{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "DEPCUR-GHA", "name": "GitHub Action `actions/setup-node@v5` is 1 major version(s) behind (latest v6.4.0)", "shortDescription": {"text": "GitHub Action `actions/setup-node@v5` is 1 major version(s) behind (latest v6.4.0)"}, "fullDescription": {"text": "`uses: actions/setup-node@v5` is 1 major version(s) behind the latest published release v6.4.0. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises \u2014 and which Repobility had no coverage for."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `@earendil-works/pi-coding-agent` is minor version(s) behind (^0.74.0 -> 0.78.0)", "shortDescription": {"text": "npm package `@earendil-works/pi-coding-agent` is minor version(s) behind (^0.74.0 -> 0.78.0)"}, "fullDescription": {"text": "`@earendil-works/pi-coding-agent` is pinned/resolved at ^0.74.0 but the latest stable release on the npm registry is 0.78.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "low", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_LICENSE", "name": "No LICENSE file", "shortDescription": {"text": "No LICENSE file"}, "fullDescription": {"text": "Add a LICENSE file to your repository. Use choosealicense.com to pick the right license (MIT for permissive, Apache 2.0 for patent protection, GPL for copyleft)."}, "properties": {"scanner": "repobility-core", "category": "documentation", "severity": "low", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 / for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 2 more): Same pattern found in 2 additional fil", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED027", "name": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated ", "shortDescription": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 / for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC114", "name": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker", "shortDescription": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "fullDescription": {"text": "After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/setup-node` pinned to mutable ref `@v5`", "shortDescription": {"text": "Action `actions/setup-node` pinned to mutable ref `@v5`"}, "fullDescription": {"text": "`uses: actions/setup-node@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/683"}, "properties": {"repository": "nicobailon/pi-subagents", "repoUrl": "https://github.com/nicobailon/pi-subagents.git", "branch": "main"}, "results": [{"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/setup-node@v5` is 1 major version(s) behind (latest v6.4.0)"}, "properties": {"repobilityId": 52278, "scanner": "repobility-dependency-currency", "fingerprint": "f4d71004e42e6f308ba97766ee3e2f297b1c8cc7cdc8e71da6027067c98ac375", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/setup-node", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.4.0", "correlation_key": "fp|f4d71004e42e6f308ba97766ee3e2f297b1c8cc7cdc8e71da6027067c98ac375", "current_version": "v5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/checkout@v5` is 1 major version(s) behind (latest v6.0.2)"}, "properties": {"repobilityId": 52277, "scanner": "repobility-dependency-currency", "fingerprint": "5b357808926ce4d160d0357146cca8cbfa9425462932689b01961bfca1e3bbbc", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.2", "correlation_key": "fp|5b357808926ce4d160d0357146cca8cbfa9425462932689b01961bfca1e3bbbc", "current_version": "v5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/setup-node@v5` is 1 major version(s) behind (latest v6.4.0)"}, "properties": {"repobilityId": 52276, "scanner": "repobility-dependency-currency", "fingerprint": "166c8f8c839aa7d55b07d53413ccdffd79245db362a7c757757a31257a19d8b9", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/setup-node", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.4.0", "correlation_key": "fp|166c8f8c839aa7d55b07d53413ccdffd79245db362a7c757757a31257a19d8b9", "current_version": "v5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/checkout@v5` is 1 major version(s) behind (latest v6.0.2)"}, "properties": {"repobilityId": 52275, "scanner": "repobility-dependency-currency", "fingerprint": "ca9b7478f0668cf59b6ddb33e7fbce9269d44398a13646bcb8e411130bdeca8f", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.2", "correlation_key": "fp|ca9b7478f0668cf59b6ddb33e7fbce9269d44398a13646bcb8e411130bdeca8f", "current_version": "v5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@earendil-works/pi-coding-agent` is minor version(s) behind (^0.74.0 -> 0.78.0)"}, "properties": {"repobilityId": 52274, "scanner": "repobility-dependency-currency", "fingerprint": "d8b5eacd83c721288a18683ac55f5cf5ecafc56d607368864ccecbb76906d2df", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@earendil-works/pi-coding-agent", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.78.0", "correlation_key": "fp|d8b5eacd83c721288a18683ac55f5cf5ecafc56d607368864ccecbb76906d2df", "current_version": "^0.74.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@earendil-works/pi-ai` is minor version(s) behind (^0.74.0 -> 0.78.0)"}, "properties": {"repobilityId": 52273, "scanner": "repobility-dependency-currency", "fingerprint": "86cc5f0bd5e6800ed84eb350408b9d1889ebe3b7b9dcff5a6d251bae1db793db", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@earendil-works/pi-ai", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.78.0", "correlation_key": "fp|86cc5f0bd5e6800ed84eb350408b9d1889ebe3b7b9dcff5a6d251bae1db793db", "current_version": "^0.74.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@earendil-works/pi-agent-core` is minor version(s) behind (^0.74.0 -> 0.78.0)"}, "properties": {"repobilityId": 52272, "scanner": "repobility-dependency-currency", "fingerprint": "a17fe6371a9d1ffdfe6d4965a3a8dfeab459f1d00249bbbc95bc2a0afc814107", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@earendil-works/pi-agent-core", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.78.0", "correlation_key": "fp|a17fe6371a9d1ffdfe6d4965a3a8dfeab459f1d00249bbbc95bc2a0afc814107", "current_version": "^0.74.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@earendil-works/pi-tui` is minor version(s) behind (^0.74.0 -> 0.78.0)"}, "properties": {"repobilityId": 52270, "scanner": "repobility-dependency-currency", "fingerprint": "c8dfd28e8adf0b6609b519f661fbb055d1ba44ac5b851d419cd36bf463caf7c5", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@earendil-works/pi-tui", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.78.0", "correlation_key": "fp|c8dfd28e8adf0b6609b519f661fbb055d1ba44ac5b851d419cd36bf463caf7c5", "current_version": "^0.74.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 52265, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7d45e5d6d33979222c2c4a1580a76105785f1620e14dea735ef01e6cd0db83ce", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/slash/prompt-template-bridge.ts", "duplicate_line": 353, "correlation_key": "fp|7d45e5d6d33979222c2c4a1580a76105785f1620e14dea735ef01e6cd0db83ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/slash/slash-bridge.ts"}, "region": {"startLine": 142}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 52264, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9976511446d0ed1b06a8a0843d3186ae736003630379e2b3e75803dfc2abd78c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/intercom/result-intercom.ts", "duplicate_line": 99, "correlation_key": "fp|9976511446d0ed1b06a8a0843d3186ae736003630379e2b3e75803dfc2abd78c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/runs/shared/nested-events.ts"}, "region": {"startLine": 726}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 52263, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d6820a9409279b99ef1115588288d41d7860a6a861b00119f2f1f7a569b65779", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/agents/skills.ts", "duplicate_line": 177, "correlation_key": "fp|d6820a9409279b99ef1115588288d41d7860a6a861b00119f2f1f7a569b65779"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/intercom/intercom-bridge.ts"}, "region": {"startLine": 120}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 52262, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bb094c2253f6a61838f15db44fc5b4c5027319fa9167facbf9dbd8ddbef8d8e0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/extension/fanout-child.ts", "duplicate_line": 28, "correlation_key": "fp|bb094c2253f6a61838f15db44fc5b4c5027319fa9167facbf9dbd8ddbef8d8e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/extension/index.ts"}, "region": {"startLine": 188}}}]}, {"ruleId": "CORE_NO_LICENSE", "level": "note", "message": {"text": "No LICENSE file"}, "properties": {"repobilityId": 52261, "scanner": "repobility-core", "fingerprint": "9314e9238cd99885865b92490d1aaa96ca62b1390c9377878d5f3d99227e1c3c", "category": "documentation", "severity": "low", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_LICENSE", "scanner": "repobility-core", "correlation_key": "repo|documentation|core_no_license"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 52294, "scanner": "repobility-threat-engine", "fingerprint": "2cd220107759c389357ea1e0b2a749255d62455820f15b6cc9e05e77d2c17c58", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2cd220107759c389357ea1e0b2a749255d62455820f15b6cc9e05e77d2c17c58"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 52290, "scanner": "repobility-threat-engine", "fingerprint": "d6ff52f326a217119b363f1aee474b58469492e74a7fc3a211d777ba7b2b5474", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|d6ff52f326a217119b363f1aee474b58469492e74a7fc3a211d777ba7b2b5474", "aggregated_count": 2}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 52289, "scanner": "repobility-threat-engine", "fingerprint": "9806d8dbb00ea5bfcf17ab54c71e47a1753d80afbf015c301ac1d05432c886e0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9806d8dbb00ea5bfcf17ab54c71e47a1753d80afbf015c301ac1d05432c886e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/runs/background/top-level-async.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 52288, "scanner": "repobility-threat-engine", "fingerprint": "929e0c68fe3821632fdbe27beee1ec13113bc73ed5394abc07f6e4adcac3b891", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|929e0c68fe3821632fdbe27beee1ec13113bc73ed5394abc07f6e4adcac3b891"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/runs/background/result-watcher.ts"}, "region": {"startLine": 193}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 52287, "scanner": "repobility-threat-engine", "fingerprint": "aa44c2e6548c8fcda0a5e0ec2ab3ccac36d30af2db28100d4fa3042a6e87b54f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aa44c2e6548c8fcda0a5e0ec2ab3ccac36d30af2db28100d4fa3042a6e87b54f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/chain-serializer.ts"}, "region": {"startLine": 97}}}]}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 52286, "scanner": "repobility-threat-engine", "fingerprint": "3dd4caf8fa81c20f9eace7ffa5194145968292c35b4d876b17652877ff96f545", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|3dd4caf8fa81c20f9eace7ffa5194145968292c35b4d876b17652877ff96f545"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 52282, "scanner": "repobility-threat-engine", "fingerprint": "8c3560525de975a9c202cd1b69e7b70cd2e798d159e8cb8d425d4f011026e437", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|8c3560525de975a9c202cd1b69e7b70cd2e798d159e8cb8d425d4f011026e437", "aggregated_count": 1}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 52281, "scanner": "repobility-threat-engine", "fingerprint": "056d5f26affaff21b0a76f19c263097dd680615d7e5b9325126afda66b2c766e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|056d5f26affaff21b0a76f19c263097dd680615d7e5b9325126afda66b2c766e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/extension/fanout-child.ts"}, "region": {"startLine": 109}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 52280, "scanner": "repobility-threat-engine", "fingerprint": "96e12b12e53fc4e83f43d5f419dd0ae7ed1d383a234659216d0779bd2ef3e9cf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|96e12b12e53fc4e83f43d5f419dd0ae7ed1d383a234659216d0779bd2ef3e9cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/extension/config.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 52279, "scanner": "repobility-threat-engine", "fingerprint": "3c09b04af737dfd9ff6881cb866d0c4cc076f7fe1539ac0d8e136b798ff67bc5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3c09b04af737dfd9ff6881cb866d0c4cc076f7fe1539ac0d8e136b798ff67bc5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "install.mjs"}, "region": {"startLine": 24}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `typebox` is patch version(s) behind (^1.1.24 -> 1.1.39)"}, "properties": {"repobilityId": 52271, "scanner": "repobility-dependency-currency", "fingerprint": "eb28c2e480a43ba81c462aef423f1f3eaa69cf33dea2d24474575ec34b5c9181", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "typebox", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.1.39", "correlation_key": "fp|eb28c2e480a43ba81c462aef423f1f3eaa69cf33dea2d24474575ec34b5c9181", "current_version": "^1.1.24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 52298, "scanner": "repobility-threat-engine", "fingerprint": "dd3026e9fe5ed52c256b48ab8b08fde37a818a42089f1fe4a5cc12375fc72515", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dd3026e9fe5ed52c256b48ab8b08fde37a818a42089f1fe4a5cc12375fc72515"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/runs/shared/long-running-guard.ts"}, "region": {"startLine": 162}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 52297, "scanner": "repobility-threat-engine", "fingerprint": "d9210b58e0fd6dd6861c65c4b7ed00fab9885621085beddd9333d4f8670e81fd", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.join(artifactsDir, `${base}_input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|src/shared/artifacts.ts|20|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/shared/artifacts.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 52296, "scanner": "repobility-threat-engine", "fingerprint": "fc859fd977d044f40e69717b1c7e3f4c9343ff1de2ce67293882a65680109e21", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.resolve(runtimeCwd, request", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|29|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/runs/shared/single-output.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 52295, "scanner": "repobility-threat-engine", "fingerprint": "b217c6ee114bbcc03b230b9724fb74ee36fb0cb7baaa1e1b701d6ef8d2292489", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.resolve(input.expandTilde?.(input.request", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|src/extension/doctor.ts|109|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/extension/doctor.ts"}, "region": {"startLine": 109}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 52293, "scanner": "repobility-threat-engine", "fingerprint": "76c7c4947182f2c5f69e900f160ec8ebc8d46d5bd6f786062ee2c388249570df", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "pending.delete(file);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|76c7c4947182f2c5f69e900f160ec8ebc8d46d5bd6f786062ee2c388249570df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/shared/file-coalescer.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 52292, "scanner": "repobility-threat-engine", "fingerprint": "fa2a51097b44ba6e649d0a826533238389a88f7d94114e49b39ed1250660ff4a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "pendingResults.delete(request.requestId);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fa2a51097b44ba6e649d0a826533238389a88f7d94114e49b39ed1250660ff4a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/extension/fanout-child.ts"}, "region": {"startLine": 112}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 52291, "scanner": "repobility-threat-engine", "fingerprint": "0b4e40de506fdb4438bf57013049fd5779465660e0fb6a2598dd860be5d0c15a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "pending.delete(key);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0b4e40de506fdb4438bf57013049fd5779465660e0fb6a2598dd860be5d0c15a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/extension/control-notices.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any