{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "GHSA-7gmj-67g7-phm9", "name": "tauri: GHSA-7gmj-67g7-phm9", "shortDescription": {"text": "tauri: GHSA-7gmj-67g7-phm9"}, "fullDescription": {"text": "Tauri has an 
Origin Confusion Issue that Allows Remote Pages to Invoke Local-Only IPC Commands"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3pv8-6f4r-ffg2", "name": "tar: GHSA-3pv8-6f4r-ffg2", "shortDescription": {"text": "tar: GHSA-3pv8-6f4r-ffg2"}, "fullDescription": {"text": "tar has a PAX header desynchronization issue"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xv59-967r-8726", "name": "openssl: GHSA-xv59-967r-8726", "shortDescription": {"text": "openssl: GHSA-xv59-967r-8726"}, "fullDescription": {"text": "rust-openssl vulnerable to heap buffer overflow when encrypting with AES key-wrap-with-padding"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-phqj-4mhp-q6mq", "name": "openssl: GHSA-phqj-4mhp-q6mq", "shortDescription": {"text": "openssl: GHSA-phqj-4mhp-q6mq"}, "fullDescription": {"text": "rust-openssl: Potential out-of-bounds write in `CipherCtxRef::cipher_update_inplace` for AES-KW-PAD ciphers"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-58qx-3vcg-4xpx", "name": "ws: GHSA-58qx-3vcg-4xpx", "shortDescription": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "fullDescription": {"text": "ws: Uninitialized memory disclosure"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-93m4-6634-74q7", "name": "vite: GHSA-93m4-6634-74q7", "shortDescription": {"text": "vite: GHSA-93m4-6634-74q7"}, "fullDescription": {"text": "vite allows server.fs.deny bypass via backslash on Windows"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", 
"confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4w7w-66w2-5vf9", "name": "vite: GHSA-4w7w-66w2-5vf9", "shortDescription": {"text": "vite: GHSA-4w7w-66w2-5vf9"}, "fullDescription": {"text": "Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qx2v-qp2m-jg93", "name": "postcss: GHSA-qx2v-qp2m-jg93", "shortDescription": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "fullDescription": {"text": "PostCSS has XSS via Unescaped </style> in its CSS Stringify Output"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3v7f-55p6-f55p", "name": "picomatch: GHSA-3v7f-55p6-f55p", "shortDescription": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "fullDescription": {"text": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xxjr-mmjv-4gpg", "name": "lodash: GHSA-xxjr-mmjv-4gpg", "shortDescription": {"text": "lodash: GHSA-xxjr-mmjv-4gpg"}, "fullDescription": {"text": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f23m-r3pf-42rh", "name": "lodash: GHSA-f23m-r3pf-42rh", "shortDescription": {"text": "lodash: GHSA-f23m-r3pf-42rh"}, "fullDescription": {"text": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7rx3-28cr-v5wh", "name": "handlebars: GHSA-7rx3-28cr-v5wh", 
"shortDescription": {"text": "handlebars: GHSA-7rx3-28cr-v5wh"}, "fullDescription": {"text": "Handlebars.js has a Prototype Method Access Control Gap via Missing __lookupSetter__ Blocklist Entry"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2qvq-rjwj-gvw9", "name": "handlebars: GHSA-2qvq-rjwj-gvw9", "shortDescription": {"text": "handlebars: GHSA-2qvq-rjwj-gvw9"}, "fullDescription": {"text": "Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f886-m6hf-6m8v", "name": "brace-expansion: GHSA-f886-m6hf-6m8v", "shortDescription": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "fullDescription": {"text": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2g4f-4pwh-qvx6", "name": "ajv: GHSA-2g4f-4pwh-qvx6", "shortDescription": {"text": "ajv: GHSA-2g4f-4pwh-qvx6"}, "fullDescription": {"text": "ajv has ReDoS when using `$data` option"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-vh25-5764-9wcr", "name": "@conventional-changelog/git-client: GHSA-vh25-5764-9wcr", "shortDescription": {"text": "@conventional-changelog/git-client: GHSA-vh25-5764-9wcr"}, "fullDescription": {"text": "@conventional-changelog/git-client has Argument Injection vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a 
target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `jsdom` is 3 major version(s) behind (^26.1.0 -> 29.1.1)", "shortDescription": {"text": "npm package `jsdom` is 3 major version(s) behind (^26.1.0 -> 29.1.1)"}, "fullDescription": {"text": "`jsdom` is pinned/resolved at ^26.1.0 but the latest stable release on the npm registry is 29.1.1 (3 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. 
This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. 
Without one, important docs and product pages are easy to miss."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Public websites should publish a robots.txt file so crawlers and AI agents can discover crawl rules and sitemap locations without guessing."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "GHSA-xmgf-hq76-4vx2", "name": "openssl: GHSA-xmgf-hq76-4vx2", "shortDescription": {"text": "openssl: GHSA-xmgf-hq76-4vx2"}, "fullDescription": {"text": "rust-openssl has an Out-of-bounds read in PEM password callback when returning an oversized length"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-442j-39wm-28r2", "name": "handlebars: GHSA-442j-39wm-28r2", "shortDescription": {"text": "handlebars: GHSA-442j-39wm-28r2"}, "fullDescription": {"text": "Handlebars.js has a Property Access Validation Bypass in container.lookup"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. 
They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED068", "name": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside.", "shortDescription": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. 
Compiler safety guarantees disabled inside."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-119 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED003", "name": "[MINED003] Rust Unwrap In Prod (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[MINED003] Rust Unwrap In Prod (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED066", "name": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.", "shortDescription": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 29 more): Same pattern found in 29 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 29 more): Same pattern found in 29 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Settings screens sometimes render API keys, tokens, or passwords back into HTML/JSX password fields. 
That still exposes the secret to page source, browser extensions, screenshots, and DOM scraping."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "JRN004", "name": "Consent is collected in UI without visible backend audit persistence", "shortDescription": {"text": "Consent is collected in UI without visible backend audit persistence"}, "fullDescription": {"text": "A frontend journey appears to ask for consent to share identity/KYC/biometric data, but backend code does not show a consent audit model with scope, purpose, legal text version, timestamp, IP, or user-agent evidence."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2025-0098", "name": "unic-ucd-version: RUSTSEC-2025-0098", "shortDescription": {"text": "unic-ucd-version: RUSTSEC-2025-0098"}, "fullDescription": {"text": "`unic-ucd-version` is unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2025-0100", "name": "unic-ucd-ident: RUSTSEC-2025-0100", "shortDescription": {"text": "unic-ucd-ident: RUSTSEC-2025-0100"}, "fullDescription": {"text": "`unic-ucd-ident` is unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2025-0080", "name": "unic-common: RUSTSEC-2025-0080", "shortDescription": {"text": "unic-common: RUSTSEC-2025-0080"}, "fullDescription": {"text": "`unic-common` is unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2025-0075", "name": "unic-char-range: RUSTSEC-2025-0075", "shortDescription": {"text": "unic-char-range: RUSTSEC-2025-0075"}, 
"fullDescription": {"text": "`unic-char-range` is unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2025-0081", "name": "unic-char-property: RUSTSEC-2025-0081", "shortDescription": {"text": "unic-char-property: RUSTSEC-2025-0081"}, "fullDescription": {"text": "`unic-char-property` is unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0009", "name": "time: RUSTSEC-2026-0009", "shortDescription": {"text": "time: RUSTSEC-2026-0009"}, "fullDescription": {"text": "Denial of Service via Stack Exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0068", "name": "tar: RUSTSEC-2026-0068", "shortDescription": {"text": "tar: RUSTSEC-2026-0068"}, "fullDescription": {"text": "tar-rs incorrectly ignores PAX size headers if header size is nonzero"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0067", "name": "tar: RUSTSEC-2026-0067", "shortDescription": {"text": "tar: RUSTSEC-2026-0067"}, "fullDescription": {"text": "`unpack_in` can chmod arbitrary directories by following symlinks"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0104", "name": "rustls-webpki: RUSTSEC-2026-0104", "shortDescription": {"text": "rustls-webpki: RUSTSEC-2026-0104"}, "fullDescription": {"text": "Reachable panic in certificate revocation list parsing"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0099", "name": "rustls-webpki: 
RUSTSEC-2026-0099", "shortDescription": {"text": "rustls-webpki: RUSTSEC-2026-0099"}, "fullDescription": {"text": "Name constraints were accepted for certificates asserting a wildcard name"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0098", "name": "rustls-webpki: RUSTSEC-2026-0098", "shortDescription": {"text": "rustls-webpki: RUSTSEC-2026-0098"}, "fullDescription": {"text": "Name constraints for URI names were incorrectly accepted"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0049", "name": "rustls-webpki: RUSTSEC-2026-0049", "shortDescription": {"text": "rustls-webpki: RUSTSEC-2026-0049"}, "fullDescription": {"text": "CRLs not considered authoritative by Distribution Point due to faulty matching logic"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0001", "name": "rkyv: RUSTSEC-2026-0001", "shortDescription": {"text": "rkyv: RUSTSEC-2026-0001"}, "fullDescription": {"text": "Potential Undefined Behaviors in `Arc<T>`/`Rc<T>` impls of `from_value` on OOM"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0097", "name": "rand: RUSTSEC-2026-0097", "shortDescription": {"text": "rand: RUSTSEC-2026-0097"}, "fullDescription": {"text": "Rand is unsound with a custom logger using `rand::rng()`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0037", "name": "quinn-proto: RUSTSEC-2026-0037", "shortDescription": {"text": "quinn-proto: RUSTSEC-2026-0037"}, "fullDescription": {"text": "Denial of service in Quinn endpoints"}, "properties": 
{"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2024-0370", "name": "proc-macro-error: RUSTSEC-2024-0370", "shortDescription": {"text": "proc-macro-error: RUSTSEC-2024-0370"}, "fullDescription": {"text": "proc-macro-error is unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2024-0436", "name": "paste: RUSTSEC-2024-0436", "shortDescription": {"text": "paste: RUSTSEC-2024-0436"}, "fullDescription": {"text": "paste - no longer maintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xp3w-r5p5-63rr", "name": "openssl: GHSA-xp3w-r5p5-63rr", "shortDescription": {"text": "openssl: GHSA-xp3w-r5p5-63rr"}, "fullDescription": {"text": "rust-openssl has undefined behavior in X509Ref::ocsp_responders for certificates with non-UTF-8 OCSP URLs"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-pqf5-4pqq-29f5", "name": "openssl: GHSA-pqf5-4pqq-29f5", "shortDescription": {"text": "openssl: GHSA-pqf5-4pqq-29f5"}, "fullDescription": {"text": "rust-openssl: Deriver::derive and PkeyCtxRef::derive can overflow short buffers on OpenSSL 1.1.1"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-hppc-g8h3-xhp3", "name": "openssl: GHSA-hppc-g8h3-xhp3", "shortDescription": {"text": "openssl: GHSA-hppc-g8h3-xhp3"}, "fullDescription": {"text": "rust-openssl: Unchecked callback length in PSK/cookie trampolines leaks adjacent memory to peer"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-ghm9-cr32-g9qj", 
"name": "openssl: GHSA-ghm9-cr32-g9qj", "shortDescription": {"text": "openssl: GHSA-ghm9-cr32-g9qj"}, "fullDescription": {"text": "rust-openssl: rustMdCtxRef::digest_final() writes past caller buffer with no length check"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8c75-8mhr-p7r9", "name": "openssl: GHSA-8c75-8mhr-p7r9", "shortDescription": {"text": "openssl: GHSA-8c75-8mhr-p7r9"}, "fullDescription": {"text": "rust-openssl has incorrect bounds assertion in aes key wrap"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2024-0419", "name": "gtk3-macros: RUSTSEC-2024-0419", "shortDescription": {"text": "gtk3-macros: RUSTSEC-2024-0419"}, "fullDescription": {"text": "gtk-rs GTK3 bindings - no longer maintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2024-0420", "name": "gtk-sys: RUSTSEC-2024-0420", "shortDescription": {"text": "gtk-sys: RUSTSEC-2024-0420"}, "fullDescription": {"text": "gtk-rs GTK3 bindings - no longer maintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2024-0415", "name": "gtk: RUSTSEC-2024-0415", "shortDescription": {"text": "gtk: RUSTSEC-2024-0415"}, "fullDescription": {"text": "gtk-rs GTK3 bindings - no longer maintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2024-0429", "name": "glib: RUSTSEC-2024-0429", "shortDescription": {"text": "glib: RUSTSEC-2024-0429"}, "fullDescription": {"text": "Unsoundness in `Iterator` and `DoubleEndedIterator` impls for `glib::VariantStrIter`"}, "properties": {"scanner": "osv-scanner", 
"category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2024-0414", "name": "gdkx11-sys: RUSTSEC-2024-0414", "shortDescription": {"text": "gdkx11-sys: RUSTSEC-2024-0414"}, "fullDescription": {"text": "gtk-rs GTK3 bindings - no longer maintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2024-0417", "name": "gdkx11: RUSTSEC-2024-0417", "shortDescription": {"text": "gdkx11: RUSTSEC-2024-0417"}, "fullDescription": {"text": "gtk-rs GTK3 bindings - no longer maintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2024-0411", "name": "gdkwayland-sys: RUSTSEC-2024-0411", "shortDescription": {"text": "gdkwayland-sys: RUSTSEC-2024-0411"}, "fullDescription": {"text": "gtk-rs GTK3 bindings - no longer maintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2024-0418", "name": "gdk-sys: RUSTSEC-2024-0418", "shortDescription": {"text": "gdk-sys: RUSTSEC-2024-0418"}, "fullDescription": {"text": "gtk-rs GTK3 bindings - no longer maintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2024-0412", "name": "gdk: RUSTSEC-2024-0412", "shortDescription": {"text": "gdk: RUSTSEC-2024-0412"}, "fullDescription": {"text": "gtk-rs GTK3 bindings - no longer maintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2025-0057", "name": "fxhash: RUSTSEC-2025-0057", "shortDescription": {"text": "fxhash: RUSTSEC-2025-0057"}, "fullDescription": {"text": "fxhash - no longer maintained"}, "properties": {"scanner": 
"osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2021-0141", "name": "dotenv: RUSTSEC-2021-0141", "shortDescription": {"text": "dotenv: RUSTSEC-2021-0141"}, "fullDescription": {"text": "dotenv is Unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2024-0388", "name": "derivative: RUSTSEC-2024-0388", "shortDescription": {"text": "derivative: RUSTSEC-2024-0388"}, "fullDescription": {"text": "`derivative` is unmaintained; consider using an alternative"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0007", "name": "bytes: RUSTSEC-2026-0007", "shortDescription": {"text": "bytes: RUSTSEC-2026-0007"}, "fullDescription": {"text": "Integer overflow in `BytesMut::reserve`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2024-0416", "name": "atk-sys: RUSTSEC-2024-0416", "shortDescription": {"text": "atk-sys: RUSTSEC-2024-0416"}, "fullDescription": {"text": "gtk-rs GTK3 bindings - no longer maintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2024-0413", "name": "atk: RUSTSEC-2024-0413", "shortDescription": {"text": "atk: RUSTSEC-2024-0413"}, "fullDescription": {"text": "gtk-rs GTK3 bindings - no longer maintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-p9ff-h696-f583", "name": "vite: GHSA-p9ff-h696-f583", "shortDescription": {"text": "vite: GHSA-p9ff-h696-f583"}, "fullDescription": {"text": "Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket"}, 
"properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r6q2-hw4h-h46w", "name": "tar: GHSA-r6q2-hw4h-h46w", "shortDescription": {"text": "tar: GHSA-r6q2-hw4h-h46w"}, "fullDescription": {"text": "Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qffp-2rhf-9h96", "name": "tar: GHSA-qffp-2rhf-9h96", "shortDescription": {"text": "tar: GHSA-qffp-2rhf-9h96"}, "fullDescription": {"text": "tar has Hardlink Path Traversal via Drive-Relative Linkpath"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9ppj-qmqm-q256", "name": "tar: GHSA-9ppj-qmqm-q256", "shortDescription": {"text": "tar: GHSA-9ppj-qmqm-q256"}, "fullDescription": {"text": "node-tar Symlink Path Traversal via Drive-Relative Linkpath"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8qq5-rm4j-mr97", "name": "tar: GHSA-8qq5-rm4j-mr97", "shortDescription": {"text": "tar: GHSA-8qq5-rm4j-mr97"}, "fullDescription": {"text": "node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-83g3-92jg-28cx", "name": "tar: GHSA-83g3-92jg-28cx", "shortDescription": {"text": "tar: GHSA-83g3-92jg-28cx"}, "fullDescription": {"text": "Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, 
{"id": "GHSA-34x7-hfp2-rc4v", "name": "tar: GHSA-34x7-hfp2-rc4v", "shortDescription": {"text": "tar: GHSA-34x7-hfp2-rc4v"}, "fullDescription": {"text": "node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mw96-cpmx-2vgc", "name": "rollup: GHSA-mw96-cpmx-2vgc", "shortDescription": {"text": "rollup: GHSA-mw96-cpmx-2vgc"}, "fullDescription": {"text": "Rollup 4 has Arbitrary File Write via Path Traversal"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c2c7-rcm5-vvqj", "name": "picomatch: GHSA-c2c7-rcm5-vvqj", "shortDescription": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "fullDescription": {"text": "Picomatch has a ReDoS vulnerability via extglob quantifiers"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7r86-cg39-jmmj", "name": "minimatch: GHSA-7r86-cg39-jmmj", "shortDescription": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "fullDescription": {"text": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3ppc-4f35-3m26", "name": "minimatch: GHSA-3ppc-4f35-3m26", "shortDescription": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "fullDescription": {"text": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-23c5-xmqv-rm74", "name": "minimatch: GHSA-23c5-xmqv-rm74", "shortDescription": {"text": "minimatch: 
GHSA-23c5-xmqv-rm74"}, "fullDescription": {"text": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r5fr-rjxr-66jc", "name": "lodash: GHSA-r5fr-rjxr-66jc", "shortDescription": {"text": "lodash: GHSA-r5fr-rjxr-66jc"}, "fullDescription": {"text": "lodash vulnerable to Code Injection via `_.template` imports key names"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xjpj-3mr7-gcpf", "name": "handlebars: GHSA-xjpj-3mr7-gcpf", "shortDescription": {"text": "handlebars: GHSA-xjpj-3mr7-gcpf"}, "fullDescription": {"text": "Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xhpv-hc6g-r9c6", "name": "handlebars: GHSA-xhpv-hc6g-r9c6", "shortDescription": {"text": "handlebars: GHSA-xhpv-hc6g-r9c6"}, "fullDescription": {"text": "Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9cx6-37pm-9jff", "name": "handlebars: GHSA-9cx6-37pm-9jff", "shortDescription": {"text": "handlebars: GHSA-9cx6-37pm-9jff"}, "fullDescription": {"text": "Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3mfm-83xf-c92r", "name": "handlebars: GHSA-3mfm-83xf-c92r", "shortDescription": {"text": "handlebars: GHSA-3mfm-83xf-c92r"}, 
"fullDescription": {"text": "Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rf6f-7fwh-wjgh", "name": "flatted: GHSA-rf6f-7fwh-wjgh", "shortDescription": {"text": "flatted: GHSA-rf6f-7fwh-wjgh"}, "fullDescription": {"text": "Prototype Pollution via parse() in NodeJS flatted"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-25h7-pfq9-p65f", "name": "flatted: GHSA-25h7-pfq9-p65f", "shortDescription": {"text": "flatted: GHSA-25h7-pfq9-p65f"}, "fullDescription": {"text": "flatted vulnerable to unbounded recursion DoS in parse() revive phase"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. 
Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the resolved path is inside your expected base directory, comparing whole path components (for example with os.path.commonpath()) rather than a raw string prefix, which a sibling directory sharing the prefix would also satisfy. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/upload-artifact` pinned to mutable ref `@v4`", "shortDescription": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "fullDescription": {"text": "`uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "GHSA-5xrq-8626-4rwp", "name": "vitest: GHSA-5xrq-8626-4rwp", "shortDescription": {"text": "vitest: GHSA-5xrq-8626-4rwp"}, "fullDescription": {"text": "When Vitest UI server is listening, arbitrary file can be read and executed"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2w6w-674q-4c4q", "name": "handlebars: GHSA-2w6w-674q-4c4q", "shortDescription": {"text": "handlebars: GHSA-2w6w-674q-4c4q"}, "fullDescription": {"text": "Handlebars.js has JavaScript Injection via AST Type Confusion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "Workflow uses `secrets.CLAUDE_CODE_OAUTH_TOKEN` on a `pull_request` trigger", "shortDescription": {"text": "Workflow uses `secrets.CLAUDE_CODE_OAUTH_TOKEN` on a `pull_request` trigger"}, "fullDescription": {"text": "This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context). Triage note: by default GitHub does not pass repository secrets to `pull_request` runs started from a fork, while `pull_request_target` runs do receive them, so confirm the trigger and the repository's fork-PR settings before rating this finding."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1391"}, "properties": {"repository": "moinulmoin/voicetypr", "repoUrl": "https://github.com/moinulmoin/voicetypr", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 142650, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 142649, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": 
["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 142641, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "GHSA-7gmj-67g7-phm9", "level": "warning", "message": {"text": "tauri: GHSA-7gmj-67g7-phm9"}, "properties": {"repobilityId": 142634, "scanner": "osv-scanner", "fingerprint": "c78fc3687b394ff4fda29827ee55e1c388be6be5a04b09af4eb1b9e60c4057e9", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42184"], "package": "tauri", "rule_id": "GHSA-7gmj-67g7-phm9", "scanner": "osv-scanner", "correlation_key": "vuln|tauri|CVE-2026-42184|src-tauri/cargo.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3pv8-6f4r-ffg2", "level": "warning", 
"message": {"text": "tar: GHSA-3pv8-6f4r-ffg2"}, "properties": {"repobilityId": 142633, "scanner": "osv-scanner", "fingerprint": "6fbd7dfab701e3b4b7a312c0bbd208bb89d525a527aa9070ad2737365865e9df", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "tar", "rule_id": "GHSA-3pv8-6f4r-ffg2", "scanner": "osv-scanner", "correlation_key": "vuln|tar|GHSA-3PV8-6F4R-FFG2|src-tauri/cargo.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xv59-967r-8726", "level": "warning", "message": {"text": "openssl: GHSA-xv59-967r-8726"}, "properties": {"repobilityId": 142621, "scanner": "osv-scanner", "fingerprint": "deb0a495b7a3a9502dd968b4ee70248581288a8168edade878cc80bb4f4730bb", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44662"], "package": "openssl", "rule_id": "GHSA-xv59-967r-8726", "scanner": "osv-scanner", "correlation_key": "vuln|openssl|CVE-2026-44662|src-tauri/cargo.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-phqj-4mhp-q6mq", "level": "warning", "message": {"text": "openssl: GHSA-phqj-4mhp-q6mq"}, "properties": {"repobilityId": 142617, "scanner": "osv-scanner", "fingerprint": "433e1cf6c278eb6881178110f22553b50230835f5e0b13d26e1a17d24dbfa206", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45784"], "package": "openssl", "rule_id": "GHSA-phqj-4mhp-q6mq", "scanner": "osv-scanner", "correlation_key": "vuln|openssl|CVE-2026-45784|src-tauri/cargo.lock"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-58qx-3vcg-4xpx", "level": "warning", "message": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "properties": {"repobilityId": 142598, "scanner": "osv-scanner", "fingerprint": "d698c0969dae25e950d4f8b65b021df28bdeb91476dcc255cdcc9ca9ba3ee73e", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45736"], "package": "ws", "rule_id": "GHSA-58qx-3vcg-4xpx", "scanner": "osv-scanner", "correlation_key": "vuln|ws|CVE-2026-45736|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-93m4-6634-74q7", "level": "warning", "message": {"text": "vite: GHSA-93m4-6634-74q7"}, "properties": {"repobilityId": 142595, "scanner": "osv-scanner", "fingerprint": "754b1d6626e72d8691f7883f12f3362d54578372edf4ba20a02fcff80a0e4f2a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-62522"], "package": "vite", "rule_id": "GHSA-93m4-6634-74q7", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2025-62522|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4w7w-66w2-5vf9", "level": "warning", "message": {"text": "vite: GHSA-4w7w-66w2-5vf9"}, "properties": {"repobilityId": 142594, "scanner": "osv-scanner", "fingerprint": "a2c12e2b28152cf8b2318c26eb42f38e3894a8280e15146de8ce046c997d7d89", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39365"], "package": "vite", "rule_id": 
"GHSA-4w7w-66w2-5vf9", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2026-39365|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qx2v-qp2m-jg93", "level": "warning", "message": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "properties": {"repobilityId": 142586, "scanner": "osv-scanner", "fingerprint": "0b1dff5c952a767b7990e67b0d60cc580116a9b63b14cf0d44b920a59028efbf", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41305"], "package": "postcss", "rule_id": "GHSA-qx2v-qp2m-jg93", "scanner": "osv-scanner", "correlation_key": "vuln|postcss|CVE-2026-41305|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3v7f-55p6-f55p", "level": "warning", "message": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "properties": {"repobilityId": 142584, "scanner": "osv-scanner", "fingerprint": "d9d26d972991fffb51a1613b08ac1e8e722be1c10191fb43cced54b770250e8d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33672"], "package": "picomatch", "rule_id": "GHSA-3v7f-55p6-f55p", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33672|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xxjr-mmjv-4gpg", "level": "warning", "message": {"text": "lodash: GHSA-xxjr-mmjv-4gpg"}, "properties": {"repobilityId": 142580, "scanner": "osv-scanner", "fingerprint": "75f1cf8ff29d8d132d579513aad4027dbb5a93646863d8e7bc0c89343d3402ef", "category": "dependency", "severity": "medium", "confidence": 0.88, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-13465"], "package": "lodash", "rule_id": "GHSA-xxjr-mmjv-4gpg", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2025-13465|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f23m-r3pf-42rh", "level": "warning", "message": {"text": "lodash: GHSA-f23m-r3pf-42rh"}, "properties": {"repobilityId": 142578, "scanner": "osv-scanner", "fingerprint": "529a8e201067f66e4bcd0d6408bc6eece689220a5a65ec65438a230ab5b7cf66", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2950"], "package": "lodash", "rule_id": "GHSA-f23m-r3pf-42rh", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2026-2950|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7rx3-28cr-v5wh", "level": "warning", "message": {"text": "handlebars: GHSA-7rx3-28cr-v5wh"}, "properties": {"repobilityId": 142574, "scanner": "osv-scanner", "fingerprint": "85ba8a8c3bb4acc6a3459d169d64d4879013e992d499c9208de8ad7a36084a86", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "handlebars", "rule_id": "GHSA-7rx3-28cr-v5wh", "scanner": "osv-scanner", "correlation_key": "vuln|handlebars|GHSA-7RX3-28CR-V5WH|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2qvq-rjwj-gvw9", "level": "warning", "message": {"text": "handlebars: GHSA-2qvq-rjwj-gvw9"}, "properties": {"repobilityId": 142570, "scanner": "osv-scanner", "fingerprint": 
"17e1798d1dbb31c5c850819b4d7b3cd310a7dda9641e1eea682fb1e6564e4af8", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33916"], "package": "handlebars", "rule_id": "GHSA-2qvq-rjwj-gvw9", "scanner": "osv-scanner", "correlation_key": "vuln|handlebars|CVE-2026-33916|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f886-m6hf-6m8v", "level": "warning", "message": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "properties": {"repobilityId": 142567, "scanner": "osv-scanner", "fingerprint": "6ed3e11856b985dfd38b234bdeafe6eb9fdd6ace1789aa46a716324dba77d441", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33750"], "package": "brace-expansion", "rule_id": "GHSA-f886-m6hf-6m8v", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-33750|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2g4f-4pwh-qvx6", "level": "warning", "message": {"text": "ajv: GHSA-2g4f-4pwh-qvx6"}, "properties": {"repobilityId": 142566, "scanner": "osv-scanner", "fingerprint": "0b4075edd70eccc9e81ce84656b8a0c1040ecc83769ba1ed4fe7ce3796321c93", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-69873"], "package": "ajv", "rule_id": "GHSA-2g4f-4pwh-qvx6", "scanner": "osv-scanner", "correlation_key": "vuln|ajv|CVE-2025-69873|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": 
"GHSA-vh25-5764-9wcr", "level": "warning", "message": {"text": "@conventional-changelog/git-client: GHSA-vh25-5764-9wcr"}, "properties": {"repobilityId": 142565, "scanner": "osv-scanner", "fingerprint": "7183dcee74186851c61f3c427d9286d192a255a38a9f93b35375437db945c1e2", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-59433"], "package": "@conventional-changelog/git-client", "rule_id": "GHSA-vh25-5764-9wcr", "scanner": "osv-scanner", "correlation_key": "vuln|token|CVE-2025-59433|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 142563, "scanner": "repobility-threat-engine", "fingerprint": "95408b6d68ba0b2deb2f2837890e73b89fa839136f1e6c19c1d9786704926dc7", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open('https://voicetypr.com/#pricing', '_blank')", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|144|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/contexts/LicenseContext.tsx"}, "region": {"startLine": 144}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 142562, "scanner": "repobility-threat-engine", "fingerprint": "e37b6f4d999a854c61a46945627a34a0153e79cac8b4837eceea7fc8bdf03b8f", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(provider.apiKeyUrl, \"_blank\")", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|250|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/ProviderCard.tsx"}, "region": {"startLine": 250}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `jsdom` is 3 major version(s) behind (^26.1.0 -> 29.1.1)"}, "properties": {"repobilityId": 142530, "scanner": "repobility-dependency-currency", "fingerprint": "52f6ea76cbee4ca09302dd9a12129c66aae2a551f1d962353bbe2c2dbddabacf", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "jsdom", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "29.1.1", "correlation_key": "fp|52f6ea76cbee4ca09302dd9a12129c66aae2a551f1d962353bbe2c2dbddabacf", "current_version": "^26.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@vitest/ui` is 1 major version(s) behind (^3.2.4 -> 4.1.8)"}, "properties": {"repobilityId": 142529, "scanner": 
"repobility-dependency-currency", "fingerprint": "b44535a0419316b544c0a735358ecb56d8a7d1b7eb1f4f6a86f99ced3f2069c2", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vitest/ui", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.1.8", "correlation_key": "fp|b44535a0419316b544c0a735358ecb56d8a7d1b7eb1f4f6a86f99ced3f2069c2", "current_version": "^3.2.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@vitejs/plugin-react` is 2 major version(s) behind (^4.3.4 -> 6.0.2)"}, "properties": {"repobilityId": 142528, "scanner": "repobility-dependency-currency", "fingerprint": "06ee9dc2807564816fd431755bc8708fec7bfc400bebc84d19109f74903ee121", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vitejs/plugin-react", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.0.2", "correlation_key": "fp|06ee9dc2807564816fd431755bc8708fec7bfc400bebc84d19109f74903ee121", "current_version": "^4.3.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@types/react-dom` is 1 major version(s) behind (^18.3.1 -> 19.2.3)"}, "properties": {"repobilityId": 142527, "scanner": "repobility-dependency-currency", "fingerprint": "8b1925b03f2422d3ad7ad6f69b0e8c5c15d7d2c36abb22e36cc37bfeeadba277", "category": "dependency", 
"severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/react-dom", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "19.2.3", "correlation_key": "fp|8b1925b03f2422d3ad7ad6f69b0e8c5c15d7d2c36abb22e36cc37bfeeadba277", "current_version": "^18.3.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@eslint/js` is 1 major version(s) behind (^9.39.1 -> 10.0.1)"}, "properties": {"repobilityId": 142523, "scanner": "repobility-dependency-currency", "fingerprint": "9f1248262be2bd1c02e29da5f12f9c85854bb2f08df9cb2dac50eb6701a6e13e", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@eslint/js", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.0.1", "correlation_key": "fp|9f1248262be2bd1c02e29da5f12f9c85854bb2f08df9cb2dac50eb6701a6e13e", "current_version": "^9.39.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 142648, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", 
"evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 142647, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 142646, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": 
"WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 142645, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xmgf-hq76-4vx2", "level": "note", "message": {"text": "openssl: GHSA-xmgf-hq76-4vx2"}, "properties": {"repobilityId": 142619, "scanner": "osv-scanner", "fingerprint": "c831c2e3c9b950ace94cbd0a3c3f15d3d5f6d20e948b9dd195a962572b5fbbf8", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41677"], "package": "openssl", "rule_id": "GHSA-xmgf-hq76-4vx2", "scanner": "osv-scanner", "correlation_key": "vuln|openssl|CVE-2026-41677|src-tauri/cargo.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-442j-39wm-28r2", "level": "note", "message": {"text": "handlebars: GHSA-442j-39wm-28r2"}, "properties": {"repobilityId": 142573, "scanner": "osv-scanner", "fingerprint": "e21584bfcab1f4840fba0e3149d8014642fb9c5af8cc5ecf77af95826059b67b", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": 
"handlebars", "rule_id": "GHSA-442j-39wm-28r2", "scanner": "osv-scanner", "correlation_key": "vuln|handlebars|GHSA-442J-39WM-28R2|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `tw-animate-css` is minor version(s) behind (^1.3.5 -> 1.4.0)"}, "properties": {"repobilityId": 142531, "scanner": "repobility-dependency-currency", "fingerprint": "9067cabba7eb05ef726089ea16cad0631ddfc3dd4fb607c762b44e996ad03f61", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "tw-animate-css", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.4.0", "correlation_key": "fp|9067cabba7eb05ef726089ea16cad0631ddfc3dd4fb607c762b44e996ad03f61", "current_version": "^1.3.5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@testing-library/jest-dom` is minor version(s) behind (^6.6.3 -> 6.9.1)"}, "properties": {"repobilityId": 142525, "scanner": "repobility-dependency-currency", "fingerprint": "1dedd64c567dca3bf4d79f1a768fb81c578d34d5aca334cb9ac26512555786a0", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@testing-library/jest-dom", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.9.1", "correlation_key": "fp|1dedd64c567dca3bf4d79f1a768fb81c578d34d5aca334cb9ac26512555786a0", "current_version": "^6.6.3"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@tauri-apps/cli` is minor version(s) behind (^2 -> 2.11.2)"}, "properties": {"repobilityId": 142524, "scanner": "repobility-dependency-currency", "fingerprint": "e7b9055c7f88fdafec00143de3c6e52b3253e4741754e9ce5124bb9bbe44904f", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@tauri-apps/cli", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.11.2", "correlation_key": "fp|e7b9055c7f88fdafec00143de3c6e52b3253e4741754e9ce5124bb9bbe44904f", "current_version": "^2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `tailwind-merge` is minor version(s) behind (^3.3.1 -> 3.6.0)"}, "properties": {"repobilityId": 142520, "scanner": "repobility-dependency-currency", "fingerprint": "e1373d1886013d250bf74299d5e4beef9cfe76b0c36a071305560ff0b98a36fb", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "tailwind-merge", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.6.0", "correlation_key": "fp|e1373d1886013d250bf74299d5e4beef9cfe76b0c36a071305560ff0b98a36fb", "current_version": "^3.3.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm 
package `react-error-boundary` is minor version(s) behind (^6.0.0 -> 6.1.2)"}, "properties": {"repobilityId": 142518, "scanner": "repobility-dependency-currency", "fingerprint": "380a150009f3d0d570f1f697f6065e781e37c800e4a22ebe3292751bb8a1cc4c", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "react-error-boundary", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.1.2", "correlation_key": "fp|380a150009f3d0d570f1f697f6065e781e37c800e4a22ebe3292751bb8a1cc4c", "current_version": "^6.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@tauri-apps/plugin-updater` is minor version(s) behind (^2.9.0 -> 2.10.1)"}, "properties": {"repobilityId": 142517, "scanner": "repobility-dependency-currency", "fingerprint": "21f3c39d5f6df6fd185a81161a43ad1e37b7545a55e77e204cacb35bad4e7f21", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@tauri-apps/plugin-updater", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.10.1", "correlation_key": "fp|21f3c39d5f6df6fd185a81161a43ad1e37b7545a55e77e204cacb35bad4e7f21", "current_version": "^2.9.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@tauri-apps/plugin-dialog` is minor version(s) behind (^2.3.0 -> 2.7.1)"}, "properties": {"repobilityId": 142512, "scanner": 
"repobility-dependency-currency", "fingerprint": "f4fb7e2e071a263276bc6929e1d707f26f736ee5bd5aeb510d7be85a112e4541", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@tauri-apps/plugin-dialog", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.7.1", "correlation_key": "fp|f4fb7e2e071a263276bc6929e1d707f26f736ee5bd5aeb510d7be85a112e4541", "current_version": "^2.3.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@tauri-apps/api` is minor version(s) behind (^2 -> 2.11.0)"}, "properties": {"repobilityId": 142510, "scanner": "repobility-dependency-currency", "fingerprint": "b54b2691ca3541f4d87589303ee57ec025df6e89612d64e8babe896f885c674d", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@tauri-apps/api", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.11.0", "correlation_key": "fp|b54b2691ca3541f4d87589303ee57ec025df6e89612d64e8babe896f885c674d", "current_version": "^2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 142482, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3ee5a14a986430b2033fb1045bedcb2b8d617cfd6cb4c00ea2c02a2f5921eff2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": 
"open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/hooks/useAccessibilityPermission.ts", "duplicate_line": 46, "correlation_key": "fp|3ee5a14a986430b2033fb1045bedcb2b8d617cfd6cb4c00ea2c02a2f5921eff2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/hooks/useMicrophonePermission.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 142481, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0d1c797465832825f29e1d6cf5af98753d0b2deeb5d18a35d7de11129ce0aa69", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/LanguageSelection.tsx", "duplicate_line": 2, "correlation_key": "fp|0d1c797465832825f29e1d6cf5af98753d0b2deeb5d18a35d7de11129ce0aa69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/ui/combobox.tsx"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 142480, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ae016d7918cda133a6b7304ff962660537fa970bf8d148c88a066bb7388d151b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", 
"evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/tabs/RecordingsTab.tsx", "duplicate_line": 15, "correlation_key": "fp|ae016d7918cda133a6b7304ff962660537fa970bf8d148c88a066bb7388d151b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/tabs/TabContainer.tsx"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 142479, "scanner": "repobility-ai-code-hygiene", "fingerprint": "89ceb8c6330cc46d54c423c61f34f6fe7296e9bfd329ac14025e613a6cb1d5fa", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/onboarding/OnboardingDesktop.tsx", "duplicate_line": 401, "correlation_key": "fp|89ceb8c6330cc46d54c423c61f34f6fe7296e9bfd329ac14025e613a6cb1d5fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/sections/ModelsSection.tsx"}, "region": {"startLine": 293}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 142478, "scanner": "repobility-ai-code-hygiene", "fingerprint": "eab32f8ab3cde6534cac4a95b0487ad6fdf956c087f3fbcedef74fbb57f10257", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "src/components/LanguageSelection.tsx", "duplicate_line": 1, "correlation_key": "fp|eab32f8ab3cde6534cac4a95b0487ad6fdf956c087f3fbcedef74fbb57f10257"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/MicrophoneSelection.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 142477, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c200412d2cbbefb30e6ebbcc5c7b5589e840dbb146c082a8dbc02f79e1399e94", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src-tauri/src/ai/gemini.rs", "duplicate_line": 142, "correlation_key": "fp|c200412d2cbbefb30e6ebbcc5c7b5589e840dbb146c082a8dbc02f79e1399e94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/src/ai/openai.rs"}, "region": {"startLine": 167}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 142476, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d93514957947e73ca0d09b02f755a1b4a961f0af591e1f2414c9e046ba33e833", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src-tauri/src/ai/anthropic.rs", "duplicate_line": 51, "correlation_key": 
"fp|d93514957947e73ca0d09b02f755a1b4a961f0af591e1f2414c9e046ba33e833"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/src/ai/openai.rs"}, "region": {"startLine": 79}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 142475, "scanner": "repobility-ai-code-hygiene", "fingerprint": "77f06aaf9f01df55bc4785e253e9783395b55d618275a6b06cdf91a86c210afe", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src-tauri/src/ai/anthropic.rs", "duplicate_line": 19, "correlation_key": "fp|77f06aaf9f01df55bc4785e253e9783395b55d618275a6b06cdf91a86c210afe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/src/ai/gemini.rs"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 142559, "scanner": "repobility-threat-engine", "fingerprint": "976bb413e58f70f53fa6a891d8be3bb3844b6ff3fd9e04272cb46082ff0a16ea", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|976bb413e58f70f53fa6a891d8be3bb3844b6ff3fd9e04272cb46082ff0a16ea", "aggregated_count": 1}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 142558, "scanner": "repobility-threat-engine", "fingerprint": "16d0e100949bc2cfcf9aaf768e12a7cddf6b16fdcb74cdc8a99c1f90ce4e8b80", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|16d0e100949bc2cfcf9aaf768e12a7cddf6b16fdcb74cdc8a99c1f90ce4e8b80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/hooks/useRecording.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 142557, "scanner": "repobility-threat-engine", "fingerprint": "1757603d59d28c6e964d2098df8a98f60fbd9bbde6a83f51a107cb7481dc2704", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1757603d59d28c6e964d2098df8a98f60fbd9bbde6a83f51a107cb7481dc2704"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/OpenAICompatConfigModal.tsx"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 142556, "scanner": "repobility-threat-engine", "fingerprint": "edbca9a7364a519f0b2bd79bc522210457d97c6e05967a74265e85f754a7a5b0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|edbca9a7364a519f0b2bd79bc522210457d97c6e05967a74265e85f754a7a5b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/EnhancementSettings.tsx"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts that the value is not null, bypassing the compiler's null checks; a TypeError can follow at runtime if the assertion is wrong."}, "properties": {"repobilityId": 142555, "scanner": "repobility-threat-engine", "fingerprint": "71dee3edf5ac79dab13b3844e9f31b9ddf481124a7a6cf6446f43e072f5eb8e3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|71dee3edf5ac79dab13b3844e9f31b9ddf481124a7a6cf6446f43e072f5eb8e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/AppContainer.tsx"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 142554, "scanner": "repobility-threat-engine", "fingerprint": "e3388b234273f4a2e74e16f8adc875a3f1486e18f190fcdf1616eb27c8e71c32", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|e3388b234273f4a2e74e16f8adc875a3f1486e18f190fcdf1616eb27c8e71c32", "aggregated_count": 1}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 142553, "scanner": "repobility-threat-engine", "fingerprint": "011e1fade48475afb7ec192091abebefe1dc27b2c8a78a2be8f87830a6bf4d6d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|011e1fade48475afb7ec192091abebefe1dc27b2c8a78a2be8f87830a6bf4d6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/ios-spinner.tsx"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 142552, "scanner": "repobility-threat-engine", "fingerprint": "98e54619c6904f0f60ebb8174cb6d559542c99bd5ef5c0c2bca7108649a05ad1", "category": 
"quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|98e54619c6904f0f60ebb8174cb6d559542c99bd5ef5c0c2bca7108649a05ad1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/AudioDots.tsx"}, "region": {"startLine": 132}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 142551, "scanner": "repobility-threat-engine", "fingerprint": "baf7595172774787916477543ffd6995898768ec7954fd59238e06248e230b3e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|baf7595172774787916477543ffd6995898768ec7954fd59238e06248e230b3e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/ActivityGraph.tsx"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. 
Compiler safety guarantees are not enforced for the unsafe operations inside it."}, "properties": {"repobilityId": 142550, "scanner": "repobility-threat-engine", "fingerprint": "6d3d9aaa064098f535e19c9ba161acf307407bd910685b8bfe4bc311a751a060", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6d3d9aaa064098f535e19c9ba161acf307407bd910685b8bfe4bc311a751a060"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/src/utils/display_watcher.rs"}, "region": {"startLine": 73}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 142549, "scanner": "repobility-threat-engine", "fingerprint": "dfda4170aff520d17dd79e2ba83251ca47508d2ca8ba93d0fcc46ccc46e07c8c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|dfda4170aff520d17dd79e2ba83251ca47508d2ca8ba93d0fcc46ccc46e07c8c"}}}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 142545, "scanner": "repobility-threat-engine", "fingerprint": "ca4371b49713f7f1e7396fca98393b27c11b076a93760a57240037a13ba79022", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ca4371b49713f7f1e7396fca98393b27c11b076a93760a57240037a13ba79022"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/src/parakeet/sidecar.rs"}, "region": {"startLine": 239}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 142544, "scanner": "repobility-threat-engine", "fingerprint": "371613218c3836d665004f21239be737ab5e908efae5e10495d9c7169ab37b5f", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'spec\\b' detected on same line", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|371613218c3836d665004f21239be737ab5e908efae5e10495d9c7169ab37b5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/src/audio/normalizer_tests.rs"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED003", "level": "none", "message": {"text": "[MINED003] Rust Unwrap In Prod (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 142543, "scanner": "repobility-threat-engine", "fingerprint": "330e42929a5c248fc895cf635b2a2264c388d68f96eeee14bca3aae26f23cede", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|330e42929a5c248fc895cf635b2a2264c388d68f96eeee14bca3aae26f23cede", "aggregated_count": 7}}}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 142537, "scanner": "repobility-threat-engine", "fingerprint": "9b1e155263141a1a61b75cdada57d1618dec2cced3496f60bfbb306b79cc5818", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9b1e155263141a1a61b75cdada57d1618dec2cced3496f60bfbb306b79cc5818"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/src/parakeet/sidecar.rs"}, "region": {"startLine": 250}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. 
Use Result for recoverable errors."}, "properties": {"repobilityId": 142536, "scanner": "repobility-threat-engine", "fingerprint": "1c375acd314a6e187bd46bf389428571a4c67d00d98d079bc9bdbf3b925a3e58", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1c375acd314a6e187bd46bf389428571a4c67d00d98d079bc9bdbf3b925a3e58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/build.rs"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 29 more): Same pattern found in 29 additional files. Review if needed."}, "properties": {"repobilityId": 142535, "scanner": "repobility-threat-engine", "fingerprint": "0544e6fe05f555556705d7f64dbdc12942be0f7ce56998ffde430121732b8770", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 29 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|0544e6fe05f555556705d7f64dbdc12942be0f7ce56998ffde430121732b8770", "aggregated_count": 29}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 142534, "scanner": "repobility-threat-engine", "fingerprint": "3984ab79aa4b1ad60b70d8fbe9d7ddcfbbb6151081eac4b0382067d928a3efbe", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3984ab79aa4b1ad60b70d8fbe9d7ddcfbbb6151081eac4b0382067d928a3efbe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/CrashReportDialog.tsx"}, "region": {"startLine": 109}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 142533, "scanner": "repobility-threat-engine", "fingerprint": "b449265ac8ca0ad7c3539734794bb3dd0cc898e763a4485ccc1d04682a24fc68", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b449265ac8ca0ad7c3539734794bb3dd0cc898e763a4485ccc1d04682a24fc68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/AppContainer.tsx"}, "region": {"startLine": 138}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 142532, "scanner": "repobility-threat-engine", "fingerprint": "1872fa489f16aa4fbaf6428304953ddccf1c289e0bf826592452399104450e70", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1872fa489f16aa4fbaf6428304953ddccf1c289e0bf826592452399104450e70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/clear-license-cache.js"}, "region": {"startLine": 8}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@testing-library/react` is patch version(s) behind (^16.3.0 -> 16.3.2)"}, "properties": {"repobilityId": 142526, "scanner": "repobility-dependency-currency", "fingerprint": "1c5fb9b7cab4e4cb5035c89c36e5513cb2c4e05d7adac91f705668483ec6d4da", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@testing-library/react", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "16.3.2", "correlation_key": "fp|1c5fb9b7cab4e4cb5035c89c36e5513cb2c4e05d7adac91f705668483ec6d4da", "current_version": "^16.3.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package 
`@eslint/eslintrc` is patch version(s) behind (^3.3.1 -> 3.3.5)"}, "properties": {"repobilityId": 142522, "scanner": "repobility-dependency-currency", "fingerprint": "b1cd241a008574f9bb58d952bc80bd06de524ce4967e9ef7dc33d3e858566fcd", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@eslint/eslintrc", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.3.5", "correlation_key": "fp|b1cd241a008574f9bb58d952bc80bd06de524ce4967e9ef7dc33d3e858566fcd", "current_version": "^3.3.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `zustand` is patch version(s) behind (^5.0.8 -> 5.0.14)"}, "properties": {"repobilityId": 142521, "scanner": "repobility-dependency-currency", "fingerprint": "970bb44c533ac4f0ea75507ef0c2d5abcccb7d733ef2e733d824349abfcb9177", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "zustand", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.0.14", "correlation_key": "fp|970bb44c533ac4f0ea75507ef0c2d5abcccb7d733ef2e733d824349abfcb9177", "current_version": "^5.0.8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `sonner` is patch version(s) behind (^2.0.6 -> 2.0.7)"}, "properties": {"repobilityId": 142519, "scanner": "repobility-dependency-currency", "fingerprint": 
"66936ac965964108a22c3fba5f19f27f786d2c9ff6aac27ddd2a7731c78b801a", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "sonner", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.0.7", "correlation_key": "fp|66936ac965964108a22c3fba5f19f27f786d2c9ff6aac27ddd2a7731c78b801a", "current_version": "^2.0.6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@tauri-apps/plugin-shell` is patch version(s) behind (^2.3.0 -> 2.3.5)"}, "properties": {"repobilityId": 142516, "scanner": "repobility-dependency-currency", "fingerprint": "96a92e948e5819b6e31fdfea0b42b30a72e1db6a23317b36f2be30534aaba8df", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@tauri-apps/plugin-shell", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.3.5", "correlation_key": "fp|96a92e948e5819b6e31fdfea0b42b30a72e1db6a23317b36f2be30534aaba8df", "current_version": "^2.3.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@tauri-apps/plugin-process` is patch version(s) behind (^2.3.0 -> 2.3.1)"}, "properties": {"repobilityId": 142515, "scanner": "repobility-dependency-currency", "fingerprint": "21b7b32630ee6146da7e7b5540600838910cae527e654b6067af6fd30e4f3146", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": 
"open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@tauri-apps/plugin-process", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.3.1", "correlation_key": "fp|21b7b32630ee6146da7e7b5540600838910cae527e654b6067af6fd30e4f3146", "current_version": "^2.3.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@tauri-apps/plugin-os` is patch version(s) behind (^2.3.0 -> 2.3.2)"}, "properties": {"repobilityId": 142514, "scanner": "repobility-dependency-currency", "fingerprint": "b9384fe00ff9975da94d7ba70fb7666498c64edc262dd18603cd4b15c693833c", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@tauri-apps/plugin-os", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.3.2", "correlation_key": "fp|b9384fe00ff9975da94d7ba70fb7666498c64edc262dd18603cd4b15c693833c", "current_version": "^2.3.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@tauri-apps/plugin-global-shortcut` is patch version(s) behind (^2.3.0 -> 2.3.2)"}, "properties": {"repobilityId": 142513, "scanner": "repobility-dependency-currency", "fingerprint": "cde8372b279a3da81331894eb9bace323f82f1fc2729940798ddc8235d02ddad", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", 
"cwe_ids": [], "package": "@tauri-apps/plugin-global-shortcut", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.3.2", "correlation_key": "fp|cde8372b279a3da81331894eb9bace323f82f1fc2729940798ddc8235d02ddad", "current_version": "^2.3.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@tauri-apps/plugin-autostart` is patch version(s) behind (^2.5.0 -> 2.5.1)"}, "properties": {"repobilityId": 142511, "scanner": "repobility-dependency-currency", "fingerprint": "a178d9c2bbe739d347e3c37504c19c74b4a91ad43c772690f90821aa4526a679", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@tauri-apps/plugin-autostart", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.5.1", "correlation_key": "fp|a178d9c2bbe739d347e3c37504c19c74b4a91ad43c772690f90821aa4526a679", "current_version": "^2.5.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@radix-ui/react-slot` is patch version(s) behind (^1.2.3 -> 1.2.4)"}, "properties": {"repobilityId": 142509, "scanner": "repobility-dependency-currency", "fingerprint": "4f28d72a260775e71a13634537965abae0724cb0d63584a1ff56949a1b0fa898", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@radix-ui/react-slot", "scanner": "repobility-dependency-currency", "ecosystem": "npm", 
"languages": ["javascript"], "latest_version": "1.2.4", "correlation_key": "fp|4f28d72a260775e71a13634537965abae0724cb0d63584a1ff56949a1b0fa898", "current_version": "^1.2.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 142644, "scanner": "repobility-journey-contract", "fingerprint": "a5bf0b443a097de87a83fe7075703c1f5e89a43f32a15452383ff7e2e944d50a", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|142|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/OpenAICompatConfigModal.tsx"}, "region": {"startLine": 142}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 142643, "scanner": "repobility-journey-contract", "fingerprint": "66505d458cf7f7aa27b3f21ff35c134ce56c68061daf02f6997436ce1b8bb665", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|110|jrn009"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "src/components/ApiKeyModal.tsx"}, "region": {"startLine": 110}}}]}, {"ruleId": "JRN004", "level": "error", "message": {"text": "Consent is collected in UI without visible backend audit persistence"}, "properties": {"repobilityId": 142642, "scanner": "repobility-journey-contract", "fingerprint": "ead59c1fdb46b9cf1741e62ee119e1b90abc5728603bcd3e94f02641f2837759", "category": "auth", "severity": "high", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Frontend consent wording was found, but backend consent/audit metadata was not visible.", "evidence": {"rule_id": "JRN004", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "code|auth|token|269|jrn004", "backend_consent_model": false, "backend_audit_signal_count": 0}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/tabs/OverviewTab.tsx"}, "region": {"startLine": 269}}}]}, {"ruleId": "RUSTSEC-2025-0098", "level": "error", "message": {"text": "unic-ucd-version: RUSTSEC-2025-0098"}, "properties": {"repobilityId": 142640, "scanner": "osv-scanner", "fingerprint": "4591b2e40fb625ee960e40b825e792320d36cc2b67f21cf95d9380adf1051c2a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "unic-ucd-version", "rule_id": "RUSTSEC-2025-0098", "scanner": "osv-scanner", "correlation_key": "fp|4591b2e40fb625ee960e40b825e792320d36cc2b67f21cf95d9380adf1051c2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2025-0100", "level": "error", "message": {"text": "unic-ucd-ident: RUSTSEC-2025-0100"}, "properties": {"repobilityId": 142639, "scanner": "osv-scanner", "fingerprint": "8f0570f29425dacdaa9e6997abb4528c66840a88120ce791b63b3604083abd9c", 
"category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "unic-ucd-ident", "rule_id": "RUSTSEC-2025-0100", "scanner": "osv-scanner", "correlation_key": "fp|8f0570f29425dacdaa9e6997abb4528c66840a88120ce791b63b3604083abd9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2025-0080", "level": "error", "message": {"text": "unic-common: RUSTSEC-2025-0080"}, "properties": {"repobilityId": 142638, "scanner": "osv-scanner", "fingerprint": "cf1566186549b3fdb16dd0298d40269c1157ccf6913d429e78a96348713d29af", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "unic-common", "rule_id": "RUSTSEC-2025-0080", "scanner": "osv-scanner", "correlation_key": "fp|cf1566186549b3fdb16dd0298d40269c1157ccf6913d429e78a96348713d29af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2025-0075", "level": "error", "message": {"text": "unic-char-range: RUSTSEC-2025-0075"}, "properties": {"repobilityId": 142637, "scanner": "osv-scanner", "fingerprint": "1739c48acc4fb0c76651621d921bf8f5d82aa101e665c4cebb325e7fc5351f98", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "unic-char-range", "rule_id": "RUSTSEC-2025-0075", "scanner": "osv-scanner", "correlation_key": "fp|1739c48acc4fb0c76651621d921bf8f5d82aa101e665c4cebb325e7fc5351f98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2025-0081", "level": "error", "message": {"text": "unic-char-property: 
RUSTSEC-2025-0081"}, "properties": {"repobilityId": 142636, "scanner": "osv-scanner", "fingerprint": "c4282273c2e617677882e3ba89a689c44b5af66009047606a9897a5334f5009f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "unic-char-property", "rule_id": "RUSTSEC-2025-0081", "scanner": "osv-scanner", "correlation_key": "fp|c4282273c2e617677882e3ba89a689c44b5af66009047606a9897a5334f5009f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0009", "level": "error", "message": {"text": "time: RUSTSEC-2026-0009"}, "properties": {"repobilityId": 142635, "scanner": "osv-scanner", "fingerprint": "5a8933e040e68e66f54ca62157e1aedf3cb0e5f4a0b34c593de6b4b88ecfc25e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-25727", "GHSA-r6v5-fh4h-64xc"], "package": "time", "rule_id": "RUSTSEC-2026-0009", "scanner": "osv-scanner", "correlation_key": "vuln|time|CVE-2026-25727|src-tauri/cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-r6v5-fh4h-64xc", "RUSTSEC-2026-0009"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["5a8933e040e68e66f54ca62157e1aedf3cb0e5f4a0b34c593de6b4b88ecfc25e", "a8d05d590fa4719549db2b823def4f3ff417c2c126c0f9c795ea5fee7a20c7f3"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0068", "level": "error", "message": {"text": "tar: RUSTSEC-2026-0068"}, "properties": {"repobilityId": 142632, "scanner": "osv-scanner", "fingerprint": "c4db76964541c3b5ffe182bc487327c30a5594123d23b2941cf775c555c43807", "category": 
"dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-33055", "GHSA-gchp-q4r4-x4ff"], "package": "tar", "rule_id": "RUSTSEC-2026-0068", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-33055|src-tauri/cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-gchp-q4r4-x4ff", "RUSTSEC-2026-0068"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["402cc816bb49d03a93e8eaa159e82aacfc80e37a34002876bf2dbaf1e4b0b883", "c4db76964541c3b5ffe182bc487327c30a5594123d23b2941cf775c555c43807"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0067", "level": "error", "message": {"text": "tar: RUSTSEC-2026-0067"}, "properties": {"repobilityId": 142631, "scanner": "osv-scanner", "fingerprint": "126c0ddd175838630608dd53ed1c5ea421936099abaa6eae4f7882e928f5dcbd", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-33056", "GHSA-j4xf-2g29-59ph"], "package": "tar", "rule_id": "RUSTSEC-2026-0067", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-33056|src-tauri/cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-j4xf-2g29-59ph", "RUSTSEC-2026-0067"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["126c0ddd175838630608dd53ed1c5ea421936099abaa6eae4f7882e928f5dcbd", "b8920ab8c66279e07d7c44e0fc4445fea8bcdcec32c6efab0aedd062fd567052"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0104", "level": "error", "message": {"text": 
"rustls-webpki: RUSTSEC-2026-0104"}, "properties": {"repobilityId": 142630, "scanner": "osv-scanner", "fingerprint": "8d52f67d76752674951e11bd603b3cdeb195c2e6c59d3fa50cc5a03abd4f8e3c", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-82j2-j2ch-gfr8"], "package": "rustls-webpki", "rule_id": "RUSTSEC-2026-0104", "scanner": "osv-scanner", "correlation_key": "vuln|rustls-webpki|GHSA-82J2-J2CH-GFR8|src-tauri/cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-82j2-j2ch-gfr8", "RUSTSEC-2026-0104"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["8d52f67d76752674951e11bd603b3cdeb195c2e6c59d3fa50cc5a03abd4f8e3c", "d003c636103f527d27e65d3a7b5ef3c379f08a0550dfb61e8561579389042350"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0099", "level": "error", "message": {"text": "rustls-webpki: RUSTSEC-2026-0099"}, "properties": {"repobilityId": 142629, "scanner": "osv-scanner", "fingerprint": "0b9e266482653e01416e4ddc29252afa9e5342d08a97fa79f1c5126ad4729290", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-xgp8-3hg3-c2mh"], "package": "rustls-webpki", "rule_id": "RUSTSEC-2026-0099", "scanner": "osv-scanner", "correlation_key": "vuln|rustls-webpki|GHSA-XGP8-3HG3-C2MH|src-tauri/cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-xgp8-3hg3-c2mh", "RUSTSEC-2026-0099"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["0b9e266482653e01416e4ddc29252afa9e5342d08a97fa79f1c5126ad4729290", 
"c6d50d0050e13ea94d8be1dd8450b02cb14df177717f0c88c5574762a648cd47"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0098", "level": "error", "message": {"text": "rustls-webpki: RUSTSEC-2026-0098"}, "properties": {"repobilityId": 142628, "scanner": "osv-scanner", "fingerprint": "4e8ef62161c71f184600fe118f206f25db8a34d3566a3a3e6a6994f7db214688", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-965h-392x-2mh5"], "package": "rustls-webpki", "rule_id": "RUSTSEC-2026-0098", "scanner": "osv-scanner", "correlation_key": "vuln|rustls-webpki|GHSA-965H-392X-2MH5|src-tauri/cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-965h-392x-2mh5", "RUSTSEC-2026-0098"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["4e8ef62161c71f184600fe118f206f25db8a34d3566a3a3e6a6994f7db214688", "db0736601006d0fba48e9de64541359b29f54f86b3cf125523c1dca44b255d72"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0049", "level": "error", "message": {"text": "rustls-webpki: RUSTSEC-2026-0049"}, "properties": {"repobilityId": 142627, "scanner": "osv-scanner", "fingerprint": "71c40ac85574d09d9de1ea898c7f614d2f2f950300c42fa2ec8cc23b231d1dca", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-pwjx-qhcg-rvj4"], "package": "rustls-webpki", "rule_id": "RUSTSEC-2026-0049", "scanner": "osv-scanner", "correlation_key": "vuln|rustls-webpki|GHSA-PWJX-QHCG-RVJ4|src-tauri/cargo.lock", 
"duplicate_count": 1, "duplicate_rule_ids": ["GHSA-pwjx-qhcg-rvj4", "RUSTSEC-2026-0049"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["2759bc7cf7d91d3061b4fe7917c268b90ec14c58f0278d848c8b66ea93756927", "71c40ac85574d09d9de1ea898c7f614d2f2f950300c42fa2ec8cc23b231d1dca"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0001", "level": "error", "message": {"text": "rkyv: RUSTSEC-2026-0001"}, "properties": {"repobilityId": 142626, "scanner": "osv-scanner", "fingerprint": "18821a0f725254daf7e3bca7c296aec0796d0a71b6d60c1a566aacc965bc0998", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "rkyv", "rule_id": "RUSTSEC-2026-0001", "scanner": "osv-scanner", "correlation_key": "fp|18821a0f725254daf7e3bca7c296aec0796d0a71b6d60c1a566aacc965bc0998"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0097", "level": "error", "message": {"text": "rand: RUSTSEC-2026-0097"}, "properties": {"repobilityId": 142625, "scanner": "osv-scanner", "fingerprint": "c56ef8d145dd32f945400970aa791b54c3acb672a4180fac523999d598e218f7", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-cq8v-f236-94qc"], "package": "rand", "rule_id": "RUSTSEC-2026-0097", "scanner": "osv-scanner", "correlation_key": "vuln|rand|GHSA-CQ8V-F236-94QC|src-tauri/cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-cq8v-f236-94qc", "RUSTSEC-2026-0097"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": 
["2f8c209f4e7730beb285c4c3f9d17b0ab5ebcd39d33650562e036f6550fa066c", "c56ef8d145dd32f945400970aa791b54c3acb672a4180fac523999d598e218f7"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0037", "level": "error", "message": {"text": "quinn-proto: RUSTSEC-2026-0037"}, "properties": {"repobilityId": 142624, "scanner": "osv-scanner", "fingerprint": "d15a592f4b4df385f73ef7fbb11f15c647252dddf0cf3847167c098ae9ea534f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-31812", "GHSA-6xvm-j4wr-6v98"], "package": "quinn-proto", "rule_id": "RUSTSEC-2026-0037", "scanner": "osv-scanner", "correlation_key": "vuln|quinn-proto|CVE-2026-31812|src-tauri/cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-6xvm-j4wr-6v98", "RUSTSEC-2026-0037"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["1986647ea8680721d9570e1f0cbbf804f7344f5ccebd2675be373cdecf13a513", "d15a592f4b4df385f73ef7fbb11f15c647252dddf0cf3847167c098ae9ea534f"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0370", "level": "error", "message": {"text": "proc-macro-error: RUSTSEC-2024-0370"}, "properties": {"repobilityId": 142623, "scanner": "osv-scanner", "fingerprint": "a946e591a9b106b829dadcf373416f107496dfa41f7c884a9eb5fe91c9d29303", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "proc-macro-error", "rule_id": "RUSTSEC-2024-0370", "scanner": "osv-scanner", "correlation_key": "fp|a946e591a9b106b829dadcf373416f107496dfa41f7c884a9eb5fe91c9d29303"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0436", "level": "error", "message": {"text": "paste: RUSTSEC-2024-0436"}, "properties": {"repobilityId": 142622, "scanner": "osv-scanner", "fingerprint": "15430abc114bd39fb445d4755d2c4465106313ff59dfe71c606e6042f261651f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "paste", "rule_id": "RUSTSEC-2024-0436", "scanner": "osv-scanner", "correlation_key": "fp|15430abc114bd39fb445d4755d2c4465106313ff59dfe71c606e6042f261651f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xp3w-r5p5-63rr", "level": "error", "message": {"text": "openssl: GHSA-xp3w-r5p5-63rr"}, "properties": {"repobilityId": 142620, "scanner": "osv-scanner", "fingerprint": "b6fc16688c800a2689e601f4daeea81a8722f599551cb96e707c2bc889b30dd9", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42327"], "package": "openssl", "rule_id": "GHSA-xp3w-r5p5-63rr", "scanner": "osv-scanner", "correlation_key": "vuln|openssl|CVE-2026-42327|src-tauri/cargo.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-pqf5-4pqq-29f5", "level": "error", "message": {"text": "openssl: GHSA-pqf5-4pqq-29f5"}, "properties": {"repobilityId": 142618, "scanner": "osv-scanner", "fingerprint": "162fceec944822b21d6c1a8487ee08103e9f8d0de70c7e79f5bb15cb8b635da0", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41676"], "package": 
"openssl", "rule_id": "GHSA-pqf5-4pqq-29f5", "scanner": "osv-scanner", "correlation_key": "vuln|openssl|CVE-2026-41676|src-tauri/cargo.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-hppc-g8h3-xhp3", "level": "error", "message": {"text": "openssl: GHSA-hppc-g8h3-xhp3"}, "properties": {"repobilityId": 142616, "scanner": "osv-scanner", "fingerprint": "0f86093a835200549dc33b5b90cb10b4c2ff28884f85dac44f5dbf1d739862fb", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41898"], "package": "openssl", "rule_id": "GHSA-hppc-g8h3-xhp3", "scanner": "osv-scanner", "correlation_key": "vuln|openssl|CVE-2026-41898|src-tauri/cargo.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-ghm9-cr32-g9qj", "level": "error", "message": {"text": "openssl: GHSA-ghm9-cr32-g9qj"}, "properties": {"repobilityId": 142615, "scanner": "osv-scanner", "fingerprint": "185e77b828331034223acdccef7a0454e72a6ab912b582c5f9b89fa8c479447f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41681"], "package": "openssl", "rule_id": "GHSA-ghm9-cr32-g9qj", "scanner": "osv-scanner", "correlation_key": "vuln|openssl|CVE-2026-41681|src-tauri/cargo.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8c75-8mhr-p7r9", "level": "error", "message": {"text": "openssl: GHSA-8c75-8mhr-p7r9"}, "properties": {"repobilityId": 142614, "scanner": "osv-scanner", "fingerprint": "79547951059cc379f76c11631d82200a4e50f1fb8c6f3935d0f26990e1f98376", "category": "dependency", 
"severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41678"], "package": "openssl", "rule_id": "GHSA-8c75-8mhr-p7r9", "scanner": "osv-scanner", "correlation_key": "vuln|openssl|CVE-2026-41678|src-tauri/cargo.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0419", "level": "error", "message": {"text": "gtk3-macros: RUSTSEC-2024-0419"}, "properties": {"repobilityId": 142613, "scanner": "osv-scanner", "fingerprint": "d8ee85a3b65ad6c236b3364acf37a3cfd71b634b2985e8950d4f12a8333c55f1", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "gtk3-macros", "rule_id": "RUSTSEC-2024-0419", "scanner": "osv-scanner", "correlation_key": "fp|d8ee85a3b65ad6c236b3364acf37a3cfd71b634b2985e8950d4f12a8333c55f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0420", "level": "error", "message": {"text": "gtk-sys: RUSTSEC-2024-0420"}, "properties": {"repobilityId": 142612, "scanner": "osv-scanner", "fingerprint": "dad86a91b845630df60b3887105019f56ecd59f393a19c2c1074882dd9246bae", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "gtk-sys", "rule_id": "RUSTSEC-2024-0420", "scanner": "osv-scanner", "correlation_key": "fp|dad86a91b845630df60b3887105019f56ecd59f393a19c2c1074882dd9246bae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0415", "level": "error", "message": {"text": "gtk: RUSTSEC-2024-0415"}, "properties": {"repobilityId": 
142611, "scanner": "osv-scanner", "fingerprint": "f102cf6e31e88a89b5a7648432a15d8a74707411923c47fc595f726f53ddfb0b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "gtk", "rule_id": "RUSTSEC-2024-0415", "scanner": "osv-scanner", "correlation_key": "fp|f102cf6e31e88a89b5a7648432a15d8a74707411923c47fc595f726f53ddfb0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0429", "level": "error", "message": {"text": "glib: RUSTSEC-2024-0429"}, "properties": {"repobilityId": 142610, "scanner": "osv-scanner", "fingerprint": "8e0b636579d6db65e04362a1f3db943898fb031f730dee047014d614ae23b5fc", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-wrw7-89jp-8q8g"], "package": "glib", "rule_id": "RUSTSEC-2024-0429", "scanner": "osv-scanner", "correlation_key": "vuln|glib|GHSA-WRW7-89JP-8Q8G|src-tauri/cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-wrw7-89jp-8q8g", "RUSTSEC-2024-0429"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["826f4ecf79dcb0900caa385023eb415e1dba3bdf8882d696e28b92157187682c", "8e0b636579d6db65e04362a1f3db943898fb031f730dee047014d614ae23b5fc"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0414", "level": "error", "message": {"text": "gdkx11-sys: RUSTSEC-2024-0414"}, "properties": {"repobilityId": 142609, "scanner": "osv-scanner", "fingerprint": "27f1934e9fe558a2814aaff63453589136512213166126accd0c2531b2b97835", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", 
"verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "gdkx11-sys", "rule_id": "RUSTSEC-2024-0414", "scanner": "osv-scanner", "correlation_key": "fp|27f1934e9fe558a2814aaff63453589136512213166126accd0c2531b2b97835"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0417", "level": "error", "message": {"text": "gdkx11: RUSTSEC-2024-0417"}, "properties": {"repobilityId": 142608, "scanner": "osv-scanner", "fingerprint": "f16c1876bd0ffe066d75b65d29d76013f2e0219f210745aca412690ca99e87c4", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "gdkx11", "rule_id": "RUSTSEC-2024-0417", "scanner": "osv-scanner", "correlation_key": "fp|f16c1876bd0ffe066d75b65d29d76013f2e0219f210745aca412690ca99e87c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0411", "level": "error", "message": {"text": "gdkwayland-sys: RUSTSEC-2024-0411"}, "properties": {"repobilityId": 142607, "scanner": "osv-scanner", "fingerprint": "688438bed907f5016369a5e2c578bec7dec4f38e36787e18ddda72dbbf691231", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "gdkwayland-sys", "rule_id": "RUSTSEC-2024-0411", "scanner": "osv-scanner", "correlation_key": "fp|688438bed907f5016369a5e2c578bec7dec4f38e36787e18ddda72dbbf691231"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0418", "level": "error", "message": {"text": "gdk-sys: RUSTSEC-2024-0418"}, "properties": {"repobilityId": 142606, "scanner": "osv-scanner", "fingerprint": 
"62aab3b0b3810a34f98414e6c9fbd4d8f5dd932560fbd65bf83ea39855accee5", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "gdk-sys", "rule_id": "RUSTSEC-2024-0418", "scanner": "osv-scanner", "correlation_key": "fp|62aab3b0b3810a34f98414e6c9fbd4d8f5dd932560fbd65bf83ea39855accee5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0412", "level": "error", "message": {"text": "gdk: RUSTSEC-2024-0412"}, "properties": {"repobilityId": 142605, "scanner": "osv-scanner", "fingerprint": "1ecbb5078ce8fd77234ed2090991d9019ba0fe27a152aeb065d47f60bfdbfdd7", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "gdk", "rule_id": "RUSTSEC-2024-0412", "scanner": "osv-scanner", "correlation_key": "fp|1ecbb5078ce8fd77234ed2090991d9019ba0fe27a152aeb065d47f60bfdbfdd7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2025-0057", "level": "error", "message": {"text": "fxhash: RUSTSEC-2025-0057"}, "properties": {"repobilityId": 142604, "scanner": "osv-scanner", "fingerprint": "59bdf5b7cc1182430d698cadb9187dd16edac3f8754766268978c7ffc331de89", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "fxhash", "rule_id": "RUSTSEC-2025-0057", "scanner": "osv-scanner", "correlation_key": "fp|59bdf5b7cc1182430d698cadb9187dd16edac3f8754766268978c7ffc331de89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2021-0141", "level": "error", "message": {"text": 
"dotenv: RUSTSEC-2021-0141"}, "properties": {"repobilityId": 142603, "scanner": "osv-scanner", "fingerprint": "a49bc2631fc0a1b540f86fb34f8363e23aa4229ee01ff98475cedf81375b22f1", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "dotenv", "rule_id": "RUSTSEC-2021-0141", "scanner": "osv-scanner", "correlation_key": "fp|a49bc2631fc0a1b540f86fb34f8363e23aa4229ee01ff98475cedf81375b22f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0388", "level": "error", "message": {"text": "derivative: RUSTSEC-2024-0388"}, "properties": {"repobilityId": 142602, "scanner": "osv-scanner", "fingerprint": "40a1d690e0a7d2d0f5e6e1d487f2fbeec2990f7b682cde442716f9dc6a507553", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "derivative", "rule_id": "RUSTSEC-2024-0388", "scanner": "osv-scanner", "correlation_key": "fp|40a1d690e0a7d2d0f5e6e1d487f2fbeec2990f7b682cde442716f9dc6a507553"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0007", "level": "error", "message": {"text": "bytes: RUSTSEC-2026-0007"}, "properties": {"repobilityId": 142601, "scanner": "osv-scanner", "fingerprint": "9fa92eff25b1877987ae987ce9b00122bc60296fa3bad84c5705688af336e31b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-25541", "GHSA-434x-w66g-qw3r"], "package": "bytes", "rule_id": "RUSTSEC-2026-0007", "scanner": "osv-scanner", "correlation_key": 
"vuln|bytes|CVE-2026-25541|src-tauri/cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-434x-w66g-qw3r", "RUSTSEC-2026-0007"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["5ac3ee19fd2a69edead24dfd49cb8fd44536158bc4bbea0d0ce1dafc323709fc", "9fa92eff25b1877987ae987ce9b00122bc60296fa3bad84c5705688af336e31b"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0416", "level": "error", "message": {"text": "atk-sys: RUSTSEC-2024-0416"}, "properties": {"repobilityId": 142600, "scanner": "osv-scanner", "fingerprint": "e301b4bb4ad1df05f65fe1129121a3948e2fabee67a093f743d77a26f68e5e6b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "atk-sys", "rule_id": "RUSTSEC-2024-0416", "scanner": "osv-scanner", "correlation_key": "fp|e301b4bb4ad1df05f65fe1129121a3948e2fabee67a093f743d77a26f68e5e6b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0413", "level": "error", "message": {"text": "atk: RUSTSEC-2024-0413"}, "properties": {"repobilityId": 142599, "scanner": "osv-scanner", "fingerprint": "efd9e04c6a947d85144a0f1407b4998bb55c41af8020d9b8dd1b9b64c4b66b3b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "atk", "rule_id": "RUSTSEC-2024-0413", "scanner": "osv-scanner", "correlation_key": "fp|efd9e04c6a947d85144a0f1407b4998bb55c41af8020d9b8dd1b9b64c4b66b3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-p9ff-h696-f583", "level": "error", "message": {"text": "vite: GHSA-p9ff-h696-f583"}, "properties": 
{"repobilityId": 142596, "scanner": "osv-scanner", "fingerprint": "e4e3f54a4dc9146916e0304c9d50318b9ef24b5c1473da2baafc759d95054cac", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39363"], "package": "vite", "rule_id": "GHSA-p9ff-h696-f583", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2026-39363|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r6q2-hw4h-h46w", "level": "error", "message": {"text": "tar: GHSA-r6q2-hw4h-h46w"}, "properties": {"repobilityId": 142593, "scanner": "osv-scanner", "fingerprint": "a506cfec32bc23a52abb3358a13699dbb757b022e3c233283203353a8826b593", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-23950"], "package": "tar", "rule_id": "GHSA-r6q2-hw4h-h46w", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-23950|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qffp-2rhf-9h96", "level": "error", "message": {"text": "tar: GHSA-qffp-2rhf-9h96"}, "properties": {"repobilityId": 142592, "scanner": "osv-scanner", "fingerprint": "f8fa987aa9acadbb491ed96885533ab55d2a0afc9f4623918e86fa3756ca851f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-29786"], "package": "tar", "rule_id": "GHSA-qffp-2rhf-9h96", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-29786|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, 
{"ruleId": "GHSA-9ppj-qmqm-q256", "level": "error", "message": {"text": "tar: GHSA-9ppj-qmqm-q256"}, "properties": {"repobilityId": 142591, "scanner": "osv-scanner", "fingerprint": "69b2c0b2d95567c9d3ec0e13212c39d24902dceb82922feb24047ba7dfb846b6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-31802"], "package": "tar", "rule_id": "GHSA-9ppj-qmqm-q256", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-31802|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8qq5-rm4j-mr97", "level": "error", "message": {"text": "tar: GHSA-8qq5-rm4j-mr97"}, "properties": {"repobilityId": 142590, "scanner": "osv-scanner", "fingerprint": "4f89d9b810881688457b80c49ab868f006943a84374041c9ede83f89d8996e2f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-23745"], "package": "tar", "rule_id": "GHSA-8qq5-rm4j-mr97", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-23745|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-83g3-92jg-28cx", "level": "error", "message": {"text": "tar: GHSA-83g3-92jg-28cx"}, "properties": {"repobilityId": 142589, "scanner": "osv-scanner", "fingerprint": "f024e3a8dade0f899aad4e013def341d786ed8b27d0ff31b6c56f7767e17e900", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-26960"], "package": "tar", "rule_id": "GHSA-83g3-92jg-28cx", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-26960|pnpm-lock.yaml"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-34x7-hfp2-rc4v", "level": "error", "message": {"text": "tar: GHSA-34x7-hfp2-rc4v"}, "properties": {"repobilityId": 142588, "scanner": "osv-scanner", "fingerprint": "b6245b99f855ef4f5327cea1040dc6abd2e19916475c6aa3696f274c7c921329", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-24842"], "package": "tar", "rule_id": "GHSA-34x7-hfp2-rc4v", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-24842|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mw96-cpmx-2vgc", "level": "error", "message": {"text": "rollup: GHSA-mw96-cpmx-2vgc"}, "properties": {"repobilityId": 142587, "scanner": "osv-scanner", "fingerprint": "0425e8b734fe5759a8789ed8ef46f76963f44ca5145876702e82443bdd19a5ab", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27606"], "package": "rollup", "rule_id": "GHSA-mw96-cpmx-2vgc", "scanner": "osv-scanner", "correlation_key": "vuln|rollup|CVE-2026-27606|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c2c7-rcm5-vvqj", "level": "error", "message": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "properties": {"repobilityId": 142585, "scanner": "osv-scanner", "fingerprint": "a3dd2390244022d96de63689cdd673fb906d1165f495d6a42a0980e956db632d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33671"], "package": 
"picomatch", "rule_id": "GHSA-c2c7-rcm5-vvqj", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33671|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7r86-cg39-jmmj", "level": "error", "message": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "properties": {"repobilityId": 142583, "scanner": "osv-scanner", "fingerprint": "c3482c8b051b710219b686b962c8edfcc83babb0e1e54a2b470ae7782dd0b574", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27903"], "package": "minimatch", "rule_id": "GHSA-7r86-cg39-jmmj", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27903|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3ppc-4f35-3m26", "level": "error", "message": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "properties": {"repobilityId": 142582, "scanner": "osv-scanner", "fingerprint": "2fd5e24a94dfd2116cfc5d9aeb4e4f584669c9b76d1795010331a7b69b3682a6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-26996"], "package": "minimatch", "rule_id": "GHSA-3ppc-4f35-3m26", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-26996|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-23c5-xmqv-rm74", "level": "error", "message": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "properties": {"repobilityId": 142581, "scanner": "osv-scanner", "fingerprint": "af7663e4c51288986bfb4927d06e33aa650fed364bb14d31804c3d4da5638193", "category": "dependency", "severity": "high", 
"confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27904"], "package": "minimatch", "rule_id": "GHSA-23c5-xmqv-rm74", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27904|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r5fr-rjxr-66jc", "level": "error", "message": {"text": "lodash: GHSA-r5fr-rjxr-66jc"}, "properties": {"repobilityId": 142579, "scanner": "osv-scanner", "fingerprint": "853deeac541f0dc49600a5a4216f851e15bffd93ce8be267a82d13637ceb9e7d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4800"], "package": "lodash", "rule_id": "GHSA-r5fr-rjxr-66jc", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2026-4800|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xjpj-3mr7-gcpf", "level": "error", "message": {"text": "handlebars: GHSA-xjpj-3mr7-gcpf"}, "properties": {"repobilityId": 142577, "scanner": "osv-scanner", "fingerprint": "24ba3e0cc9cef82237817206aeed468834465fd459b16420bb67cc61a681a8ac", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33941"], "package": "handlebars", "rule_id": "GHSA-xjpj-3mr7-gcpf", "scanner": "osv-scanner", "correlation_key": "vuln|handlebars|CVE-2026-33941|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xhpv-hc6g-r9c6", "level": "error", "message": {"text": "handlebars: GHSA-xhpv-hc6g-r9c6"}, "properties": {"repobilityId": 142576, 
"scanner": "osv-scanner", "fingerprint": "10d6b52a4d44532c79b9bafe359015930587a7e16fbbab09b528c0b860d1ad02", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33940"], "package": "handlebars", "rule_id": "GHSA-xhpv-hc6g-r9c6", "scanner": "osv-scanner", "correlation_key": "vuln|handlebars|CVE-2026-33940|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9cx6-37pm-9jff", "level": "error", "message": {"text": "handlebars: GHSA-9cx6-37pm-9jff"}, "properties": {"repobilityId": 142575, "scanner": "osv-scanner", "fingerprint": "ce9a0820457f11d7c2e22ef7f075232723135b46e0fa5f339e31671e43b99355", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33939"], "package": "handlebars", "rule_id": "GHSA-9cx6-37pm-9jff", "scanner": "osv-scanner", "correlation_key": "vuln|handlebars|CVE-2026-33939|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3mfm-83xf-c92r", "level": "error", "message": {"text": "handlebars: GHSA-3mfm-83xf-c92r"}, "properties": {"repobilityId": 142572, "scanner": "osv-scanner", "fingerprint": "bd8e1ad0e6b1841135a2cb8997374a71a1df7a2ac3600a33b76c596543096f07", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33938"], "package": "handlebars", "rule_id": "GHSA-3mfm-83xf-c92r", "scanner": "osv-scanner", "correlation_key": "vuln|handlebars|CVE-2026-33938|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": 
{"startLine": 1}}}]}, {"ruleId": "GHSA-rf6f-7fwh-wjgh", "level": "error", "message": {"text": "flatted: GHSA-rf6f-7fwh-wjgh"}, "properties": {"repobilityId": 142569, "scanner": "osv-scanner", "fingerprint": "bb0508d8b81791b93a087ab900f213d85cb4d8a9469875be9a0c401a10ba6490", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33228"], "package": "flatted", "rule_id": "GHSA-rf6f-7fwh-wjgh", "scanner": "osv-scanner", "correlation_key": "vuln|flatted|CVE-2026-33228|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-25h7-pfq9-p65f", "level": "error", "message": {"text": "flatted: GHSA-25h7-pfq9-p65f"}, "properties": {"repobilityId": 142568, "scanner": "osv-scanner", "fingerprint": "68dd2c69540d2eac4711f2087ccd7176bb1037726ae0451ddfe3dcae14fc6d75", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-32141"], "package": "flatted", "rule_id": "GHSA-25h7-pfq9-p65f", "scanner": "osv-scanner", "correlation_key": "vuln|flatted|CVE-2026-32141|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 142561, "scanner": "repobility-threat-engine", "fingerprint": "60e904c1b0536cf468e09e5ab00c0ed91714e8fc0c23d12f2eff58d566303dbf", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(d", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|60e904c1b0536cf468e09e5ab00c0ed91714e8fc0c23d12f2eff58d566303dbf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/ShareStatsModal.tsx"}, "region": {"startLine": 171}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 142560, "scanner": "repobility-threat-engine", "fingerprint": "99e6db7ed73bf30d224f2f9b16f7077cac4d97314a4bd73cb886c88514e40d28", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(d", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|99e6db7ed73bf30d224f2f9b16f7077cac4d97314a4bd73cb886c88514e40d28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/OpenAICompatConfigModal.tsx"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 142548, "scanner": "repobility-threat-engine", "fingerprint": "80df2711fa533a92b4343cfa6492760a8b6568a3d3159f97d2d453297ded79f0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Promise.all(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|80df2711fa533a92b4343cfa6492760a8b6568a3d3159f97d2d453297ded79f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/AppContainer.tsx"}, "region": {"startLine": 270}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 142547, "scanner": "repobility-threat-engine", "fingerprint": "4a200c2fb32c57149e048f9cc1ecda8cf28fdbcb5b60bbb1dff81f40c3bcf534", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "store.delete(key);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4a200c2fb32c57149e048f9cc1ecda8cf28fdbcb5b60bbb1dff81f40c3bcf534"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/src/simple_cache.rs"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 142546, "scanner": "repobility-threat-engine", "fingerprint": "1c31b9fd73951624930a5ce625be91db9e0bbef8965a19e5ae7f262566d8d9cb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "store.delete(key);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1c31b9fd73951624930a5ce625be91db9e0bbef8965a19e5ae7f262566d8d9cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/src/secure_store.rs"}, "region": {"startLine": 170}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 142542, "scanner": "repobility-threat-engine", "fingerprint": "b525547ea1106b94bac174d145cca986b2664ebb016e5b32cedee6954ab92032", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b525547ea1106b94bac174d145cca986b2664ebb016e5b32cedee6954ab92032"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/src/audio/resampler.rs"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: 
.unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 142541, "scanner": "repobility-threat-engine", "fingerprint": "15ba994864dbe5327c51b05b27f957c49c7f4920ff304b584bc8dcc8ac419ba0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|15ba994864dbe5327c51b05b27f957c49c7f4920ff304b584bc8dcc8ac419ba0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/src/audio/normalizer_tests.rs"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 142540, "scanner": "repobility-threat-engine", "fingerprint": "e307150abd43ca24d0823421b761ab1b11aaab10cda8453a285217db8d570712", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e307150abd43ca24d0823421b761ab1b11aaab10cda8453a285217db8d570712"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/src/audio/converter_tests.rs"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. 
Allows reading arbitrary files."}, "properties": {"repobilityId": 142539, "scanner": "repobility-threat-engine", "fingerprint": "32a8cfb060391ff8870dc0f2992d3a48f681592ee4bc05f545ca3ac9d41aba7f", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|26|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/src/audio/normalizer.rs"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 142538, "scanner": "repobility-threat-engine", "fingerprint": "8f0e5d27eff4b81fcf47ef3f1e1b298ce5ea6138a5d43b83d235bfa5ff72295b", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|34|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/src/audio/converter.rs"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 142508, "scanner": "repobility-supply-chain", "fingerprint": 
"b33aec6aaf6e855411c7015841ad39a49a271d9eac06a2d7acf6fef558329423", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b33aec6aaf6e855411c7015841ad39a49a271d9eac06a2d7acf6fef558329423"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 187}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `Swatinem/rust-cache` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 142507, "scanner": "repobility-supply-chain", "fingerprint": "ab5cbb9fe13ecb6fdfa1d27fbb18a6752d37714b8e919ba6c3ad03ce83e4e347", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ab5cbb9fe13ecb6fdfa1d27fbb18a6752d37714b8e919ba6c3ad03ce83e4e347"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`"}, "properties": {"repobilityId": 142506, "scanner": "repobility-supply-chain", "fingerprint": "13f9ca6a6a8e4d25f8a3130b2f143d8f8545f027a4caff9008585f1a2cd7e12a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": 
["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|13f9ca6a6a8e4d25f8a3130b2f143d8f8545f027a4caff9008585f1a2cd7e12a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 142505, "scanner": "repobility-supply-chain", "fingerprint": "603d0d6d65d97c9dda8fc9552c0c1724653d34a0456c575b2e6400987bced44a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|603d0d6d65d97c9dda8fc9552c0c1724653d34a0456c575b2e6400987bced44a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 142504, "scanner": "repobility-supply-chain", "fingerprint": "475d0d19b4f687d751eebc964a2ade5df83ce3b9548cfdaaf65c17bc7703ff0d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|475d0d19b4f687d751eebc964a2ade5df83ce3b9548cfdaaf65c17bc7703ff0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 
81}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 142503, "scanner": "repobility-supply-chain", "fingerprint": "ceee4d57d6f4536b640411068fa6bf902c373a4bee0ced37ee2dc1e9e8d40674", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ceee4d57d6f4536b640411068fa6bf902c373a4bee0ced37ee2dc1e9e8d40674"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 142502, "scanner": "repobility-supply-chain", "fingerprint": "301cc3eae3b22f386b32298245f40ec2feb8d3590089c9d270d7e81a19e84b9c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|301cc3eae3b22f386b32298245f40ec2feb8d3590089c9d270d7e81a19e84b9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `anthropics/claude-code-action` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 142501, "scanner": "repobility-supply-chain", "fingerprint": "4b6ee0aae6da4a53e262db45ab5605fa522c8e1899a5f365d90ee13d83d9fa25", "category": 
"dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4b6ee0aae6da4a53e262db45ab5605fa522c8e1899a5f365d90ee13d83d9fa25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 142500, "scanner": "repobility-supply-chain", "fingerprint": "14e02bcf926b0da5d4a2677501979f74c3e7e9e84eccdd57f90d35b6d88bf96d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|14e02bcf926b0da5d4a2677501979f74c3e7e9e84eccdd57f90d35b6d88bf96d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 142499, "scanner": "repobility-supply-chain", "fingerprint": "ed955283e2ee5d9c5c0c7d3a4774b0dc778f7473603f0aac7e25ffa4e37f8415", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": 
"repobility-supply-chain", "correlation_key": "fp|ed955283e2ee5d9c5c0c7d3a4774b0dc778f7473603f0aac7e25ffa4e37f8415"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 194}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `jakoch/install-vulkan-sdk-action` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 142498, "scanner": "repobility-supply-chain", "fingerprint": "a26f34c77b61a7a61d26c4d53639b0c0f4af3a49c4da89b797f438011e32c745", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a26f34c77b61a7a61d26c4d53639b0c0f4af3a49c4da89b797f438011e32c745"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 129}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `Swatinem/rust-cache` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 142497, "scanner": "repobility-supply-chain", "fingerprint": "2f43b1131c0f4e191df61318eec37e637e13cbd859895d3e8cf79236073491cb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2f43b1131c0f4e191df61318eec37e637e13cbd859895d3e8cf79236073491cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 124}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": 
"Action `pnpm/action-setup` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 142496, "scanner": "repobility-supply-chain", "fingerprint": "71901bd8cb7f00152cf3bbd6f628e6faf15ce942f426ce753105931f2c59dcfb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|71901bd8cb7f00152cf3bbd6f628e6faf15ce942f426ce753105931f2c59dcfb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 142495, "scanner": "repobility-supply-chain", "fingerprint": "483663f552d3e99098f5bf5f728d0023854d43b26db8f05c114a76ded1782bfe", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|483663f552d3e99098f5bf5f728d0023854d43b26db8f05c114a76ded1782bfe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 142494, "scanner": "repobility-supply-chain", "fingerprint": "5fa0d4a391460f72b21086ae229f166315ab7bb04954b21f9002887b128b766f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", 
"isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5fa0d4a391460f72b21086ae229f166315ab7bb04954b21f9002887b128b766f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 142493, "scanner": "repobility-supply-chain", "fingerprint": "110cfd8a2dfa9e2ff620e0d46a778b524ffad41dc972971e8d46008d241be13b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|110cfd8a2dfa9e2ff620e0d46a778b524ffad41dc972971e8d46008d241be13b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `Swatinem/rust-cache` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 142492, "scanner": "repobility-supply-chain", "fingerprint": "0d8632b7e03519da40ff4b2a12dac7ede6fe9ba4d0ffa5dd0f3d0819490d762a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|0d8632b7e03519da40ff4b2a12dac7ede6fe9ba4d0ffa5dd0f3d0819490d762a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 142491, "scanner": "repobility-supply-chain", "fingerprint": "be1b5b50fa101251e6656d4b8df8bbbaae47a3f16d98d7afbf74053bd92a9540", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|be1b5b50fa101251e6656d4b8df8bbbaae47a3f16d98d7afbf74053bd92a9540"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 142490, "scanner": "repobility-supply-chain", "fingerprint": "903cf5ffc56e7d36a3b43fe89c04b7c192260bf75984632e6e93b6b3c6920545", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|903cf5ffc56e7d36a3b43fe89c04b7c192260bf75984632e6e93b6b3c6920545"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, 
"properties": {"repobilityId": 142489, "scanner": "repobility-supply-chain", "fingerprint": "ff9edecf0139c160c21eaa02cfce0b3892042550c2f96ce248c88fd5f5dcac34", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ff9edecf0139c160c21eaa02cfce0b3892042550c2f96ce248c88fd5f5dcac34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 142488, "scanner": "repobility-supply-chain", "fingerprint": "1382bd2ce4464a09e8d45d27927714bf0ddcc4c62388130448b495a015691975", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1382bd2ce4464a09e8d45d27927714bf0ddcc4c62388130448b495a015691975"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 142487, "scanner": "repobility-supply-chain", "fingerprint": "eff876886f59cd998fc9484037fedc2f7accd5aeb151d5937ce44d76e6e7ec9c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, 
"mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eff876886f59cd998fc9484037fedc2f7accd5aeb151d5937ce44d76e6e7ec9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 142486, "scanner": "repobility-supply-chain", "fingerprint": "76bd6164d0a7c17fa02ee6f928d43667d989ad4a75753c09e4af6aae9918b86e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|76bd6164d0a7c17fa02ee6f928d43667d989ad4a75753c09e4af6aae9918b86e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `anthropics/claude-code-action` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 142484, "scanner": "repobility-supply-chain", "fingerprint": "3e6feb5b8e19c82973332ebdda1787299151368b61fd824203ca5903cad58cd5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3e6feb5b8e19c82973332ebdda1787299151368b61fd824203ca5903cad58cd5"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": ".github/workflows/claude-code-review.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 142483, "scanner": "repobility-supply-chain", "fingerprint": "9f7af3380e4e5e59926fbcc8e6eb2845163d02b7657b9d81b9447201b902e4c2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9f7af3380e4e5e59926fbcc8e6eb2845163d02b7657b9d81b9447201b902e4c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude-code-review.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "GHSA-5xrq-8626-4rwp", "level": "error", "message": {"text": "vitest: GHSA-5xrq-8626-4rwp"}, "properties": {"repobilityId": 142597, "scanner": "osv-scanner", "fingerprint": "0806fec4420135fab4b0c94dfe4a59c4faf5e0da4ecef5e379ff15a3f669b383", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47429"], "package": "vitest", "rule_id": "GHSA-5xrq-8626-4rwp", "scanner": "osv-scanner", "correlation_key": "vuln|vitest|CVE-2026-47429|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2w6w-674q-4c4q", "level": "error", "message": {"text": "handlebars: GHSA-2w6w-674q-4c4q"}, "properties": {"repobilityId": 142571, "scanner": "osv-scanner", "fingerprint": "ca56ed8ccfbc68b8f5bfaf84fad5737f0ade9208f726065cf9ecd4162ef86369", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", 
"verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33937"], "package": "handlebars", "rule_id": "GHSA-2w6w-674q-4c4q", "scanner": "osv-scanner", "correlation_key": "vuln|handlebars|CVE-2026-33937|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 142564, "scanner": "gitleaks", "fingerprint": "3acf680e5a77e81549637455a363110c9d6862d011876dc54c73ff4a689cf659", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "license_key\":\"REDACTED\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|18|license_key : redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src-tauri/src/tests/log_commands_tests.rs"}, "region": {"startLine": 188}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.CLAUDE_CODE_OAUTH_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 142485, "scanner": "repobility-supply-chain", "fingerprint": "5a5d2d089f5dc640eb9bdaee08f132798e8f269a463024d60349a25a1d042bb8", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5a5d2d089f5dc640eb9bdaee08f132798e8f269a463024d60349a25a1d042bb8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
".github/workflows/claude-code-review.yml"}, "region": {"startLine": 38}}}]}]}]}