.io-parser: GHSA-cqmj-92xf-r6r9"}, "fullDescription": {"text": "Insufficient validation when decoding a Socket.IO packet"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-25hc-qcg6-38wj", "name": "socket.io: GHSA-25hc-qcg6-38wj", "shortDescription": {"text": "socket.io: GHSA-25hc-qcg6-38wj"}, "fullDescription": {"text": "socket.io has an unhandled 'error' event"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q9mw-68c2-j6m5", "name": "engine.io: GHSA-q9mw-68c2-j6m5", "shortDescription": {"text": "engine.io: GHSA-q9mw-68c2-j6m5"}, "fullDescription": {"text": "engine.io Uncaught Exception vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-ghr5-ch3p-vcr6", "name": "ejs: GHSA-ghr5-ch3p-vcr6", "shortDescription": {"text": "ejs: GHSA-ghr5-ch3p-vcr6"}, "fullDescription": {"text": "ejs lacks certain pollution protection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-prr3-c3m5-p7q2", "name": "@adobe/css-tools: GHSA-prr3-c3m5-p7q2", 
"shortDescription": {"text": "@adobe/css-tools: GHSA-prr3-c3m5-p7q2"}, "fullDescription": {"text": "@adobe/css-tools Improper Input Validation and Inefficient Regular Expression Complexity"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-hpx4-r86g-5jrg", "name": "@adobe/css-tools: GHSA-hpx4-r86g-5jrg", "shortDescription": {"text": "@adobe/css-tools: GHSA-hpx4-r86g-5jrg"}, "fullDescription": {"text": "@adobe/css-tools Regular Expression Denial of Service (ReDOS) while Parsing CSS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9jgg-88mc-972h", "name": "webpack-dev-server: GHSA-9jgg-88mc-972h", "shortDescription": {"text": "webpack-dev-server: GHSA-9jgg-88mc-972h"}, "fullDescription": {"text": "webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-79cf-xcqc-c78w", "name": "webpack-dev-server: GHSA-79cf-xcqc-c78w", "shortDescription": {"text": "webpack-dev-server: GHSA-79cf-xcqc-c78w"}, "fullDescription": {"text": "webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4v9v-hfq4-rm2v", "name": "webpack-dev-server: GHSA-4v9v-hfq4-rm2v", "shortDescription": {"text": "webpack-dev-server: GHSA-4v9v-hfq4-rm2v"}, "fullDescription": {"text": "webpack-dev-server users' source code may be stolen when they access a malicious web site"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": 
"GHSA-4vvj-4cpr-p986", "name": "webpack: GHSA-4vvj-4cpr-p986", "shortDescription": {"text": "webpack: GHSA-4vvj-4cpr-p986"}, "fullDescription": {"text": "Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qx2v-qp2m-jg93", "name": "postcss: GHSA-qx2v-qp2m-jg93", "shortDescription": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "fullDescription": {"text": "PostCSS has XSS via Unescaped </style> in its CSS Stringify Output"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7fh5-64p2-3v2j", "name": "postcss: GHSA-7fh5-64p2-3v2j", "shortDescription": {"text": "postcss: GHSA-7fh5-64p2-3v2j"}, "fullDescription": {"text": "PostCSS line return parsing error"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9gqv-wp59-fq42", "name": "http-proxy-middleware: GHSA-9gqv-wp59-fq42", "shortDescription": {"text": "http-proxy-middleware: GHSA-9gqv-wp59-fq42"}, "fullDescription": {"text": "http-proxy-middleware allows fixRequestBody to proceed even if bodyParser has failed"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4www-5p9h-95mh", "name": "http-proxy-middleware: GHSA-4www-5p9h-95mh", "shortDescription": {"text": "http-proxy-middleware: GHSA-4www-5p9h-95mh"}, "fullDescription": {"text": "http-proxy-middleware can call writeBody twice because \"else if\" is not used"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jchw-25xp-jwwc", "name": "follow-redirects: GHSA-jchw-25xp-jwwc", "shortDescription": 
{"text": "follow-redirects: GHSA-jchw-25xp-jwwc"}, "fullDescription": {"text": "Follow Redirects improperly handles URLs in the url.parse() function"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-cxjh-pqwp-8mfp", "name": "follow-redirects: GHSA-cxjh-pqwp-8mfp", "shortDescription": {"text": "follow-redirects: GHSA-cxjh-pqwp-8mfp"}, "fullDescription": {"text": "follow-redirects' Proxy-Authorization header kept across hosts"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rv95-896h-c2vc", "name": "express: GHSA-rv95-896h-c2vc", "shortDescription": {"text": "express: GHSA-rv95-896h-c2vc"}, "fullDescription": {"text": "Express.js Open Redirect in malformed URLs"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-48c2-rrv3-qjmp", "name": "yaml: GHSA-48c2-rrv3-qjmp", "shortDescription": {"text": "yaml: GHSA-48c2-rrv3-qjmp"}, "fullDescription": {"text": "yaml is vulnerable to Stack Overflow via deeply nested YAML collections"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-58qx-3vcg-4xpx", "name": "ws: GHSA-58qx-3vcg-4xpx", "shortDescription": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "fullDescription": {"text": "ws: Uninitialized memory disclosure"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-952p-6rrq-rcjv", "name": "micromatch: GHSA-952p-6rrq-rcjv", "shortDescription": {"text": "micromatch: GHSA-952p-6rrq-rcjv"}, "fullDescription": {"text": "Regular Expression Denial of Service (ReDoS) in micromatch"}, "properties": {"scanner": "osv-scanner", "category": "dependency", 
"severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jp2q-39xq-3w4g", "name": "fast-xml-parser: GHSA-jp2q-39xq-3w4g", "shortDescription": {"text": "fast-xml-parser: GHSA-jp2q-39xq-3w4g"}, "fullDescription": {"text": "Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-gh4j-gqv2-49f6", "name": "fast-xml-parser: GHSA-gh4j-gqv2-49f6", "shortDescription": {"text": "fast-xml-parser: GHSA-gh4j-gqv2-49f6"}, "fullDescription": {"text": "fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-968p-4wvh-cqc8", "name": "@babel/runtime: GHSA-968p-4wvh-cqc8", "shortDescription": {"text": "@babel/runtime: GHSA-968p-4wvh-cqc8"}, "fullDescription": {"text": "Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-76p7-773f-r4q5", "name": "serialize-javascript: GHSA-76p7-773f-r4q5", "shortDescription": {"text": "serialize-javascript: GHSA-76p7-773f-r4q5"}, "fullDescription": {"text": "Cross-site Scripting (XSS) in serialize-javascript"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-vp56-6g26-6827", "name": "node-fetch: GHSA-vp56-6g26-6827", "shortDescription": {"text": "node-fetch: GHSA-vp56-6g26-6827"}, "fullDescription": {"text": "node-fetch Inefficient Regular Expression Complexity "}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": 
"medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mwcw-c2x4-8c55", "name": "nanoid: GHSA-mwcw-c2x4-8c55", "shortDescription": {"text": "nanoid: GHSA-mwcw-c2x4-8c55"}, "fullDescription": {"text": "Predictable results in nanoid generation when given non-integer values"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC013", "name": "Database service has no persistent data volume", "shortDescription": {"text": "Database service has no persistent data volume"}, "fullDescription": {"text": "Database containers store data in the writable container layer unless a volume or bind mount is attached to the image's data directory. Recreating the container can lose state."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Compose starts dependent containers in dependency order, but it does not wait for a database to be ready unless a healthcheck is defined and dependents use service_healthy."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Literal secrets in Compose files are committed to source and exposed through container inspection."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, 
"fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `express` is 1 major version(s) behind (4.21.2 -> 5.2.1)", "shortDescription": {"text": "npm package `express` is 1 major version(s) behind (4.21.2 -> 5.2.1)"}, "fullDescription": {"text": "`express` is pinned/resolved at 4.21.2 but the latest stable release on the npm registry is 5.2.1 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. 
This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Sitemap directives in robots.txt help crawlers and AI agents find the canonical public URL inventory quickly."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC005", "name": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or sup", "shortDescription": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "fullDescription": {"text": "No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "low", "confidence": 0.76, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "GHSA-gxpj-cx7g-858c", "name": "debug: GHSA-gxpj-cx7g-858c", "shortDescription": {"text": "debug: GHSA-gxpj-cx7g-858c"}, "fullDescription": {"text": "Regular Expression Denial of Service in debug"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8fgc-7cc6-rx7x", "name": "webpack: GHSA-8fgc-7cc6-rx7x", "shortDescription": {"text": "webpack: GHSA-8fgc-7cc6-rx7x"}, "fullDescription": {"text": "webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": 
"", "owasp": ""}}, {"id": "GHSA-38r7-794h-5758", "name": "webpack: GHSA-38r7-794h-5758", "shortDescription": {"text": "webpack: GHSA-38r7-794h-5758"}, "fullDescription": {"text": "webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects \u2192 SSRF + cache persistence"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-52f5-9888-hmc6", "name": "tmp: GHSA-52f5-9888-hmc6", "shortDescription": {"text": "tmp: GHSA-52f5-9888-hmc6"}, "fullDescription": {"text": "tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w7fw-mjwx-w883", "name": "qs: GHSA-w7fw-mjwx-w883", "shortDescription": {"text": "qs: GHSA-w7fw-mjwx-w883"}, "fullDescription": {"text": "qs's arrayLimit bypass in comma parsing allows denial of service"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-73rr-hh4g-fpgx", "name": "diff: GHSA-73rr-hh4g-fpgx", "shortDescription": {"text": "diff: GHSA-73rr-hh4g-fpgx"}, "fullDescription": {"text": "jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xhjh-pmcv-23jw", "name": "axios: GHSA-xhjh-pmcv-23jw", "shortDescription": {"text": "axios: GHSA-xhjh-pmcv-23jw"}, "fullDescription": {"text": "Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-vpq2-c234-7xj6", "name": "@tootallnate/once: GHSA-vpq2-c234-7xj6", "shortDescription": {"text": 
"@tootallnate/once: GHSA-vpq2-c234-7xj6"}, "fullDescription": {"text": "@tootallnate/once vulnerable to Incorrect Control Flow Scoping"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qw6h-vgh9-j6wx", "name": "express: GHSA-qw6h-vgh9-j6wx", "shortDescription": {"text": "express: GHSA-qw6h-vgh9-j6wx"}, "fullDescription": {"text": "express vulnerable to XSS via response.redirect()"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-pxg6-pf52-xh8x", "name": "cookie: GHSA-pxg6-pf52-xh8x", "shortDescription": {"text": "cookie: GHSA-pxg6-pf52-xh8x"}, "fullDescription": {"text": "cookie accepts cookie name, path, and domain with out of bounds characters"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-cm22-4g7w-348p", "name": "serve-static: GHSA-cm22-4g7w-348p", "shortDescription": {"text": "serve-static: GHSA-cm22-4g7w-348p"}, "fullDescription": {"text": "serve-static vulnerable to template injection that can lead to XSS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-m6fv-jmcg-4jfg", "name": "send: GHSA-m6fv-jmcg-4jfg", "shortDescription": {"text": "send: GHSA-m6fv-jmcg-4jfg"}, "fullDescription": {"text": "send vulnerable to template injection that can lead to XSS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-76c9-3jph-rj3q", "name": "on-headers: GHSA-76c9-3jph-rj3q", "shortDescription": {"text": "on-headers: GHSA-76c9-3jph-rj3q"}, "fullDescription": {"text": "on-headers is vulnerable to http response header manipulation"}, "properties": {"scanner": "osv-scanner", "category": 
"dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-fj3w-jwp8-x2g3", "name": "fast-xml-parser: GHSA-fj3w-jwp8-x2g3", "shortDescription": {"text": "fast-xml-parser: GHSA-fj3w-jwp8-x2g3"}, "fullDescription": {"text": "fast-xml-parser has stack overflow in XMLBuilder with preserveOrder"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v6h2-p8h4-qcjw", "name": "brace-expansion: GHSA-v6h2-p8h4-qcjw", "shortDescription": {"text": "brace-expansion: GHSA-v6h2-p8h4-qcjw"}, "fullDescription": {"text": "brace-expansion Regular Expression Denial of Service vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. 
Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED098", "name": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios ", "shortDescription": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "fullDescription": {"text": "Import the library where you need it instead of attaching to window. 
For legitimate global registries, use a namespaced object (e.g., `window.__myApp.axios`)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 6 more): Same pattern found in 6 additional files. ", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.", "shortDescription": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-704 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 60 more): Same pattern found in 60 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 60 more): Same pattern found in 60 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "GHSA-vj76-c3g6-qr5v", "name": "tar-fs: GHSA-vj76-c3g6-qr5v", "shortDescription": {"text": "tar-fs: GHSA-vj76-c3g6-qr5v"}, "fullDescription": {"text": "tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-pq67-2wwv-3xjx", "name": "tar-fs: GHSA-pq67-2wwv-3xjx", "shortDescription": {"text": "tar-fs: GHSA-pq67-2wwv-3xjx"}, "fullDescription": {"text": "tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8cj5-5rvv-wf4v", "name": "tar-fs: GHSA-8cj5-5rvv-wf4v", "shortDescription": {"text": "tar-fs: GHSA-8cj5-5rvv-wf4v"}, "fullDescription": {"text": "tar-fs can extract outside the specified dir with a specific tarball"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c9f4-xj24-8jqx", "name": "uglify-js: GHSA-c9f4-xj24-8jqx", "shortDescription": {"text": "uglify-js: GHSA-c9f4-xj24-8jqx"}, "fullDescription": 
{"text": "Regular Expression Denial of Service in uglify-js"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-hxm2-r34f-qmc5", "name": "minimatch: GHSA-hxm2-r34f-qmc5", "shortDescription": {"text": "minimatch: GHSA-hxm2-r34f-qmc5"}, "fullDescription": {"text": "Regular Expression Denial of Service in minimatch"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-wrvr-8mpx-r7pp", "name": "mime: GHSA-wrvr-8mpx-r7pp", "shortDescription": {"text": "mime: GHSA-wrvr-8mpx-r7pp"}, "fullDescription": {"text": "mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9vvw-cc9w-f27h", "name": "debug: GHSA-9vvw-cc9w-f27h", "shortDescription": {"text": "debug: GHSA-9vvw-cc9w-f27h"}, "fullDescription": {"text": "debug Inefficient Regular Expression Complexity vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-ph9p-34f9-6g65", "name": "tmp: GHSA-ph9p-34f9-6g65", "shortDescription": {"text": "tmp: GHSA-ph9p-34f9-6g65"}, "fullDescription": {"text": "tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r6q2-hw4h-h46w", "name": "tar: GHSA-r6q2-hw4h-h46w", "shortDescription": {"text": "tar: GHSA-r6q2-hw4h-h46w"}, "fullDescription": {"text": "Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", 
"confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qffp-2rhf-9h96", "name": "tar: GHSA-qffp-2rhf-9h96", "shortDescription": {"text": "tar: GHSA-qffp-2rhf-9h96"}, "fullDescription": {"text": "tar has Hardlink Path Traversal via Drive-Relative Linkpath"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9ppj-qmqm-q256", "name": "tar: GHSA-9ppj-qmqm-q256", "shortDescription": {"text": "tar: GHSA-9ppj-qmqm-q256"}, "fullDescription": {"text": "node-tar Symlink Path Traversal via Drive-Relative Linkpath"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8qq5-rm4j-mr97", "name": "tar: GHSA-8qq5-rm4j-mr97", "shortDescription": {"text": "tar: GHSA-8qq5-rm4j-mr97"}, "fullDescription": {"text": "node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-83g3-92jg-28cx", "name": "tar: GHSA-83g3-92jg-28cx", "shortDescription": {"text": "tar: GHSA-83g3-92jg-28cx"}, "fullDescription": {"text": "Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-34x7-hfp2-rc4v", "name": "tar: GHSA-34x7-hfp2-rc4v", "shortDescription": {"text": "tar: GHSA-34x7-hfp2-rc4v"}, "fullDescription": {"text": "node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-677m-j7p3-52f9", "name": "socket.io-parser: GHSA-677m-j7p3-52f9", 
"shortDescription": {"text": "socket.io-parser: GHSA-677m-j7p3-52f9"}, "fullDescription": {"text": "socket.io allows an unbounded number of binary attachments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5c6j-r48x-rmvq", "name": "serialize-javascript: GHSA-5c6j-r48x-rmvq", "shortDescription": {"text": "serialize-javascript: GHSA-5c6j-r48x-rmvq"}, "fullDescription": {"text": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mw96-cpmx-2vgc", "name": "rollup: GHSA-mw96-cpmx-2vgc", "shortDescription": {"text": "rollup: GHSA-mw96-cpmx-2vgc"}, "fullDescription": {"text": "Rollup 4 has Arbitrary File Write via Path Traversal"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c2c7-rcm5-vvqj", "name": "picomatch: GHSA-c2c7-rcm5-vvqj", "shortDescription": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "fullDescription": {"text": "Picomatch has a ReDoS vulnerability via extglob quantifiers"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-37ch-88jc-xwx2", "name": "path-to-regexp: GHSA-37ch-88jc-xwx2", "shortDescription": {"text": "path-to-regexp: GHSA-37ch-88jc-xwx2"}, "fullDescription": {"text": "path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q67f-28xg-22rw", "name": "node-forge: GHSA-q67f-28xg-22rw", "shortDescription": {"text": "node-forge: GHSA-q67f-28xg-22rw"}, "fullDescription": {"text": "Forge 
has signature forgery in Ed25519 due to missing S > L check"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-ppp5-5v6c-4jwp", "name": "node-forge: GHSA-ppp5-5v6c-4jwp", "shortDescription": {"text": "node-forge: GHSA-ppp5-5v6c-4jwp"}, "fullDescription": {"text": "Forge has signature forgery in RSA-PKCS due to ASN.1 extra field  "}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5m6q-g25r-mvwx", "name": "node-forge: GHSA-5m6q-g25r-mvwx", "shortDescription": {"text": "node-forge: GHSA-5m6q-g25r-mvwx"}, "fullDescription": {"text": "Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5gfm-wpxj-wjgq", "name": "node-forge: GHSA-5gfm-wpxj-wjgq", "shortDescription": {"text": "node-forge: GHSA-5gfm-wpxj-wjgq"}, "fullDescription": {"text": "node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-554w-wpv2-vw27", "name": "node-forge: GHSA-554w-wpv2-vw27", "shortDescription": {"text": "node-forge: GHSA-554w-wpv2-vw27"}, "fullDescription": {"text": "node-forge has ASN.1 Unbounded Recursion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2328-f5f3-gj25", "name": "node-forge: GHSA-2328-f5f3-gj25", "shortDescription": {"text": "node-forge: GHSA-2328-f5f3-gj25"}, "fullDescription": {"text": "Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)"}, "properties": {"scanner": 
"osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7r86-cg39-jmmj", "name": "minimatch: GHSA-7r86-cg39-jmmj", "shortDescription": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "fullDescription": {"text": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3ppc-4f35-3m26", "name": "minimatch: GHSA-3ppc-4f35-3m26", "shortDescription": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "fullDescription": {"text": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-23c5-xmqv-rm74", "name": "minimatch: GHSA-23c5-xmqv-rm74", "shortDescription": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "fullDescription": {"text": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r5fr-rjxr-66jc", "name": "lodash: GHSA-r5fr-rjxr-66jc", "shortDescription": {"text": "lodash: GHSA-r5fr-rjxr-66jc"}, "fullDescription": {"text": "lodash vulnerable to Code Injection via `_.template` imports key names"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5j98-mcp5-4vw2", "name": "glob: GHSA-5j98-mcp5-4vw2", "shortDescription": {"text": "glob: GHSA-5j98-mcp5-4vw2"}, "fullDescription": {"text": "glob CLI: Command injection via -c/--cmd executes matches with shell:true"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, 
"cwe": "", "owasp": ""}}, {"id": "GHSA-4c3q-x735-j3r5", "name": "compressing: GHSA-4c3q-x735-j3r5", "shortDescription": {"text": "compressing: GHSA-4c3q-x735-j3r5"}, "fullDescription": {"text": "Complete Bypass of CVE-2026-24884 Patch via Git-Delivered Symlink Poisoning in compressing"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rpmf-866q-6p89", "name": "basic-ftp: GHSA-rpmf-866q-6p89", "shortDescription": {"text": "basic-ftp: GHSA-rpmf-866q-6p89"}, "fullDescription": {"text": "basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rp42-5vxx-qpwr", "name": "basic-ftp: GHSA-rp42-5vxx-qpwr", "shortDescription": {"text": "basic-ftp: GHSA-rp42-5vxx-qpwr"}, "fullDescription": {"text": "basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list()"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-6v7q-wjvx-w8wg", "name": "basic-ftp: GHSA-6v7q-wjvx-w8wg", "shortDescription": {"text": "basic-ftp: GHSA-6v7q-wjvx-w8wg"}, "fullDescription": {"text": "basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q8qp-cvcw-x6jj", "name": "axios: GHSA-q8qp-cvcw-x6jj", "shortDescription": {"text": "axios: GHSA-q8qp-cvcw-x6jj"}, "fullDescription": {"text": "Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking"}, "properties": {"scanner": "osv-scanner", "category": 
"dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-pf86-5x62-jrwf", "name": "axios: GHSA-pf86-5x62-jrwf", "shortDescription": {"text": "axios: GHSA-pf86-5x62-jrwf"}, "fullDescription": {"text": "Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-p92q-9vqr-4j8v", "name": "axios: GHSA-p92q-9vqr-4j8v", "shortDescription": {"text": "axios: GHSA-p92q-9vqr-4j8v"}, "fullDescription": {"text": "Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-j5f8-grm9-p9fc", "name": "axios: GHSA-j5f8-grm9-p9fc", "shortDescription": {"text": "axios: GHSA-j5f8-grm9-p9fc"}, "fullDescription": {"text": "Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-hfxv-24rg-xrqf", "name": "axios: GHSA-hfxv-24rg-xrqf", "shortDescription": {"text": "axios: GHSA-hfxv-24rg-xrqf"}, "fullDescription": {"text": "Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-777c-7fjr-54vf", "name": "axios: GHSA-777c-7fjr-54vf", "shortDescription": {"text": "axios: GHSA-777c-7fjr-54vf"}, "fullDescription": {"text": "Allocation of Resources Without Limits or Throttling in Axios"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", 
"owasp": ""}}, {"id": "GHSA-6chq-wfr3-2hj9", "name": "axios: GHSA-6chq-wfr3-2hj9", "shortDescription": {"text": "axios: GHSA-6chq-wfr3-2hj9"}, "fullDescription": {"text": "Axios: Header Injection via Prototype Pollution"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-43fc-jf86-j433", "name": "axios: GHSA-43fc-jf86-j433", "shortDescription": {"text": "axios: GHSA-43fc-jf86-j433"}, "fullDescription": {"text": "Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-pjwm-pj3p-43mv", "name": "axios: GHSA-pjwm-pj3p-43mv", "shortDescription": {"text": "axios: GHSA-pjwm-pj3p-43mv"}, "fullDescription": {"text": "axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3g43-6gmg-66jw", "name": "axios: GHSA-3g43-6gmg-66jw", "shortDescription": {"text": "axios: GHSA-3g43-6gmg-66jw"}, "fullDescription": {"text": "axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-35jp-ww65-95wh", "name": "axios: GHSA-35jp-ww65-95wh", "shortDescription": {"text": "axios: GHSA-35jp-ww65-95wh"}, "fullDescription": {"text": "axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-fv7c-fp4j-7gwp", "name": 
"@babel/plugin-transform-modules-systemjs: GHSA-fv7c-fp4j-7gwp", "shortDescription": {"text": "@babel/plugin-transform-modules-systemjs: GHSA-fv7c-fp4j-7gwp"}, "fullDescription": {"text": "@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c2qf-rxjj-qqgw", "name": "semver: GHSA-c2qf-rxjj-qqgw", "shortDescription": {"text": "semver: GHSA-c2qf-rxjj-qqgw"}, "fullDescription": {"text": "semver vulnerable to Regular Expression Denial of Service"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-gcx4-mw62-g8wm", "name": "rollup: GHSA-gcx4-mw62-g8wm", "shortDescription": {"text": "rollup: GHSA-gcx4-mw62-g8wm"}, "fullDescription": {"text": "DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rp65-9cf3-cjxr", "name": "nth-check: GHSA-rp65-9cf3-cjxr", "shortDescription": {"text": "nth-check: GHSA-rp65-9cf3-cjxr"}, "fullDescription": {"text": "Inefficient Regular Expression Complexity in nth-check"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-wr3j-pwj9-hqq6", "name": "webpack-dev-middleware: GHSA-wr3j-pwj9-hqq6", "shortDescription": {"text": "webpack-dev-middleware: GHSA-wr3j-pwj9-hqq6"}, "fullDescription": {"text": "Path traversal in webpack-dev-middleware"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xpqw-6gx7-v673", "name": "svgo: GHSA-xpqw-6gx7-v673", "shortDescription": {"text": "svgo: GHSA-xpqw-6gx7-v673"}, 
"fullDescription": {"text": "SVGO DoS through entity expansion in DOCTYPE (Billion Laughs)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rhx6-c78j-4q9w", "name": "path-to-regexp: GHSA-rhx6-c78j-4q9w", "shortDescription": {"text": "path-to-regexp: GHSA-rhx6-c78j-4q9w"}, "fullDescription": {"text": "path-to-regexp contains a ReDoS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9wv6-86v2-598j", "name": "path-to-regexp: GHSA-9wv6-86v2-598j", "shortDescription": {"text": "path-to-regexp: GHSA-9wv6-86v2-598j"}, "fullDescription": {"text": "path-to-regexp outputs backtracking regular expressions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c27g-q93r-2cwf", "name": "launch-editor: GHSA-c27g-q93r-2cwf", "shortDescription": {"text": "launch-editor: GHSA-c27g-q93r-2cwf"}, "fullDescription": {"text": "launch-editor vulnerable to command injection via the crafted request on Windows"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c7qv-q95q-8v27", "name": "http-proxy-middleware: GHSA-c7qv-q95q-8v27", "shortDescription": {"text": "http-proxy-middleware: GHSA-c7qv-q95q-8v27"}, "fullDescription": {"text": "Denial of service in http-proxy-middleware"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qwcr-r2fm-qrc7", "name": "body-parser: GHSA-qwcr-r2fm-qrc7", "shortDescription": {"text": "body-parser: GHSA-qwcr-r2fm-qrc7"}, "fullDescription": {"text": "body-parser vulnerable to denial of service when url encoding is enabled"}, "properties": {"scanner": "osv-scanner", "category": 
"dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3h5v-q93c-6h6q", "name": "ws: GHSA-3h5v-q93c-6h6q", "shortDescription": {"text": "ws: GHSA-3h5v-q93c-6h6q"}, "fullDescription": {"text": "ws affected by a DoS when handling a request with many HTTP headers"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-m5qc-5hw7-8vg7", "name": "image-size: GHSA-m5qc-5hw7-8vg7", "shortDescription": {"text": "image-size: GHSA-m5qc-5hw7-8vg7"}, "fullDescription": {"text": "image-size Denial of Service via Infinite Loop during Image Processing"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rf6f-7fwh-wjgh", "name": "flatted: GHSA-rf6f-7fwh-wjgh", "shortDescription": {"text": "flatted: GHSA-rf6f-7fwh-wjgh"}, "fullDescription": {"text": "Prototype Pollution via parse() in NodeJS flatted"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-25h7-pfq9-p65f", "name": "flatted: GHSA-25h7-pfq9-p65f", "shortDescription": {"text": "flatted: GHSA-25h7-pfq9-p65f"}, "fullDescription": {"text": "flatted vulnerable to unbounded recursion DoS in parse() revive phase"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mpg4-rc92-vx8v", "name": "fast-xml-parser: GHSA-mpg4-rc92-vx8v", "shortDescription": {"text": "fast-xml-parser: GHSA-mpg4-rc92-vx8v"}, "fullDescription": {"text": "fast-xml-parser vulnerable to ReDOS at currency parsing"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8gc5-j5rx-235r", "name": "fast-xml-parser: GHSA-8gc5-j5rx-235r", "shortDescription": {"text": 
"fast-xml-parser: GHSA-8gc5-j5rx-235r"}, "fullDescription": {"text": "fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3xgq-45jj-v275", "name": "cross-spawn: GHSA-3xgq-45jj-v275", "shortDescription": {"text": "cross-spawn: GHSA-3xgq-45jj-v275"}, "fullDescription": {"text": "Regular Expression Denial of Service (ReDoS) in cross-spawn"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f8q6-p94x-37v3", "name": "minimatch: GHSA-f8q6-p94x-37v3", "shortDescription": {"text": "minimatch: GHSA-f8q6-p94x-37v3"}, "fullDescription": {"text": "minimatch ReDoS vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4q6p-r6v2-jvc5", "name": "get-func-name: GHSA-4q6p-r6v2-jvc5", "shortDescription": {"text": "get-func-name: GHSA-4q6p-r6v2-jvc5"}, "fullDescription": {"text": "Chaijs/get-func-name vulnerable to ReDoS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-grv7-fg5c-xmjg", "name": "braces: GHSA-grv7-fg5c-xmjg", "shortDescription": {"text": "braces: GHSA-grv7-fg5c-xmjg"}, "fullDescription": {"text": "Uncontrolled resource consumption in braces"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Publishing database ports to the host increases exposure. 
Internal Compose networking usually only needs expose, not ports."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies the entire context without .dockerignore", "shortDescription": {"text": "Dockerfile copies the entire context without .dockerignore"}, "fullDescription": {"text": "COPY . or ADD . sends the full build context to Docker. Without .dockerignore this can include secrets, git history, and local artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. 
Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16. Apply the CIDR check to the address the hostname resolves to, and on every redirect hop; also cover loopback (127/8) and the IPv6 equivalents."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "Binary file `examples/ReactNativeExample/android/gradle/wrapper/gradle-wrapper.jar` committed in source repo", "shortDescription": {"text": "Binary file `examples/ReactNativeExample/android/gradle/wrapper/gradle-wrapper.jar` committed in source repo"}, "fullDescription": {"text": "`examples/ReactNativeExample/android/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (63,721 bytes) committed to a repo that otherwise has 288 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/checkout` pinned to mutable ref `@v6`", "shortDescription": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "fullDescription": {"text": "`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "Workflow container/services image `redis:7` unpinned", "shortDescription": {"text": "Workflow container/services image `redis:7` unpinned"}, "fullDescription": {"text": "`container/services image: redis:7` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `node:14-alpine` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `node:14-alpine` not pinned by digest"}, "fullDescription": {"text": "`FROM node:14-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED122", "name": "package.json dep `uWebSockets.js` pulled from URL/Git", "shortDescription": {"text": "package.json dep `uWebSockets.js` pulled from URL/Git"}, "fullDescription": {"text": "`devDependencies.uWebSockets.js` = `github:uNetworking/uWebSockets.js#v20.56.0` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "Express POST /login has no auth", "shortDescription": {"text": "Express POST /login has no auth"}, "fullDescription": {"text": "Express route POST /login declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control. A login route has to be reachable before authentication, so triage this hit by checking rate limiting, credential handling and session issuance rather than by adding an auth middleware."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "GHSA-34r7-q49f-h37c", "name": "uglify-js: GHSA-34r7-q49f-h37c", "shortDescription": {"text": "uglify-js: GHSA-34r7-q49f-h37c"}, "fullDescription": {"text": "Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qg8p-v9q4-gh34", "name": "shell-quote: GHSA-qg8p-v9q4-gh34", "shortDescription": {"text": "shell-quote: GHSA-qg8p-v9q4-gh34"}, "fullDescription": {"text": "Potential Command Injection in shell-quote"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xvch-5gv4-984h", "name": "minimist: GHSA-xvch-5gv4-984h", "shortDescription": {"text": "minimist: GHSA-xvch-5gv4-984h"}, "fullDescription": {"text": "Prototype Pollution in minimist"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5rq4-664w-9x2c", "name": "basic-ftp: GHSA-5rq4-664w-9x2c", "shortDescription": {"text": "basic-ftp: GHSA-5rq4-664w-9x2c"}, "fullDescription": {"text": "Basic FTP has Path Traversal 
Vulnerability in its downloadToDir()\u00a0method"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-hc6q-2mpp-qw7j", "name": "webpack: GHSA-hc6q-2mpp-qw7j", "shortDescription": {"text": "webpack: GHSA-hc6q-2mpp-qw7j"}, "fullDescription": {"text": "Cross-realm object access in Webpack 5"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-fjxv-7rqg-78g4", "name": "form-data: GHSA-fjxv-7rqg-78g4", "shortDescription": {"text": "form-data: GHSA-fjxv-7rqg-78g4"}, "fullDescription": {"text": "form-data uses unsafe random function in form-data for choosing boundary"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-67hx-6x53-jw92", "name": "@babel/traverse: GHSA-67hx-6x53-jw92", "shortDescription": {"text": "@babel/traverse: GHSA-67hx-6x53-jw92"}, "fullDescription": {"text": "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-m7jm-9gc2-mpf2", "name": "fast-xml-parser: GHSA-m7jm-9gc2-mpf2", "shortDescription": {"text": "fast-xml-parser: GHSA-m7jm-9gc2-mpf2"}, "fullDescription": {"text": "fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive 
operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "private-key", "name": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.", "shortDescription": {"text": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "pkcs12-file", "name": "Found a PKCS #12 file, which commonly contain bundled private keys.", "shortDescription": {"text": "Found a PKCS #12 file, which commonly contain bundled private keys."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "DKC008", "name": "Compose service mounts the Docker socket", "shortDescription": {"text": "Compose service mounts the Docker socket"}, "fullDescription": {"text": "The Docker socket gives the container control over the Docker host and is commonly equivalent to host root access."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.98, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "Workflow uses `secrets.SAUCE_ACCESS_KEY` on a `pull_request` trigger", "shortDescription": {"text": "Workflow uses `secrets.SAUCE_ACCESS_KEY` on a `pull_request` trigger"}, "fullDescription": {"text": "This workflow triggers on `pull_request`, which checks out the FORK's code. 
Referencing `${{ secrets.SAUCE_ACCESS_KEY }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). GitHub withholds repository secrets from `pull_request` runs started from forks by default, so verify the exposure against the repository's fork-PR settings and against PRs opened from same-repository branches. Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/865"}, "properties": {"repository": "socketio/socket.io", "repoUrl": "https://github.com/socketio/socket.io", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 78642, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 78640, "scanner": "repobility-access-control", "fingerprint": "b2b220ffd00544f11577c95c6ebba1d9777fd8f8945f26d82bcf37e8c3177020", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": 
"Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 1, "correlation_key": "fp|b2b220ffd00544f11577c95c6ebba1d9777fd8f8945f26d82bcf37e8c3177020", "auth_visible_percent": 0.0}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 78639, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Express"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "GHSA-6fx8-h7jm-663j", "level": "warning", "message": {"text": "parseuri: GHSA-6fx8-h7jm-663j"}, "properties": {"repobilityId": 78632, "scanner": "osv-scanner", "fingerprint": "95d2bd60af34eb9b2e3f330d5ae78d9ce4a3b76e6accb93e967b2a97315e9609", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-36751"], "package": "parseuri", "rule_id": "GHSA-6fx8-h7jm-663j", "scanner": "osv-scanner", "correlation_key": "vuln|parseuri|CVE-2024-36751|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/engine.io/examples/latency/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w9mr-4mfr-499f", "level": "warning", 
"message": {"text": "ms: GHSA-w9mr-4mfr-499f"}, "properties": {"repobilityId": 78631, "scanner": "osv-scanner", "fingerprint": "53fe7e1ed954976069023ae5a45d02956cf61838fafbbfea90ac5da9ac48c752", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2017-20162"], "package": "ms", "rule_id": "GHSA-w9mr-4mfr-499f", "scanner": "osv-scanner", "correlation_key": "vuln|ms|CVE-2017-20162|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/engine.io/examples/latency/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vh95-rmgr-6w4m", "level": "warning", "message": {"text": "minimist: GHSA-vh95-rmgr-6w4m"}, "properties": {"repobilityId": 78629, "scanner": "osv-scanner", "fingerprint": "ac56a69862f09741eb0390fdd300568479193d4e5bca7e0d7a6885054062d384", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2020-7598"], "package": "minimist", "rule_id": "GHSA-vh95-rmgr-6w4m", "scanner": "osv-scanner", "correlation_key": "vuln|minimist|CVE-2020-7598|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/engine.io/examples/latency/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w5hq-g745-h8pq", "level": "warning", "message": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "properties": {"repobilityId": 78622, "scanner": "osv-scanner", "fingerprint": "2f6e44d3056f0549be14ae43b720d756ca97d735468761433ea29a9ddf340eaa", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41907"], "package": "uuid", "rule_id": "GHSA-w5hq-g745-h8pq", "scanner": "osv-scanner", "correlation_key": 
"vuln|uuid|CVE-2026-41907|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qj8w-gfj5-8c6v", "level": "warning", "message": {"text": "serialize-javascript: GHSA-qj8w-gfj5-8c6v"}, "properties": {"repobilityId": 78609, "scanner": "osv-scanner", "fingerprint": "861c9140d2458e85a1dd789a1de43fb0746f37a04647da29356e9e95fb4647ef", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34043"], "package": "serialize-javascript", "rule_id": "GHSA-qj8w-gfj5-8c6v", "scanner": "osv-scanner", "correlation_key": "vuln|serialize-javascript|CVE-2026-34043|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q8mj-m7cp-5q26", "level": "warning", "message": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "properties": {"repobilityId": 78605, "scanner": "osv-scanner", "fingerprint": "47af66b2941511910bef679f7fdc36232d020247a0f6ed279e094f6f5cfdf3b5", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-8723"], "package": "qs", "rule_id": "GHSA-q8mj-m7cp-5q26", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2026-8723|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6rw7-vpxm-498p", "level": "warning", "message": {"text": "qs: GHSA-6rw7-vpxm-498p"}, "properties": {"repobilityId": 78604, "scanner": "osv-scanner", "fingerprint": "fa80c0113a31d4aa749588a85511874d731a5f17963bf03bd5aa107cf81d4b3f", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", 
"isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-15284"], "package": "qs", "rule_id": "GHSA-6rw7-vpxm-498p", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2025-15284|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3v7f-55p6-f55p", "level": "warning", "message": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "properties": {"repobilityId": 78602, "scanner": "osv-scanner", "fingerprint": "d01f2097e7b318fed09051dc9486d1856dda99f71ea520983bca2d575128e70d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33672"], "package": "picomatch", "rule_id": "GHSA-3v7f-55p6-f55p", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33672|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6fx8-h7jm-663j", "level": "warning", "message": {"text": "parseuri: GHSA-6fx8-h7jm-663j"}, "properties": {"repobilityId": 78600, "scanner": "osv-scanner", "fingerprint": "5a3e2c853c4bd19b56661c4f78ac56d95cff27644d2c82f0291d5eda3a28e1f7", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-36751"], "package": "parseuri", "rule_id": "GHSA-6fx8-h7jm-663j", "scanner": "osv-scanner", "correlation_key": "vuln|parseuri|CVE-2024-36751|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-65ch-62r8-g69g", "level": "warning", "message": {"text": "node-forge: GHSA-65ch-62r8-g69g"}, "properties": {"repobilityId": 78597, "scanner": "osv-scanner", "fingerprint": 
"fdcdff9efc13682e8a57a04b193e7253de4f457030335af8d1d0b27fce29a23b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-66030"], "package": "node-forge", "rule_id": "GHSA-65ch-62r8-g69g", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2025-66030|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xxjr-mmjv-4gpg", "level": "warning", "message": {"text": "lodash: GHSA-xxjr-mmjv-4gpg"}, "properties": {"repobilityId": 78589, "scanner": "osv-scanner", "fingerprint": "f047ccc7d9c1109aced3a5c21f0b53a27d6582174ed7660bc0f4dfe83bf08a1a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-13465"], "package": "lodash", "rule_id": "GHSA-xxjr-mmjv-4gpg", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2025-13465|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f23m-r3pf-42rh", "level": "warning", "message": {"text": "lodash: GHSA-f23m-r3pf-42rh"}, "properties": {"repobilityId": 78587, "scanner": "osv-scanner", "fingerprint": "de986ead824c9cd2225230d6fcc7a484a3f62fc4668bd948eb33bf3de3e73e26", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2950"], "package": "lodash", "rule_id": "GHSA-f23m-r3pf-42rh", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2026-2950|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": 
"GHSA-mh29-5h37-fv8m", "level": "warning", "message": {"text": "js-yaml: GHSA-mh29-5h37-fv8m"}, "properties": {"repobilityId": 78586, "scanner": "osv-scanner", "fingerprint": "28d729fc1155c54fc66f4fb51841604d700ad2e22c31e413765f6dd36f601211", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-64718"], "package": "js-yaml", "rule_id": "GHSA-mh29-5h37-fv8m", "scanner": "osv-scanner", "correlation_key": "vuln|js-yaml|CVE-2025-64718|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v2v4-37r5-5v8g", "level": "warning", "message": {"text": "ip-address: GHSA-v2v4-37r5-5v8g"}, "properties": {"repobilityId": 78585, "scanner": "osv-scanner", "fingerprint": "88e37ad91ff38f5df72baa5745d86869e8a461f1cce98114f89b163d238468a4", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42338"], "package": "ip-address", "rule_id": "GHSA-v2v4-37r5-5v8g", "scanner": "osv-scanner", "correlation_key": "vuln|ip-address|CVE-2026-42338|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r4q5-vmmm-2653", "level": "warning", "message": {"text": "follow-redirects: GHSA-r4q5-vmmm-2653"}, "properties": {"repobilityId": 78583, "scanner": "osv-scanner", "fingerprint": "248c1e434ec83c5a892dfdf2f0e0aa80ddc9030d3cbaccddc0f5a14a5c6577be", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "follow-redirects", "rule_id": "GHSA-r4q5-vmmm-2653", "scanner": "osv-scanner", "correlation_key": 
"vuln|follow-redirects|GHSA-R4Q5-VMMM-2653|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f886-m6hf-6m8v", "level": "warning", "message": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "properties": {"repobilityId": 78580, "scanner": "osv-scanner", "fingerprint": "e8eb0ab1ffbb15b3b127c7436af364aa04d69dbc42fb22d21fcb4f304d428269", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33750"], "package": "brace-expansion", "rule_id": "GHSA-f886-m6hf-6m8v", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-33750|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xx6v-rp6x-q39c", "level": "warning", "message": {"text": "axios: GHSA-xx6v-rp6x-q39c"}, "properties": {"repobilityId": 78575, "scanner": "osv-scanner", "fingerprint": "1b1ce84a73c4616c503ae499f1e9f71bb5504b91f278108b93fbda72873fe978", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42042"], "package": "axios", "rule_id": "GHSA-xx6v-rp6x-q39c", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42042|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w9j2-pvgh-6h63", "level": "warning", "message": {"text": "axios: GHSA-w9j2-pvgh-6h63"}, "properties": {"repobilityId": 78573, "scanner": "osv-scanner", "fingerprint": "34143b1c2129cf5bfede7709a53959ce3124636b59db9a50161a482b0a2c00eb", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": 
"", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42041"], "package": "axios", "rule_id": "GHSA-w9j2-pvgh-6h63", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42041|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vf2m-468p-8v99", "level": "warning", "message": {"text": "axios: GHSA-vf2m-468p-8v99"}, "properties": {"repobilityId": 78572, "scanner": "osv-scanner", "fingerprint": "75b233cf541f7bb7a8024aafc53dfc9a485058fd533514a7d10efb41bf7448ea", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42036"], "package": "axios", "rule_id": "GHSA-vf2m-468p-8v99", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42036|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-m7pr-hjqh-92cm", "level": "warning", "message": {"text": "axios: GHSA-m7pr-hjqh-92cm"}, "properties": {"repobilityId": 78568, "scanner": "osv-scanner", "fingerprint": "1cec90618bebb188c17fe310fb3033768a72b6137c6a40c836779024308147c0", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42038"], "package": "axios", "rule_id": "GHSA-m7pr-hjqh-92cm", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42038|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-fvcv-3m26-pcqx", "level": "warning", "message": {"text": "axios: GHSA-fvcv-3m26-pcqx"}, "properties": {"repobilityId": 78565, "scanner": "osv-scanner", "fingerprint": 
"194638f48fb7480a0400250b68d28c6069ca8218bc89ba146b8f6d04c4d3278f", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-40175"], "package": "axios", "rule_id": "GHSA-fvcv-3m26-pcqx", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-40175|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-898c-q2cr-xwhg", "level": "warning", "message": {"text": "axios: GHSA-898c-q2cr-xwhg"}, "properties": {"repobilityId": 78564, "scanner": "osv-scanner", "fingerprint": "e0f789ea8b2d8f62959bbaf20e3ba5535e687b8c3be953373597bdc70b626254", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44490"], "package": "axios", "rule_id": "GHSA-898c-q2cr-xwhg", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44490|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-62hf-57xw-28j9", "level": "warning", "message": {"text": "axios: GHSA-62hf-57xw-28j9"}, "properties": {"repobilityId": 78561, "scanner": "osv-scanner", "fingerprint": "19b18323ef10e595c7d22624ffcae0cf84c0d84d20f975340eba11740cb6399e", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42039"], "package": "axios", "rule_id": "GHSA-62hf-57xw-28j9", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42039|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5c9x-8gcm-mpgx", 
"level": "warning", "message": {"text": "axios: GHSA-5c9x-8gcm-mpgx"}, "properties": {"repobilityId": 78560, "scanner": "osv-scanner", "fingerprint": "e6cd3ab5e59f556a7738149d19ec8d30eb349cd423503e51002e40fb93d566c1", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42034"], "package": "axios", "rule_id": "GHSA-5c9x-8gcm-mpgx", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42034|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-445q-vr5w-6q77", "level": "warning", "message": {"text": "axios: GHSA-445q-vr5w-6q77"}, "properties": {"repobilityId": 78559, "scanner": "osv-scanner", "fingerprint": "c7dc7346c89b379676f951ef9dafc8289422df6a7bc1d3e0ad138a1f1bddb81f", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42037"], "package": "axios", "rule_id": "GHSA-445q-vr5w-6q77", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42037|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3w6x-2g7m-8v23", "level": "warning", "message": {"text": "axios: GHSA-3w6x-2g7m-8v23"}, "properties": {"repobilityId": 78557, "scanner": "osv-scanner", "fingerprint": "5cf4f362c78e0884a4fbf39c4fc1a01408751d99e053455c539b6a3630054c12", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42044"], "package": "axios", "rule_id": "GHSA-3w6x-2g7m-8v23", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42044|package-lock.json"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2g4f-4pwh-qvx6", "level": "warning", "message": {"text": "ajv: GHSA-2g4f-4pwh-qvx6"}, "properties": {"repobilityId": 78553, "scanner": "osv-scanner", "fingerprint": "b6e4ab66cc3522d009fa9b7b4cb49ad3d9a60843a6d25559c80bbc6b5b65b8d7", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-69873"], "package": "ajv", "rule_id": "GHSA-2g4f-4pwh-qvx6", "scanner": "osv-scanner", "correlation_key": "vuln|ajv|CVE-2025-69873|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-j8xg-fqg3-53r7", "level": "warning", "message": {"text": "word-wrap: GHSA-j8xg-fqg3-53r7"}, "properties": {"repobilityId": 78551, "scanner": "osv-scanner", "fingerprint": "41e3d19752760107091ed7dcbd4cc9374a2f3e214bde0df5edc839a6f7c484e1", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-26115"], "package": "word-wrap", "rule_id": "GHSA-j8xg-fqg3-53r7", "scanner": "osv-scanner", "correlation_key": "vuln|word-wrap|CVE-2023-26115|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/create-react-app-example/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-72xf-g2v4-qvf3", "level": "warning", "message": {"text": "tough-cookie: GHSA-72xf-g2v4-qvf3"}, "properties": {"repobilityId": 78549, "scanner": "osv-scanner", "fingerprint": "0902aa8b0043ecf561daebfc07957af481182ed63d7c0a7c2d35e21353ed6e8d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", 
"aliases": ["CVE-2023-26136"], "package": "tough-cookie", "rule_id": "GHSA-72xf-g2v4-qvf3", "scanner": "osv-scanner", "correlation_key": "vuln|tough-cookie|CVE-2023-26136|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/create-react-app-example/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-cqmj-92xf-r6r9", "level": "warning", "message": {"text": "socket.io-parser: GHSA-cqmj-92xf-r6r9"}, "properties": {"repobilityId": 78548, "scanner": "osv-scanner", "fingerprint": "959a7fbde20283f552ebd7852d10602f9be75d59bf4e018952d2ef6feb631cf8", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-32695"], "package": "socket.io-parser", "rule_id": "GHSA-cqmj-92xf-r6r9", "scanner": "osv-scanner", "correlation_key": "vuln|socket.io-parser|CVE-2023-32695|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/create-react-app-example/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-25hc-qcg6-38wj", "level": "warning", "message": {"text": "socket.io: GHSA-25hc-qcg6-38wj"}, "properties": {"repobilityId": 78547, "scanner": "osv-scanner", "fingerprint": "a9700e819b009172cfe331ad5476b94eaa0b8171a758d484ff1a02e4d07ab885", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-38355"], "package": "socket.io", "rule_id": "GHSA-25hc-qcg6-38wj", "scanner": "osv-scanner", "correlation_key": "vuln|socket.io|CVE-2024-38355|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/create-react-app-example/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q9mw-68c2-j6m5", "level": "warning", "message": {"text": "engine.io: GHSA-q9mw-68c2-j6m5"}, "properties": {"repobilityId": 78541, "scanner": 
"osv-scanner", "fingerprint": "f3fe2c785d5608f2175088756e59acd950f53290cbad9be92e610efc7fa67aaf", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-31125"], "package": "engine.io", "rule_id": "GHSA-q9mw-68c2-j6m5", "scanner": "osv-scanner", "correlation_key": "vuln|engine.io|CVE-2023-31125|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/create-react-app-example/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-ghr5-ch3p-vcr6", "level": "warning", "message": {"text": "ejs: GHSA-ghr5-ch3p-vcr6"}, "properties": {"repobilityId": 78540, "scanner": "osv-scanner", "fingerprint": "a2130835a1766355aed299e545c6b8a4315d3738f6f2fa84f8c3ec1210ef0a5c", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-33883"], "package": "ejs", "rule_id": "GHSA-ghr5-ch3p-vcr6", "scanner": "osv-scanner", "correlation_key": "vuln|ejs|CVE-2024-33883|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/create-react-app-example/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-prr3-c3m5-p7q2", "level": "warning", "message": {"text": "@adobe/css-tools: GHSA-prr3-c3m5-p7q2"}, "properties": {"repobilityId": 78537, "scanner": "osv-scanner", "fingerprint": "ce8fe4c037b28bc8afef3f8c0472d94f573aed19be31b1ecb35a5c34beb64208", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-48631"], "package": "@adobe/css-tools", "rule_id": "GHSA-prr3-c3m5-p7q2", "scanner": "osv-scanner", "correlation_key": "vuln|adobe/css-tools|CVE-2023-48631|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"examples/create-react-app-example/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-hpx4-r86g-5jrg", "level": "warning", "message": {"text": "@adobe/css-tools: GHSA-hpx4-r86g-5jrg"}, "properties": {"repobilityId": 78536, "scanner": "osv-scanner", "fingerprint": "ff4e487f9b4116d868b774a8a9b74fa826006a05fa7f43d2dd26c20c7afb4700", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-26364"], "package": "@adobe/css-tools", "rule_id": "GHSA-hpx4-r86g-5jrg", "scanner": "osv-scanner", "correlation_key": "vuln|adobe/css-tools|CVE-2023-26364|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/create-react-app-example/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9jgg-88mc-972h", "level": "warning", "message": {"text": "webpack-dev-server: GHSA-9jgg-88mc-972h"}, "properties": {"repobilityId": 78535, "scanner": "osv-scanner", "fingerprint": "3baef15f350c72d704e805b4ce60f3ebdd0a6c770d7587aedd5f39cd9a481b19", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-30360"], "package": "webpack-dev-server", "rule_id": "GHSA-9jgg-88mc-972h", "scanner": "osv-scanner", "correlation_key": "vuln|webpack-dev-server|CVE-2025-30360|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-9jgg-88mc-972h"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["3baef15f350c72d704e805b4ce60f3ebdd0a6c770d7587aedd5f39cd9a481b19", "7c0ff70f295ca77483d7cc6551bc89b5b2b03f044d2a1d38e73f7f77a7e24803"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-crud-application/vue-client/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-79cf-xcqc-c78w", 
"level": "warning", "message": {"text": "webpack-dev-server: GHSA-79cf-xcqc-c78w"}, "properties": {"repobilityId": 78534, "scanner": "osv-scanner", "fingerprint": "92d1a5549a7bda10d2deaafdebcfc89a1b41a0a0b08630a59e91e2ffa507a53a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-6402"], "package": "webpack-dev-server", "rule_id": "GHSA-79cf-xcqc-c78w", "scanner": "osv-scanner", "correlation_key": "vuln|webpack-dev-server|CVE-2026-6402|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-79cf-xcqc-c78w"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["92d1a5549a7bda10d2deaafdebcfc89a1b41a0a0b08630a59e91e2ffa507a53a", "fd09d4d3c1c4b8b6b558675789a1d5a1396e469efe9287772ef5f7045ed8a7ff"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-crud-application/vue-client/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4v9v-hfq4-rm2v", "level": "warning", "message": {"text": "webpack-dev-server: GHSA-4v9v-hfq4-rm2v"}, "properties": {"repobilityId": 78533, "scanner": "osv-scanner", "fingerprint": "0041bc126853636a3c9c1429c820cdc85fe8c08646c4a7d3cb3cd94a95f1d4ea", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-30359"], "package": "webpack-dev-server", "rule_id": "GHSA-4v9v-hfq4-rm2v", "scanner": "osv-scanner", "correlation_key": "vuln|webpack-dev-server|CVE-2025-30359|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-4v9v-hfq4-rm2v"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["0041bc126853636a3c9c1429c820cdc85fe8c08646c4a7d3cb3cd94a95f1d4ea", 
"da00e7cb858e47232b899d15bdcb998c9719e81188ae8ace2e0e762cadebc93b"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-crud-application/vue-client/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4vvj-4cpr-p986", "level": "warning", "message": {"text": "webpack: GHSA-4vvj-4cpr-p986"}, "properties": {"repobilityId": 78530, "scanner": "osv-scanner", "fingerprint": "5f784c8ef94288483e14ac6b05040e10c14790ad295bee23c67d96af0acf2eca", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2024-43788"], "package": "webpack", "rule_id": "GHSA-4vvj-4cpr-p986", "scanner": "osv-scanner", "correlation_key": "vuln|webpack|CVE-2024-43788|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-4vvj-4cpr-p986"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["5f784c8ef94288483e14ac6b05040e10c14790ad295bee23c67d96af0acf2eca", "aa11f2050cc3cdaa3d82520cc2c45592ee97f16102f77c03f86bb3f4f85f6b41"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-crud-application/vue-client/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w5hq-g745-h8pq", "level": "warning", "message": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "properties": {"repobilityId": 78528, "scanner": "osv-scanner", "fingerprint": "452d1c9ad2a984f515c2608972ee928ba587811ad0775e2cfde2fb7015c8caec", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-41907"], "package": "uuid", "rule_id": "GHSA-w5hq-g745-h8pq", "scanner": "osv-scanner", "correlation_key": "vuln|uuid|CVE-2026-41907|token", "duplicate_count": 1, 
"duplicate_rule_ids": ["GHSA-w5hq-g745-h8pq"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["452d1c9ad2a984f515c2608972ee928ba587811ad0775e2cfde2fb7015c8caec", "c7f3086ed90f78df6d1520603ccbec4761171aaab7d968e1805995b9d08e17d6"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-crud-application/vue-client/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6rw7-vpxm-498p", "level": "warning", "message": {"text": "qs: GHSA-6rw7-vpxm-498p"}, "properties": {"repobilityId": 78525, "scanner": "osv-scanner", "fingerprint": "b822fc5108b128adffebceececf1adaf0f431641399049639bae36b0bdfa4b74", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-15284"], "package": "qs", "rule_id": "GHSA-6rw7-vpxm-498p", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2025-15284|token", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-6rw7-vpxm-498p"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["b4904e9eb224e33df44d5a9e1e8ff65d9fd0bfbc50ee1be3459b368b255597ec", "b822fc5108b128adffebceececf1adaf0f431641399049639bae36b0bdfa4b74", "c6b215b3b77ea6e8e023ee05ea03cf284a329e63f88053e352c5fb1adb4077e5"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-crud-application/vue-client/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qx2v-qp2m-jg93", "level": "warning", "message": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "properties": {"repobilityId": 78524, "scanner": "osv-scanner", "fingerprint": "46a4c2b44004449832572ff546b8269db0566391b426a2ca80aa09df9d99a6d8", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same 
underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-41305"], "package": "postcss", "rule_id": "GHSA-qx2v-qp2m-jg93", "scanner": "osv-scanner", "correlation_key": "vuln|postcss|CVE-2026-41305|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-qx2v-qp2m-jg93"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["46a4c2b44004449832572ff546b8269db0566391b426a2ca80aa09df9d99a6d8", "994e7586a37ff94b108d5dd31384e0ea12dd2e2909c6f89452c56cf07567000b"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-crud-application/vue-client/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7fh5-64p2-3v2j", "level": "warning", "message": {"text": "postcss: GHSA-7fh5-64p2-3v2j"}, "properties": {"repobilityId": 78523, "scanner": "osv-scanner", "fingerprint": "2ffdaa386ad4585789dbe351c98989081a9ec4ff0a8313a650137fcf77be5612", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2023-44270"], "package": "postcss", "rule_id": "GHSA-7fh5-64p2-3v2j", "scanner": "osv-scanner", "correlation_key": "vuln|postcss|CVE-2023-44270|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-7fh5-64p2-3v2j"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["2ffdaa386ad4585789dbe351c98989081a9ec4ff0a8313a650137fcf77be5612", "aa5e91b51acaf7fcc22c94a1b77dc58f9b5a7825ca4499fffa2a7dc338adc531"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-crud-application/vue-client/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-65ch-62r8-g69g", "level": "warning", "message": {"text": "node-forge: GHSA-65ch-62r8-g69g"}, "properties": {"repobilityId": 78517, "scanner": "osv-scanner", "fingerprint": "bd1715e7a8f25c13dcf01a63557151de9e3f245bbec33450635d0b02cc41748a", "category": 
"dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-66030"], "package": "node-forge", "rule_id": "GHSA-65ch-62r8-g69g", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2025-66030|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-65ch-62r8-g69g"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["91a9c1fc2a2019a3f56217c42c837260fee10de3a1c8c06e47fa3b4eef5f5af0", "bd1715e7a8f25c13dcf01a63557151de9e3f245bbec33450635d0b02cc41748a"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-crud-application/vue-client/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9gqv-wp59-fq42", "level": "warning", "message": {"text": "http-proxy-middleware: GHSA-9gqv-wp59-fq42"}, "properties": {"repobilityId": 78510, "scanner": "osv-scanner", "fingerprint": "fd17143c41b617e87069bab519bfa83622faf383d93b4c7915637d56db8041cd", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-32997"], "package": "http-proxy-middleware", "rule_id": "GHSA-9gqv-wp59-fq42", "scanner": "osv-scanner", "correlation_key": "vuln|http-proxy-middleware|CVE-2025-32997|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-9gqv-wp59-fq42"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["fd17143c41b617e87069bab519bfa83622faf383d93b4c7915637d56db8041cd", "fe2e78ceaebaec2bc3836e71308e35336995a09b8f4c2a0938c60d61f5641acb"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-crud-application/vue-client/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4www-5p9h-95mh", "level": 
"warning", "message": {"text": "http-proxy-middleware: GHSA-4www-5p9h-95mh"}, "properties": {"repobilityId": 78509, "scanner": "osv-scanner", "fingerprint": "106ece4c3226017fe979ad6fd4e35c71a982a95ee18f32ed5234cd050a8a6787", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-32996"], "package": "http-proxy-middleware", "rule_id": "GHSA-4www-5p9h-95mh", "scanner": "osv-scanner", "correlation_key": "vuln|http-proxy-middleware|CVE-2025-32996|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-4www-5p9h-95mh"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["0afcce94f5efff63c68d4b8510b37228fdead3995615873b52efe446be7a8457", "106ece4c3226017fe979ad6fd4e35c71a982a95ee18f32ed5234cd050a8a6787"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-crud-application/vue-client/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r4q5-vmmm-2653", "level": "warning", "message": {"text": "follow-redirects: GHSA-r4q5-vmmm-2653"}, "properties": {"repobilityId": 78508, "scanner": "osv-scanner", "fingerprint": "55f0d216dd50c95a14e50f8789b4594e8596b4c8a3214ae6e329407ca30401bf", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "package": "follow-redirects", "rule_id": "GHSA-r4q5-vmmm-2653", "scanner": "osv-scanner", "correlation_key": "vuln|follow-redirects|GHSA-R4Q5-VMMM-2653|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-r4q5-vmmm-2653"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["4e09dd716fbfd85923e0fd23207af13bccd4ddac127d5cc0c9b091edec8c8a85", 
"55f0d216dd50c95a14e50f8789b4594e8596b4c8a3214ae6e329407ca30401bf"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-crud-application/vue-client/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jchw-25xp-jwwc", "level": "warning", "message": {"text": "follow-redirects: GHSA-jchw-25xp-jwwc"}, "properties": {"repobilityId": 78507, "scanner": "osv-scanner", "fingerprint": "c836e56606f1cdd2dd98a08455e3fa6f28a7dfd50805088e5f026e9426c657f8", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2023-26159"], "package": "follow-redirects", "rule_id": "GHSA-jchw-25xp-jwwc", "scanner": "osv-scanner", "correlation_key": "vuln|follow-redirects|CVE-2023-26159|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-jchw-25xp-jwwc"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["c836e56606f1cdd2dd98a08455e3fa6f28a7dfd50805088e5f026e9426c657f8", "eef0f9a42d4cb42d2b3a2a5d4fbb642c8e0f106455bc8a2863c10ee76219c730"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-crud-application/vue-client/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-cxjh-pqwp-8mfp", "level": "warning", "message": {"text": "follow-redirects: GHSA-cxjh-pqwp-8mfp"}, "properties": {"repobilityId": 78506, "scanner": "osv-scanner", "fingerprint": "c8e0dee940c01165964995f78da99f248054e4124483cb8608791fc23bb748e6", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2024-28849"], "package": "follow-redirects", "rule_id": "GHSA-cxjh-pqwp-8mfp", "scanner": "osv-scanner", "correlation_key": 
"vuln|follow-redirects|CVE-2024-28849|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-cxjh-pqwp-8mfp"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["28754a445d8736c8a7e562f4a3b48b7ebd5ef206bd956750a77d3e3ff0406c97", "c8e0dee940c01165964995f78da99f248054e4124483cb8608791fc23bb748e6"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-crud-application/vue-client/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rv95-896h-c2vc", "level": "warning", "message": {"text": "express: GHSA-rv95-896h-c2vc"}, "properties": {"repobilityId": 78505, "scanner": "osv-scanner", "fingerprint": "9c5998a30f13e92c314344272d09eb81d7f786dc8d577ce7498fde6613175038", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2024-29041"], "package": "express", "rule_id": "GHSA-rv95-896h-c2vc", "scanner": "osv-scanner", "correlation_key": "vuln|express|CVE-2024-29041|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-rv95-896h-c2vc"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["9c5998a30f13e92c314344272d09eb81d7f786dc8d577ce7498fde6613175038", "d8ed0b27a079be2eff8e73f7235caedecc744fb8ee145b91dbe3f220830a12ff"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-crud-application/vue-client/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-48c2-rrv3-qjmp", "level": "warning", "message": {"text": "yaml: GHSA-48c2-rrv3-qjmp"}, "properties": {"repobilityId": 78501, "scanner": "osv-scanner", "fingerprint": "829337cbe8f8dec9ec4c69f61bcd348ceec2579da595d7d712ad816de1326031", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the 
same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-33532"], "package": "yaml", "rule_id": "GHSA-48c2-rrv3-qjmp", "scanner": "osv-scanner", "correlation_key": "vuln|yaml|CVE-2026-33532|token", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-48c2-rrv3-qjmp"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["829337cbe8f8dec9ec4c69f61bcd348ceec2579da595d7d712ad816de1326031", "9b61b9b2e6dcf2eab990372ce2c92dca4268dd057c61a96d66f0da24f14698e4", "a247e6cba37784dd7326fc07af6bbc5cd6e4a6863486b1e2dd004e7c4879a10a"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ReactNativeExample/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-58qx-3vcg-4xpx", "level": "warning", "message": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "properties": {"repobilityId": 78500, "scanner": "osv-scanner", "fingerprint": "0caba92b358723af6267a303d8ba2e6a429e87b8bde08bca070e211dc13f13cf", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 5 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-45736"], "package": "ws", "rule_id": "GHSA-58qx-3vcg-4xpx", "scanner": "osv-scanner", "correlation_key": "vuln|ws|CVE-2026-45736|token", "duplicate_count": 5, "duplicate_rule_ids": ["GHSA-58qx-3vcg-4xpx"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["0caba92b358723af6267a303d8ba2e6a429e87b8bde08bca070e211dc13f13cf", "1bac4baa624b4728951f052b79272c201032f5ac33e95f8fc22c62ce3d574877", "3f78250feafb971e21c0f2321555a3f4016816d74973c7e24fe6297276a24c5f", "5ffe7a7637cf11ae8d0a542d521f732044f62fc07ff9a13bf60a70284e58aa45", "aee6a04f49ad0e16ea7c202314523699b1e7d8a95ff3d284b88510f0e664eee1", "e96f2820e3a522edbbac27861921145b652104eabbe40f854695220267ba49b0"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ReactNativeExample/yarn.lock"}, 
"region": {"startLine": 1}}}]}, {"ruleId": "GHSA-952p-6rrq-rcjv", "level": "warning", "message": {"text": "micromatch: GHSA-952p-6rrq-rcjv"}, "properties": {"repobilityId": 78494, "scanner": "osv-scanner", "fingerprint": "a5ad21d6bd16d77b54d9a332a740ab9680431f078f3ae13ce3fa4441a9597637", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2024-4067"], "package": "micromatch", "rule_id": "GHSA-952p-6rrq-rcjv", "scanner": "osv-scanner", "correlation_key": "vuln|micromatch|CVE-2024-4067|token", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-952p-6rrq-rcjv"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["199ff46cd6e0aa1a7a2ac8afb98aefe16cab20aa9749aeb1f15ece70c3d95a5d", "a5ad21d6bd16d77b54d9a332a740ab9680431f078f3ae13ce3fa4441a9597637", "bd862d713ab2c996deb47b9d1883686654a294f79fe232c5457abd981873506c"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ReactNativeExample/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xxjr-mmjv-4gpg", "level": "warning", "message": {"text": "lodash: GHSA-xxjr-mmjv-4gpg"}, "properties": {"repobilityId": 78493, "scanner": "osv-scanner", "fingerprint": "ada4199f4478116540af41855d7bba6a243e74091267375e87c16e3f0dbb02bb", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-13465"], "package": "lodash", "rule_id": "GHSA-xxjr-mmjv-4gpg", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2025-13465|token", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-xxjr-mmjv-4gpg"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": 
["65ac6826c3c687d793cb1c81bbd27dfb81f3f3bdc263b09cec94c3738dad8e41", "ada4199f4478116540af41855d7bba6a243e74091267375e87c16e3f0dbb02bb", "c8b8921e14746efc7f87bccbc15b48576d06d44fb7462782009b38af54c21265"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ReactNativeExample/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f23m-r3pf-42rh", "level": "warning", "message": {"text": "lodash: GHSA-f23m-r3pf-42rh"}, "properties": {"repobilityId": 78491, "scanner": "osv-scanner", "fingerprint": "3836152ae7a4806ce7c9f9198b19309ee3861e9a897f6406e56924e2f1d72d6d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-2950"], "package": "lodash", "rule_id": "GHSA-f23m-r3pf-42rh", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2026-2950|token", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-f23m-r3pf-42rh"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["0460aba37042c10080e95c94e57d77ad067222b510f6db86425667a2cdd8d454", "3836152ae7a4806ce7c9f9198b19309ee3861e9a897f6406e56924e2f1d72d6d", "e09922e68ffba2215121aff4b7f2fd5d8adf769dea1945e1228b2ab23c4c7fdd"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ReactNativeExample/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jp2q-39xq-3w4g", "level": "warning", "message": {"text": "fast-xml-parser: GHSA-jp2q-39xq-3w4g"}, "properties": {"repobilityId": 78485, "scanner": "osv-scanner", "fingerprint": "3cd016e0b3f18e05ca9fb9c7f3322df0259a81d57e1b76e27cdcc3a19339f18c", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33349"], "package": "fast-xml-parser", "rule_id": 
"GHSA-jp2q-39xq-3w4g", "scanner": "osv-scanner", "correlation_key": "vuln|fast-xml-parser|CVE-2026-33349|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ReactNativeExample/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-gh4j-gqv2-49f6", "level": "warning", "message": {"text": "fast-xml-parser: GHSA-gh4j-gqv2-49f6"}, "properties": {"repobilityId": 78484, "scanner": "osv-scanner", "fingerprint": "cbee50fb64b88a8726efe77a6bcbfd85695c5958393594dbfb32e3bf6366a6cf", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41650"], "package": "fast-xml-parser", "rule_id": "GHSA-gh4j-gqv2-49f6", "scanner": "osv-scanner", "correlation_key": "vuln|fast-xml-parser|CVE-2026-41650|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ReactNativeExample/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2g4f-4pwh-qvx6", "level": "warning", "message": {"text": "ajv: GHSA-2g4f-4pwh-qvx6"}, "properties": {"repobilityId": 78480, "scanner": "osv-scanner", "fingerprint": "74bf478e5755853423980404171a93420cace4a5debd5f0ee4b970026f879976", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-69873"], "package": "ajv", "rule_id": "GHSA-2g4f-4pwh-qvx6", "scanner": "osv-scanner", "correlation_key": "vuln|ajv|CVE-2025-69873|token", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-2g4f-4pwh-qvx6"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["26565b720221b0abf06f9324ca59e8cd992187497e619ac045fe222407faf626", "74bf478e5755853423980404171a93420cace4a5debd5f0ee4b970026f879976", "7b6e849ce38aacf465e1643844372d3976815e0f0591be0ecbc50397a4334989"]}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ReactNativeExample/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-968p-4wvh-cqc8", "level": "warning", "message": {"text": "@babel/runtime: GHSA-968p-4wvh-cqc8"}, "properties": {"repobilityId": 78479, "scanner": "osv-scanner", "fingerprint": "f23a21c20fbf2755228fc6de918a5581e55208095fb3a81ed3e73388505f6c5c", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-27789"], "package": "@babel/runtime", "rule_id": "GHSA-968p-4wvh-cqc8", "scanner": "osv-scanner", "correlation_key": "vuln|babel/runtime|CVE-2025-27789|token", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-968p-4wvh-cqc8"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["3ec51cc497f4e62423a78e8c4bb43c46504a5488f2117b9393134871743821e6", "8359fde25243a09231a28775905ef2c22616a6578536e3b258f74abde5674d97", "f23a21c20fbf2755228fc6de918a5581e55208095fb3a81ed3e73388505f6c5c"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ReactNativeExample/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-968p-4wvh-cqc8", "level": "warning", "message": {"text": "@babel/helpers: GHSA-968p-4wvh-cqc8"}, "properties": {"repobilityId": 78477, "scanner": "osv-scanner", "fingerprint": "b8103ac57d6b620a346e1ab905f2e5f17a4416c92b1ec3ba787ec3dc0cde8f6f", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-27789"], "package": "@babel/helpers", "rule_id": "GHSA-968p-4wvh-cqc8", "scanner": "osv-scanner", "correlation_key": "vuln|babel/helpers|CVE-2025-27789|token", "duplicate_count": 2, 
"duplicate_rule_ids": ["GHSA-968p-4wvh-cqc8"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["64a1dc6b6ee6fe3a18e7bb284aa595e52f1d36f922b6da9bf0b5d1444c73616a", "b8103ac57d6b620a346e1ab905f2e5f17a4416c92b1ec3ba787ec3dc0cde8f6f", "c02b3fb7ba32b21a723a8199366883955e586cd44eba653359aa5a7b3a5d0bfb"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ReactNativeExample/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qj8w-gfj5-8c6v", "level": "warning", "message": {"text": "serialize-javascript: GHSA-qj8w-gfj5-8c6v"}, "properties": {"repobilityId": 78476, "scanner": "osv-scanner", "fingerprint": "e9518ef351775d2786fdc4b0ab24c4013c774ec8ba52aa406c02ec18e653fc20", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 4 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-34043"], "package": "serialize-javascript", "rule_id": "GHSA-qj8w-gfj5-8c6v", "scanner": "osv-scanner", "correlation_key": "vuln|serialize-javascript|CVE-2026-34043|token", "duplicate_count": 4, "duplicate_rule_ids": ["GHSA-qj8w-gfj5-8c6v"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["0ed3f95fc8f1c6edc1e7663067b14bdd4d31dc75f485c914a8954a922b3373dc", "22a484e9436d8f731cddbe48af845057736bfcc99f2d489c3aca489349a6d426", "4eda269415dca8784e62af7f8643c2754489cef8b269f3afe55f0bdda5d6cf3c", "de821020fe0200a3fbc98bbfe1d9c612f10aac8779c32f88926c4ebc1473f020", "e9518ef351775d2786fdc4b0ab24c4013c774ec8ba52aa406c02ec18e653fc20"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/engine.io-protocol/v3-test-suite/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-76p7-773f-r4q5", "level": "warning", "message": {"text": "serialize-javascript: GHSA-76p7-773f-r4q5"}, "properties": {"repobilityId": 78475, "scanner": "osv-scanner", "fingerprint": 
"bbb21fa14c7cb6a21b0db5aed5a5b20c61e7c46ae14f144e6d7e3a135ca61213", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 4 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2024-11831"], "package": "serialize-javascript", "rule_id": "GHSA-76p7-773f-r4q5", "scanner": "osv-scanner", "correlation_key": "vuln|serialize-javascript|CVE-2024-11831|token", "duplicate_count": 4, "duplicate_rule_ids": ["GHSA-76p7-773f-r4q5"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["6df330ea33a0e5a331a4a2480a3f6c652d905a3a42437513d98c1026ca60aa52", "6f429479ce6b880171f5dd61fca317cae0ff042ec0ed6b1add354c3175a69c7f", "a3364235f50319018719815480dc2c1ccdff402e5922fb2d782aa235c8c8b561", "bbb21fa14c7cb6a21b0db5aed5a5b20c61e7c46ae14f144e6d7e3a135ca61213", "cdae3354a907eb1879136758f71c072371ee1363abc6938c706e004290772ec1"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/engine.io-protocol/v3-test-suite/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3v7f-55p6-f55p", "level": "warning", "message": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "properties": {"repobilityId": 78472, "scanner": "osv-scanner", "fingerprint": "0c11f9cf8809e20274d2dec9caef9c8245dd8855b6ef3f1b4f62ac6c45265e31", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 5 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-33672"], "package": "picomatch", "rule_id": "GHSA-3v7f-55p6-f55p", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33672|token", "duplicate_count": 5, "duplicate_rule_ids": ["GHSA-3v7f-55p6-f55p"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": 
["0c11f9cf8809e20274d2dec9caef9c8245dd8855b6ef3f1b4f62ac6c45265e31", "0df41e7f3a927411798f8f7c483a4d93637d60b96df170b49287a2e0fab1f766", "21c16bbab58d2568f8f86cbbeecf2ce33af960df11534e26846faa81c7b249be", "aa9b140304cc3384f222446fb17c843f33896121483a09b4ca09495395992ef1", "b87048bf25ac1b58b9610419584bddcc140031b6a4c43acc7653498904a9954f", "dfc264e0345e8e9a456010a315ec84a2894bc3adced183d4011515ff161fe1e8"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/engine.io-protocol/v3-test-suite/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vp56-6g26-6827", "level": "warning", "message": {"text": "node-fetch: GHSA-vp56-6g26-6827"}, "properties": {"repobilityId": 78471, "scanner": "osv-scanner", "fingerprint": "48f06b7ad5b9e3809f65feb382016bbe970b2fdd02ce257ca9eb7521536746f5", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2022-2596"], "package": "node-fetch", "rule_id": "GHSA-vp56-6g26-6827", "scanner": "osv-scanner", "correlation_key": "vuln|node-fetch|CVE-2022-2596|token", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-vp56-6g26-6827"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["31abb830ddb76d1ff1796b6852559d99f1ee7d0ee0143d43ace63da8bae1fa49", "48f06b7ad5b9e3809f65feb382016bbe970b2fdd02ce257ca9eb7521536746f5", "c05f4ba250385bfd4a73d90e086f96e8d278c3cc8bb44572ae24969edce6b4c2"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/engine.io-protocol/v3-test-suite/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mwcw-c2x4-8c55", "level": "warning", "message": {"text": "nanoid: GHSA-mwcw-c2x4-8c55"}, "properties": {"repobilityId": 78470, "scanner": "osv-scanner", "fingerprint": "2deaf79d23723615451c6b9c4e961f633f6ce9d1b3acc9ac74b8462f698a59e5", "category": 
"dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 4 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2024-55565"], "package": "nanoid", "rule_id": "GHSA-mwcw-c2x4-8c55", "scanner": "osv-scanner", "correlation_key": "vuln|nanoid|CVE-2024-55565|token", "duplicate_count": 4, "duplicate_rule_ids": ["GHSA-mwcw-c2x4-8c55"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["0252bf0187c8a02aa88a0f86c2e183dd5397ffa217e3fb51fe8a1719fb5068d2", "2deaf79d23723615451c6b9c4e961f633f6ce9d1b3acc9ac74b8462f698a59e5", "47791af59c236dd1e82b9f888776bbd114ed3a439e655e65a573899a818063cf", "7724f3d8d6873f97362900e75387d8bcf134b4d0b8b5b3183285cb2108ba896c", "861c6e0bb5672540b0abf2aff4accc1463332a62a9a94a95b0e4d7adf58c1a8c"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/engine.io-protocol/v3-test-suite/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mh29-5h37-fv8m", "level": "warning", "message": {"text": "js-yaml: GHSA-mh29-5h37-fv8m"}, "properties": {"repobilityId": 78465, "scanner": "osv-scanner", "fingerprint": "5897725970e7c747e7951d87f3974c46c94decbf694e6a64090edda5fd5f9507", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 5 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-64718"], "package": "js-yaml", "rule_id": "GHSA-mh29-5h37-fv8m", "scanner": "osv-scanner", "correlation_key": "vuln|js-yaml|CVE-2025-64718|token", "duplicate_count": 5, "duplicate_rule_ids": ["GHSA-mh29-5h37-fv8m"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["5897725970e7c747e7951d87f3974c46c94decbf694e6a64090edda5fd5f9507", "61544dbc76cd27d4f24b10e730e0532b5ed0874e775da409e0146c9b8f5d613a", 
"a64f7174052023ee62d9d3cbbbd31d6343438745e95dc3d60b888a7aae5de795", "a6afcc0c0ab9f38353c0bc414771b2c00ab924e2a871ca17baa879147e1cdb70", "e4e6d0995f928241be5c691d6919ff9b71b7171f6082345ba205250fc9c8e7e8", "ee13c92f5cf15b4d25874fed9a4105124feaa684b3147fd686de2b3ea476d2a5"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/engine.io-protocol/v3-test-suite/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f886-m6hf-6m8v", "level": "warning", "message": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "properties": {"repobilityId": 78460, "scanner": "osv-scanner", "fingerprint": "39fdab5659d97db75c5913d2d6c00ab638e82edc6c97200a7224cb93bd56a76f", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 5 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-33750"], "package": "brace-expansion", "rule_id": "GHSA-f886-m6hf-6m8v", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-33750|token", "duplicate_count": 5, "duplicate_rule_ids": ["GHSA-f886-m6hf-6m8v"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["15e552e28e5a7f23400ddc2471850bb3b31bc67144731c43d23aac2d699c27f7", "28d469e1d9290aa3421757a925d0dd4f09b8783c7d41527af5633d3697fe233f", "39fdab5659d97db75c5913d2d6c00ab638e82edc6c97200a7224cb93bd56a76f", "78b7af3d7fa1f79d99f2d1a983d833d0af02e2203364276de56e6dd962018db7", "b92eb79d2db0727ca91b2cd100bf314b08a9b273f4e988d7fae876417b4fd2b0", "ea733514c8376578acf0e20199431d619ea959364cec721232ed8696ac487707"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/engine.io-protocol/v3-test-suite/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 78451, "scanner": "repobility-docker", 
"fingerprint": "e91a1d4cbc1065fc1e90e9460513202d240effc89e7547d241811ef8f8141860", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "redis-cluster", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|e91a1d4cbc1065fc1e90e9460513202d240effc89e7547d241811ef8f8141860", "expected_targets": ["/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/socket.io-redis-streams-emitter/compose.yaml"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 78448, "scanner": "repobility-docker", "fingerprint": "b971ab371aaa64f7e7c514dbac60de88e54da7937fafbef0986aa43be1d8c558", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|b971ab371aaa64f7e7c514dbac60de88e54da7937fafbef0986aa43be1d8c558", "expected_targets": ["/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/socket.io-redis-streams-emitter/compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 78446, "scanner": "repobility-docker", "fingerprint": "5a9857d9b504ce73562e768d2b7690538650201eb89e7a6010955261bb967b91", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|5a9857d9b504ce73562e768d2b7690538650201eb89e7a6010955261bb967b91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/socket.io-postgres-emitter/compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 78441, "scanner": "repobility-docker", "fingerprint": "1a44ca56f2c50ff6cd6319cd66e68462e4080b8d8ba64425d7b238f090d95082", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|1a44ca56f2c50ff6cd6319cd66e68462e4080b8d8ba64425d7b238f090d95082", "expected_targets": ["/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/socket.io-cluster-engine/compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 78438, "scanner": "repobility-docker", "fingerprint": "0362087cc1c76cb453ced841662f8284eb33dc9b338bb68fe106d3672a723f19", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/engine/storage/volumes/"], 
"correlation_key": "fp|0362087cc1c76cb453ced841662f8284eb33dc9b338bb68fe106d3672a723f19", "expected_targets": ["/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/private-messaging/server/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 78436, "scanner": "repobility-docker", "fingerprint": "8ab7ca025919fea644af641665d869734926ed919656000bd432732128da6553", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|8ab7ca025919fea644af641665d869734926ed919656000bd432732128da6553"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/postgres-adapter-example/compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 78433, "scanner": "repobility-docker", "fingerprint": "82b7e0576146462d975574686752eae4c83dbf983134afa7311301bb3f61bf99", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", 
"https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|82b7e0576146462d975574686752eae4c83dbf983134afa7311301bb3f61bf99", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/postgres-adapter-example/compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 78431, "scanner": "repobility-docker", "fingerprint": "4a1bef75d34084ba5c4129f0bd2314c82b6951c197db01f004c5a3a22339ec1d", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|4a1bef75d34084ba5c4129f0bd2314c82b6951c197db01f004c5a3a22339ec1d", "expected_targets": ["/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-traefik/docker-compose.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 78426, "scanner": "repobility-docker", "fingerprint": "4e6ef430a71b7e0c30c792a7bdd9de514ceeae838f29868c0753285abf7bd44b", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|4e6ef430a71b7e0c30c792a7bdd9de514ceeae838f29868c0753285abf7bd44b", "expected_targets": 
["/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-nginx/docker-compose.yml"}, "region": {"startLine": 54}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 78414, "scanner": "repobility-docker", "fingerprint": "c0d5e3a738411b38cae9bd91cda3886792aa862cbc9bd55c634e348f4534486c", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|c0d5e3a738411b38cae9bd91cda3886792aa862cbc9bd55c634e348f4534486c", "expected_targets": ["/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-httpd/docker-compose.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 78402, "scanner": "repobility-docker", "fingerprint": "7210843aafa85379acc5e3d735af61ba0ff39257adf566680f162aa3a596ebc6", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|7210843aafa85379acc5e3d735af61ba0ff39257adf566680f162aa3a596ebc6", "expected_targets": ["/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-haproxy/docker-compose.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": 
"Database service has no persistent data volume"}, "properties": {"repobilityId": 78390, "scanner": "repobility-docker", "fingerprint": "7a8e92afff073597acbcf223abe9b0ede5f44314f1f863fe4eface45b1f04330", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|7a8e92afff073597acbcf223abe9b0ede5f44314f1f863fe4eface45b1f04330", "expected_targets": ["/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-engine-redis/compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 78388, "scanner": "repobility-docker", "fingerprint": "66c8b23f7acb3ba7d90d331211ff3de3235b91a832bd192078e75dc0c603934b", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|66c8b23f7acb3ba7d90d331211ff3de3235b91a832bd192078e75dc0c603934b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-crud-application/server-postgres-cluster/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 78385, "scanner": "repobility-docker", "fingerprint": "018f3d84e5f4a16e8b206a93dc5c606512ced8cf389f254545e9894326c87914", "category": 
"docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|018f3d84e5f4a16e8b206a93dc5c606512ced8cf389f254545e9894326c87914", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-crud-application/server-postgres-cluster/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 78384, "scanner": "repobility-docker", "fingerprint": "ee9c4e2da7c13dbd628806a3649e74ca80bbb26b29fe78a3c09baf7ff13e753a", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:20-bullseye", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|ee9c4e2da7c13dbd628806a3649e74ca80bbb26b29fe78a3c09baf7ff13e753a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/connection-state-recovery-example/esm/.codesandbox/Dockerfile"}, "region": {"startLine": 1}}}]}, 
{"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 78383, "scanner": "repobility-docker", "fingerprint": "1ffaf5743edce01b16a77b068399b242707afbfdf98a6346d81801b8d14b0ebe", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:20-bullseye", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|1ffaf5743edce01b16a77b068399b242707afbfdf98a6346d81801b8d14b0ebe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/connection-state-recovery-example/cjs/.codesandbox/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 78382, "scanner": "repobility-docker", "fingerprint": "ea33e633b7c70eb37f348674f436ce7ed1d9ded70ff3a1745687534e8194b346", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:14-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|ea33e633b7c70eb37f348674f436ce7ed1d9ded70ff3a1745687534e8194b346"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"examples/cluster-traefik/server/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 78380, "scanner": "repobility-docker", "fingerprint": "d54a8582c2409ae3d8a7e11b2dfa82558bb7924dfc4170c7edc9f273d01305d2", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:14-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d54a8582c2409ae3d8a7e11b2dfa82558bb7924dfc4170c7edc9f273d01305d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-nginx/server/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 78378, "scanner": "repobility-docker", "fingerprint": "5b044c151b3dc209811e0f3950eb604db995a131c32d12eacab6d62967e7e5c5", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:14-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|5b044c151b3dc209811e0f3950eb604db995a131c32d12eacab6d62967e7e5c5"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "examples/cluster-nginx/client/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 78376, "scanner": "repobility-docker", "fingerprint": "311cde6e593705f426dc3decbf91753858ee005925ea74e9f8c1fdb67ae935ec", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:14-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|311cde6e593705f426dc3decbf91753858ee005925ea74e9f8c1fdb67ae935ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-httpd/server/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 78374, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage 
has no non-root USER"}, "properties": {"repobilityId": 78373, "scanner": "repobility-docker", "fingerprint": "a8cd1cf7e3aaca07f31fd61b2d177ccdc9a0bd2e1dced4df7a4527c75aef60aa", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:14-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a8cd1cf7e3aaca07f31fd61b2d177ccdc9a0bd2e1dced4df7a4527c75aef60aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-haproxy/server/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 78368, "scanner": "repobility-threat-engine", "fingerprint": "aaf4b5fc10fdd2cd8da88f4324eb0dbb952e4083fa5de2cbb2715682cc88271c", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|55|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/private-messaging/server/sessionStore.js"}, "region": {"startLine": 55}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 78367, "scanner": "repobility-threat-engine", "fingerprint": "21a2235749a2f0a00bd0fede4238402810cc79d14feaf09c1ddd25416c142699", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|45|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/private-messaging/server/messageStore.js"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. 
In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 78366, "scanner": "repobility-threat-engine", "fingerprint": "66dad784c0234102c0bc0a3dfc122c2da525873d0a43410f82b9cc23947b7a3b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"John Doe\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|66dad784c0234102c0bc0a3dfc122c2da525873d0a43410f82b9cc23947b7a3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/nextjs-pages-router/src/pages/api/hello.js"}, "region": {"startLine": 4}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `express` is 1 major version(s) behind (4.21.2 -> 5.2.1)"}, "properties": {"repobilityId": 78351, "scanner": "repobility-dependency-currency", "fingerprint": "80c6f75436c0bfb6463774d183fbd7c643dfa9c4c39daa5c85dbb0874f376466", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "express", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.2.1", "correlation_key": "fp|80c6f75436c0bfb6463774d183fbd7c643dfa9c4c39daa5c85dbb0874f376466", "current_version": "4.21.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `eiows` is 2 major version(s) behind (7.1.0 -> 9.2.0)"}, "properties": 
{"repobilityId": 78350, "scanner": "repobility-dependency-currency", "fingerprint": "0e7dadb0cb8990eedc9c3bdb2f12fc077053070d63dcc3a7689411e3ff1d7851", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "eiows", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "9.2.0", "correlation_key": "fp|0e7dadb0cb8990eedc9c3bdb2f12fc077053070d63dcc3a7689411e3ff1d7851", "current_version": "7.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `cookie` is 1 major version(s) behind (0.7.2 -> 1.1.1)"}, "properties": {"repobilityId": 78349, "scanner": "repobility-dependency-currency", "fingerprint": "e598d53ca48faac49d8f5d8c92c536d0a6748f90afb7bebc3b79b7b5b912e7aa", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "cookie", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.1.1", "correlation_key": "fp|e598d53ca48faac49d8f5d8c92c536d0a6748f90afb7bebc3b79b7b5b912e7aa", "current_version": "0.7.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `babel-loader` is 1 major version(s) behind (9.1.3 -> 10.1.1)"}, "properties": {"repobilityId": 78348, "scanner": "repobility-dependency-currency", "fingerprint": "08960fbc37c2d5641492a27ed96ac315e63032745e6bbb20c4d7838834149043", "category": "dependency", 
"severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "babel-loader", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.1.1", "correlation_key": "fp|08960fbc37c2d5641492a27ed96ac315e63032745e6bbb20c4d7838834149043", "current_version": "9.1.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@wdio/spec-reporter` is 1 major version(s) behind (8.39.0 -> 9.27.2)"}, "properties": {"repobilityId": 78347, "scanner": "repobility-dependency-currency", "fingerprint": "b2b4fadefa0b5556d9953072230c2a2b4c2a873debf93ec51b8e69801fa336d5", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@wdio/spec-reporter", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "9.27.2", "correlation_key": "fp|b2b4fadefa0b5556d9953072230c2a2b4c2a873debf93ec51b8e69801fa336d5", "current_version": "8.39.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@wdio/sauce-service` is 1 major version(s) behind (8.46.0 -> 9.27.2)"}, "properties": {"repobilityId": 78346, "scanner": "repobility-dependency-currency", "fingerprint": "08ba5792f1231fb134267614ac0fe3c2a946164187e02d621dd21cb18ea443f9", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 
major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@wdio/sauce-service", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "9.27.2", "correlation_key": "fp|08ba5792f1231fb134267614ac0fe3c2a946164187e02d621dd21cb18ea443f9", "current_version": "8.46.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@wdio/mocha-framework` is 1 major version(s) behind (8.46.0 -> 9.27.2)"}, "properties": {"repobilityId": 78345, "scanner": "repobility-dependency-currency", "fingerprint": "5cffefcdbaca18be4e8a18090faf5be32989d7613df792052c5f27a8beeb3349", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@wdio/mocha-framework", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "9.27.2", "correlation_key": "fp|5cffefcdbaca18be4e8a18090faf5be32989d7613df792052c5f27a8beeb3349", "current_version": "8.46.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@wdio/local-runner` is 1 major version(s) behind (8.46.0 -> 9.27.2)"}, "properties": {"repobilityId": 78344, "scanner": "repobility-dependency-currency", "fingerprint": "8569d6f4986c3b950c28beb3057a29d233fc2605ecffd4f0624512263989d0c3", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@wdio/local-runner", "scanner": 
"repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "9.27.2", "correlation_key": "fp|8569d6f4986c3b950c28beb3057a29d233fc2605ecffd4f0624512263989d0c3", "current_version": "8.46.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@types/sinonjs__fake-timers` is 7 major version(s) behind (8.1.5 -> 15.0.1)"}, "properties": {"repobilityId": 78343, "scanner": "repobility-dependency-currency", "fingerprint": "3c11775e05647232a8edf7a877f87520b6b14fb9d16802ccae3a4cf10b110866", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "7 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/sinonjs__fake-timers", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "15.0.1", "correlation_key": "fp|3c11775e05647232a8edf7a877f87520b6b14fb9d16802ccae3a4cf10b110866", "current_version": "8.1.5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@sinonjs/fake-timers` is 4 major version(s) behind (11.2.2 -> 15.4.0)"}, "properties": {"repobilityId": 78337, "scanner": "repobility-dependency-currency", "fingerprint": "54a086795f21a6647f1613db08157ef1624672b753f6d14add63c4af4b4ebf9c", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "4 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@sinonjs/fake-timers", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "15.4.0", 
"correlation_key": "fp|54a086795f21a6647f1613db08157ef1624672b753f6d14add63c4af4b4ebf9c", "current_version": "11.2.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@rollup/plugin-node-resolve` is 1 major version(s) behind (15.2.3 -> 16.0.3)"}, "properties": {"repobilityId": 78336, "scanner": "repobility-dependency-currency", "fingerprint": "15441b76aafaf9e458e120e89750cf04acc9a13a94564ae01fc3ee239bb94c4d", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@rollup/plugin-node-resolve", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "16.0.3", "correlation_key": "fp|15441b76aafaf9e458e120e89750cf04acc9a13a94564ae01fc3ee239bb94c4d", "current_version": "15.2.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@rollup/plugin-commonjs` is 3 major version(s) behind (26.0.1 -> 29.0.3)"}, "properties": {"repobilityId": 78335, "scanner": "repobility-dependency-currency", "fingerprint": "ae212883d97b495cf2d6043530e18fe2fc14508fd377fef11d3f3c485a1cd15c", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@rollup/plugin-commonjs", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "29.0.3", "correlation_key": "fp|ae212883d97b495cf2d6043530e18fe2fc14508fd377fef11d3f3c485a1cd15c", "current_version": 
"26.0.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@rollup/plugin-babel` is 1 major version(s) behind (6.0.4 -> 7.1.0)"}, "properties": {"repobilityId": 78334, "scanner": "repobility-dependency-currency", "fingerprint": "ff106067d2c7bccd3d60b7c13126c0d25553ccb02a96ff7c4178865411b35353", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@rollup/plugin-babel", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.1.0", "correlation_key": "fp|ff106067d2c7bccd3d60b7c13126c0d25553ccb02a96ff7c4178865411b35353", "current_version": "6.0.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@rollup/plugin-alias` is 1 major version(s) behind (5.1.0 -> 6.0.0)"}, "properties": {"repobilityId": 78333, "scanner": "repobility-dependency-currency", "fingerprint": "6d5a5984fcdd6ed9b88f8ff9f61b3a560800d07efd8497b5dc2883a754ecc973", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@rollup/plugin-alias", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.0.0", "correlation_key": "fp|6d5a5984fcdd6ed9b88f8ff9f61b3a560800d07efd8497b5dc2883a754ecc973", "current_version": "5.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": 
"WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 78643, "scanner": "repobility-web-presence", "fingerprint": "cfa373247b369209bfc0b3138cf2c8d1cb21a3a8c5c8c3ae4fa8e92fc43f14be", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|cfa373247b369209bfc0b3138cf2c8d1cb21a3a8c5c8c3ae4fa8e92fc43f14be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/create-react-app-example/public/robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC005", "level": "note", "message": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"repobilityId": 78641, "scanner": "repobility-access-control", "fingerprint": "c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e", "category": "auth", "severity": "low", "confidence": 0.76, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Express"], "correlation_key": "fp|c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e"}}}, {"ruleId": "GHSA-gxpj-cx7g-858c", "level": "note", "message": {"text": "debug: GHSA-gxpj-cx7g-858c"}, "properties": {"repobilityId": 78626, "scanner": "osv-scanner", "fingerprint": "940dd3e8e449ab662cdbcd944a297fb2d5b04d082bd45cc2d7370f0acef10e50", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": 
false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2017-16137"], "package": "debug", "rule_id": "GHSA-gxpj-cx7g-858c", "scanner": "osv-scanner", "correlation_key": "vuln|debug|CVE-2017-16137|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/engine.io/examples/latency/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8fgc-7cc6-rx7x", "level": "note", "message": {"text": "webpack: GHSA-8fgc-7cc6-rx7x"}, "properties": {"repobilityId": 78624, "scanner": "osv-scanner", "fingerprint": "885831ec9a185235867071859b61a882e0ef92e6f19d618957bda24e6b9a1eff", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-68458"], "package": "webpack", "rule_id": "GHSA-8fgc-7cc6-rx7x", "scanner": "osv-scanner", "correlation_key": "vuln|webpack|CVE-2025-68458|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-38r7-794h-5758", "level": "note", "message": {"text": "webpack: GHSA-38r7-794h-5758"}, "properties": {"repobilityId": 78623, "scanner": "osv-scanner", "fingerprint": "cb693bda54a38b47305c57915d671e4fec7e8595eb17860c0919230b8f1f3165", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-68157"], "package": "webpack", "rule_id": "GHSA-38r7-794h-5758", "scanner": "osv-scanner", "correlation_key": "vuln|webpack|CVE-2025-68157|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-52f5-9888-hmc6", "level": "note", "message": {"text": "tmp: GHSA-52f5-9888-hmc6"}, "properties": {"repobilityId": 78620, "scanner": "osv-scanner", "fingerprint": 
"5003655454a65a37426e56993d1d8451b9df8dbc03f84f8701df78d520fd3ab5", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-54798"], "package": "tmp", "rule_id": "GHSA-52f5-9888-hmc6", "scanner": "osv-scanner", "correlation_key": "vuln|tmp|CVE-2025-54798|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w7fw-mjwx-w883", "level": "note", "message": {"text": "qs: GHSA-w7fw-mjwx-w883"}, "properties": {"repobilityId": 78606, "scanner": "osv-scanner", "fingerprint": "f166fc9bedc798a4405ffae4db362d32e9e4c74b30e882f3e29ef038e180f732", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2391"], "package": "qs", "rule_id": "GHSA-w7fw-mjwx-w883", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2026-2391|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-73rr-hh4g-fpgx", "level": "note", "message": {"text": "diff: GHSA-73rr-hh4g-fpgx"}, "properties": {"repobilityId": 78582, "scanner": "osv-scanner", "fingerprint": "2405e68ce7f62e11671ae9eb41fe554f754a22acc3d904b80f3e56e6f25eadd6", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-24001"], "package": "diff", "rule_id": "GHSA-73rr-hh4g-fpgx", "scanner": "osv-scanner", "correlation_key": "vuln|diff|CVE-2026-24001|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xhjh-pmcv-23jw", "level": "note", "message": 
{"text": "axios: GHSA-xhjh-pmcv-23jw"}, "properties": {"repobilityId": 78574, "scanner": "osv-scanner", "fingerprint": "ac4cde2863facff6aec7b8b941ad5c0b93216a4d6e47c06e5de7098a0e1f38a9", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42040"], "package": "axios", "rule_id": "GHSA-xhjh-pmcv-23jw", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42040|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vpq2-c234-7xj6", "level": "note", "message": {"text": "@tootallnate/once: GHSA-vpq2-c234-7xj6"}, "properties": {"repobilityId": 78539, "scanner": "osv-scanner", "fingerprint": "1c0f0148ace47ef33535c46cbabd2bb1ccd67f1c0e01bbf25c302172203fc655", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-3449"], "package": "@tootallnate/once", "rule_id": "GHSA-vpq2-c234-7xj6", "scanner": "osv-scanner", "correlation_key": "vuln|tootallnate/once|CVE-2026-3449|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/create-react-app-example/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8fgc-7cc6-rx7x", "level": "note", "message": {"text": "webpack: GHSA-8fgc-7cc6-rx7x"}, "properties": {"repobilityId": 78531, "scanner": "osv-scanner", "fingerprint": "d3b7f12324f9166d979fc9743d18949a8d882adc6f54e883fae317fe49a9cd56", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-68458"], "package": "webpack", "rule_id": "GHSA-8fgc-7cc6-rx7x", "scanner": 
"osv-scanner", "correlation_key": "vuln|webpack|CVE-2025-68458|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-8fgc-7cc6-rx7x"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["480b3dd45d5fbf1a472ca154d2ad70e376cf8afd0c32d68e856520f5fbfb5476", "d3b7f12324f9166d979fc9743d18949a8d882adc6f54e883fae317fe49a9cd56"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-crud-application/vue-client/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-38r7-794h-5758", "level": "note", "message": {"text": "webpack: GHSA-38r7-794h-5758"}, "properties": {"repobilityId": 78529, "scanner": "osv-scanner", "fingerprint": "11c4e0e69403dcf9c5778860dce92fdb6f55f25722f29643048dffedb5f41026", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-68157"], "package": "webpack", "rule_id": "GHSA-38r7-794h-5758", "scanner": "osv-scanner", "correlation_key": "vuln|webpack|CVE-2025-68157|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-38r7-794h-5758"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["11c4e0e69403dcf9c5778860dce92fdb6f55f25722f29643048dffedb5f41026", "92b8e5c833c281a98aeedc2b7abccf9f2437c672902a34e94754752b8afc928a"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-crud-application/vue-client/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w7fw-mjwx-w883", "level": "note", "message": {"text": "qs: GHSA-w7fw-mjwx-w883"}, "properties": {"repobilityId": 78526, "scanner": "osv-scanner", "fingerprint": "5aa19328fb55d18fef0a070044382248e6008b57e47a7e160fcdcf0dfab52706", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) 
for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-2391"], "package": "qs", "rule_id": "GHSA-w7fw-mjwx-w883", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2026-2391|token", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-w7fw-mjwx-w883"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["17f19bbc0e6e67d024dc3ef05d1f6789cac03fcf4a741aa273110d91ddf53450", "5aa19328fb55d18fef0a070044382248e6008b57e47a7e160fcdcf0dfab52706", "7c38c3385c5119d931b3b4f0f3b22fb5129b39a4a334b513d6a4904e91b46a4f"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-crud-application/vue-client/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qw6h-vgh9-j6wx", "level": "note", "message": {"text": "express: GHSA-qw6h-vgh9-j6wx"}, "properties": {"repobilityId": 78504, "scanner": "osv-scanner", "fingerprint": "f57f4377898a8cb4814fe69b25006d48b0aa9b9435cd2b884cf7142af261865c", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2024-43796"], "package": "express", "rule_id": "GHSA-qw6h-vgh9-j6wx", "scanner": "osv-scanner", "correlation_key": "vuln|express|CVE-2024-43796|token", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-qw6h-vgh9-j6wx"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["0d70bdc1ca9e0a15114cf453b95a90852af327f9fa36160f3a4b50e5b5fbf201", "2848cd682ab731a32d617a70428026e46b1b835d4af75e267a678ccb2b664cc5", "f57f4377898a8cb4814fe69b25006d48b0aa9b9435cd2b884cf7142af261865c"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-crud-application/vue-client/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-pxg6-pf52-xh8x", "level": "note", "message": {"text": "cookie: GHSA-pxg6-pf52-xh8x"}, "properties": {"repobilityId": 
78503, "scanner": "osv-scanner", "fingerprint": "ad97bb24accf5124bf7d4c7da909eff95154f9be7c0877a32c27ab0cc4cfac79", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2024-47764"], "package": "cookie", "rule_id": "GHSA-pxg6-pf52-xh8x", "scanner": "osv-scanner", "correlation_key": "vuln|cookie|CVE-2024-47764|token", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-pxg6-pf52-xh8x"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["37236d0edc5808b55647512ab5c7c4a7b68cffbd8946a344c4b4bc6d991caee4", "458144d95e9dceb2df3946d94e12cf32740b0699b88a6d131cc210a63c519d35", "ad97bb24accf5124bf7d4c7da909eff95154f9be7c0877a32c27ab0cc4cfac79"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-crud-application/vue-client/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-cm22-4g7w-348p", "level": "note", "message": {"text": "serve-static: GHSA-cm22-4g7w-348p"}, "properties": {"repobilityId": 78497, "scanner": "osv-scanner", "fingerprint": "1a3251cf86f4c348a0e12781bc1238e8846560894bdc32b6edfaf7c40fe07021", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 3 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2024-43800"], "package": "serve-static", "rule_id": "GHSA-cm22-4g7w-348p", "scanner": "osv-scanner", "correlation_key": "vuln|serve-static|CVE-2024-43800|token", "duplicate_count": 3, "duplicate_rule_ids": ["GHSA-cm22-4g7w-348p"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["1a3251cf86f4c348a0e12781bc1238e8846560894bdc32b6edfaf7c40fe07021", "416d3f86bb8fa0351f23e1055eb9d61657bc464b333fb2b4b024c1609c889583", 
"8a7acd5dc88eecb3a779ab5c4463f96b45d177e045afa6ea491f711d5b17d000", "dd736c107d6dc7ddfff37bf6cf1c01679147ea7a995320f829d1ad3d08d4c73c"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ReactNativeExample/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-m6fv-jmcg-4jfg", "level": "note", "message": {"text": "send: GHSA-m6fv-jmcg-4jfg"}, "properties": {"repobilityId": 78496, "scanner": "osv-scanner", "fingerprint": "1196f87d60c308eafbba64ad4b17a27137b945a3fb9ab0cbf3234545e60c34ca", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 3 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2024-43799"], "package": "send", "rule_id": "GHSA-m6fv-jmcg-4jfg", "scanner": "osv-scanner", "correlation_key": "vuln|send|CVE-2024-43799|token", "duplicate_count": 3, "duplicate_rule_ids": ["GHSA-m6fv-jmcg-4jfg"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["1196f87d60c308eafbba64ad4b17a27137b945a3fb9ab0cbf3234545e60c34ca", "4c2731f05e077dd974a2bd314e4b953d27f0f805804d221cd9cce6b7a40ef5ec", "bec5787a3d94cf556c8d2c51f7c69123a0b32c209e83a7d24086c33c2c0ffe47", "dd6e61aa615c9de724a7f542eb1ce78a34b7503e7828a7f51a3b0d443d750c34"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ReactNativeExample/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-76c9-3jph-rj3q", "level": "note", "message": {"text": "on-headers: GHSA-76c9-3jph-rj3q"}, "properties": {"repobilityId": 78495, "scanner": "osv-scanner", "fingerprint": "e3ebf7054360c803c2cedd229641fad225e4ca7b124cb98012dc73e60d9f53c3", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-7339"], "package": 
"on-headers", "rule_id": "GHSA-76c9-3jph-rj3q", "scanner": "osv-scanner", "correlation_key": "vuln|on-headers|CVE-2025-7339|token", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-76c9-3jph-rj3q"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["5af7f5ca8d00d73ff93cc16070b9be49f64d862bff50ffc560c0d4f2e9c4d1f9", "77415ce1c054dc2e1fbb9c3bbb595118e4aa30523d9db7e5b5220f48f6c69e28", "e3ebf7054360c803c2cedd229641fad225e4ca7b124cb98012dc73e60d9f53c3"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ReactNativeExample/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-fj3w-jwp8-x2g3", "level": "note", "message": {"text": "fast-xml-parser: GHSA-fj3w-jwp8-x2g3"}, "properties": {"repobilityId": 78483, "scanner": "osv-scanner", "fingerprint": "5977203c5037ef1b829ea544312f3c98e8e54a9f7473174882b2ffe611c6affb", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27942"], "package": "fast-xml-parser", "rule_id": "GHSA-fj3w-jwp8-x2g3", "scanner": "osv-scanner", "correlation_key": "vuln|fast-xml-parser|CVE-2026-27942|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ReactNativeExample/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-73rr-hh4g-fpgx", "level": "note", "message": {"text": "diff: GHSA-73rr-hh4g-fpgx"}, "properties": {"repobilityId": 78463, "scanner": "osv-scanner", "fingerprint": "67d90a9622809d9f1ca4aafc92d8e48a6fad4f3dca2105397a44fe607607e226", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-24001"], "package": "diff", "rule_id": "GHSA-73rr-hh4g-fpgx", "scanner": "osv-scanner", "correlation_key": 
"vuln|diff|CVE-2026-24001|token", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-73rr-hh4g-fpgx"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["44b8222091be8c6169fe74f4e7b3fdd16e9774156b1822c1764b848a5cb19569", "67d90a9622809d9f1ca4aafc92d8e48a6fad4f3dca2105397a44fe607607e226", "cc714e6ca5db59d1919306a5694f8382cc1dbfc72548f804448030e3047f4b3e"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/engine.io-protocol/v3-test-suite/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v6h2-p8h4-qcjw", "level": "note", "message": {"text": "brace-expansion: GHSA-v6h2-p8h4-qcjw"}, "properties": {"repobilityId": 78461, "scanner": "osv-scanner", "fingerprint": "434be414ec0b4187a2ae3dc2a35e29d97287f9a361a13d89d9f943680b892dec", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 5 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-5889"], "package": "brace-expansion", "rule_id": "GHSA-v6h2-p8h4-qcjw", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2025-5889|token", "duplicate_count": 5, "duplicate_rule_ids": ["GHSA-v6h2-p8h4-qcjw"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["156cef2c133af61ea4a9273357abfcffffe27670159778e2bd2056091ce8f9ed", "434be414ec0b4187a2ae3dc2a35e29d97287f9a361a13d89d9f943680b892dec", "6b8d6ec3408bbfb99ee17c79759b95115c7eb35701612485ed7f9b0e8f9348e5", "a0ff339281f454fe9c0065adc503a759bb5f49d3816faaff14a24f379b54764e", "df6ef57a3f75976e1f9adf8e6aa6752aa1e2e61576907dd29009253fe5c02a80", "e2c9e535954206814775ea89496098e5bb99fae7239092f1909caab933f1de08"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/engine.io-protocol/v3-test-suite/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks 
no-new-privileges hardening"}, "properties": {"repobilityId": 78454, "scanner": "repobility-docker", "fingerprint": "96ffcc4c33181141cb64debc0a30c63e4d248d1f90a52fafb3b1e04855b5859e", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "valkey", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|96ffcc4c33181141cb64debc0a30c63e4d248d1f90a52fafb3b1e04855b5859e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/socket.io-redis-streams-emitter/compose.yaml"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 78453, "scanner": "repobility-docker", "fingerprint": "217056b590756dece4fb6767392febb7a56c1b8ef91aa0981a18d52dadaff388", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "valkey", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|217056b590756dece4fb6767392febb7a56c1b8ef91aa0981a18d52dadaff388"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/socket.io-redis-streams-emitter/compose.yaml"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 78452, "scanner": "repobility-docker", "fingerprint": 
"99d8888771d5223e65401f679b50457eb4dd4f8acf000bcfb5064391d69df177", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "redis-cluster", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|99d8888771d5223e65401f679b50457eb4dd4f8acf000bcfb5064391d69df177"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/socket.io-redis-streams-emitter/compose.yaml"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 78449, "scanner": "repobility-docker", "fingerprint": "119ea159977838edaf5d9cb190be85267bbb5e5155f36cd11eb860734245f69d", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|119ea159977838edaf5d9cb190be85267bbb5e5155f36cd11eb860734245f69d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/socket.io-redis-streams-emitter/compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 78442, "scanner": "repobility-docker", "fingerprint": "8a04e7142b190b5ff99f9939ccb5a194e78b09ed0e063d75ece21e51530768ea", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", 
"scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|8a04e7142b190b5ff99f9939ccb5a194e78b09ed0e063d75ece21e51530768ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/socket.io-cluster-engine/compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 78439, "scanner": "repobility-docker", "fingerprint": "bc117f4883d3605a5be6d631fb070c39071db5efdd4e308bff7d5343206f4223", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|bc117f4883d3605a5be6d631fb070c39071db5efdd4e308bff7d5343206f4223"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/private-messaging/server/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 78432, "scanner": "repobility-docker", "fingerprint": "2761bc3a6888b5a8348b5f8d835801f2f7ad23d0275597082d739e9554354d4b", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|2761bc3a6888b5a8348b5f8d835801f2f7ad23d0275597082d739e9554354d4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"examples/cluster-traefik/docker-compose.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 78430, "scanner": "repobility-docker", "fingerprint": "3389afa063d09f6ce6a0a131abfdf949946327a90e298b9cfd1528bf988417f8", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "server", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|3389afa063d09f6ce6a0a131abfdf949946327a90e298b9cfd1528bf988417f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-traefik/docker-compose.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 78429, "scanner": "repobility-docker", "fingerprint": "485bba0f295018be687035ac318ebb5a3af90e08369b1943d7a0d11b2a265716", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "server", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|485bba0f295018be687035ac318ebb5a3af90e08369b1943d7a0d11b2a265716"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-traefik/docker-compose.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, 
"properties": {"repobilityId": 78427, "scanner": "repobility-docker", "fingerprint": "458fa718d09edf6b0161873af0df8840448c8e78e537c8e08835d158c18cbdc0", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|458fa718d09edf6b0161873af0df8840448c8e78e537c8e08835d158c18cbdc0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-nginx/docker-compose.yml"}, "region": {"startLine": 54}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 78425, "scanner": "repobility-docker", "fingerprint": "09fbe7b748488fb540452a927de5cbe3a08a69c7e0a1b643c13c9fd9388eb52f", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "client", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|09fbe7b748488fb540452a927de5cbe3a08a69c7e0a1b643c13c9fd9388eb52f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-nginx/docker-compose.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 78424, "scanner": "repobility-docker", "fingerprint": "b1e81a15f2ae2a22e316ab61ca23d5d3e9e5d9fb973dc921fe3d92accb62f783", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": 
"needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "client", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b1e81a15f2ae2a22e316ab61ca23d5d3e9e5d9fb973dc921fe3d92accb62f783"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-nginx/docker-compose.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 78423, "scanner": "repobility-docker", "fingerprint": "55b98dab964f3ef59be2e090052db050b18313d9e1c6ba83054b1b6326f1597a", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "server-ringo", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|55b98dab964f3ef59be2e090052db050b18313d9e1c6ba83054b1b6326f1597a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-nginx/docker-compose.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 78422, "scanner": "repobility-docker", "fingerprint": "260f0ae7dba33709ac420cd9c10be66b6c61168a1dcaea4d36d20e55aadb4fc7", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": 
"repobility-docker", "service": "server-ringo", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|260f0ae7dba33709ac420cd9c10be66b6c61168a1dcaea4d36d20e55aadb4fc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-nginx/docker-compose.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 78421, "scanner": "repobility-docker", "fingerprint": "d9630709fdf27f093482e39febd92f708dcda682aa7ad8a3745ae50f526f6705", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "server-george", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d9630709fdf27f093482e39febd92f708dcda682aa7ad8a3745ae50f526f6705"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-nginx/docker-compose.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 78420, "scanner": "repobility-docker", "fingerprint": "dfb31f5d8b9f67e531f97af22e42cbb1eab48b124dfb391db644876aa9073855", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "server-george", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": 
"fp|dfb31f5d8b9f67e531f97af22e42cbb1eab48b124dfb391db644876aa9073855"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-nginx/docker-compose.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 78419, "scanner": "repobility-docker", "fingerprint": "3b4203b3e941f3600ed3e28e1424345fd0cb00140e38356cab925d1275c071ff", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "server-paul", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|3b4203b3e941f3600ed3e28e1424345fd0cb00140e38356cab925d1275c071ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-nginx/docker-compose.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 78418, "scanner": "repobility-docker", "fingerprint": "d18c4b0dad25ce640149b86e5284706d0d7f3e2adffc450618fc655abe80e861", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "server-paul", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d18c4b0dad25ce640149b86e5284706d0d7f3e2adffc450618fc655abe80e861"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"examples/cluster-nginx/docker-compose.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 78417, "scanner": "repobility-docker", "fingerprint": "68e930a48b73db058a30b1815dc2f91c3e8c39742b711c22d95cc424820c3018", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "server-john", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|68e930a48b73db058a30b1815dc2f91c3e8c39742b711c22d95cc424820c3018"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-nginx/docker-compose.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 78416, "scanner": "repobility-docker", "fingerprint": "ee18629530d4adb510323931ef50030d86feffe812e3281e5ca624decef30417", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "server-john", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ee18629530d4adb510323931ef50030d86feffe812e3281e5ca624decef30417"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-nginx/docker-compose.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, 
"properties": {"repobilityId": 78415, "scanner": "repobility-docker", "fingerprint": "efd1925d00c667bb84364249068ad28c3028a5994cc9a04d43c00e2d11fc9295", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|efd1925d00c667bb84364249068ad28c3028a5994cc9a04d43c00e2d11fc9295"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-httpd/docker-compose.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 78413, "scanner": "repobility-docker", "fingerprint": "6bffb302cedf0bc1e0221ffe5fd7be483f83981237dfe1b93668ecd897d20de2", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "server-ringo", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|6bffb302cedf0bc1e0221ffe5fd7be483f83981237dfe1b93668ecd897d20de2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-httpd/docker-compose.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 78412, "scanner": "repobility-docker", "fingerprint": "0befc4098b1b740a16b5ade891d9760d5677b97e53622b374789f3c075864d84", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": 
"needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "server-ringo", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|0befc4098b1b740a16b5ade891d9760d5677b97e53622b374789f3c075864d84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-httpd/docker-compose.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 78411, "scanner": "repobility-docker", "fingerprint": "a2f2839e5f64dce5001f2222c6e1fc4365ac5a56ee76f8c58d3339cdba49f11e", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "server-george", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a2f2839e5f64dce5001f2222c6e1fc4365ac5a56ee76f8c58d3339cdba49f11e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-httpd/docker-compose.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 78410, "scanner": "repobility-docker", "fingerprint": "a570975e010e50f07920d9c50be3782d32971c1b756f2fccc93fc54fc217043e", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": 
"repobility-docker", "service": "server-george", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a570975e010e50f07920d9c50be3782d32971c1b756f2fccc93fc54fc217043e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-httpd/docker-compose.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 78409, "scanner": "repobility-docker", "fingerprint": "2d4637f5b313cebb968614d0969aec659ee1e0d8d1a09c9d5cdc7770242ed7db", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "server-paul", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2d4637f5b313cebb968614d0969aec659ee1e0d8d1a09c9d5cdc7770242ed7db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-httpd/docker-compose.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 78408, "scanner": "repobility-docker", "fingerprint": "8324a335f2505b34b3a9b148caeb80586f5f0ff4bc0745c84a3eae1c91b6ad3e", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "server-paul", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": 
"fp|8324a335f2505b34b3a9b148caeb80586f5f0ff4bc0745c84a3eae1c91b6ad3e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-httpd/docker-compose.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 78407, "scanner": "repobility-docker", "fingerprint": "8660d314e048fe40719fbb29c0b7ef318e96062d2c39b2a9dd6359273158d355", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "server-john", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|8660d314e048fe40719fbb29c0b7ef318e96062d2c39b2a9dd6359273158d355"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-httpd/docker-compose.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 78406, "scanner": "repobility-docker", "fingerprint": "681f1dea14b5f384148a8cef01c02129cdb3c7460c4b5d110c8f7570fe341059", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "server-john", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|681f1dea14b5f384148a8cef01c02129cdb3c7460c4b5d110c8f7570fe341059"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"examples/cluster-httpd/docker-compose.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 78405, "scanner": "repobility-docker", "fingerprint": "81e8aa91cd12459963261e9894fef9297885665b76e16fbd76b0d9641f8fdbe3", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "httpd", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|81e8aa91cd12459963261e9894fef9297885665b76e16fbd76b0d9641f8fdbe3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-httpd/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 78404, "scanner": "repobility-docker", "fingerprint": "4b911d908461bd90668085b3984cdd5ae2a54a63a73a1d2ddcd6cf5e1d5c2f3d", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "httpd", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|4b911d908461bd90668085b3984cdd5ae2a54a63a73a1d2ddcd6cf5e1d5c2f3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-httpd/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": 
{"repobilityId": 78403, "scanner": "repobility-docker", "fingerprint": "4c28cbd96f3de4f43808a0ee1de5e5cd8d7543da812551b080cc655b683ed5f7", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|4c28cbd96f3de4f43808a0ee1de5e5cd8d7543da812551b080cc655b683ed5f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-haproxy/docker-compose.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 78401, "scanner": "repobility-docker", "fingerprint": "39197a2ffe417aca77cba8f65b532b2f42d3adfada3c6dd36d4eaa9c05b7bc38", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "server-ringo", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|39197a2ffe417aca77cba8f65b532b2f42d3adfada3c6dd36d4eaa9c05b7bc38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-haproxy/docker-compose.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 78400, "scanner": "repobility-docker", "fingerprint": "2d7060265019e573d6561a386247136aa68915afd71b739bc2a441d8344ef12f", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": 
"needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "server-ringo", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2d7060265019e573d6561a386247136aa68915afd71b739bc2a441d8344ef12f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-haproxy/docker-compose.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 78399, "scanner": "repobility-docker", "fingerprint": "2a8ea97a2c0a092cbe9bc860e67ac50f4f4d23c3a86d432ad399b41bedc99479", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "server-george", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2a8ea97a2c0a092cbe9bc860e67ac50f4f4d23c3a86d432ad399b41bedc99479"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-haproxy/docker-compose.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 78398, "scanner": "repobility-docker", "fingerprint": "a20964161d9376b0184eab37ff9a9a8f49e15c8ca08519b79235005e32d341eb", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", 
"scanner": "repobility-docker", "service": "server-george", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a20964161d9376b0184eab37ff9a9a8f49e15c8ca08519b79235005e32d341eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-haproxy/docker-compose.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 78397, "scanner": "repobility-docker", "fingerprint": "2cc6281d6d79776901b990dca8706d66de7adc59b27b48668424803f99379a99", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "server-paul", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2cc6281d6d79776901b990dca8706d66de7adc59b27b48668424803f99379a99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-haproxy/docker-compose.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 78396, "scanner": "repobility-docker", "fingerprint": "3f5cdfa800a87ca213ee9a70f05e1ad40441ef4d069a29e4a5ccd8278a5cc5f3", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "server-paul", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": 
"fp|3f5cdfa800a87ca213ee9a70f05e1ad40441ef4d069a29e4a5ccd8278a5cc5f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-haproxy/docker-compose.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 78395, "scanner": "repobility-docker", "fingerprint": "b3562caa5c510b866114458b81389a1d8403724e072a09b60def2170245b70d4", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "server-john", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b3562caa5c510b866114458b81389a1d8403724e072a09b60def2170245b70d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-haproxy/docker-compose.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 78394, "scanner": "repobility-docker", "fingerprint": "f55d56545c0bf066e7fe124b835d7c00e8a627a4bf19bc837533e07584347391", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "server-john", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f55d56545c0bf066e7fe124b835d7c00e8a627a4bf19bc837533e07584347391"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"examples/cluster-haproxy/docker-compose.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 78393, "scanner": "repobility-docker", "fingerprint": "ace03f2767ec683dfe5c5a39fc7ce88efdc687ae23a46e948b53bce7c37e6ed7", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "haproxy", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ace03f2767ec683dfe5c5a39fc7ce88efdc687ae23a46e948b53bce7c37e6ed7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-haproxy/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 78392, "scanner": "repobility-docker", "fingerprint": "4a0cff175bb0680451d6ec5641328004b5ecc5b48c989e9b6ac4c3c0603c54ed", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "haproxy", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|4a0cff175bb0680451d6ec5641328004b5ecc5b48c989e9b6ac4c3c0603c54ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-haproxy/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, 
"properties": {"repobilityId": 78391, "scanner": "repobility-docker", "fingerprint": "6d90e23d9cfd24e9de82c6bdb4d7bdd94e6c8ab1e109ea45ec308ea990d33852", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|6d90e23d9cfd24e9de82c6bdb4d7bdd94e6c8ab1e109ea45ec308ea990d33852"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-engine-redis/compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 78370, "scanner": "repobility-threat-engine", "fingerprint": "b0f6dea5be12832f16cf65c5b764c641f55f379e8dc6d9557e79bc34f7eb7a81", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = s", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|37|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/engine.io/examples/latency/public/index.js"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). 
Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 78369, "scanner": "repobility-threat-engine", "fingerprint": "a0924ec295b380b7eb436f6f47122bc90b0346cb4654a9af17608cdb9f7b67b4", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'\\x1B[96mlistening on localhost:' + port + ' \\x1B[39m'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a0924ec295b380b7eb436f6f47122bc90b0346cb4654a9af17608cdb9f7b67b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/engine.io/examples/latency/index.js"}, "region": {"startLine": 33}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@types/pg` is minor version(s) behind (8.15.5 -> 8.20.0)"}, "properties": {"repobilityId": 78342, "scanner": "repobility-dependency-currency", "fingerprint": "7c7b6079b24e04224fed20d17aa38a4b8ac9515b651a38053e016ef50641289b", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/pg", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "8.20.0", "correlation_key": "fp|7c7b6079b24e04224fed20d17aa38a4b8ac9515b651a38053e016ef50641289b", "current_version": "8.15.5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": 
{"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@socket.io/redis-streams-adapter` is minor version(s) behind (0.2.2 -> 0.3.1)"}, "properties": {"repobilityId": 78339, "scanner": "repobility-dependency-currency", "fingerprint": "8af3382bdae11c6789a4fc3c9ada61f086a4d0846432d2ed5895550e85465543", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@socket.io/redis-streams-adapter", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.3.1", "correlation_key": "fp|8af3382bdae11c6789a4fc3c9ada61f086a4d0846432d2ed5895550e85465543", "current_version": "0.2.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@socket.io/postgres-adapter` is minor version(s) behind (0.1.1 -> 0.5.0)"}, "properties": {"repobilityId": 78338, "scanner": "repobility-dependency-currency", "fingerprint": "25d52c64f710da9841cb308ec60a157fefb17ea8955e7f87bfa920d2dc29162d", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@socket.io/postgres-adapter", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.5.0", "correlation_key": "fp|25d52c64f710da9841cb308ec60a157fefb17ea8955e7f87bfa920d2dc29162d", "current_version": "0.1.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package 
`@fails-components/webtransport-transport-http3-quiche` is minor version(s) behind (1.5.1 -> 1.6.3)"}, "properties": {"repobilityId": 78332, "scanner": "repobility-dependency-currency", "fingerprint": "0d895eb01a01fbc90ee6569881226de3cb8c8f76523b2bab3acb7ed58aa5b0fc", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@fails-components/webtransport-transport-http3-quiche", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.6.3", "correlation_key": "fp|0d895eb01a01fbc90ee6569881226de3cb8c8f76523b2bab3acb7ed58aa5b0fc", "current_version": "1.5.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@fails-components/webtransport` is minor version(s) behind (1.5.1 -> 1.6.3)"}, "properties": {"repobilityId": 78331, "scanner": "repobility-dependency-currency", "fingerprint": "20e54e5ce785c9df962fc3517a8d5b236c5f3327e1edd51f5300a347c306cad1", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@fails-components/webtransport", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.6.3", "correlation_key": "fp|20e54e5ce785c9df962fc3517a8d5b236c5f3327e1edd51f5300a347c306cad1", "current_version": "1.5.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@babel/register` is minor version(s) behind (7.24.6 -> 7.29.7)"}, 
"properties": {"repobilityId": 78330, "scanner": "repobility-dependency-currency", "fingerprint": "d72e1decb13ec71dfbc5f1fff2f4f4862e729eafb98980a06514a51987cb2e9a", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@babel/register", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.29.7", "correlation_key": "fp|d72e1decb13ec71dfbc5f1fff2f4f4862e729eafb98980a06514a51987cb2e9a", "current_version": "7.24.6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@babel/preset-env` is minor version(s) behind (7.24.7 -> 7.29.7)"}, "properties": {"repobilityId": 78329, "scanner": "repobility-dependency-currency", "fingerprint": "e630dd8fb5cc35c013a939205ca9f15aa4c5b76d632b0b63d768f8f1807ef9e3", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@babel/preset-env", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.29.7", "correlation_key": "fp|e630dd8fb5cc35c013a939205ca9f15aa4c5b76d632b0b63d768f8f1807ef9e3", "current_version": "7.24.7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@babel/plugin-transform-object-assign` is minor version(s) behind (7.24.7 -> 7.29.7)"}, "properties": {"repobilityId": 78328, "scanner": "repobility-dependency-currency", "fingerprint": 
"458a8d337723c60f74dadefe8e6e8d4fba286cd71f595b4805a2f19cdc88f5e2", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@babel/plugin-transform-object-assign", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.29.7", "correlation_key": "fp|458a8d337723c60f74dadefe8e6e8d4fba286cd71f595b4805a2f19cdc88f5e2", "current_version": "7.24.7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@babel/core` is minor version(s) behind (7.24.7 -> 7.29.7)"}, "properties": {"repobilityId": 78327, "scanner": "repobility-dependency-currency", "fingerprint": "9a3d0aa26d62ed6ceabccd9b111b7686ab3a0c3f8ea40153f98caf9203986190", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@babel/core", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.29.7", "correlation_key": "fp|9a3d0aa26d62ed6ceabccd9b111b7686ab3a0c3f8ea40153f98caf9203986190", "current_version": "7.24.7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78272, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0d4327732b0b18374cc059ef7c5dcb1d69063ceee2f47f0c51fc2513a2064c2d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/socket.io-client/lib/socket.ts", "duplicate_line": 470, "correlation_key": "fp|0d4327732b0b18374cc059ef7c5dcb1d69063ceee2f47f0c51fc2513a2064c2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/socket.io/lib/socket.ts"}, "region": {"startLine": 412}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78271, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ab7af262f0a4d949a3adc59eaff942f3a67d739db2f0a305913dd4504f620f7f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/socket.io-postgres-emitter/lib/index.ts", "duplicate_line": 13, "correlation_key": "fp|ab7af262f0a4d949a3adc59eaff942f3a67d739db2f0a305913dd4504f620f7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/socket.io-redis-streams-emitter/lib/util.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78270, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1df0e0f1285da987a3cde2532dde11107b4132a9d7c282bc9620040ac0168751", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", 
"evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/socket.io-postgres-emitter/lib/typed-events.ts", "duplicate_line": 1, "correlation_key": "fp|1df0e0f1285da987a3cde2532dde11107b4132a9d7c282bc9620040ac0168751"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/socket.io-redis-streams-emitter/lib/typed-events.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78269, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1aa0c7e66e25556f73ab41b94dcaffa2b10abd4f8b2e0d9e3eab5ceb2da90e77", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/socket.io-postgres-emitter/lib/index.ts", "duplicate_line": 126, "correlation_key": "fp|1aa0c7e66e25556f73ab41b94dcaffa2b10abd4f8b2e0d9e3eab5ceb2da90e77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/socket.io-redis-streams-emitter/lib/index.ts"}, "region": {"startLine": 72}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78268, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d08719bc9ba78bff7fb01c9c3bd5b3e1dee6c0ba180b0cbd1a4c330ed9604660", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/socket.io-adapter/lib/cluster-adapter.ts", "duplicate_line": 24, "correlation_key": "fp|d08719bc9ba78bff7fb01c9c3bd5b3e1dee6c0ba180b0cbd1a4c330ed9604660"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/socket.io-redis-streams-emitter/lib/adapter-types.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78267, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e19016def5315750f33318c21dbbb92088d9d74e0cc808f04a5667607f9b9873", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/socket.io-client/wdio.conf.js", "duplicate_line": 7, "correlation_key": "fp|e19016def5315750f33318c21dbbb92088d9d74e0cc808f04a5667607f9b9873"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/socket.io-parser/wdio.conf.js"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78266, "scanner": "repobility-ai-code-hygiene", "fingerprint": "88a99c81a2386e079856b0697bbd93bde26f783718fe1b6130b3e1292e78dc08", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"packages/socket.io-component-emitter/lib/cjs/index.js", "duplicate_line": 3, "correlation_key": "fp|88a99c81a2386e079856b0697bbd93bde26f783718fe1b6130b3e1292e78dc08"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/socket.io-component-emitter/lib/esm/index.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78265, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b2ab1c7008264cfcddd15c29a237996f10cee1d3e4c4b9872451dd8be48be5b4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/socket.io-cluster-engine/lib/cluster.ts", "duplicate_line": 19, "correlation_key": "fp|b2ab1c7008264cfcddd15c29a237996f10cee1d3e4c4b9872451dd8be48be5b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/socket.io-cluster-engine/lib/redis.ts"}, "region": {"startLine": 76}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78264, "scanner": "repobility-ai-code-hygiene", "fingerprint": "160909a0904e054410a48f326ed401b088a99a6dcc154d526c8d53374ebac0be", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/socket.io-client/support/rollup.config.esm.js", "duplicate_line": 11, 
"correlation_key": "fp|160909a0904e054410a48f326ed401b088a99a6dcc154d526c8d53374ebac0be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/socket.io-client/support/rollup.config.umd.js"}, "region": {"startLine": 42}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78263, "scanner": "repobility-ai-code-hygiene", "fingerprint": "311cad873db0801c3f0912f1da12e593090e18e74e165089a48df65942635e42", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/engine.io-client/support/rollup.config.umd.js", "duplicate_line": 14, "correlation_key": "fp|311cad873db0801c3f0912f1da12e593090e18e74e165089a48df65942635e42"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/socket.io-client/support/rollup.config.umd.js"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78262, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2aa7dd2a78113000bd63f5360dbd67d5719b22ee87cf3e408158bb0e68f28601", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/engine.io-client/support/bundle-size.js", "duplicate_line": 12, "correlation_key": 
"fp|2aa7dd2a78113000bd63f5360dbd67d5719b22ee87cf3e408158bb0e68f28601"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/socket.io-client/support/bundle-size.js"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78261, "scanner": "repobility-ai-code-hygiene", "fingerprint": "868a2ebe0a96022efa09154a0ce83215a5e1a3bcf6957e8055d50d36c5d019e1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/engine.io/lib/transports-uws/polling.ts", "duplicate_line": 145, "correlation_key": "fp|868a2ebe0a96022efa09154a0ce83215a5e1a3bcf6957e8055d50d36c5d019e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/engine.io/lib/transports/polling.ts"}, "region": {"startLine": 124}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78260, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0b9a348ce7369a421cd5dced07137495187a71792bbe83f62b3efb287a0c5b57", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/engine.io-parser/lib/decodePacket.browser.ts", "duplicate_line": 10, "correlation_key": "fp|0b9a348ce7369a421cd5dced07137495187a71792bbe83f62b3efb287a0c5b57"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "packages/engine.io-parser/lib/decodePacket.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78259, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c66563dd6f260a6c4bd28e86e47139ad73bd7ff2a3b2665a7728224b55f1f84d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/engine.io-client/support/rollup.config.esm.js", "duplicate_line": 10, "correlation_key": "fp|c66563dd6f260a6c4bd28e86e47139ad73bd7ff2a3b2665a7728224b55f1f84d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/engine.io-client/support/rollup.config.umd.js"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 78371, "scanner": "repobility-threat-engine", "fingerprint": "9cc2fda805b18a43502a7c48fbff7e4843647943274ce244c5e5ffaa4d563ce1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 
55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9cc2fda805b18a43502a7c48fbff7e4843647943274ce244c5e5ffaa4d563ce1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/engine.io/examples/latency/public/index.js"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC135", "level": "none", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 78365, "scanner": "repobility-threat-engine", "fingerprint": "0e6e1eba61c6534138b0e996edff7f84d3befe0034fc817c7ee20f69e696ce17", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|0e6e1eba61c6534138b0e996edff7f84d3befe0034fc817c7ee20f69e696ce17"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 78360, "scanner": "repobility-threat-engine", "fingerprint": "82e4e08165268051f5d760d9768c3624fecfc76a1206cf584eeb9189ed8a34dd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|82e4e08165268051f5d760d9768c3624fecfc76a1206cf584eeb9189ed8a34dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/nextjs-pages-router/server.js"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 78359, "scanner": "repobility-threat-engine", "fingerprint": "d7430e716c7793741fca349448c3d7f1f001602d529177f34c5a4af354a758b2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", 
"triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d7430e716c7793741fca349448c3d7f1f001602d529177f34c5a4af354a758b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/nextjs-app-router/server.js"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 78358, "scanner": "repobility-threat-engine", "fingerprint": "638d69b5f271f49fde06d639f6acc60477c7c52f67f3ba4e01a048eefb9e0255", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|638d69b5f271f49fde06d639f6acc60477c7c52f67f3ba4e01a048eefb9e0255"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-nginx/nginx.conf"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 78357, "scanner": "repobility-threat-engine", "fingerprint": "b0c4c4e75e7063339c0dfb90d24c67efa48410f5f2acd52b1adaf1b7aeb8c902", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b0c4c4e75e7063339c0dfb90d24c67efa48410f5f2acd52b1adaf1b7aeb8c902"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/passport-example/ts/index.ts"}, "region": {"startLine": 95}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 78356, "scanner": "repobility-threat-engine", "fingerprint": "58d71706df52a7915fcd17c4f52d28f449b74dba7ad7cfdba35ec8b10b947a6f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|58d71706df52a7915fcd17c4f52d28f449b74dba7ad7cfdba35ec8b10b947a6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-crud-application/angular-client/src/app/store.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 60 more): Same pattern found in 60 additional files. Review if needed."}, "properties": {"repobilityId": 78355, "scanner": "repobility-threat-engine", "fingerprint": "6f52362bf21b7ec7cc868ebf67f7a4501cb8e33d8fbe078d4a5a3640fdff316b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 60 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|6f52362bf21b7ec7cc868ebf67f7a4501cb8e33d8fbe078d4a5a3640fdff316b", "aggregated_count": 60}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 78354, "scanner": "repobility-threat-engine", "fingerprint": "e1fa94c926941f9a3b74e98143fe5f1676fe59c3a0713c2f9dd8e679111f0120", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e1fa94c926941f9a3b74e98143fe5f1676fe59c3a0713c2f9dd8e679111f0120"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-crud-application/angular-client/src/main.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 78353, "scanner": "repobility-threat-engine", "fingerprint": "b4d5e53c2a498270fa9d6c454121c139661852f6339f19e8277be8edfea1d467", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b4d5e53c2a498270fa9d6c454121c139661852f6339f19e8277be8edfea1d467"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/angular-todomvc/src/main.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 78352, "scanner": "repobility-threat-engine", "fingerprint": "c5a396603deb7b9230618425ec70f94eddd1267aee9b58176a78f1e206328c6c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c5a396603deb7b9230618425ec70f94eddd1267aee9b58176a78f1e206328c6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ReactNativeExample/server/index.js"}, "region": {"startLine": 6}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@types/mocha` is patch version(s) behind (10.0.7 -> 10.0.10)"}, "properties": {"repobilityId": 78341, "scanner": "repobility-dependency-currency", "fingerprint": "31cbb549390898d732dc9c0d0e242ea4d8d171ca383e4f59b33f085f71a630b0", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/mocha", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.0.10", "correlation_key": "fp|31cbb549390898d732dc9c0d0e242ea4d8d171ca383e4f59b33f085f71a630b0", "current_version": "10.0.7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@types/debug` is 
patch version(s) behind (4.1.12 -> 4.1.13)"}, "properties": {"repobilityId": 78340, "scanner": "repobility-dependency-currency", "fingerprint": "df8df38d0245f248bec1bffb36dfed8a577dd45c414a7ab44df281a6087cac20", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/debug", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.1.13", "correlation_key": "fp|df8df38d0245f248bec1bffb36dfed8a577dd45c414a7ab44df281a6087cac20", "current_version": "4.1.12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vj76-c3g6-qr5v", "level": "error", "message": {"text": "tar-fs: GHSA-vj76-c3g6-qr5v"}, "properties": {"repobilityId": 78638, "scanner": "osv-scanner", "fingerprint": "292045228bd660a2c7306be52760876e386b74c94a5c7a36f0d3194fcbc463a5", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-59343"], "package": "tar-fs", "rule_id": "GHSA-vj76-c3g6-qr5v", "scanner": "osv-scanner", "correlation_key": "vuln|tar-fs|CVE-2025-59343|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/engine.io/examples/memory-usage-webtransport/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-pq67-2wwv-3xjx", "level": "error", "message": {"text": "tar-fs: GHSA-pq67-2wwv-3xjx"}, "properties": {"repobilityId": 78637, "scanner": "osv-scanner", "fingerprint": "001d2ab3c12b5f2fe254cd1f745c61953e3e0537356c1a75c70f39ab50236b2d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", 
"aliases": ["CVE-2024-12905"], "package": "tar-fs", "rule_id": "GHSA-pq67-2wwv-3xjx", "scanner": "osv-scanner", "correlation_key": "vuln|tar-fs|CVE-2024-12905|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/engine.io/examples/memory-usage-webtransport/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8cj5-5rvv-wf4v", "level": "error", "message": {"text": "tar-fs: GHSA-8cj5-5rvv-wf4v"}, "properties": {"repobilityId": 78636, "scanner": "osv-scanner", "fingerprint": "35e671870f2d54c394a0cac06ff25c4482f4d14e65eac70cd8752f6ee5ed0a80", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-48387"], "package": "tar-fs", "rule_id": "GHSA-8cj5-5rvv-wf4v", "scanner": "osv-scanner", "correlation_key": "vuln|tar-fs|CVE-2025-48387|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/engine.io/examples/memory-usage-webtransport/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c9f4-xj24-8jqx", "level": "error", "message": {"text": "uglify-js: GHSA-c9f4-xj24-8jqx"}, "properties": {"repobilityId": 78635, "scanner": "osv-scanner", "fingerprint": "7d0c3a18dd10bbc612506d9c69d36f492e62276859ca8122847cf20bde8af03b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2015-8858"], "package": "uglify-js", "rule_id": "GHSA-c9f4-xj24-8jqx", "scanner": "osv-scanner", "correlation_key": "vuln|uglify-js|CVE-2015-8858|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/engine.io/examples/latency/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-hxm2-r34f-qmc5", "level": "error", "message": {"text": "minimatch: GHSA-hxm2-r34f-qmc5"}, "properties": {"repobilityId": 78628, "scanner": 
"osv-scanner", "fingerprint": "6c16be4838bfdebdede172f44bc224bfb53c3fe3145dd57d0eccc618d9fa5d88", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2016-10540"], "package": "minimatch", "rule_id": "GHSA-hxm2-r34f-qmc5", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2016-10540|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/engine.io/examples/latency/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-wrvr-8mpx-r7pp", "level": "error", "message": {"text": "mime: GHSA-wrvr-8mpx-r7pp"}, "properties": {"repobilityId": 78627, "scanner": "osv-scanner", "fingerprint": "82b9a311c85f4e252a803729ea40f867aac7cb35bd5baf00baafc91371114546", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2017-16138"], "package": "mime", "rule_id": "GHSA-wrvr-8mpx-r7pp", "scanner": "osv-scanner", "correlation_key": "vuln|mime|CVE-2017-16138|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/engine.io/examples/latency/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9vvw-cc9w-f27h", "level": "error", "message": {"text": "debug: GHSA-9vvw-cc9w-f27h"}, "properties": {"repobilityId": 78625, "scanner": "osv-scanner", "fingerprint": "88af0fba75551ee3fd97c6b698a6abdaaeee4a0b63360e564fb40752a644f075", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2017-20165"], "package": "debug", "rule_id": "GHSA-9vvw-cc9w-f27h", "scanner": "osv-scanner", "correlation_key": "vuln|debug|CVE-2017-20165|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"packages/engine.io/examples/latency/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-ph9p-34f9-6g65", "level": "error", "message": {"text": "tmp: GHSA-ph9p-34f9-6g65"}, "properties": {"repobilityId": 78621, "scanner": "osv-scanner", "fingerprint": "98d9d97f3f550caba1f6df39b82415945caad2b866cb40a32a12f4041deb865a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44705"], "package": "tmp", "rule_id": "GHSA-ph9p-34f9-6g65", "scanner": "osv-scanner", "correlation_key": "vuln|tmp|CVE-2026-44705|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vj76-c3g6-qr5v", "level": "error", "message": {"text": "tar-fs: GHSA-vj76-c3g6-qr5v"}, "properties": {"repobilityId": 78619, "scanner": "osv-scanner", "fingerprint": "d1bbd4c811bcbf00fa5331e829226c5c448b19e344dc6fa300543001a65ab7cb", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-59343"], "package": "tar-fs", "rule_id": "GHSA-vj76-c3g6-qr5v", "scanner": "osv-scanner", "correlation_key": "vuln|tar-fs|CVE-2025-59343|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-pq67-2wwv-3xjx", "level": "error", "message": {"text": "tar-fs: GHSA-pq67-2wwv-3xjx"}, "properties": {"repobilityId": 78618, "scanner": "osv-scanner", "fingerprint": "86a7ec73cfde12437ee84d6adc533dad2a4f78bd85fd785219374e00ef1ff99f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-12905"], "package": "tar-fs", "rule_id": 
"GHSA-pq67-2wwv-3xjx", "scanner": "osv-scanner", "correlation_key": "vuln|tar-fs|CVE-2024-12905|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8cj5-5rvv-wf4v", "level": "error", "message": {"text": "tar-fs: GHSA-8cj5-5rvv-wf4v"}, "properties": {"repobilityId": 78617, "scanner": "osv-scanner", "fingerprint": "341bfe29a9dfcaef7d9356485e4f6269a6c4b76989bc53a00534ab6cdc221953", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-48387"], "package": "tar-fs", "rule_id": "GHSA-8cj5-5rvv-wf4v", "scanner": "osv-scanner", "correlation_key": "vuln|tar-fs|CVE-2025-48387|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r6q2-hw4h-h46w", "level": "error", "message": {"text": "tar: GHSA-r6q2-hw4h-h46w"}, "properties": {"repobilityId": 78616, "scanner": "osv-scanner", "fingerprint": "7db5bbfb918ed38d76af37cf80e02b458b9801396cf65c517393e3e27f2027ff", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-23950"], "package": "tar", "rule_id": "GHSA-r6q2-hw4h-h46w", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-23950|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qffp-2rhf-9h96", "level": "error", "message": {"text": "tar: GHSA-qffp-2rhf-9h96"}, "properties": {"repobilityId": 78615, "scanner": "osv-scanner", "fingerprint": "0cadc968d5f09288d0f7e175f9e57c30558d40af97a63675a0cdc5aac733c050", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", 
"verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-29786"], "package": "tar", "rule_id": "GHSA-qffp-2rhf-9h96", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-29786|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9ppj-qmqm-q256", "level": "error", "message": {"text": "tar: GHSA-9ppj-qmqm-q256"}, "properties": {"repobilityId": 78614, "scanner": "osv-scanner", "fingerprint": "be8780a0a337b6985f59beb6a9f4e6b68128dc76f9275db9e1b8b2c403e73a5f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-31802"], "package": "tar", "rule_id": "GHSA-9ppj-qmqm-q256", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-31802|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8qq5-rm4j-mr97", "level": "error", "message": {"text": "tar: GHSA-8qq5-rm4j-mr97"}, "properties": {"repobilityId": 78613, "scanner": "osv-scanner", "fingerprint": "2abe8462acdc01bfb64182b348b938234ee8eb1feef4654aa599072f3d832a43", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-23745"], "package": "tar", "rule_id": "GHSA-8qq5-rm4j-mr97", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-23745|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-83g3-92jg-28cx", "level": "error", "message": {"text": "tar: GHSA-83g3-92jg-28cx"}, "properties": {"repobilityId": 78612, "scanner": "osv-scanner", "fingerprint": 
"8871680d469755dbb1f4b307b09f46b798a88f8175f3caace198cbfab90a9031", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-26960"], "package": "tar", "rule_id": "GHSA-83g3-92jg-28cx", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-26960|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-34x7-hfp2-rc4v", "level": "error", "message": {"text": "tar: GHSA-34x7-hfp2-rc4v"}, "properties": {"repobilityId": 78611, "scanner": "osv-scanner", "fingerprint": "827b1e133b1d1fae4bbe3a6bec8b3421b9bdabd2fca4b92f5a0562718d9eabf3", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-24842"], "package": "tar", "rule_id": "GHSA-34x7-hfp2-rc4v", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-24842|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-677m-j7p3-52f9", "level": "error", "message": {"text": "socket.io-parser: GHSA-677m-j7p3-52f9"}, "properties": {"repobilityId": 78610, "scanner": "osv-scanner", "fingerprint": "27006bae0c86b343ea3189cc4e3939891c3f4b371fd79c7cea3cd4f8e609cb38", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33151"], "package": "socket.io-parser", "rule_id": "GHSA-677m-j7p3-52f9", "scanner": "osv-scanner", "correlation_key": "vuln|socket.io-parser|CVE-2026-33151|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": 
"GHSA-5c6j-r48x-rmvq", "level": "error", "message": {"text": "serialize-javascript: GHSA-5c6j-r48x-rmvq"}, "properties": {"repobilityId": 78608, "scanner": "osv-scanner", "fingerprint": "7f2d30dd9b8a0eda6d87deac04527ff692eca0ea143a54f9b4184ad2b283ffa3", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "serialize-javascript", "rule_id": "GHSA-5c6j-r48x-rmvq", "scanner": "osv-scanner", "correlation_key": "vuln|serialize-javascript|GHSA-5C6J-R48X-RMVQ|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mw96-cpmx-2vgc", "level": "error", "message": {"text": "rollup: GHSA-mw96-cpmx-2vgc"}, "properties": {"repobilityId": 78607, "scanner": "osv-scanner", "fingerprint": "45eb15dbc950ecc73cdbba5f5c1bf13da272afb36602ddfcb04a26485063e743", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27606"], "package": "rollup", "rule_id": "GHSA-mw96-cpmx-2vgc", "scanner": "osv-scanner", "correlation_key": "vuln|rollup|CVE-2026-27606|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c2c7-rcm5-vvqj", "level": "error", "message": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "properties": {"repobilityId": 78603, "scanner": "osv-scanner", "fingerprint": "3cd93794643bff3fd4328203c06c842a2d7c54c53b7a77b0e6bc61b44cf4e561", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33671"], "package": "picomatch", "rule_id": "GHSA-c2c7-rcm5-vvqj", "scanner": "osv-scanner", "correlation_key": 
"vuln|picomatch|CVE-2026-33671|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-37ch-88jc-xwx2", "level": "error", "message": {"text": "path-to-regexp: GHSA-37ch-88jc-xwx2"}, "properties": {"repobilityId": 78601, "scanner": "osv-scanner", "fingerprint": "0553c735e6885cddd69fe125815eaa685a866283e1d2919fec632afa55cb94a7", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4867"], "package": "path-to-regexp", "rule_id": "GHSA-37ch-88jc-xwx2", "scanner": "osv-scanner", "correlation_key": "vuln|path-to-regexp|CVE-2026-4867|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q67f-28xg-22rw", "level": "error", "message": {"text": "node-forge: GHSA-q67f-28xg-22rw"}, "properties": {"repobilityId": 78599, "scanner": "osv-scanner", "fingerprint": "fdb04ce43ba71d52990eaf717554b031ed0dd534075f79e3fd2989e6616cc8a6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33895"], "package": "node-forge", "rule_id": "GHSA-q67f-28xg-22rw", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2026-33895|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-ppp5-5v6c-4jwp", "level": "error", "message": {"text": "node-forge: GHSA-ppp5-5v6c-4jwp"}, "properties": {"repobilityId": 78598, "scanner": "osv-scanner", "fingerprint": "e2442db9c881e288c61856c4c232148baaba28d5873908677833469480ead93e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", 
"isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33894"], "package": "node-forge", "rule_id": "GHSA-ppp5-5v6c-4jwp", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2026-33894|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5m6q-g25r-mvwx", "level": "error", "message": {"text": "node-forge: GHSA-5m6q-g25r-mvwx"}, "properties": {"repobilityId": 78596, "scanner": "osv-scanner", "fingerprint": "5221fba3cfbea0a987adcb0df92157aeb212d115ff461bb7b51188b3df375991", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33891"], "package": "node-forge", "rule_id": "GHSA-5m6q-g25r-mvwx", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2026-33891|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5gfm-wpxj-wjgq", "level": "error", "message": {"text": "node-forge: GHSA-5gfm-wpxj-wjgq"}, "properties": {"repobilityId": 78595, "scanner": "osv-scanner", "fingerprint": "86d5a3e14e585b522cc03f4caacba15d57f222b3869d82c1c808cc97e2d9ed4d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-12816"], "package": "node-forge", "rule_id": "GHSA-5gfm-wpxj-wjgq", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2025-12816|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-554w-wpv2-vw27", "level": "error", "message": {"text": "node-forge: GHSA-554w-wpv2-vw27"}, "properties": {"repobilityId": 78594, "scanner": "osv-scanner", 
"fingerprint": "699e24a9a0d3f4a36a78db264371b8eab314e07d23959d64c61488d2aa0de14c", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-66031"], "package": "node-forge", "rule_id": "GHSA-554w-wpv2-vw27", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2025-66031|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2328-f5f3-gj25", "level": "error", "message": {"text": "node-forge: GHSA-2328-f5f3-gj25"}, "properties": {"repobilityId": 78593, "scanner": "osv-scanner", "fingerprint": "87e656f76b46a65b335374ceca974578eb42fa7ca15aa3ea0392c3dbbe33badb", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33896"], "package": "node-forge", "rule_id": "GHSA-2328-f5f3-gj25", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2026-33896|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7r86-cg39-jmmj", "level": "error", "message": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "properties": {"repobilityId": 78592, "scanner": "osv-scanner", "fingerprint": "eefef250e5a6e239df447b5946f207cdb0dd68151255b2332fb8ba8f476755c1", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27903"], "package": "minimatch", "rule_id": "GHSA-7r86-cg39-jmmj", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27903|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 
1}}}]}, {"ruleId": "GHSA-3ppc-4f35-3m26", "level": "error", "message": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "properties": {"repobilityId": 78591, "scanner": "osv-scanner", "fingerprint": "51db4fe99f02113d5057e54849a1514660f72202efa765a619a8195e282ff31f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-26996"], "package": "minimatch", "rule_id": "GHSA-3ppc-4f35-3m26", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-26996|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-23c5-xmqv-rm74", "level": "error", "message": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "properties": {"repobilityId": 78590, "scanner": "osv-scanner", "fingerprint": "f4f398661d95064420cba5942b7bc163815b09d09751c05f0247afa0ed407b54", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27904"], "package": "minimatch", "rule_id": "GHSA-23c5-xmqv-rm74", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27904|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r5fr-rjxr-66jc", "level": "error", "message": {"text": "lodash: GHSA-r5fr-rjxr-66jc"}, "properties": {"repobilityId": 78588, "scanner": "osv-scanner", "fingerprint": "069f9bb4f0a38c36ca2992b2ffe11f999b2e5befc1dec86319fea7bbf65a679b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4800"], "package": "lodash", "rule_id": "GHSA-r5fr-rjxr-66jc", "scanner": "osv-scanner", 
"correlation_key": "vuln|lodash|CVE-2026-4800|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5j98-mcp5-4vw2", "level": "error", "message": {"text": "glob: GHSA-5j98-mcp5-4vw2"}, "properties": {"repobilityId": 78584, "scanner": "osv-scanner", "fingerprint": "eb490bd1b89973ff050f29fea98c6d9f88110605102c7a249218d08c2cfd6d73", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-64756"], "package": "glob", "rule_id": "GHSA-5j98-mcp5-4vw2", "scanner": "osv-scanner", "correlation_key": "vuln|glob|CVE-2025-64756|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4c3q-x735-j3r5", "level": "error", "message": {"text": "compressing: GHSA-4c3q-x735-j3r5"}, "properties": {"repobilityId": 78581, "scanner": "osv-scanner", "fingerprint": "496f13fe959546331dad472c82acecc16347a9e3c8099419bbda7e5ba6b1d6be", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-40931"], "package": "compressing", "rule_id": "GHSA-4c3q-x735-j3r5", "scanner": "osv-scanner", "correlation_key": "vuln|compressing|CVE-2026-24884|package-lock.json", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-4c3q-x735-j3r5", "GHSA-cc8f-xg8v-72m3"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["496f13fe959546331dad472c82acecc16347a9e3c8099419bbda7e5ba6b1d6be", "96f332be22216004f0b0fbdd5652c69129707de45e616e073c383a79ab5b5962"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, 
{"ruleId": "GHSA-rpmf-866q-6p89", "level": "error", "message": {"text": "basic-ftp: GHSA-rpmf-866q-6p89"}, "properties": {"repobilityId": 78579, "scanner": "osv-scanner", "fingerprint": "0ac6731d638ce81d00e122a556a1b9bbc4348aabfb5343bffc8c32fd58d7e023", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44240"], "package": "basic-ftp", "rule_id": "GHSA-rpmf-866q-6p89", "scanner": "osv-scanner", "correlation_key": "vuln|basic-ftp|CVE-2026-44240|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rp42-5vxx-qpwr", "level": "error", "message": {"text": "basic-ftp: GHSA-rp42-5vxx-qpwr"}, "properties": {"repobilityId": 78578, "scanner": "osv-scanner", "fingerprint": "0c9fb19e1cd5df58df27b944a7d040ac9d0b9365aad61e92782d2b63ff5b5787", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41324"], "package": "basic-ftp", "rule_id": "GHSA-rp42-5vxx-qpwr", "scanner": "osv-scanner", "correlation_key": "vuln|basic-ftp|CVE-2026-41324|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6v7q-wjvx-w8wg", "level": "error", "message": {"text": "basic-ftp: GHSA-6v7q-wjvx-w8wg"}, "properties": {"repobilityId": 78577, "scanner": "osv-scanner", "fingerprint": "537b00f3adec9d006c42ad6ff2331a26cc1e97534e6adc05cf952997a24ba722", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "basic-ftp", "rule_id": "GHSA-6v7q-wjvx-w8wg", "scanner": "osv-scanner", "correlation_key": 
"vuln|basic-ftp|GHSA-6V7Q-WJVX-W8WG|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q8qp-cvcw-x6jj", "level": "error", "message": {"text": "axios: GHSA-q8qp-cvcw-x6jj"}, "properties": {"repobilityId": 78571, "scanner": "osv-scanner", "fingerprint": "227360aed11ec8bdb889d76e79a95312b59f3197640206e03d2f2bf06a607670", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42264"], "package": "axios", "rule_id": "GHSA-q8qp-cvcw-x6jj", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42264|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-pf86-5x62-jrwf", "level": "error", "message": {"text": "axios: GHSA-pf86-5x62-jrwf"}, "properties": {"repobilityId": 78570, "scanner": "osv-scanner", "fingerprint": "85231d16fa0670b64ae9f8132cf7c08e1fdfbd3e2d0d6d52e3b4f18fcf41140d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42033"], "package": "axios", "rule_id": "GHSA-pf86-5x62-jrwf", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42033|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-p92q-9vqr-4j8v", "level": "error", "message": {"text": "axios: GHSA-p92q-9vqr-4j8v"}, "properties": {"repobilityId": 78569, "scanner": "osv-scanner", "fingerprint": "db661ef3efd6ae15f09e8cb75e1d440d922b39de4793cfc737ed0754eca534ab", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", 
"evidence": {"match": "", "aliases": ["CVE-2026-44487"], "package": "axios", "rule_id": "GHSA-p92q-9vqr-4j8v", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44487|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-j5f8-grm9-p9fc", "level": "error", "message": {"text": "axios: GHSA-j5f8-grm9-p9fc"}, "properties": {"repobilityId": 78567, "scanner": "osv-scanner", "fingerprint": "ed7033fc0c9299b56ea00c92631f81ed72ec873142f864f792ab8b0cede67c2f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44486"], "package": "axios", "rule_id": "GHSA-j5f8-grm9-p9fc", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44486|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-hfxv-24rg-xrqf", "level": "error", "message": {"text": "axios: GHSA-hfxv-24rg-xrqf"}, "properties": {"repobilityId": 78566, "scanner": "osv-scanner", "fingerprint": "3a1a1d65de131fd423fbc959231b59156b65c45d65668fe2f857f475aba62a80", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44496"], "package": "axios", "rule_id": "GHSA-hfxv-24rg-xrqf", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44496|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-777c-7fjr-54vf", "level": "error", "message": {"text": "axios: GHSA-777c-7fjr-54vf"}, "properties": {"repobilityId": 78563, "scanner": "osv-scanner", "fingerprint": "59a250c97b1e71652419bc7d1715d1574255c84ea0b98401688c8d00b7cdd35b", 
"category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44488"], "package": "axios", "rule_id": "GHSA-777c-7fjr-54vf", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44488|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6chq-wfr3-2hj9", "level": "error", "message": {"text": "axios: GHSA-6chq-wfr3-2hj9"}, "properties": {"repobilityId": 78562, "scanner": "osv-scanner", "fingerprint": "0163353f19ab7429440b05a23b295e76326681ed071d11603964579ea2cf98ca", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42035"], "package": "axios", "rule_id": "GHSA-6chq-wfr3-2hj9", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42035|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-43fc-jf86-j433", "level": "error", "message": {"text": "axios: GHSA-43fc-jf86-j433"}, "properties": {"repobilityId": 78558, "scanner": "osv-scanner", "fingerprint": "1fc3739d30e46cbed4acf7c149d6dabee1314a891de9b2f08484e0b75cc24c6d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-25639"], "package": "axios", "rule_id": "GHSA-43fc-jf86-j433", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-25639|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-pjwm-pj3p-43mv", "level": "error", "message": {"text": "axios: GHSA-pjwm-pj3p-43mv"}, 
"properties": {"repobilityId": 78556, "scanner": "osv-scanner", "fingerprint": "a687f86314a62c9c73eab486dfb458616263bea26dbbefe9cae8473e8efb3071", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-44492"], "package": "axios", "rule_id": "GHSA-pjwm-pj3p-43mv", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2025-62718|package-lock.json", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-3p68-rc4w-qgx5", "GHSA-pjwm-pj3p-43mv", "GHSA-pmwg-cvhr-8vh7"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["249424ea52d1680c90188a3009a5089eca8b7c3d4358b7cb0d9a3ce6eed688cd", "352ef1cd474b601fa456ed0f288719e41b7b4a8bda1ee8fd4003083d6cb57ea4", "a687f86314a62c9c73eab486dfb458616263bea26dbbefe9cae8473e8efb3071"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3g43-6gmg-66jw", "level": "error", "message": {"text": "axios: GHSA-3g43-6gmg-66jw"}, "properties": {"repobilityId": 78555, "scanner": "osv-scanner", "fingerprint": "b5c421280bf74d1ec2fdb6a0fdc96df80fa8eb9206e2916a9891b6414df8b155", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44495"], "package": "axios", "rule_id": "GHSA-3g43-6gmg-66jw", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44495|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-35jp-ww65-95wh", "level": "error", "message": {"text": "axios: GHSA-35jp-ww65-95wh"}, "properties": {"repobilityId": 78554, "scanner": "osv-scanner", "fingerprint": 
"3588119f3e3a3569888076b3b7dda23c8c3a97e0038f21a03c294eba6757dbf6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44494"], "package": "axios", "rule_id": "GHSA-35jp-ww65-95wh", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44494|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-fv7c-fp4j-7gwp", "level": "error", "message": {"text": "@babel/plugin-transform-modules-systemjs: GHSA-fv7c-fp4j-7gwp"}, "properties": {"repobilityId": 78552, "scanner": "osv-scanner", "fingerprint": "ad52739427efbb114a916176e346643bbd15d1155c76f28185e965208050ec44", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44728"], "package": "@babel/plugin-transform-modules-systemjs", "rule_id": "GHSA-fv7c-fp4j-7gwp", "scanner": "osv-scanner", "correlation_key": "vuln|token|CVE-2026-44728|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c2qf-rxjj-qqgw", "level": "error", "message": {"text": "semver: GHSA-c2qf-rxjj-qqgw"}, "properties": {"repobilityId": 78546, "scanner": "osv-scanner", "fingerprint": "2d078efa7718ff7f1c7af4b2beb0be8448fc45475446988ef183cb5515ee9389", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2022-25883"], "package": "semver", "rule_id": "GHSA-c2qf-rxjj-qqgw", "scanner": "osv-scanner", "correlation_key": "vuln|semver|CVE-2022-25883|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"examples/create-react-app-example/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mw96-cpmx-2vgc", "level": "error", "message": {"text": "rollup: GHSA-mw96-cpmx-2vgc"}, "properties": {"repobilityId": 78545, "scanner": "osv-scanner", "fingerprint": "b77fccc90b83dbc4c313ed06dc2a5523877f13e5c6262236c31391b4bc2e701b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27606"], "package": "rollup", "rule_id": "GHSA-mw96-cpmx-2vgc", "scanner": "osv-scanner", "correlation_key": "vuln|rollup|CVE-2026-27606|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/create-react-app-example/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-gcx4-mw62-g8wm", "level": "error", "message": {"text": "rollup: GHSA-gcx4-mw62-g8wm"}, "properties": {"repobilityId": 78544, "scanner": "osv-scanner", "fingerprint": "1e89aacfae760e261cdc3b8587fdf7834fff1895978dc610e01af0142e5d1aa0", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-47068"], "package": "rollup", "rule_id": "GHSA-gcx4-mw62-g8wm", "scanner": "osv-scanner", "correlation_key": "vuln|rollup|CVE-2024-47068|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/create-react-app-example/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rp65-9cf3-cjxr", "level": "error", "message": {"text": "nth-check: GHSA-rp65-9cf3-cjxr"}, "properties": {"repobilityId": 78543, "scanner": "osv-scanner", "fingerprint": "fe7ae107ad73b3e803595824678431a59ab008e9e407afd1036c01cc7fe95350", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2021-3803"], "package": 
"nth-check", "rule_id": "GHSA-rp65-9cf3-cjxr", "scanner": "osv-scanner", "correlation_key": "vuln|nth-check|CVE-2021-3803|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/create-react-app-example/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-wr3j-pwj9-hqq6", "level": "error", "message": {"text": "webpack-dev-middleware: GHSA-wr3j-pwj9-hqq6"}, "properties": {"repobilityId": 78532, "scanner": "osv-scanner", "fingerprint": "7eb9f05a1e78570ae55762a1560ee0359f740c012e09cd541002d7f7fc102fa6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2024-29180"], "package": "webpack-dev-middleware", "rule_id": "GHSA-wr3j-pwj9-hqq6", "scanner": "osv-scanner", "correlation_key": "vuln|webpack-dev-middleware|CVE-2024-29180|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-wr3j-pwj9-hqq6"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["70ea35d36c170a458c8b631ff1ea95f0999924b1e7d7c23afa4f9a32f055e860", "7eb9f05a1e78570ae55762a1560ee0359f740c012e09cd541002d7f7fc102fa6"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-crud-application/vue-client/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xpqw-6gx7-v673", "level": "error", "message": {"text": "svgo: GHSA-xpqw-6gx7-v673"}, "properties": {"repobilityId": 78527, "scanner": "osv-scanner", "fingerprint": "195c83a0b5cc3a30c791e21a9a43ffc6101daa64120e0417126c1875b47fe690", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-29074"], "package": "svgo", "rule_id": "GHSA-xpqw-6gx7-v673", "scanner": "osv-scanner", 
"correlation_key": "vuln|svgo|CVE-2026-29074|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-xpqw-6gx7-v673"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["195c83a0b5cc3a30c791e21a9a43ffc6101daa64120e0417126c1875b47fe690", "c41a69cca6d65d33a793ebf7bf8033b1870ac69a1f387d68792b04865fda1b98"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-crud-application/vue-client/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rhx6-c78j-4q9w", "level": "error", "message": {"text": "path-to-regexp: GHSA-rhx6-c78j-4q9w"}, "properties": {"repobilityId": 78522, "scanner": "osv-scanner", "fingerprint": "fb73ab4fd95bd2686bc87ee3fb9fb100e2ae7dda1cf9e6b43ac2fc17f84d15a4", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2024-52798"], "package": "path-to-regexp", "rule_id": "GHSA-rhx6-c78j-4q9w", "scanner": "osv-scanner", "correlation_key": "vuln|path-to-regexp|CVE-2024-52798|token", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-rhx6-c78j-4q9w"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["64bf642046977f17c58e895a576fcf1dcb0f4867abbcdf0f23cfa1411a7b5807", "b793f410444f3d384b04775c75e4798c0b74304d6e687be8f1bcf995086982c4", "fb73ab4fd95bd2686bc87ee3fb9fb100e2ae7dda1cf9e6b43ac2fc17f84d15a4"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-crud-application/vue-client/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9wv6-86v2-598j", "level": "error", "message": {"text": "path-to-regexp: GHSA-9wv6-86v2-598j"}, "properties": {"repobilityId": 78521, "scanner": "osv-scanner", "fingerprint": "3b29b933b325844c197a9e11db897bd44bd2962de26f68c778077cad7f4132a2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", 
"verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2024-45296"], "package": "path-to-regexp", "rule_id": "GHSA-9wv6-86v2-598j", "scanner": "osv-scanner", "correlation_key": "vuln|path-to-regexp|CVE-2024-45296|token", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-9wv6-86v2-598j"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["302bcd2ad7510c25adaca4cfa6fe5b43e97a3789432cd85def970f20e7837468", "3b29b933b325844c197a9e11db897bd44bd2962de26f68c778077cad7f4132a2", "7231f0b8432c3973e4a12dc8d26130cade1937fbacb36a30c07652d55a0db546"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-crud-application/vue-client/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-37ch-88jc-xwx2", "level": "error", "message": {"text": "path-to-regexp: GHSA-37ch-88jc-xwx2"}, "properties": {"repobilityId": 78520, "scanner": "osv-scanner", "fingerprint": "9368a14ce02085a4af3284cc367b3de500b789cb7fcec71f03a8c96700f7f649", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-4867"], "package": "path-to-regexp", "rule_id": "GHSA-37ch-88jc-xwx2", "scanner": "osv-scanner", "correlation_key": "vuln|path-to-regexp|CVE-2026-4867|token", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-37ch-88jc-xwx2"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["9368a14ce02085a4af3284cc367b3de500b789cb7fcec71f03a8c96700f7f649", "da92478138dc2b9ca9bf77561e177ebf5cb4f9cafe985180c30c2e751f3a9ca5", "f746097b9beb96c89d8828c71d5dc2f6e943761c0180ebbc4ca3037a95b68501"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-crud-application/vue-client/yarn.lock"}, "region": {"startLine": 1}}}]}, 
{"ruleId": "GHSA-q67f-28xg-22rw", "level": "error", "message": {"text": "node-forge: GHSA-q67f-28xg-22rw"}, "properties": {"repobilityId": 78519, "scanner": "osv-scanner", "fingerprint": "464b9840e894907cba0219d3f35c2b96bede29d900571689b22423372e245c07", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-33895"], "package": "node-forge", "rule_id": "GHSA-q67f-28xg-22rw", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2026-33895|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-q67f-28xg-22rw"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["464b9840e894907cba0219d3f35c2b96bede29d900571689b22423372e245c07", "f09b9f9aceb5a43eff98c346283605a456ca1e4f2784f78a0e2f274337ae606b"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-crud-application/vue-client/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-ppp5-5v6c-4jwp", "level": "error", "message": {"text": "node-forge: GHSA-ppp5-5v6c-4jwp"}, "properties": {"repobilityId": 78518, "scanner": "osv-scanner", "fingerprint": "ea371d16782edc8421892c2696d19198402fc01a2c23d432d1121bc84e4fc960", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-33894"], "package": "node-forge", "rule_id": "GHSA-ppp5-5v6c-4jwp", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2026-33894|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-ppp5-5v6c-4jwp"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["0b74492ef90c88fc680086c071d3626cad1283bc299703870649895d334d4e4f", 
"ea371d16782edc8421892c2696d19198402fc01a2c23d432d1121bc84e4fc960"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-crud-application/vue-client/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5m6q-g25r-mvwx", "level": "error", "message": {"text": "node-forge: GHSA-5m6q-g25r-mvwx"}, "properties": {"repobilityId": 78516, "scanner": "osv-scanner", "fingerprint": "5f4642dd4fd4c617075d43c58ce86bd495d3043504febbc7aa5e8955368e6969", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-33891"], "package": "node-forge", "rule_id": "GHSA-5m6q-g25r-mvwx", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2026-33891|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-5m6q-g25r-mvwx"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["5f4642dd4fd4c617075d43c58ce86bd495d3043504febbc7aa5e8955368e6969", "b76d1e45643da774913151bc52b7508d1c96ac0146e3a008368523fdf2e3a022"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-crud-application/vue-client/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5gfm-wpxj-wjgq", "level": "error", "message": {"text": "node-forge: GHSA-5gfm-wpxj-wjgq"}, "properties": {"repobilityId": 78515, "scanner": "osv-scanner", "fingerprint": "6d533fd864520925d5edce9d3e339c9ab62e1c7a04a91a793290b0766e086a10", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-12816"], "package": "node-forge", "rule_id": "GHSA-5gfm-wpxj-wjgq", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2025-12816|token", "duplicate_count": 
1, "duplicate_rule_ids": ["GHSA-5gfm-wpxj-wjgq"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["6b7ae221e4895139c9bf1082042a7a055154712d715c1e66abd12422af2ffe20", "6d533fd864520925d5edce9d3e339c9ab62e1c7a04a91a793290b0766e086a10"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-crud-application/vue-client/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-554w-wpv2-vw27", "level": "error", "message": {"text": "node-forge: GHSA-554w-wpv2-vw27"}, "properties": {"repobilityId": 78514, "scanner": "osv-scanner", "fingerprint": "938a2bb544a8525f15dce846de10eedde33f8eaa8c98652e1c74ced4d81d6c85", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-66031"], "package": "node-forge", "rule_id": "GHSA-554w-wpv2-vw27", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2025-66031|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-554w-wpv2-vw27"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["7efd5ca7ec6795b3d5a0cef87bb899fd81c16d5f431e466ae6bf7ab9ccc022d3", "938a2bb544a8525f15dce846de10eedde33f8eaa8c98652e1c74ced4d81d6c85"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-crud-application/vue-client/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2328-f5f3-gj25", "level": "error", "message": {"text": "node-forge: GHSA-2328-f5f3-gj25"}, "properties": {"repobilityId": 78513, "scanner": "osv-scanner", "fingerprint": "5b1acd4b47922964f67eded6b70302c12f31abcfe7916d806f616bad1c0b0873", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", 
"aliases": ["CVE-2026-33896"], "package": "node-forge", "rule_id": "GHSA-2328-f5f3-gj25", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2026-33896|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-2328-f5f3-gj25"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["52da27c808c0d886cc38f97755b6772e212115775c3ed8b21a6c759468d15a6d", "5b1acd4b47922964f67eded6b70302c12f31abcfe7916d806f616bad1c0b0873"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-crud-application/vue-client/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c27g-q93r-2cwf", "level": "error", "message": {"text": "launch-editor: GHSA-c27g-q93r-2cwf"}, "properties": {"repobilityId": 78512, "scanner": "osv-scanner", "fingerprint": "f4e6790675bdd49dd44f40a99f07cd2c5439e849e0596c36d0065dfe23b0f7f4", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-52011"], "package": "launch-editor", "rule_id": "GHSA-c27g-q93r-2cwf", "scanner": "osv-scanner", "correlation_key": "vuln|launch-editor|CVE-2024-52011|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-crud-application/vue-client/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c7qv-q95q-8v27", "level": "error", "message": {"text": "http-proxy-middleware: GHSA-c7qv-q95q-8v27"}, "properties": {"repobilityId": 78511, "scanner": "osv-scanner", "fingerprint": "d1d247e4d2a825cc7ee6b2f807656582635e43d3fa0c7a6f8fe411e9957b0267", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2024-21536"], "package": "http-proxy-middleware", "rule_id": "GHSA-c7qv-q95q-8v27", "scanner": "osv-scanner", 
"correlation_key": "vuln|http-proxy-middleware|CVE-2024-21536|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-c7qv-q95q-8v27"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["d1d247e4d2a825cc7ee6b2f807656582635e43d3fa0c7a6f8fe411e9957b0267", "d78fe98e2afb9d3cbe9dfe240cb9f9eb09b1631dfe48e5eed5439967ff8bf400"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-crud-application/vue-client/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qwcr-r2fm-qrc7", "level": "error", "message": {"text": "body-parser: GHSA-qwcr-r2fm-qrc7"}, "properties": {"repobilityId": 78502, "scanner": "osv-scanner", "fingerprint": "1077253651f946091235e339b261ca43e2880eab375a093dcd35c1ba588f0fa3", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2024-45590"], "package": "body-parser", "rule_id": "GHSA-qwcr-r2fm-qrc7", "scanner": "osv-scanner", "correlation_key": "vuln|body-parser|CVE-2024-45590|token", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-qwcr-r2fm-qrc7"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["1077253651f946091235e339b261ca43e2880eab375a093dcd35c1ba588f0fa3", "c2d63b375edbabf6da68080434e9e8231d8b5209799c68cc4b251ce1c6ac6cd4", "d8297b28c3d0671d7b0bfe0b1aba1ca165bb09695b88d33dc0c69e83834cdc95"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-crud-application/vue-client/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3h5v-q93c-6h6q", "level": "error", "message": {"text": "ws: GHSA-3h5v-q93c-6h6q"}, "properties": {"repobilityId": 78499, "scanner": "osv-scanner", "fingerprint": "b3d38f5cd5d15711b6b5f818306b9405b8c69a4105de9680f013d59abe2bcb71", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", 
"verdict": "", "isResolved": false, "reason": "Collapsed 4 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2024-37890"], "package": "ws", "rule_id": "GHSA-3h5v-q93c-6h6q", "scanner": "osv-scanner", "correlation_key": "vuln|ws|CVE-2024-37890|token", "duplicate_count": 4, "duplicate_rule_ids": ["GHSA-3h5v-q93c-6h6q"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["351da1e990e74c3f819e32bdf97c8dded832baceeeece51943a8b6a34ff5d4ec", "5cb8291711afc960849cbe98cbe312db3f9151ca641d93e15b435b2fba6b1612", "5d029e60ae1af9953c34486234552b2dc8b2db65ce79463c9cf84a04641efdc7", "7e8eceb1a25b996504397c74d800a65d9b0e0d3ad69b1c2cb0778ed80c233331", "b3d38f5cd5d15711b6b5f818306b9405b8c69a4105de9680f013d59abe2bcb71"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ReactNativeExample/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-677m-j7p3-52f9", "level": "error", "message": {"text": "socket.io-parser: GHSA-677m-j7p3-52f9"}, "properties": {"repobilityId": 78498, "scanner": "osv-scanner", "fingerprint": "efb5e91c4d81b4924d61ff1b9b983f9882cf2963373960679cd4337a12ff7166", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-33151"], "package": "socket.io-parser", "rule_id": "GHSA-677m-j7p3-52f9", "scanner": "osv-scanner", "correlation_key": "vuln|socket.io-parser|CVE-2026-33151|token", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-677m-j7p3-52f9"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["6d587c2d49f6aa28fb2790c8fc5e3e1105771822e451459d36fa91aa8ba92a32", "e2ef5f57bcc8a4291282c059f16aac9847bdf6c6a24b5539ed36b92d56775910", "efb5e91c4d81b4924d61ff1b9b983f9882cf2963373960679cd4337a12ff7166"]}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "examples/ReactNativeExample/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r5fr-rjxr-66jc", "level": "error", "message": {"text": "lodash: GHSA-r5fr-rjxr-66jc"}, "properties": {"repobilityId": 78492, "scanner": "osv-scanner", "fingerprint": "39adbca326d5cbd63c1b465ba52a644c0013b5e43a25b7529336f9705fbd72f1", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-4800"], "package": "lodash", "rule_id": "GHSA-r5fr-rjxr-66jc", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2026-4800|token", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-r5fr-rjxr-66jc"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["39adbca326d5cbd63c1b465ba52a644c0013b5e43a25b7529336f9705fbd72f1", "3b3992f6f7338b1f2b05f816b55ced71950ad8fab22b3180d9de105b013b21f5", "d6dc80331c7fdaf075ea42e7297365ede03ab4634cb363313673d60bc65a20d7"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ReactNativeExample/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-m5qc-5hw7-8vg7", "level": "error", "message": {"text": "image-size: GHSA-m5qc-5hw7-8vg7"}, "properties": {"repobilityId": 78490, "scanner": "osv-scanner", "fingerprint": "5689dcfc0a340b56ebcbc277627524db5258e55cc2361184204781bbaf4733f5", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "image-size", "rule_id": "GHSA-m5qc-5hw7-8vg7", "scanner": "osv-scanner", "correlation_key": "vuln|image-size|GHSA-M5QC-5HW7-8VG7|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ReactNativeExample/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rf6f-7fwh-wjgh", "level": "error", 
"message": {"text": "flatted: GHSA-rf6f-7fwh-wjgh"}, "properties": {"repobilityId": 78489, "scanner": "osv-scanner", "fingerprint": "24b52d8a3b6824115972a69902e956718bba8eb59f50810e48984ac41c4043a0", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-33228"], "package": "flatted", "rule_id": "GHSA-rf6f-7fwh-wjgh", "scanner": "osv-scanner", "correlation_key": "vuln|flatted|CVE-2026-33228|token", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-rf6f-7fwh-wjgh"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["24b52d8a3b6824115972a69902e956718bba8eb59f50810e48984ac41c4043a0", "91b158723b0f79391089e4a6d915653fabb47c5a7a8721e46fcd032d014d091a", "a8dcfd13374937a41f187b6091df4c6cfd76c271216296e6ef144f312e0dda17"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ReactNativeExample/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-25h7-pfq9-p65f", "level": "error", "message": {"text": "flatted: GHSA-25h7-pfq9-p65f"}, "properties": {"repobilityId": 78488, "scanner": "osv-scanner", "fingerprint": "8cc7f8f1a5e2b1937f44e91ed5e6e8e526dc6624218e71392f5dbd20b1f0bb1d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-32141"], "package": "flatted", "rule_id": "GHSA-25h7-pfq9-p65f", "scanner": "osv-scanner", "correlation_key": "vuln|flatted|CVE-2026-32141|token", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-25h7-pfq9-p65f"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["43ca8737f659385a65cf8cfec63e761d4166f32693a345ede68fcf050177e0b0", 
"7b6e9c7b118b29c390c130c13c8ba6113638b9b7a2df5b06f382a265fcb27561", "8cc7f8f1a5e2b1937f44e91ed5e6e8e526dc6624218e71392f5dbd20b1f0bb1d"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ReactNativeExample/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mpg4-rc92-vx8v", "level": "error", "message": {"text": "fast-xml-parser: GHSA-mpg4-rc92-vx8v"}, "properties": {"repobilityId": 78487, "scanner": "osv-scanner", "fingerprint": "fccc08001ea5e1e95a702b19821157a8f4e1ee3d4a7296cad70cef929696c8a5", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-41818"], "package": "fast-xml-parser", "rule_id": "GHSA-mpg4-rc92-vx8v", "scanner": "osv-scanner", "correlation_key": "vuln|fast-xml-parser|CVE-2024-41818|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ReactNativeExample/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8gc5-j5rx-235r", "level": "error", "message": {"text": "fast-xml-parser: GHSA-8gc5-j5rx-235r"}, "properties": {"repobilityId": 78482, "scanner": "osv-scanner", "fingerprint": "99f684013203a4d9add33b131f8e30dd206131e1857c314cfc5e6ffc703c2338", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-33036"], "package": "fast-xml-parser", "rule_id": "GHSA-8gc5-j5rx-235r", "scanner": "osv-scanner", "correlation_key": "vuln|fast-xml-parser|CVE-2026-26278|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-8gc5-j5rx-235r", "GHSA-jmr7-xgp7-cmfj"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["99f684013203a4d9add33b131f8e30dd206131e1857c314cfc5e6ffc703c2338", 
"cc8f8a57f71979e7fef3decc617ed9a9ac3977f7f535a640ec900c5af114c175"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ReactNativeExample/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3xgq-45jj-v275", "level": "error", "message": {"text": "cross-spawn: GHSA-3xgq-45jj-v275"}, "properties": {"repobilityId": 78481, "scanner": "osv-scanner", "fingerprint": "a99fc68cc04dce0330837c57ce228b13b62be6fb0f7016979daa02101470f6d2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2024-21538"], "package": "cross-spawn", "rule_id": "GHSA-3xgq-45jj-v275", "scanner": "osv-scanner", "correlation_key": "vuln|cross-spawn|CVE-2024-21538|token", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-3xgq-45jj-v275"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["43926aae60cc166333449441ac7877f3d5d2de72fb3d64d408954765a934c5f1", "a99fc68cc04dce0330837c57ce228b13b62be6fb0f7016979daa02101470f6d2", "eb00e92e14cd96e79e8ebd069f04a30004cceb0b9d42841dc686d8d1616f94b1"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ReactNativeExample/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-fv7c-fp4j-7gwp", "level": "error", "message": {"text": "@babel/plugin-transform-modules-systemjs: GHSA-fv7c-fp4j-7gwp"}, "properties": {"repobilityId": 78478, "scanner": "osv-scanner", "fingerprint": "c7e266f3a0a4541b471ca07228c386f209ccae8f7c14b90617a7017452043790", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-44728"], "package": "@babel/plugin-transform-modules-systemjs", "rule_id": "GHSA-fv7c-fp4j-7gwp", 
"scanner": "osv-scanner", "correlation_key": "vuln|token|CVE-2026-44728|token", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-fv7c-fp4j-7gwp"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["789fff948bebb88ab11f306418b5c0d0ee70c6c2606c150664e9434037f3d733", "c7e266f3a0a4541b471ca07228c386f209ccae8f7c14b90617a7017452043790", "d5ff462dace0a5a312677505575fc10911d8fb982617d241f19b6537ebd83231"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ReactNativeExample/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5c6j-r48x-rmvq", "level": "error", "message": {"text": "serialize-javascript: GHSA-5c6j-r48x-rmvq"}, "properties": {"repobilityId": 78474, "scanner": "osv-scanner", "fingerprint": "1dd1866098422624ebbd2fc7cd55ccc208ba317f0355aed9964d5984dc9e03d9", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 4 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "package": "serialize-javascript", "rule_id": "GHSA-5c6j-r48x-rmvq", "scanner": "osv-scanner", "correlation_key": "vuln|serialize-javascript|GHSA-5C6J-R48X-RMVQ|token", "duplicate_count": 4, "duplicate_rule_ids": ["GHSA-5c6j-r48x-rmvq"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["1dd1866098422624ebbd2fc7cd55ccc208ba317f0355aed9964d5984dc9e03d9", "89861ab84fffbff5a473d88264d8032d728a7ca4dcc9084b8e6b1126b18714b1", "92ef210eb617879ac4e1a89a72785f483f3385965e17b1ab273ed1fed7579318", "bc2b48110174f54c82c057cdad8f5650ca8e129027a70695e481444a5a83a763", "d59781eecc9e8897434ab5f8b3aadc6d65bb7386e79fe03382e2d6708199e23f"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/engine.io-protocol/v3-test-suite/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c2c7-rcm5-vvqj", "level": "error", "message": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "properties": 
{"repobilityId": 78473, "scanner": "osv-scanner", "fingerprint": "9c40d85a3e2ef17a6209cc193d41e24f95e3d5d56e3a4fb82238fa643c9db97c", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 5 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-33671"], "package": "picomatch", "rule_id": "GHSA-c2c7-rcm5-vvqj", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33671|token", "duplicate_count": 5, "duplicate_rule_ids": ["GHSA-c2c7-rcm5-vvqj"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["18c7ff20ace55be12b3207986721e5643558ff27a55069818bf4758ae5539a3f", "71565bd8b4e7d45f2cf59403223f5a10e4f1b5fb2a98805e90238fc45899c689", "963e7e328a04fd1a278442c3e5ac7d32f0a69e76a8df48efc7de3ae7a060fc70", "9c40d85a3e2ef17a6209cc193d41e24f95e3d5d56e3a4fb82238fa643c9db97c", "c6d4ddfa481a37e4cae8de9893c989409c7bac45d7aed412e2ab0a18da409578", "d4c9136b091b3904bfa65df4f51667f9482eba4edab203f17f79ca51f50ce931"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/engine.io-protocol/v3-test-suite/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f8q6-p94x-37v3", "level": "error", "message": {"text": "minimatch: GHSA-f8q6-p94x-37v3"}, "properties": {"repobilityId": 78469, "scanner": "osv-scanner", "fingerprint": "3304100d6753e2795d33e22c5a13dde4cab36b6e74bb3b08faf82d74f7145e61", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 3 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2022-3517"], "package": "minimatch", "rule_id": "GHSA-f8q6-p94x-37v3", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2022-3517|token", "duplicate_count": 3, "duplicate_rule_ids": ["GHSA-f8q6-p94x-37v3"], "duplicate_scanners": 
["osv-scanner"], "duplicate_fingerprints": ["3304100d6753e2795d33e22c5a13dde4cab36b6e74bb3b08faf82d74f7145e61", "4bf31743d08c6bfbd6165610aad35a0ef08e337f7d1a75a999b8c8fbf6adf488", "aa909a62f6d40efca0f1fd05f181f41cc64439efd6080efc24188a3d879533df", "b4980bf5ecd681df931306f692bc97b90a271f9c11bc82b7f5126922b5e47155"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/engine.io-protocol/v3-test-suite/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7r86-cg39-jmmj", "level": "error", "message": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "properties": {"repobilityId": 78468, "scanner": "osv-scanner", "fingerprint": "d91e45569bb18036472b849ca69299d872d98516a30c6ad1dc3ecbc0e563be05", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 6 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-27903"], "package": "minimatch", "rule_id": "GHSA-7r86-cg39-jmmj", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27903|token", "duplicate_count": 6, "duplicate_rule_ids": ["GHSA-7r86-cg39-jmmj"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["005eaa81da7fe6ac7d2d9141da1c987b179d6fcf6cb5df367cc11c9231fa3212", "10954086961762a50214afd77ab41dfabaeaddedd0164bdb77554835fe8b2856", "223bf93f407c73a7ee88407bde7d27e0ffdab0057ba2a9bbbee9e9eca560831b", "7daf64b38e2663cdce492a0e196c155e00a8221c0c43dede5132d8fdd57b62d5", "ba9d9cc109285fdba2b7dc3e0e5ab57332fd494242828e7a4dc0f42e4a0a696b", "d61fb0e1d89927f21ed559d2c20fb3f88a78733a8450b3a9e0f5f5bf930a3876", "d91e45569bb18036472b849ca69299d872d98516a30c6ad1dc3ecbc0e563be05"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/engine.io-protocol/v3-test-suite/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3ppc-4f35-3m26", "level": "error", "message": {"text": "minimatch: 
GHSA-3ppc-4f35-3m26"}, "properties": {"repobilityId": 78467, "scanner": "osv-scanner", "fingerprint": "45255d551d72bb3eb4ea1668e26d12e80dff9d30cad9921d517e2e77fa223393", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 6 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-26996"], "package": "minimatch", "rule_id": "GHSA-3ppc-4f35-3m26", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-26996|token", "duplicate_count": 6, "duplicate_rule_ids": ["GHSA-3ppc-4f35-3m26"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["175e8f851dff9b2bdee234dd42494b389462e9bf05b6bc3255644e0697ce7309", "45255d551d72bb3eb4ea1668e26d12e80dff9d30cad9921d517e2e77fa223393", "6b52bf25008e07be50da656415fc0045493885027a1f710fcd70b5f357cb7248", "8710c7ab7c53ee77d4e1000e5f8afe7f13068062cf8a2f783b7556a6010af879", "cf5609d5f4627d38f5b4fd99d5e4a783c783bfa47e5b6d9f2837d5ebc9eca650", "d91bb14bc8b66c86a471a76796dcda949245372926b2afa08121dabd000e8198", "ec7d1e8b68ce0ec17a1a2d921dded15e23d6ff877b69e35778e56fad57bf6a18"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/engine.io-protocol/v3-test-suite/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-23c5-xmqv-rm74", "level": "error", "message": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "properties": {"repobilityId": 78466, "scanner": "osv-scanner", "fingerprint": "0a9ac37216313d2563f4133515c3b810c0d4c9f1558b14035a8070d2ff2be8f8", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 6 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-27904"], "package": "minimatch", "rule_id": "GHSA-23c5-xmqv-rm74", "scanner": "osv-scanner", "correlation_key": 
"vuln|minimatch|CVE-2026-27904|token", "duplicate_count": 6, "duplicate_rule_ids": ["GHSA-23c5-xmqv-rm74"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["0a9ac37216313d2563f4133515c3b810c0d4c9f1558b14035a8070d2ff2be8f8", "1bbf7d0c1c826c66543c35b0238dae796670f45037c35e724637ad2039fc13d2", "1de99eddc6b3be8f1cb63584ca0ee51a428fccaadb2bad2a320931d3622ec7bb", "543bdee265cde91e79c6ffd51392926fefb46f15984b3d99c8859d635470509c", "6a87884804404d988c248b2689db97f14f5cb6a999a5367b80917aab0e3390bc", "9eb95efe7c1a4fa01d5972153892cbab25107eabe5ed1c887e483cc830f62087", "c7dec4b080d675705a8a47f48e14c36c47050175b98ca28dff769bb53907e74f"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/engine.io-protocol/v3-test-suite/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4q6p-r6v2-jvc5", "level": "error", "message": {"text": "get-func-name: GHSA-4q6p-r6v2-jvc5"}, "properties": {"repobilityId": 78464, "scanner": "osv-scanner", "fingerprint": "d5647a2af8a627254a0819050e03fc19bb5deff80b493dc816d026c327320387", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2023-43646"], "package": "get-func-name", "rule_id": "GHSA-4q6p-r6v2-jvc5", "scanner": "osv-scanner", "correlation_key": "vuln|get-func-name|CVE-2023-43646|token", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-4q6p-r6v2-jvc5"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["8e3bb3086b6ec548a4e2b6d3d5f1450af1a8aefb123b76e1e69b9772ec7f6119", "c249f24be32097683f048b1295ea1968c4e6f41084652ba925229dc738bf988f", "d5647a2af8a627254a0819050e03fc19bb5deff80b493dc816d026c327320387"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/engine.io-protocol/v3-test-suite/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": 
"GHSA-grv7-fg5c-xmjg", "level": "error", "message": {"text": "braces: GHSA-grv7-fg5c-xmjg"}, "properties": {"repobilityId": 78462, "scanner": "osv-scanner", "fingerprint": "0b9fc9c6ad05132482d06339330fcb106bac7d255f325cfbfe7d30bfdd750ee6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 5 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2024-4068"], "package": "braces", "rule_id": "GHSA-grv7-fg5c-xmjg", "scanner": "osv-scanner", "correlation_key": "vuln|braces|CVE-2024-4068|token", "duplicate_count": 5, "duplicate_rule_ids": ["GHSA-grv7-fg5c-xmjg"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["0b9fc9c6ad05132482d06339330fcb106bac7d255f325cfbfe7d30bfdd750ee6", "56578fab683905f4cf2e2277619534503ff8b719dfb013ed3c9b6357bb1ecc48", "8045ba48db5471fbf51640e61f578d7cf306504abf0d0d3f18fac452669885bf", "8afd89ceb412de402af6b4f6d1513c48fb4a3503ee2e10b2045ef4d49c1e33f7", "bd5e79e3c717d9c34390f2df3295204cb9870f77adb32025a41709f453969f7c", "f3c3332d43304ccf9a130c01651d3b1c01a663b65e973ea8610988c4f0fc316e"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/engine.io-protocol/v3-test-suite/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 78450, "scanner": "repobility-docker", "fingerprint": "76e775078212a2683b2a208b7809e666bac950c542902fa852c32328b75d92f8", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "7000-7005:7000-7005", "target": "7000-7005", "host_ip": "", "published": "7000-7005"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": 
"redis-cluster", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|76e775078212a2683b2a208b7809e666bac950c542902fa852c32328b75d92f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/socket.io-redis-streams-emitter/compose.yaml"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 78447, "scanner": "repobility-docker", "fingerprint": "02b9e7de4c74ce8533da4d1dc3783a9401971ce5139c32c0b7ac247254147678", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "6379:6379", "target": "6379", "host_ip": "", "published": "6379"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|02b9e7de4c74ce8533da4d1dc3783a9401971ce5139c32c0b7ac247254147678"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/socket.io-redis-streams-emitter/compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 78445, "scanner": "repobility-docker", "fingerprint": "db99988b6cc8f819eff262c61b761956023533f9ea51fb579e5c8ad0d8e113e7", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not 
mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|db99988b6cc8f819eff262c61b761956023533f9ea51fb579e5c8ad0d8e113e7", "expected_targets": ["/var/lib/postgresql/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/socket.io-postgres-emitter/compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 78444, "scanner": "repobility-docker", "fingerprint": "e0f7a890f636e1407ea6334f62cc1c5caeed393911a94f8370e55a1611a4c365", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "5432:5432", "target": "5432", "host_ip": "", "published": "5432"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|e0f7a890f636e1407ea6334f62cc1c5caeed393911a94f8370e55a1611a4c365"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/socket.io-postgres-emitter/compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 78440, "scanner": "repobility-docker", "fingerprint": "869c91a4e5e3bd440eb7b7f1d04286bc24174dd46df5c6c738e3e74ca69cb4af", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host 
ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "6379:6379", "target": "6379", "host_ip": "", "published": "6379"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|869c91a4e5e3bd440eb7b7f1d04286bc24174dd46df5c6c738e3e74ca69cb4af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/socket.io-cluster-engine/compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 78437, "scanner": "repobility-docker", "fingerprint": "639c73abdd927a0efb40d11ff0620d88e4de36da11d1474f2f1f8dc2ee90975c", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "6379:6379", "target": "6379", "host_ip": "", "published": "6379"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|639c73abdd927a0efb40d11ff0620d88e4de36da11d1474f2f1f8dc2ee90975c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/private-messaging/server/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 78435, "scanner": "repobility-docker", "fingerprint": 
"4110a46e186f3dc3f0f9d1a3b48897608c173f72af0a2c3430a5908ad4c82945", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|4110a46e186f3dc3f0f9d1a3b48897608c173f72af0a2c3430a5908ad4c82945", "expected_targets": ["/var/lib/postgresql/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/postgres-adapter-example/compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 78434, "scanner": "repobility-docker", "fingerprint": "061cf6f1fadee919dc5cd20dddf5a9a3bc03334d43388a475003010e02aef364", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "5432:5432", "target": "5432", "host_ip": "", "published": "5432"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|061cf6f1fadee919dc5cd20dddf5a9a3bc03334d43388a475003010e02aef364"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/postgres-adapter-example/compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 78389, "scanner": "repobility-docker", "fingerprint": 
"60c666de7d62bd1fe4dec39e23cab86f6508bca184bf81555bd3a0f95c4225f1", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "6379:6379", "target": "6379", "host_ip": "", "published": "6379"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|60c666de7d62bd1fe4dec39e23cab86f6508bca184bf81555bd3a0f95c4225f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-engine-redis/compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 78387, "scanner": "repobility-docker", "fingerprint": "cdb3a4beb0f0c1209ca8a161f0a899ba333f80fb74851407d4d4e96bdc110c7f", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|cdb3a4beb0f0c1209ca8a161f0a899ba333f80fb74851407d4d4e96bdc110c7f", "expected_targets": ["/var/lib/postgresql/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-crud-application/server-postgres-cluster/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 78386, "scanner": 
"repobility-docker", "fingerprint": "3f5f6c9a213cf8f39c3ef2d4a637c2ea8241196b1ff144cae7631ac2930f14af", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "5432:5432", "target": "5432", "host_ip": "", "published": "5432"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|3f5f6c9a213cf8f39c3ef2d4a637c2ea8241196b1ff144cae7631ac2930f14af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-crud-application/server-postgres-cluster/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 78381, "scanner": "repobility-docker", "fingerprint": "7c38ba62579d7ff92feb34d8e01d957edf3a7ccff9fef7fa974ae1399d1ae3a8", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|7c38ba62579d7ff92feb34d8e01d957edf3a7ccff9fef7fa974ae1399d1ae3a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-traefik/server/Dockerfile"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 
78379, "scanner": "repobility-docker", "fingerprint": "22826e4d6209a26d97bc42f19bdf9413eeac1b824ebb46989949f4d47bd8261e", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|22826e4d6209a26d97bc42f19bdf9413eeac1b824ebb46989949f4d47bd8261e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-nginx/server/Dockerfile"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 78377, "scanner": "repobility-docker", "fingerprint": "0145f4c2f4a05810780b344052dfbaab97edcabe73771b9f8cf33466c1c13b3e", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|0145f4c2f4a05810780b344052dfbaab97edcabe73771b9f8cf33466c1c13b3e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-nginx/client/Dockerfile"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 78375, "scanner": "repobility-docker", "fingerprint": "5f9b16b25ed146dd640f0994fa19dd3baf304384f52dddc50321f5db700ac964", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": 
false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|5f9b16b25ed146dd640f0994fa19dd3baf304384f52dddc50321f5db700ac964"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-httpd/server/Dockerfile"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 78372, "scanner": "repobility-docker", "fingerprint": "8ae9200c4d5e68b36e39390002d4e1c6af7f0483d108a2b2574a124c2e750eaa", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|8ae9200c4d5e68b36e39390002d4e1c6af7f0483d108a2b2574a124c2e750eaa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-haproxy/server/Dockerfile"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). 
High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 78364, "scanner": "repobility-threat-engine", "fingerprint": "030f3b4646930add8edae62ba6b0bd00413b8bd4f74eddb7c322788684f27a06", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "app.post(\"/incr\", (req, res) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|030f3b4646930add8edae62ba6b0bd00413b8bd4f74eddb7c322788684f27a06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/express-session-example/ts/index.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). 
High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 78363, "scanner": "repobility-threat-engine", "fingerprint": "a1df6497dcf7ed861766bcb5434d14581acdf75d13e16252b32bee3525cf4b27", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "app.post(\"/incr\", (req, res) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a1df6497dcf7ed861766bcb5434d14581acdf75d13e16252b32bee3525cf4b27"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/express-session-example/esm/index.js"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). 
High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 78362, "scanner": "repobility-threat-engine", "fingerprint": "2559b8dfd1cb0be834d12804d3bdbe08a93a6fa612d665efd51db3eb0df3b304", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "app.post(\"/incr\", (req, res) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2559b8dfd1cb0be834d12804d3bdbe08a93a6fa612d665efd51db3eb0df3b304"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/express-session-example/cjs/index.js"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 78361, "scanner": "repobility-threat-engine", "fingerprint": "b6d9758acdf73a8059cfe0eb272bb70f5d05ef3ef4acea8efc22c54e9e05f1a8", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b6d9758acdf73a8059cfe0eb272bb70f5d05ef3ef4acea8efc22c54e9e05f1a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/create-react-app-example/src/serviceWorker.js"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "Binary file `examples/ReactNativeExample/android/gradle/wrapper/gradle-wrapper.jar` committed in source repo"}, "properties": {"repobilityId": 78326, "scanner": "repobility-supply-chain", "fingerprint": "fc4b60d08f6cf576ff59188cb036498667044303f750e490be8e69c1b1b8ecd6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fc4b60d08f6cf576ff59188cb036498667044303f750e490be8e69c1b1b8ecd6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ReactNativeExample/android/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 78325, "scanner": "repobility-supply-chain", "fingerprint": 
"90078d53ec0329e1a7f216cd018aa8f22fa9dd3ce4610105963a70dabc978845", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|90078d53ec0329e1a7f216cd018aa8f22fa9dd3ce4610105963a70dabc978845"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-socket.io.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `redis:7` unpinned"}, "properties": {"repobilityId": 78324, "scanner": "repobility-supply-chain", "fingerprint": "031bc46d563a0eaeb6919c1f1bec25cfeac59c9aa59fa29d597a5a7ed4fa8c49", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|031bc46d563a0eaeb6919c1f1bec25cfeac59c9aa59fa29d597a5a7ed4fa8c49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-socket.io-redis-streams-emitter.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 78323, "scanner": "repobility-supply-chain", "fingerprint": "f8bb463cc93736802844a627603cbdfdc8dca9c165d607b3b88fe5deb940ce51", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": 
"A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f8bb463cc93736802844a627603cbdfdc8dca9c165d607b3b88fe5deb940ce51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-socket.io-redis-streams-emitter.yml"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 78322, "scanner": "repobility-supply-chain", "fingerprint": "df72e823f04b6570e5bc1e099dd733e9723bab0ecfed3abc95c585b3f823ca7e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|df72e823f04b6570e5bc1e099dd733e9723bab0ecfed3abc95c585b3f823ca7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-socket.io-redis-streams-emitter.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 78319, "scanner": "repobility-supply-chain", "fingerprint": "599a4c7ba08def8006369eea16ce52af7a00f59e856e3d766742d374763aa221", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|599a4c7ba08def8006369eea16ce52af7a00f59e856e3d766742d374763aa221"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": ".github/workflows/ci-socket.io-parser.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 78318, "scanner": "repobility-supply-chain", "fingerprint": "930b1037a57f29e967facdf494e7fadcbe215f060d6344c10835fef7ddff9640", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|930b1037a57f29e967facdf494e7fadcbe215f060d6344c10835fef7ddff9640"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-socket.io-parser.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 78315, "scanner": "repobility-supply-chain", "fingerprint": "0e839c8b31f412979b6684f78fc5ec2f687b8f503c69f3c48652d3f0305f8859", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0e839c8b31f412979b6684f78fc5ec2f687b8f503c69f3c48652d3f0305f8859"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-socket.io-client.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 78314, "scanner": 
"repobility-supply-chain", "fingerprint": "0fccc04febcf71bd4f51a9ceb7d66f6f66c6ce79629b209d526862afeec295c4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0fccc04febcf71bd4f51a9ceb7d66f6f66c6ce79629b209d526862afeec295c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-socket.io-client.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 78311, "scanner": "repobility-supply-chain", "fingerprint": "2d11804c9d7f98b95620e238bbe536dfdd108d851d6099dd2ef8dcb76ae67ddb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2d11804c9d7f98b95620e238bbe536dfdd108d851d6099dd2ef8dcb76ae67ddb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-engine.io-client.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 78310, "scanner": "repobility-supply-chain", "fingerprint": "3bdc323271cef9f97ebc077447b25e25fd5f4e7885178246b8ba0aa40df8bcb6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": 
"gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3bdc323271cef9f97ebc077447b25e25fd5f4e7885178246b8ba0aa40df8bcb6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-engine.io-client.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `postgres:14` unpinned"}, "properties": {"repobilityId": 78309, "scanner": "repobility-supply-chain", "fingerprint": "4d0c776f7fa8a4f4881a701007e3f2ec52ac2f3f9414aaf239249052bfe2c601", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4d0c776f7fa8a4f4881a701007e3f2ec52ac2f3f9414aaf239249052bfe2c601"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-socket.io-postgres-emitter.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 78308, "scanner": "repobility-supply-chain", "fingerprint": "f61f6eaa28a6e44292e3f59a6777d7e3cd4aef2b908049cd59a9f769d6ee741e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f61f6eaa28a6e44292e3f59a6777d7e3cd4aef2b908049cd59a9f769d6ee741e"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": ".github/workflows/ci-socket.io-postgres-emitter.yml"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 78307, "scanner": "repobility-supply-chain", "fingerprint": "081d60ebbc6c5deb9187e5f472c9bb25f08088666e6dc1eea0f454d5fc828708", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|081d60ebbc6c5deb9187e5f472c9bb25f08088666e6dc1eea0f454d5fc828708"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-socket.io-postgres-emitter.yml"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `redis:7` unpinned"}, "properties": {"repobilityId": 78306, "scanner": "repobility-supply-chain", "fingerprint": "df6bea9ce90fddc9ecfd7340b1cf77c6f87d5683f5900ab5dcd1be4ee3288843", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|df6bea9ce90fddc9ecfd7340b1cf77c6f87d5683f5900ab5dcd1be4ee3288843"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-socket.io-cluster-engine.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 78305, 
"scanner": "repobility-supply-chain", "fingerprint": "f919ed598e5ed49cf7f9f87cdb0467c6c2d16df647035b60c04927eaed00243c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f919ed598e5ed49cf7f9f87cdb0467c6c2d16df647035b60c04927eaed00243c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-socket.io-cluster-engine.yml"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 78304, "scanner": "repobility-supply-chain", "fingerprint": "f9ae66976ba1943f113b7b604790ba669efb52939e7ec3a2cfff2256088bc95a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f9ae66976ba1943f113b7b604790ba669efb52939e7ec3a2cfff2256088bc95a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-socket.io-cluster-engine.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 78303, "scanner": "repobility-supply-chain", "fingerprint": "5a57de876c18af3991b127886935a448b42398a0e5432bdc7f502c527d4aef06", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": 
true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5a57de876c18af3991b127886935a448b42398a0e5432bdc7f502c527d4aef06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-examples.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 78302, "scanner": "repobility-supply-chain", "fingerprint": "4f68241faff96de47f72dcfd5b7985dbd3a858eb1eed6fa80f29028ddce35423", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4f68241faff96de47f72dcfd5b7985dbd3a858eb1eed6fa80f29028ddce35423"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-examples.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 78301, "scanner": "repobility-supply-chain", "fingerprint": "8445b139c65a18e56a32b94dfe4a8a761e18bc14982ed176bfcb67ce668c82d8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8445b139c65a18e56a32b94dfe4a8a761e18bc14982ed176bfcb67ce668c82d8"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": ".github/workflows/ci-socket.io-adapter.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 78300, "scanner": "repobility-supply-chain", "fingerprint": "02ee93cea392677b5fa7ee8ad1dc1ac268d19c9e6b40260f0f74561273926ac3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|02ee93cea392677b5fa7ee8ad1dc1ac268d19c9e6b40260f0f74561273926ac3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-socket.io-adapter.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 78299, "scanner": "repobility-supply-chain", "fingerprint": "859d9413ffe27bab40a03aea071652c6033db2fcf4a198ea041d94db8343334f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|859d9413ffe27bab40a03aea071652c6033db2fcf4a198ea041d94db8343334f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-socket.io-cluster-adapter.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 78298, "scanner": 
"repobility-supply-chain", "fingerprint": "1209d6c46307c01708127fe6afa65e8d090016f4b6847ff5342abe910ece2bc6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1209d6c46307c01708127fe6afa65e8d090016f4b6847ff5342abe910ece2bc6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-socket.io-cluster-adapter.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 78295, "scanner": "repobility-supply-chain", "fingerprint": "072410f9c0e0b80348c92099c8cf4ce745e342ce5b58ae9e6ae4acdce332a4b8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|072410f9c0e0b80348c92099c8cf4ce745e342ce5b58ae9e6ae4acdce332a4b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-engine.io-parser.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 78294, "scanner": "repobility-supply-chain", "fingerprint": "6babb80d736c323d281ec234d2dfa32b152c235e6293c55a0d1ddf4d0d0c645c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": 
{"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6babb80d736c323d281ec234d2dfa32b152c235e6293c55a0d1ddf4d0d0c645c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-engine.io-parser.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 78293, "scanner": "repobility-supply-chain", "fingerprint": "fbdca6c8d025dd8da7d07ea473d3e130aa1d25d73d9fdcd227bf43c4476f978e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fbdca6c8d025dd8da7d07ea473d3e130aa1d25d73d9fdcd227bf43c4476f978e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-engine.io.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 78292, "scanner": "repobility-supply-chain", "fingerprint": "6dc27a59e5adcc1e729b6a5b00d953362d83ef1e6b8d5be100342a05a61a2ef8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6dc27a59e5adcc1e729b6a5b00d953362d83ef1e6b8d5be100342a05a61a2ef8"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": ".github/workflows/ci-engine.io.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 78291, "scanner": "repobility-supply-chain", "fingerprint": "ded5395cfae33d0b0a496e96690b23766638f54a36a51b02fda4656ab88a0e33", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ded5395cfae33d0b0a496e96690b23766638f54a36a51b02fda4656ab88a0e33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-socket.io-component-emitter.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 78290, "scanner": "repobility-supply-chain", "fingerprint": "968726a2410f408f349b9035c41e4642731fd1440a8d236e1100033d684c7cce", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|968726a2410f408f349b9035c41e4642731fd1440a8d236e1100033d684c7cce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-socket.io-component-emitter.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:14-alpine` not pinned by digest"}, "properties": {"repobilityId": 78289, "scanner": 
"repobility-supply-chain", "fingerprint": "d0a23e0f1a67ee22674629c76bcaae9987a59c579b55f1934c01ed54d3323a98", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d0a23e0f1a67ee22674629c76bcaae9987a59c579b55f1934c01ed54d3323a98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-httpd/server/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:20-bullseye` not pinned by digest"}, "properties": {"repobilityId": 78288, "scanner": "repobility-supply-chain", "fingerprint": "24e6b63076dfcba3cde6607c63558fd89f4cf419ac2f1aff09cb1c24d2547c4c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|24e6b63076dfcba3cde6607c63558fd89f4cf419ac2f1aff09cb1c24d2547c4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/connection-state-recovery-example/cjs/.codesandbox/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:20-bullseye` not pinned by digest"}, "properties": {"repobilityId": 78287, "scanner": "repobility-supply-chain", "fingerprint": "4b429744da60124413f1037d88d845ca8b79b5ca86d95f61a2973c62f7e73260", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", 
"evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4b429744da60124413f1037d88d845ca8b79b5ca86d95f61a2973c62f7e73260"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/connection-state-recovery-example/esm/.codesandbox/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:14-alpine` not pinned by digest"}, "properties": {"repobilityId": 78286, "scanner": "repobility-supply-chain", "fingerprint": "70b40413f97de2649fab8aae5b7647f8722a283e760de93e45f45ce1074c8966", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|70b40413f97de2649fab8aae5b7647f8722a283e760de93e45f45ce1074c8966"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-traefik/server/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:14-alpine` not pinned by digest"}, "properties": {"repobilityId": 78285, "scanner": "repobility-supply-chain", "fingerprint": "8bc26c0250289e65cecc2de322474e294a9642851998d94953c048f5587d6154", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|8bc26c0250289e65cecc2de322474e294a9642851998d94953c048f5587d6154"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-haproxy/server/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:14-alpine` not pinned by digest"}, "properties": {"repobilityId": 78284, "scanner": "repobility-supply-chain", "fingerprint": "0755e1acd7075e1901cf7132e62f81405568be7e75bff03a256c9b62978de090", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0755e1acd7075e1901cf7132e62f81405568be7e75bff03a256c9b62978de090"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-nginx/client/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:14-alpine` not pinned by digest"}, "properties": {"repobilityId": 78283, "scanner": "repobility-supply-chain", "fingerprint": "b12dc38903e1f7fdb9f897db3c4e37f94523efa792c93a1929ed5cfa15045644", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b12dc38903e1f7fdb9f897db3c4e37f94523efa792c93a1929ed5cfa15045644"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-nginx/server/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": 
"package.json dep `uWebSockets.js` pulled from URL/Git"}, "properties": {"repobilityId": 78282, "scanner": "repobility-supply-chain", "fingerprint": "0664832c2ea15778af311baaf686113fd9750a0ac63357cd64dfbe0100a89826", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0664832c2ea15778af311baaf686113fd9750a0ac63357cd64dfbe0100a89826"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /login has no auth"}, "properties": {"repobilityId": 78281, "scanner": "repobility-route-auth", "fingerprint": "be8abdec361955ce6c1e66a05c8c5e58ff2676af9c7911adb7e2cc1209880a7b", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|be8abdec361955ce6c1e66a05c8c5e58ff2676af9c7911adb7e2cc1209880a7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/passport-jwt-example/esm/index.js"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /login has no auth"}, "properties": {"repobilityId": 78280, "scanner": "repobility-route-auth", "fingerprint": "07fc2f93c77cfb4a823d3a5796f5a557dc511b3836607d08d614157fd78a1d3f", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", 
"isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|07fc2f93c77cfb4a823d3a5796f5a557dc511b3836607d08d614157fd78a1d3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/passport-jwt-example/cjs/index.js"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /logout has no auth"}, "properties": {"repobilityId": 78279, "scanner": "repobility-route-auth", "fingerprint": "a372cfb6c06010eb40081c864558251947013848ffd416fc53840452686266a0", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|a372cfb6c06010eb40081c864558251947013848ffd416fc53840452686266a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/express-session-example/esm/index.js"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /incr has no auth"}, "properties": {"repobilityId": 78278, "scanner": "repobility-route-auth", "fingerprint": "93393ec7b55b50a390336a1f8377abb89dadd141c3a7326bceda68be9cd745b3", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", 
"correlation_key": "fp|93393ec7b55b50a390336a1f8377abb89dadd141c3a7326bceda68be9cd745b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/express-session-example/esm/index.js"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /logout has no auth"}, "properties": {"repobilityId": 78277, "scanner": "repobility-route-auth", "fingerprint": "11519c4d53890a693a413854b63d5557c4144b8b8f1e78ba2688ad65eb4275c6", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|11519c4d53890a693a413854b63d5557c4144b8b8f1e78ba2688ad65eb4275c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/express-session-example/cjs/index.js"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /incr has no auth"}, "properties": {"repobilityId": 78276, "scanner": "repobility-route-auth", "fingerprint": "4cdff8aa2f15d34c106d8e36f53fd1f08320e74681b7c7cd198751495d18a4be", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|4cdff8aa2f15d34c106d8e36f53fd1f08320e74681b7c7cd198751495d18a4be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/express-session-example/cjs/index.js"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED113", 
"level": "error", "message": {"text": "Express POST /login has no auth"}, "properties": {"repobilityId": 78275, "scanner": "repobility-route-auth", "fingerprint": "52ae59331f16018b554d1ed9a86d8fdbae71bff61249e2ebb9b1bcf17842c763", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|52ae59331f16018b554d1ed9a86d8fdbae71bff61249e2ebb9b1bcf17842c763"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/passport-jwt-example/ts/index.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /logout has no auth"}, "properties": {"repobilityId": 78274, "scanner": "repobility-route-auth", "fingerprint": "52a1ab2739f7f479b7c39f81d9c39b32100d2a27dea8b24270afe8ec597bcfd0", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|52a1ab2739f7f479b7c39f81d9c39b32100d2a27dea8b24270afe8ec597bcfd0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/express-session-example/ts/index.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /incr has no auth"}, "properties": {"repobilityId": 78273, "scanner": "repobility-route-auth", "fingerprint": "af601001f3b8394f761f31ff61fb8d7cc0a5b633cf7900876d7c60476d38d181", "category": "quality", "severity": "high", 
"confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|af601001f3b8394f761f31ff61fb8d7cc0a5b633cf7900876d7c60476d38d181"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/express-session-example/ts/index.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "GHSA-34r7-q49f-h37c", "level": "error", "message": {"text": "uglify-js: GHSA-34r7-q49f-h37c"}, "properties": {"repobilityId": 78634, "scanner": "osv-scanner", "fingerprint": "7014e6fd87a3cd9546e5b9a6f97592b51743a5316fd0393d6206440046f39c5f", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2015-8857"], "package": "uglify-js", "rule_id": "GHSA-34r7-q49f-h37c", "scanner": "osv-scanner", "correlation_key": "vuln|uglify-js|CVE-2015-8857|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/engine.io/examples/latency/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qg8p-v9q4-gh34", "level": "error", "message": {"text": "shell-quote: GHSA-qg8p-v9q4-gh34"}, "properties": {"repobilityId": 78633, "scanner": "osv-scanner", "fingerprint": "2c76764157eecc21115e87c96f05da2dac5d5b6d0bf690cf73ad4c330161c7bb", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2016-10541"], "package": "shell-quote", "rule_id": "GHSA-qg8p-v9q4-gh34", "scanner": "osv-scanner", "correlation_key": "vuln|shell-quote|CVE-2016-10541|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"packages/engine.io/examples/latency/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xvch-5gv4-984h", "level": "error", "message": {"text": "minimist: GHSA-xvch-5gv4-984h"}, "properties": {"repobilityId": 78630, "scanner": "osv-scanner", "fingerprint": "d9b408520d46721701e388005bf2edfcb3cf2eae8caeade5321aecced31ef1a5", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2021-44906"], "package": "minimist", "rule_id": "GHSA-xvch-5gv4-984h", "scanner": "osv-scanner", "correlation_key": "vuln|minimist|CVE-2021-44906|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/engine.io/examples/latency/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5rq4-664w-9x2c", "level": "error", "message": {"text": "basic-ftp: GHSA-5rq4-664w-9x2c"}, "properties": {"repobilityId": 78576, "scanner": "osv-scanner", "fingerprint": "449aaeba80973eabca21e3ccf6cb3085ee324a816f38ce76d4b7c25e4a9e7016", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27699"], "package": "basic-ftp", "rule_id": "GHSA-5rq4-664w-9x2c", "scanner": "osv-scanner", "correlation_key": "vuln|basic-ftp|CVE-2026-27699|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-hc6q-2mpp-qw7j", "level": "error", "message": {"text": "webpack: GHSA-hc6q-2mpp-qw7j"}, "properties": {"repobilityId": 78550, "scanner": "osv-scanner", "fingerprint": "d06f19f04ae89648127018a069bbf429afb02b70a22fb864256e9feab1f2a0e1", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": 
["CVE-2023-28154"], "package": "webpack", "rule_id": "GHSA-hc6q-2mpp-qw7j", "scanner": "osv-scanner", "correlation_key": "vuln|webpack|CVE-2023-28154|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/create-react-app-example/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-fjxv-7rqg-78g4", "level": "error", "message": {"text": "form-data: GHSA-fjxv-7rqg-78g4"}, "properties": {"repobilityId": 78542, "scanner": "osv-scanner", "fingerprint": "6dc984e02158806c2acbb5550232e5b155024d07ba75119c73d2aef3fa06b0ec", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-7783"], "package": "form-data", "rule_id": "GHSA-fjxv-7rqg-78g4", "scanner": "osv-scanner", "correlation_key": "vuln|form-data|CVE-2025-7783|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/create-react-app-example/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-67hx-6x53-jw92", "level": "error", "message": {"text": "@babel/traverse: GHSA-67hx-6x53-jw92"}, "properties": {"repobilityId": 78538, "scanner": "osv-scanner", "fingerprint": "e8b29458108fefb56260db5b2c8639b3b6d191360af78410e545678aca4f016f", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-45133"], "package": "@babel/traverse", "rule_id": "GHSA-67hx-6x53-jw92", "scanner": "osv-scanner", "correlation_key": "vuln|babel/traverse|CVE-2023-45133|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/create-react-app-example/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-m7jm-9gc2-mpf2", "level": "error", "message": {"text": "fast-xml-parser: GHSA-m7jm-9gc2-mpf2"}, "properties": {"repobilityId": 78486, "scanner": "osv-scanner", "fingerprint": 
"a2378a9aeec2ccd46608313212f1fe1b66709f1dd8c2f278fea1afec31181ac4", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-25896"], "package": "fast-xml-parser", "rule_id": "GHSA-m7jm-9gc2-mpf2", "scanner": "osv-scanner", "correlation_key": "vuln|fast-xml-parser|CVE-2026-25896|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ReactNativeExample/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 78459, "scanner": "gitleaks", "fingerprint": "62184815601f0e537cb69b929ab8fd92ea71957501ccafb3ed40e1db92659068", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "Sec-WebSocket-Key\", \"REDACTED\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|20|sec-websocket-key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/engine.io/test/server.js"}, "region": {"startLine": 204}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 78458, "scanner": "gitleaks", "fingerprint": "9fac396239b429b2990e0294fb13ca85aeb52d0e735d326c5f01f5b12355accd", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "Sec-WebSocket-Key\", \"REDACTED\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", 
"correlation_key": "secret|token|18|sec-websocket-key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/engine.io/test/server.js"}, "region": {"startLine": 182}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 78457, "scanner": "gitleaks", "fingerprint": "eb8fedec6f13b989adbf568923b65a3494b7348754ff295f0cd08bf97dfd56b0", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "token=<redacted>", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|1|token redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/nestjs-example/README.md"}, "region": {"startLine": 5}}}]}, {"ruleId": "private-key", "level": "error", "message": {"text": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}, "properties": {"repobilityId": 78456, "scanner": "gitleaks", "fingerprint": "550c78f430cd1ddd2b82155ee58ba30fc15d6370b9064b1c587a797ecd95e16a", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "REDACTED", "rule_id": "private-key", "scanner": "gitleaks", "detector": "private-key", "correlation_key": "secret|token|1|redacted", "duplicate_count": 2, "duplicate_rule_ids": ["private-key"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["350f91a06fa6bb9cebac825e4b09248352ea28d6edfdc3209932f31ad0bb0317", "550c78f430cd1ddd2b82155ee58ba30fc15d6370b9064b1c587a797ecd95e16a", 
"e5ceb0b7dda70eedc0f883bbc208d19d974cafbf87649ec86a4e36984b22feab"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/engine.io/test/fixtures/client.key"}, "region": {"startLine": 1}}}]}, {"ruleId": "pkcs12-file", "level": "error", "message": {"text": "Found a PKCS #12 file, which commonly contains bundled private keys."}, "properties": {"repobilityId": 78455, "scanner": "gitleaks", "fingerprint": "65ede49fd7404b07f89ea58f14be864cbb5820b0904c4f2a378153cd90a9ed70", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTEDfREDACTEDiREDACTEDlREDACTEDeREDACTED REDACTEDdREDACTEDeREDACTEDtREDACTEDeREDACTEDcREDACTEDtREDACTEDeREDACTEDdREDACTED:REDACTED REDACTED/REDACTEDtREDACTEDmREDACTEDpREDACTED/REDACTEDrREDACTEDeREDACTEDpREDACTEDoREDACTEDbREDACTEDiREDACTEDlREDACTEDiREDACTEDtREDACTEDyREDACTED-REDACTEDaREDACTEDnRED", "rule_id": "pkcs12-file", "scanner": "gitleaks", "detector": "pkcs12-file", "correlation_key": "secret|token||token token token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/engine.io/test/fixtures/client.pfx"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 78443, "scanner": "repobility-docker", "fingerprint": "90f6c5fe62e5e756044c4ecbc91ce7335bb90a9d58139bb302edc6036a6fca43", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", 
"https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|90f6c5fe62e5e756044c4ecbc91ce7335bb90a9d58139bb302edc6036a6fca43", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/socket.io-postgres-emitter/compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC008", "level": "error", "message": {"text": "Compose service mounts the Docker socket"}, "properties": {"repobilityId": 78428, "scanner": "repobility-docker", "fingerprint": "4b27ad24bcd1e8e34a5ece794f8d26af4ac56b4bb642484e5de9e70334f733ca", "category": "docker", "severity": "critical", "confidence": 0.98, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Volume mount references /var/run/docker.sock.", "evidence": {"rule_id": "DKC008", "scanner": "repobility-docker", "service": "traefik", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|4b27ad24bcd1e8e34a5ece794f8d26af4ac56b4bb642484e5de9e70334f733ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cluster-traefik/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.SAUCE_ACCESS_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 78321, "scanner": "repobility-supply-chain", "fingerprint": "f18e5cbb704e8365be33d0376c52408e53bb3a6462bdcf13b96f4d23b2452409", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f18e5cbb704e8365be33d0376c52408e53bb3a6462bdcf13b96f4d23b2452409"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-socket.io-parser.yml"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.SAUCE_USERNAME` on a `pull_request` trigger"}, "properties": {"repobilityId": 78320, "scanner": "repobility-supply-chain", "fingerprint": "3090f1886061c2f58b7d86113398de94f964717cd923c0ba89b2865a69be22e0", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3090f1886061c2f58b7d86113398de94f964717cd923c0ba89b2865a69be22e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-socket.io-parser.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.SAUCE_ACCESS_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 78317, "scanner": "repobility-supply-chain", "fingerprint": "a83a9e2b7eddd54ef21de20427ea598068f203076202b90f278e2b20fcfab4ba", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a83a9e2b7eddd54ef21de20427ea598068f203076202b90f278e2b20fcfab4ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-socket.io-client.yml"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.SAUCE_USERNAME` on a 
`pull_request` trigger"}, "properties": {"repobilityId": 78316, "scanner": "repobility-supply-chain", "fingerprint": "5f680498312dde6e123d77c158ed9b64a7e1a42c4f66b9b854fc356805be35b7", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5f680498312dde6e123d77c158ed9b64a7e1a42c4f66b9b854fc356805be35b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-socket.io-client.yml"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.SAUCE_ACCESS_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 78313, "scanner": "repobility-supply-chain", "fingerprint": "c3ea1fb9fb412769d69c2de012fba5cc3ac11cf99ebbbef2c2a6896893075337", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c3ea1fb9fb412769d69c2de012fba5cc3ac11cf99ebbbef2c2a6896893075337"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-engine.io-client.yml"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.SAUCE_USERNAME` on a `pull_request` trigger"}, "properties": {"repobilityId": 78312, "scanner": "repobility-supply-chain", "fingerprint": "c1a55006c74938ddadd8dc836ffc27f221f1fb760764ca6b0a0190a8f1ae9254", "category": "dependency", "severity": "critical", 
"confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c1a55006c74938ddadd8dc836ffc27f221f1fb760764ca6b0a0190a8f1ae9254"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-engine.io-client.yml"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.SAUCE_ACCESS_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 78297, "scanner": "repobility-supply-chain", "fingerprint": "7f39fd21716d2195490350eb91af8eaa5618da306c31a5fc632360813caaa3b5", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7f39fd21716d2195490350eb91af8eaa5618da306c31a5fc632360813caaa3b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-engine.io-parser.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.SAUCE_USERNAME` on a `pull_request` trigger"}, "properties": {"repobilityId": 78296, "scanner": "repobility-supply-chain", "fingerprint": "22dfd43a5f9676bcf0cee66e26d88c3be1996a80325ccbe0ff810c8d1c6b8871", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], 
"observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|22dfd43a5f9676bcf0cee66e26d88c3be1996a80325ccbe0ff810c8d1c6b8871"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-engine.io-parser.yml"}, "region": {"startLine": 48}}}]}]}]}