{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "GHSA-58qx-3vcg-4xpx", "name": "ws: GHSA-58qx-3vcg-4xpx", "shortDescription": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "fullDescription": {"text": "ws: Uninitialized memory disclosure"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-wp5r-2gw5-m7q7", "name": "vm2: GHSA-wp5r-2gw5-m7q7", "shortDescription": {"text": "vm2: GHSA-wp5r-2gw5-m7q7"}, "fullDescription": {"text": "vm2's Transformer Fast-Path Bypass Exposes Internal State Variable"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", 
"owasp": ""}}, {"id": "GHSA-v27g-jcqj-v8rw", "name": "vm2: GHSA-v27g-jcqj-v8rw", "shortDescription": {"text": "vm2: GHSA-v27g-jcqj-v8rw"}, "fullDescription": {"text": "vm2 is Vulnerable to Host File Path Disclosure via Stack Trace Information Leak"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mpf8-4hx2-7cjg", "name": "vm2: GHSA-mpf8-4hx2-7cjg", "shortDescription": {"text": "vm2: GHSA-mpf8-4hx2-7cjg"}, "fullDescription": {"text": "vm2 Host Promise Resolution Preserves Object Identity Across Sandbox Boundary"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9g8x-92q2-p28f", "name": "vm2: GHSA-9g8x-92q2-p28f", "shortDescription": {"text": "vm2: GHSA-9g8x-92q2-p28f"}, "fullDescription": {"text": "NodeVM observability builtins leak host process and HTTP request data"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2cm2-m3w5-gp2f", "name": "vm2: GHSA-2cm2-m3w5-gp2f", "shortDescription": {"text": "vm2: GHSA-2cm2-m3w5-gp2f"}, "fullDescription": {"text": "vm2 has access to `VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w5hq-g745-h8pq", "name": "uuid: GHSA-w5hq-g745-h8pq", "shortDescription": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "fullDescription": {"text": "uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-72xf-g2v4-qvf3", "name": "tough-cookie: GHSA-72xf-g2v4-qvf3", "shortDescription": {"text": "tough-cookie: GHSA-72xf-g2v4-qvf3"}, "fullDescription": 
{"text": "tough-cookie Prototype Pollution vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f5x3-32g6-xq36", "name": "tar: GHSA-f5x3-32g6-xq36", "shortDescription": {"text": "tar: GHSA-f5x3-32g6-xq36"}, "fullDescription": {"text": "Denial of service while parsing a tar file due to lack of folders count validation"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qj8w-gfj5-8c6v", "name": "serialize-javascript: GHSA-qj8w-gfj5-8c6v", "shortDescription": {"text": "serialize-javascript: GHSA-qj8w-gfj5-8c6v"}, "fullDescription": {"text": "Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-76p7-773f-r4q5", "name": "serialize-javascript: GHSA-76p7-773f-r4q5", "shortDescription": {"text": "serialize-javascript: GHSA-76p7-773f-r4q5"}, "fullDescription": {"text": "Cross-site Scripting (XSS) in serialize-javascript"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-p8p7-x288-28g6", "name": "request: GHSA-p8p7-x288-28g6", "shortDescription": {"text": "request: GHSA-p8p7-x288-28g6"}, "fullDescription": {"text": "Server-Side Request Forgery in Request"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q8mj-m7cp-5q26", "name": "qs: GHSA-q8mj-m7cp-5q26", "shortDescription": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "fullDescription": {"text": "qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set"}, 
"properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-6rw7-vpxm-498p", "name": "qs: GHSA-6rw7-vpxm-498p", "shortDescription": {"text": "qs: GHSA-6rw7-vpxm-498p"}, "fullDescription": {"text": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3v7f-55p6-f55p", "name": "picomatch: GHSA-3v7f-55p6-f55p", "shortDescription": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "fullDescription": {"text": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-952p-6rrq-rcjv", "name": "micromatch: GHSA-952p-6rrq-rcjv", "shortDescription": {"text": "micromatch: GHSA-952p-6rrq-rcjv"}, "fullDescription": {"text": "Regular Expression Denial of Service (ReDoS) in micromatch"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xxjr-mmjv-4gpg", "name": "lodash: GHSA-xxjr-mmjv-4gpg", "shortDescription": {"text": "lodash: GHSA-xxjr-mmjv-4gpg"}, "fullDescription": {"text": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f23m-r3pf-42rh", "name": "lodash: GHSA-f23m-r3pf-42rh", "shortDescription": {"text": "lodash: GHSA-f23m-r3pf-42rh"}, "fullDescription": {"text": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, 
"cwe": "", "owasp": ""}}, {"id": "GHSA-mh29-5h37-fv8m", "name": "js-yaml: GHSA-mh29-5h37-fv8m", "shortDescription": {"text": "js-yaml: GHSA-mh29-5h37-fv8m"}, "fullDescription": {"text": "js-yaml has prototype pollution in merge (<<)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v2v4-37r5-5v8g", "name": "ip-address: GHSA-v2v4-37r5-5v8g", "shortDescription": {"text": "ip-address: GHSA-v2v4-37r5-5v8g"}, "fullDescription": {"text": "ip-address has XSS in Address6 HTML-emitting methods"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7rx3-28cr-v5wh", "name": "handlebars: GHSA-7rx3-28cr-v5wh", "shortDescription": {"text": "handlebars: GHSA-7rx3-28cr-v5wh"}, "fullDescription": {"text": "Handlebars.js has a Prototype Method Access Control Gap via Missing __lookupSetter__ Blocklist Entry"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2qvq-rjwj-gvw9", "name": "handlebars: GHSA-2qvq-rjwj-gvw9", "shortDescription": {"text": "handlebars: GHSA-2qvq-rjwj-gvw9"}, "fullDescription": {"text": "Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-pfrx-2q88-qq97", "name": "got: GHSA-pfrx-2q88-qq97", "shortDescription": {"text": "got: GHSA-pfrx-2q88-qq97"}, "fullDescription": {"text": "Got allows a redirect to a UNIX socket"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r4q5-vmmm-2653", "name": "follow-redirects: GHSA-r4q5-vmmm-2653", "shortDescription": {"text": "follow-redirects: 
GHSA-r4q5-vmmm-2653"}, "fullDescription": {"text": "follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f886-m6hf-6m8v", "name": "brace-expansion: GHSA-f886-m6hf-6m8v", "shortDescription": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "fullDescription": {"text": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-378v-28hj-76wf", "name": "bn.js: GHSA-378v-28hj-76wf", "shortDescription": {"text": "bn.js: GHSA-378v-28hj-76wf"}, "fullDescription": {"text": "bn.js affected by an infinite loop"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v88g-cgmw-v5xw", "name": "ajv: GHSA-v88g-cgmw-v5xw", "shortDescription": {"text": "ajv: GHSA-v88g-cgmw-v5xw"}, "fullDescription": {"text": "Prototype Pollution in Ajv"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2g4f-4pwh-qvx6", "name": "ajv: GHSA-2g4f-4pwh-qvx6", "shortDescription": {"text": "ajv: GHSA-2g4f-4pwh-qvx6"}, "fullDescription": {"text": "ajv has ReDoS when using `$data` option"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xx4v-prfh-6cgc", "name": "@octokit/request-error: GHSA-xx4v-prfh-6cgc", "shortDescription": {"text": "@octokit/request-error: GHSA-xx4v-prfh-6cgc"}, "fullDescription": {"text": "@octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking"}, "properties": {"scanner": 
"osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rmvr-2pp2-xj38", "name": "@octokit/request: GHSA-rmvr-2pp2-xj38", "shortDescription": {"text": "@octokit/request: GHSA-rmvr-2pp2-xj38"}, "fullDescription": {"text": "@octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-h5c3-5r3r-rr8q", "name": "@octokit/plugin-paginate-rest: GHSA-h5c3-5r3r-rr8q", "shortDescription": {"text": "@octokit/plugin-paginate-rest: GHSA-h5c3-5r3r-rr8q"}, "fullDescription": {"text": "@octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Backtracking"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-968p-4wvh-cqc8", "name": "@babel/runtime: GHSA-968p-4wvh-cqc8", "shortDescription": {"text": "@babel/runtime: GHSA-968p-4wvh-cqc8"}, "fullDescription": {"text": "Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `gulp` is 1 major version(s) behind (4.0.2 -> 5.0.1)", "shortDescription": {"text": "npm package `gulp` is 1 major version(s) behind (4.0.2 -> 5.0.1)"}, "fullDescription": {"text": "`gulp` is pinned/resolved at 4.0.2 but the latest stable release on the npm registry is 5.0.1 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. 
This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Sitemap directives in robots.txt help crawlers and AI agents find the canonical public URL inventory quickly."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "GHSA-q3fm-4wcw-g57x", "name": "vm2: GHSA-q3fm-4wcw-g57x", "shortDescription": {"text": "vm2: GHSA-q3fm-4wcw-g57x"}, "fullDescription": {"text": "vm2 setup-sandbox.js violates Defense Invariant #11 in stack-trace formatter"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-52f5-9888-hmc6", "name": "tmp: GHSA-52f5-9888-hmc6", "shortDescription": {"text": "tmp: GHSA-52f5-9888-hmc6"}, "fullDescription": {"text": "tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4x5v-gmq8-25ch", "name": "semver-regex: GHSA-4x5v-gmq8-25ch", "shortDescription": {"text": "semver-regex: GHSA-4x5v-gmq8-25ch"}, "fullDescription": {"text": "Regular expression denial of service in semver-regex"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w7fw-mjwx-w883", "name": "qs: GHSA-w7fw-mjwx-w883", "shortDescription": {"text": "qs: GHSA-w7fw-mjwx-w883"}, "fullDescription": {"text": "qs's arrayLimit bypass in comma parsing allows denial of service"}, "properties": {"scanner": 
"osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-78xj-cgh5-2h22", "name": "ip: GHSA-78xj-cgh5-2h22", "shortDescription": {"text": "ip: GHSA-78xj-cgh5-2h22"}, "fullDescription": {"text": "NPM IP package incorrectly identifies some private IP addresses as public"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-442j-39wm-28r2", "name": "handlebars: GHSA-442j-39wm-28r2", "shortDescription": {"text": "handlebars: GHSA-442j-39wm-28r2"}, "fullDescription": {"text": "Handlebars.js has a Property Access Validation Bypass in container.lookup"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-75v8-2h7p-7m2m", "name": "formidable: GHSA-75v8-2h7p-7m2m", "shortDescription": {"text": "formidable: GHSA-75v8-2h7p-7m2m"}, "fullDescription": {"text": "Formidable relies on hexoid to prevent guessing of filenames for untrusted executable content"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4gmj-3p3h-gm8h", "name": "es5-ext: GHSA-4gmj-3p3h-gm8h", "shortDescription": {"text": "es5-ext: GHSA-4gmj-3p3h-gm8h"}, "fullDescription": {"text": "es5-ext vulnerable to Regular Expression Denial of Service in `function#copy` and `function#toStringTokens`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-848j-6mx2-7j84", "name": "elliptic: GHSA-848j-6mx2-7j84", "shortDescription": {"text": "elliptic: GHSA-848j-6mx2-7j84"}, "fullDescription": {"text": "Elliptic Uses a Cryptographic Primitive with a Risky Implementation"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", 
"owasp": ""}}, {"id": "GHSA-73rr-hh4g-fpgx", "name": "diff: GHSA-73rr-hh4g-fpgx", "shortDescription": {"text": "diff: GHSA-73rr-hh4g-fpgx"}, "fullDescription": {"text": "jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v6h2-p8h4-qcjw", "name": "brace-expansion: GHSA-v6h2-p8h4-qcjw", "shortDescription": {"text": "brace-expansion: GHSA-v6h2-p8h4-qcjw"}, "fullDescription": {"text": "brace-expansion Regular Expression Denial of Service vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-532 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "GHSA-3h5v-q93c-6h6q", "name": "ws: GHSA-3h5v-q93c-6h6q", "shortDescription": {"text": "ws: GHSA-3h5v-q93c-6h6q"}, "fullDescription": {"text": "ws affected by a DoS when handling a request with many HTTP headers"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r9pm-gxmw-wv6p", "name": "vm2: GHSA-r9pm-gxmw-wv6p", "shortDescription": {"text": "vm2: GHSA-r9pm-gxmw-wv6p"}, "fullDescription": {"text": "NodeVM network builtin exclusions bypass via internal _http_client and _http_server"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-m5q2-4fm3-vfqp", "name": "vm2: GHSA-m5q2-4fm3-vfqp", "shortDescription": {"text": "vm2: GHSA-m5q2-4fm3-vfqp"}, "fullDescription": {"text": "vm2 has a sandbox escape via unblocked cross-realm Symbol.for keys + missing bridge write-trap symbol checks"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-hw58-p9xv-2mjh", "name": "vm2: GHSA-hw58-p9xv-2mjh", "shortDescription": {"text": "vm2: GHSA-hw58-p9xv-2mjh"}, "fullDescription": {"text": "vm2 has a Sandbox Escape via Promise Constructor Unhandled Rejection (Process Crash DoS)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c4cf-2hgv-2qv6", "name": "vm2: GHSA-c4cf-2hgv-2qv6", "shortDescription": {"text": "vm2: GHSA-c4cf-2hgv-2qv6"}, "fullDescription": {"text": "vm2's Bridge Proxy set trap ignores receiver parameter, enabling host object property injection via prototype chain"}, "properties": {"scanner": "osv-scanner", 
"category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-6785-pvv7-mvg7", "name": "vm2: GHSA-6785-pvv7-mvg7", "shortDescription": {"text": "vm2: GHSA-6785-pvv7-mvg7"}, "fullDescription": {"text": "vm2 Sandbox Access to Host Buffer.alloc Allows timeout Bypass Resulting in Memory Exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-ph9p-34f9-6g65", "name": "tmp: GHSA-ph9p-34f9-6g65", "shortDescription": {"text": "tmp: GHSA-ph9p-34f9-6g65"}, "fullDescription": {"text": "tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r6q2-hw4h-h46w", "name": "tar: GHSA-r6q2-hw4h-h46w", "shortDescription": {"text": "tar: GHSA-r6q2-hw4h-h46w"}, "fullDescription": {"text": "Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qffp-2rhf-9h96", "name": "tar: GHSA-qffp-2rhf-9h96", "shortDescription": {"text": "tar: GHSA-qffp-2rhf-9h96"}, "fullDescription": {"text": "tar has Hardlink Path Traversal via Drive-Relative Linkpath"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9ppj-qmqm-q256", "name": "tar: GHSA-9ppj-qmqm-q256", "shortDescription": {"text": "tar: GHSA-9ppj-qmqm-q256"}, "fullDescription": {"text": "node-tar Symlink Path Traversal via Drive-Relative Linkpath"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8qq5-rm4j-mr97", "name": "tar: GHSA-8qq5-rm4j-mr97", 
"shortDescription": {"text": "tar: GHSA-8qq5-rm4j-mr97"}, "fullDescription": {"text": "node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-83g3-92jg-28cx", "name": "tar: GHSA-83g3-92jg-28cx", "shortDescription": {"text": "tar: GHSA-83g3-92jg-28cx"}, "fullDescription": {"text": "Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5955-9wpr-37jh", "name": "tar: GHSA-5955-9wpr-37jh", "shortDescription": {"text": "tar: GHSA-5955-9wpr-37jh"}, "fullDescription": {"text": "Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3jfq-g458-7qm9", "name": "tar: GHSA-3jfq-g458-7qm9", "shortDescription": {"text": "tar: GHSA-3jfq-g458-7qm9"}, "fullDescription": {"text": "Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-34x7-hfp2-rc4v", "name": "tar: GHSA-34x7-hfp2-rc4v", "shortDescription": {"text": "tar: GHSA-34x7-hfp2-rc4v"}, "fullDescription": {"text": "node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-677m-j7p3-52f9", "name": "socket.io-parser: GHSA-677m-j7p3-52f9", "shortDescription": {"text": "socket.io-parser: GHSA-677m-j7p3-52f9"}, 
"fullDescription": {"text": "socket.io allows an unbounded number of binary attachments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5c6j-r48x-rmvq", "name": "serialize-javascript: GHSA-5c6j-r48x-rmvq", "shortDescription": {"text": "serialize-javascript: GHSA-5c6j-r48x-rmvq"}, "fullDescription": {"text": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-44c6-4v22-4mhx", "name": "semver-regex: GHSA-44c6-4v22-4mhx", "shortDescription": {"text": "semver-regex: GHSA-44c6-4v22-4mhx"}, "fullDescription": {"text": "semver-regex Regular Expression Denial of Service (ReDOS)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c2qf-rxjj-qqgw", "name": "semver: GHSA-c2qf-rxjj-qqgw", "shortDescription": {"text": "semver: GHSA-c2qf-rxjj-qqgw"}, "fullDescription": {"text": "semver vulnerable to Regular Expression Denial of Service"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mw96-cpmx-2vgc", "name": "rollup: GHSA-mw96-cpmx-2vgc", "shortDescription": {"text": "rollup: GHSA-mw96-cpmx-2vgc"}, "fullDescription": {"text": "Rollup 4 has Arbitrary File Write via Path Traversal"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-gcx4-mw62-g8wm", "name": "rollup: GHSA-gcx4-mw62-g8wm", "shortDescription": {"text": "rollup: GHSA-gcx4-mw62-g8wm"}, "fullDescription": {"text": "DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS"}, "properties": {"scanner": "osv-scanner", "category": 
"dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c2c7-rcm5-vvqj", "name": "picomatch: GHSA-c2c7-rcm5-vvqj", "shortDescription": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "fullDescription": {"text": "Picomatch has a ReDoS vulnerability via extglob quantifiers"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9wv6-86v2-598j", "name": "path-to-regexp: GHSA-9wv6-86v2-598j", "shortDescription": {"text": "path-to-regexp: GHSA-9wv6-86v2-598j"}, "fullDescription": {"text": "path-to-regexp outputs backtracking regular expressions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rhx6-c78j-4q9w", "name": "path-to-regexp: GHSA-rhx6-c78j-4q9w", "shortDescription": {"text": "path-to-regexp: GHSA-rhx6-c78j-4q9w"}, "fullDescription": {"text": "path-to-regexp contains a ReDoS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-37ch-88jc-xwx2", "name": "path-to-regexp: GHSA-37ch-88jc-xwx2", "shortDescription": {"text": "path-to-regexp: GHSA-37ch-88jc-xwx2"}, "fullDescription": {"text": "path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q67f-28xg-22rw", "name": "node-forge: GHSA-q67f-28xg-22rw", "shortDescription": {"text": "node-forge: GHSA-q67f-28xg-22rw"}, "fullDescription": {"text": "Forge has signature forgery in Ed25519 due to missing S > L check"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-ppp5-5v6c-4jwp", "name": "node-forge: GHSA-ppp5-5v6c-4jwp", 
"shortDescription": {"text": "node-forge: GHSA-ppp5-5v6c-4jwp"}, "fullDescription": {"text": "Forge has signature forgery in RSA-PKCS due to ASN.1 extra field  "}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5m6q-g25r-mvwx", "name": "node-forge: GHSA-5m6q-g25r-mvwx", "shortDescription": {"text": "node-forge: GHSA-5m6q-g25r-mvwx"}, "fullDescription": {"text": "Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2328-f5f3-gj25", "name": "node-forge: GHSA-2328-f5f3-gj25", "shortDescription": {"text": "node-forge: GHSA-2328-f5f3-gj25"}, "fullDescription": {"text": "Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xf7r-hgr6-v32p", "name": "multer: GHSA-xf7r-hgr6-v32p", "shortDescription": {"text": "multer: GHSA-xf7r-hgr6-v32p"}, "fullDescription": {"text": "Multer vulnerable to Denial of Service via incomplete cleanup"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v52c-386h-88mc", "name": "multer: GHSA-v52c-386h-88mc", "shortDescription": {"text": "multer: GHSA-v52c-386h-88mc"}, "fullDescription": {"text": "Multer vulnerable to Denial of Service via resource exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-g5hg-p3ph-g8qg", "name": "multer: GHSA-g5hg-p3ph-g8qg", "shortDescription": {"text": "multer: GHSA-g5hg-p3ph-g8qg"}, "fullDescription": {"text": "Multer vulnerable to Denial of Service 
via unhandled exception"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-fjgf-rc76-4x9p", "name": "multer: GHSA-fjgf-rc76-4x9p", "shortDescription": {"text": "multer: GHSA-fjgf-rc76-4x9p"}, "fullDescription": {"text": "Multer vulnerable to Denial of Service via unhandled exception from malformed request"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5528-5vmv-3xc2", "name": "multer: GHSA-5528-5vmv-3xc2", "shortDescription": {"text": "multer: GHSA-5528-5vmv-3xc2"}, "fullDescription": {"text": "Multer Vulnerable to Denial of Service via Uncontrolled Recursion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4pg4-qvpc-4q3h", "name": "multer: GHSA-4pg4-qvpc-4q3h", "shortDescription": {"text": "multer: GHSA-4pg4-qvpc-4q3h"}, "fullDescription": {"text": "Multer vulnerable to Denial of Service from maliciously crafted requests"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-44fp-w29j-9vj5", "name": "multer: GHSA-44fp-w29j-9vj5", "shortDescription": {"text": "multer: GHSA-44fp-w29j-9vj5"}, "fullDescription": {"text": "Multer vulnerable to Denial of Service via memory leaks from unclosed streams"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7r86-cg39-jmmj", "name": "minimatch: GHSA-7r86-cg39-jmmj", "shortDescription": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "fullDescription": {"text": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": 
"high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3ppc-4f35-3m26", "name": "minimatch: GHSA-3ppc-4f35-3m26", "shortDescription": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "fullDescription": {"text": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-23c5-xmqv-rm74", "name": "minimatch: GHSA-23c5-xmqv-rm74", "shortDescription": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "fullDescription": {"text": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r5fr-rjxr-66jc", "name": "lodash: GHSA-r5fr-rjxr-66jc", "shortDescription": {"text": "lodash: GHSA-r5fr-rjxr-66jc"}, "fullDescription": {"text": "lodash vulnerable to Code Injection via `_.template` imports key names"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2p57-rm9w-gvfp", "name": "ip: GHSA-2p57-rm9w-gvfp", "shortDescription": {"text": "ip: GHSA-2p57-rm9w-gvfp"}, "fullDescription": {"text": "ip SSRF improper categorization in isPublic"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rc47-6667-2j5j", "name": "http-cache-semantics: GHSA-rc47-6667-2j5j", "shortDescription": {"text": "http-cache-semantics: GHSA-rc47-6667-2j5j"}, "fullDescription": {"text": "http-cache-semantics vulnerable to Regular Expression Denial of Service"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xjpj-3mr7-gcpf", "name": "handlebars: GHSA-xjpj-3mr7-gcpf", 
"shortDescription": {"text": "handlebars: GHSA-xjpj-3mr7-gcpf"}, "fullDescription": {"text": "Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xhpv-hc6g-r9c6", "name": "handlebars: GHSA-xhpv-hc6g-r9c6", "shortDescription": {"text": "handlebars: GHSA-xhpv-hc6g-r9c6"}, "fullDescription": {"text": "Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9cx6-37pm-9jff", "name": "handlebars: GHSA-9cx6-37pm-9jff", "shortDescription": {"text": "handlebars: GHSA-9cx6-37pm-9jff"}, "fullDescription": {"text": "Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3mfm-83xf-c92r", "name": "handlebars: GHSA-3mfm-83xf-c92r", "shortDescription": {"text": "handlebars: GHSA-3mfm-83xf-c92r"}, "fullDescription": {"text": "Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5j98-mcp5-4vw2", "name": "glob: GHSA-5j98-mcp5-4vw2", "shortDescription": {"text": "glob: GHSA-5j98-mcp5-4vw2"}, "fullDescription": {"text": "glob CLI: Command injection via -c/--cmd executes matches with shell:true"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rf6f-7fwh-wjgh", "name": "flatted: GHSA-rf6f-7fwh-wjgh", "shortDescription": {"text": "flatted: 
GHSA-rf6f-7fwh-wjgh"}, "fullDescription": {"text": "Prototype Pollution via parse() in NodeJS flatted"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-25h7-pfq9-p65f", "name": "flatted: GHSA-25h7-pfq9-p65f", "shortDescription": {"text": "flatted: GHSA-25h7-pfq9-p65f"}, "fullDescription": {"text": "flatted vulnerable to unbounded recursion DoS in parse() revive phase"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-wm7h-9275-46v2", "name": "dicer: GHSA-wm7h-9275-46v2", "shortDescription": {"text": "dicer: GHSA-wm7h-9275-46v2"}, "fullDescription": {"text": "Crash in HeaderParser in dicer"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3xgq-45jj-v275", "name": "cross-spawn: GHSA-3xgq-45jj-v275", "shortDescription": {"text": "cross-spawn: GHSA-3xgq-45jj-v275"}, "fullDescription": {"text": "Regular Expression Denial of Service (ReDoS) in cross-spawn"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-x9w5-v3q2-3rhw", "name": "browserify-sign: GHSA-x9w5-v3q2-3rhw", "shortDescription": {"text": "browserify-sign: GHSA-x9w5-v3q2-3rhw"}, "fullDescription": {"text": "browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-grv7-fg5c-xmjg", "name": "braces: GHSA-grv7-fg5c-xmjg", "shortDescription": {"text": "braces: GHSA-grv7-fg5c-xmjg"}, "fullDescription": {"text": "Uncontrolled resource consumption in braces"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", 
"confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rpmf-866q-6p89", "name": "basic-ftp: GHSA-rpmf-866q-6p89", "shortDescription": {"text": "basic-ftp: GHSA-rpmf-866q-6p89"}, "fullDescription": {"text": "basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rp42-5vxx-qpwr", "name": "basic-ftp: GHSA-rp42-5vxx-qpwr", "shortDescription": {"text": "basic-ftp: GHSA-rp42-5vxx-qpwr"}, "fullDescription": {"text": "basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list()"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-6v7q-wjvx-w8wg", "name": "basic-ftp: GHSA-6v7q-wjvx-w8wg", "shortDescription": {"text": "basic-ftp: GHSA-6v7q-wjvx-w8wg"}, "fullDescription": {"text": "basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-fv7c-fp4j-7gwp", "name": "@babel/plugin-transform-modules-systemjs: GHSA-fv7c-fp4j-7gwp", "shortDescription": {"text": "@babel/plugin-transform-modules-systemjs: GHSA-fv7c-fp4j-7gwp"}, "fullDescription": {"text": "@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with 
server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (the value is inserted as text and never parsed as HTML).\nFor HTML you do need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's text binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/setup-node` pinned to mutable ref `@v6`", "shortDescription": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "fullDescription": {"text": "`uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pointed by the action owner or by anyone who compromises the action's repository; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a full 40-character commit SHA and keep it current with Dependabot or Renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED122", "name": "package.json dep `axios` pulled from URL/Git", "shortDescription": {"text": "package.json dep `axios` pulled from URL/Git"}, "fullDescription": {"text": "`dependencies.axios` = `file:../../../..` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload; for a `file:` spec like this one the source is a local path rather than a remote host, so check where the relative path resolves."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "Express POST / has no auth", "shortDescription": {"text": "Express POST / has no auth"}, "fullDescription": {"text": "Express route POST / declared without an auth middleware in its handler chain. State-changing methods (POST/PUT/DELETE/PATCH) on unauthenticated routes fall under OWASP A01:2021 Broken Access Control unless the route is intentionally public."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "GHSA-vwrp-x96c-mhwq", "name": "vm2: GHSA-vwrp-x96c-mhwq", "shortDescription": {"text": "vm2: GHSA-vwrp-x96c-mhwq"}, "fullDescription": {"text": "vm2: Mutable Proxies for Host Intrinsic Prototypes Allows Sandbox Escape"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v6mx-mf47-r5wg", "name": "vm2: GHSA-v6mx-mf47-r5wg", "shortDescription": {"text": "vm2: GHSA-v6mx-mf47-r5wg"}, "fullDescription": {"text": "vm2 has a Sandbox Escape issue"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v37h-5mfm-c47c", "name": "vm2: GHSA-v37h-5mfm-c47c", "shortDescription": {"text": "vm2: GHSA-v37h-5mfm-c47c"}, "fullDescription": {"text": "VM2 Has Sandbox Breakout Through Inspect Function"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rp36-8xq3-r6c4", "name": "vm2: GHSA-rp36-8xq3-r6c4", "shortDescription": {"text": "vm2: GHSA-rp36-8xq3-r6c4"}, "fullDescription": {"text": "NodeVM builtin denylist bypass via process and inspector/promises allows host code execution"}, 
"properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qvjj-29qf-hp7p", "name": "vm2: GHSA-qvjj-29qf-hp7p", "shortDescription": {"text": "vm2: GHSA-qvjj-29qf-hp7p"}, "fullDescription": {"text": "VM2 Has Sandbox Breakout Through Promise Species"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qcp4-v2jj-fjx8", "name": "vm2: GHSA-qcp4-v2jj-fjx8", "shortDescription": {"text": "vm2: GHSA-qcp4-v2jj-fjx8"}, "fullDescription": {"text": "vm2 has a Sandbox Escape Vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-grj5-jjm8-h35p", "name": "vm2: GHSA-grj5-jjm8-h35p", "shortDescription": {"text": "vm2: GHSA-grj5-jjm8-h35p"}, "fullDescription": {"text": "VM2 Sandbox Breakout Through __lookupGetter__"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-g644-9gfx-q4q4", "name": "vm2: GHSA-g644-9gfx-q4q4", "shortDescription": {"text": "vm2: GHSA-g644-9gfx-q4q4"}, "fullDescription": {"text": "vm2 Sandbox Escape vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-cchq-frgv-rjh5", "name": "vm2: GHSA-cchq-frgv-rjh5", "shortDescription": {"text": "vm2: GHSA-cchq-frgv-rjh5"}, "fullDescription": {"text": "vm2 Sandbox Escape vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9vg3-4rfj-wgcm", "name": "vm2: GHSA-9vg3-4rfj-wgcm", "shortDescription": {"text": "vm2: GHSA-9vg3-4rfj-wgcm"}, "fullDescription": {"text": "vm2 has Sandbox Breakout Through Null Proto 
Exception"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9qj6-qjgg-37qq", "name": "vm2: GHSA-9qj6-qjgg-37qq", "shortDescription": {"text": "vm2: GHSA-9qj6-qjgg-37qq"}, "fullDescription": {"text": "vm2 has sandbox breakout via `neutralizeArraySpeciesBatch`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-99p7-6v5w-7xg8", "name": "vm2: GHSA-99p7-6v5w-7xg8", "shortDescription": {"text": "vm2: GHSA-99p7-6v5w-7xg8"}, "fullDescription": {"text": "vm2 has a Sandbox Escape"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8hg8-63c5-gwmx", "name": "vm2: GHSA-8hg8-63c5-gwmx", "shortDescription": {"text": "vm2: GHSA-8hg8-63c5-gwmx"}, "fullDescription": {"text": "vm2 NodeVM `nesting: true` bypasses `require: false` allowing sandbox escape and arbitrary OS command execution"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-76w7-j9cq-rx2j", "name": "vm2: GHSA-76w7-j9cq-rx2j", "shortDescription": {"text": "vm2: GHSA-76w7-j9cq-rx2j"}, "fullDescription": {"text": "vm2 is Vulnerable to Sandbox Breakout Through Promise Species"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-6j2x-vhqr-qr7q", "name": "vm2: GHSA-6j2x-vhqr-qr7q", "shortDescription": {"text": "vm2: GHSA-6j2x-vhqr-qr7q"}, "fullDescription": {"text": "vm2 sandbox escape via JSPI-backed Promise `.finally()` species bypass"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-55hx-c926-fr95", "name": "vm2: 
GHSA-55hx-c926-fr95", "shortDescription": {"text": "vm2: GHSA-55hx-c926-fr95"}, "fullDescription": {"text": "VM2 Has a Sandbox Escape Issue via SuppressedError"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-47x8-96vw-5wg6", "name": "vm2: GHSA-47x8-96vw-5wg6", "shortDescription": {"text": "vm2: GHSA-47x8-96vw-5wg6"}, "fullDescription": {"text": "vm2 Access to Host Object Enables Sandbox Escape"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-248r-7h7q-cr24", "name": "vm2: GHSA-248r-7h7q-cr24", "shortDescription": {"text": "vm2: GHSA-248r-7h7q-cr24"}, "fullDescription": {"text": "vm2 Has a Sandbox Breakout Using Async Generator"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-95m3-7q98-8xr5", "name": "sha.js: GHSA-95m3-7q98-8xr5", "shortDescription": {"text": "sha.js: GHSA-95m3-7q98-8xr5"}, "fullDescription": {"text": "sha.js is missing type checks leading to hash rewind and passing on crafted data"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v62p-rq8g-8h59", "name": "pbkdf2: GHSA-v62p-rq8g-8h59", "shortDescription": {"text": "pbkdf2: GHSA-v62p-rq8g-8h59"}, "fullDescription": {"text": "pbkdf2 silently disregards Uint8Array input, returning static keys"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-h7cp-r72f-jxh6", "name": "pbkdf2: GHSA-h7cp-r72f-jxh6", "shortDescription": {"text": "pbkdf2: GHSA-h7cp-r72f-jxh6"}, "fullDescription": {"text": "pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos"}, 
"properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2w6w-674q-4c4q", "name": "handlebars: GHSA-2w6w-674q-4c4q", "shortDescription": {"text": "handlebars: GHSA-2w6w-674q-4c4q"}, "fullDescription": {"text": "Handlebars.js has JavaScript Injection via AST Type Confusion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-fjxv-7rqg-78g4", "name": "form-data: GHSA-fjxv-7rqg-78g4", "shortDescription": {"text": "form-data: GHSA-fjxv-7rqg-78g4"}, "fullDescription": {"text": "form-data uses unsafe random function in form-data for choosing boundary"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-vjh7-7g9h-fjfh", "name": "elliptic: GHSA-vjh7-7g9h-fjfh", "shortDescription": {"text": "elliptic: GHSA-vjh7-7g9h-fjfh"}, "fullDescription": {"text": "Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. 
a string)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-cpq7-6gpm-g9rc", "name": "cipher-base: GHSA-cpq7-6gpm-g9rc", "shortDescription": {"text": "cipher-base: GHSA-cpq7-6gpm-g9rc"}, "fullDescription": {"text": "cipher-base is missing type checks, leading to hash rewind and passing on crafted data"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5rq4-664w-9x2c", "name": "basic-ftp: GHSA-5rq4-664w-9x2c", "shortDescription": {"text": "basic-ftp: GHSA-5rq4-664w-9x2c"}, "fullDescription": {"text": "Basic FTP has Path Traversal Vulnerability in its downloadToDir()\u00a0method"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-67hx-6x53-jw92", "name": "babel-traverse: GHSA-67hx-6x53-jw92", "shortDescription": {"text": "babel-traverse: GHSA-67hx-6x53-jw92"}, "fullDescription": {"text": "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "private-key", "name": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.", "shortDescription": {"text": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED127", "name": "Cryptominer signature: `stratum+tcp://`", "shortDescription": {"text": "Cryptominer signature: `stratum+tcp://`"}, 
"fullDescription": {"text": "Source contains a known cryptominer signature (`stratum+tcp://`). Could be a deliberate malicious payload, a compromised dependency, or a copy-paste from a tutorial \u2014 but it warrants immediate investigation. Mining pool URLs in production code are almost never legitimate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/709"}, "properties": {"repository": "axios/axios", "repoUrl": "https://github.com/axios/axios", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 57059, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 57058, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": 
"open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Express"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "GHSA-58qx-3vcg-4xpx", "level": "warning", "message": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "properties": {"repobilityId": 57057, "scanner": "osv-scanner", "fingerprint": "1b788fa8525382946c739270c1849aaa868327cf2c4216daf211eef3de5db45b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45736"], "package": "ws", "rule_id": "GHSA-58qx-3vcg-4xpx", "scanner": "osv-scanner", "correlation_key": "vuln|ws|CVE-2026-45736|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-wp5r-2gw5-m7q7", "level": "warning", "message": {"text": "vm2: GHSA-wp5r-2gw5-m7q7"}, "properties": {"repobilityId": 57055, "scanner": "osv-scanner", "fingerprint": "1cd871e93b3adad5790e40081f148313f5436b55bbfc8d582f908e1d58d8221c", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44003"], "package": "vm2", "rule_id": "GHSA-wp5r-2gw5-m7q7", "scanner": "osv-scanner", "correlation_key": "vuln|vm2|CVE-2026-44003|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v27g-jcqj-v8rw", "level": "warning", "message": {"text": "vm2: GHSA-v27g-jcqj-v8rw"}, "properties": {"repobilityId": 57051, 
"scanner": "osv-scanner", "fingerprint": "338f208b3c38bac374adbcc61bd2d4181d71e7b44605696bb3f8190065cb7f3d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44002"], "package": "vm2", "rule_id": "GHSA-v27g-jcqj-v8rw", "scanner": "osv-scanner", "correlation_key": "vuln|vm2|CVE-2026-44002|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mpf8-4hx2-7cjg", "level": "warning", "message": {"text": "vm2: GHSA-mpf8-4hx2-7cjg"}, "properties": {"repobilityId": 57045, "scanner": "osv-scanner", "fingerprint": "a077aad58010160d28d9077263d9a9add3bf01e94f77e37fc47e1bdbed258d5f", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44000"], "package": "vm2", "rule_id": "GHSA-mpf8-4hx2-7cjg", "scanner": "osv-scanner", "correlation_key": "vuln|vm2|CVE-2026-44000|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9g8x-92q2-p28f", "level": "warning", "message": {"text": "vm2: GHSA-9g8x-92q2-p28f"}, "properties": {"repobilityId": 57036, "scanner": "osv-scanner", "fingerprint": "a7c9901bd7c11a0a3f1988be89bfdcc0eb586202fb0bb01e792e33ebc4411062", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47141"], "package": "vm2", "rule_id": "GHSA-9g8x-92q2-p28f", "scanner": "osv-scanner", "correlation_key": "vuln|vm2|CVE-2026-47141|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": 
"GHSA-2cm2-m3w5-gp2f", "level": "warning", "message": {"text": "vm2: GHSA-2cm2-m3w5-gp2f"}, "properties": {"repobilityId": 57028, "scanner": "osv-scanner", "fingerprint": "399ae91eec3b415ac5f50554eb503f09a2c6d77f0dde7acf0195582e7c94dac1", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "vm2", "rule_id": "GHSA-2cm2-m3w5-gp2f", "scanner": "osv-scanner", "correlation_key": "vuln|vm2|GHSA-2CM2-M3W5-GP2F|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w5hq-g745-h8pq", "level": "warning", "message": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "properties": {"repobilityId": 57026, "scanner": "osv-scanner", "fingerprint": "2f6e44d3056f0549be14ae43b720d756ca97d735468761433ea29a9ddf340eaa", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41907"], "package": "uuid", "rule_id": "GHSA-w5hq-g745-h8pq", "scanner": "osv-scanner", "correlation_key": "vuln|uuid|CVE-2026-41907|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-72xf-g2v4-qvf3", "level": "warning", "message": {"text": "tough-cookie: GHSA-72xf-g2v4-qvf3"}, "properties": {"repobilityId": 57025, "scanner": "osv-scanner", "fingerprint": "9312444564db3259ff3baca946d1de0e510333d4b6ad2cc139492995a0ed6e56", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-26136"], "package": "tough-cookie", "rule_id": "GHSA-72xf-g2v4-qvf3", "scanner": "osv-scanner", "correlation_key": 
"vuln|tough-cookie|CVE-2023-26136|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f5x3-32g6-xq36", "level": "warning", "message": {"text": "tar: GHSA-f5x3-32g6-xq36"}, "properties": {"repobilityId": 57020, "scanner": "osv-scanner", "fingerprint": "f2515de4e38a52b29c7c1ac4e565a1749040f28e9224f58037c9826bea81435e", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-28863"], "package": "tar", "rule_id": "GHSA-f5x3-32g6-xq36", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2024-28863|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qj8w-gfj5-8c6v", "level": "warning", "message": {"text": "serialize-javascript: GHSA-qj8w-gfj5-8c6v"}, "properties": {"repobilityId": 57011, "scanner": "osv-scanner", "fingerprint": "861c9140d2458e85a1dd789a1de43fb0746f37a04647da29356e9e95fb4647ef", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34043"], "package": "serialize-javascript", "rule_id": "GHSA-qj8w-gfj5-8c6v", "scanner": "osv-scanner", "correlation_key": "vuln|serialize-javascript|CVE-2026-34043|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-76p7-773f-r4q5", "level": "warning", "message": {"text": "serialize-javascript: GHSA-76p7-773f-r4q5"}, "properties": {"repobilityId": 57010, "scanner": "osv-scanner", "fingerprint": "74c8e54d8d2647b04201a388f885aab99eedda9b7bece01a5dd65462321576bc", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": 
"open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-11831"], "package": "serialize-javascript", "rule_id": "GHSA-76p7-773f-r4q5", "scanner": "osv-scanner", "correlation_key": "vuln|serialize-javascript|CVE-2024-11831|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-p8p7-x288-28g6", "level": "warning", "message": {"text": "request: GHSA-p8p7-x288-28g6"}, "properties": {"repobilityId": 57003, "scanner": "osv-scanner", "fingerprint": "7e583e9901c83796fd0a857d40046a0da07ae4c583ddf01f757d12823e82a16f", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-28155"], "package": "request", "rule_id": "GHSA-p8p7-x288-28g6", "scanner": "osv-scanner", "correlation_key": "vuln|request|CVE-2023-28155|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q8mj-m7cp-5q26", "level": "warning", "message": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "properties": {"repobilityId": 57001, "scanner": "osv-scanner", "fingerprint": "47af66b2941511910bef679f7fdc36232d020247a0f6ed279e094f6f5cfdf3b5", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-8723"], "package": "qs", "rule_id": "GHSA-q8mj-m7cp-5q26", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2026-8723|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6rw7-vpxm-498p", "level": "warning", "message": {"text": "qs: GHSA-6rw7-vpxm-498p"}, "properties": {"repobilityId": 57000, "scanner": 
"osv-scanner", "fingerprint": "fa80c0113a31d4aa749588a85511874d731a5f17963bf03bd5aa107cf81d4b3f", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-15284"], "package": "qs", "rule_id": "GHSA-6rw7-vpxm-498p", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2025-15284|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3v7f-55p6-f55p", "level": "warning", "message": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "properties": {"repobilityId": 56998, "scanner": "osv-scanner", "fingerprint": "d01f2097e7b318fed09051dc9486d1856dda99f71ea520983bca2d575128e70d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33672"], "package": "picomatch", "rule_id": "GHSA-3v7f-55p6-f55p", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33672|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-952p-6rrq-rcjv", "level": "warning", "message": {"text": "micromatch: GHSA-952p-6rrq-rcjv"}, "properties": {"repobilityId": 56978, "scanner": "osv-scanner", "fingerprint": "6074fdd4d1c7ccc86350f1ed269ae01ecab6612eecc17984fef4f3c455e1e6a6", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-4067"], "package": "micromatch", "rule_id": "GHSA-952p-6rrq-rcjv", "scanner": "osv-scanner", "correlation_key": "vuln|micromatch|CVE-2024-4067|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": 
{"startLine": 1}}}]}, {"ruleId": "GHSA-xxjr-mmjv-4gpg", "level": "warning", "message": {"text": "lodash: GHSA-xxjr-mmjv-4gpg"}, "properties": {"repobilityId": 56977, "scanner": "osv-scanner", "fingerprint": "f047ccc7d9c1109aced3a5c21f0b53a27d6582174ed7660bc0f4dfe83bf08a1a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-13465"], "package": "lodash", "rule_id": "GHSA-xxjr-mmjv-4gpg", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2025-13465|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f23m-r3pf-42rh", "level": "warning", "message": {"text": "lodash: GHSA-f23m-r3pf-42rh"}, "properties": {"repobilityId": 56975, "scanner": "osv-scanner", "fingerprint": "de986ead824c9cd2225230d6fcc7a484a3f62fc4668bd948eb33bf3de3e73e26", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2950"], "package": "lodash", "rule_id": "GHSA-f23m-r3pf-42rh", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2026-2950|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mh29-5h37-fv8m", "level": "warning", "message": {"text": "js-yaml: GHSA-mh29-5h37-fv8m"}, "properties": {"repobilityId": 56974, "scanner": "osv-scanner", "fingerprint": "28d729fc1155c54fc66f4fb51841604d700ad2e22c31e413765f6dd36f601211", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-64718"], "package": "js-yaml", "rule_id": "GHSA-mh29-5h37-fv8m", "scanner": "osv-scanner", 
"correlation_key": "vuln|js-yaml|CVE-2025-64718|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v2v4-37r5-5v8g", "level": "warning", "message": {"text": "ip-address: GHSA-v2v4-37r5-5v8g"}, "properties": {"repobilityId": 56973, "scanner": "osv-scanner", "fingerprint": "88e37ad91ff38f5df72baa5745d86869e8a461f1cce98114f89b163d238468a4", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42338"], "package": "ip-address", "rule_id": "GHSA-v2v4-37r5-5v8g", "scanner": "osv-scanner", "correlation_key": "vuln|ip-address|CVE-2026-42338|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7rx3-28cr-v5wh", "level": "warning", "message": {"text": "handlebars: GHSA-7rx3-28cr-v5wh"}, "properties": {"repobilityId": 56966, "scanner": "osv-scanner", "fingerprint": "205ba0da3c81d4bdf0e41d1e687d2f7afbe99652be5ce87ed6a3faffc7f7db5b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "handlebars", "rule_id": "GHSA-7rx3-28cr-v5wh", "scanner": "osv-scanner", "correlation_key": "vuln|handlebars|GHSA-7RX3-28CR-V5WH|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2qvq-rjwj-gvw9", "level": "warning", "message": {"text": "handlebars: GHSA-2qvq-rjwj-gvw9"}, "properties": {"repobilityId": 56962, "scanner": "osv-scanner", "fingerprint": "f15dce2c113f980c0bfbaa5e75474d7bc3cbbcb13d0fcb2d7e9b1ea9070d6cf4", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", 
"isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33916"], "package": "handlebars", "rule_id": "GHSA-2qvq-rjwj-gvw9", "scanner": "osv-scanner", "correlation_key": "vuln|handlebars|CVE-2026-33916|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-pfrx-2q88-qq97", "level": "warning", "message": {"text": "got: GHSA-pfrx-2q88-qq97"}, "properties": {"repobilityId": 56961, "scanner": "osv-scanner", "fingerprint": "408b5f889e77361079e8dec3fd03d24fba9b7c804329983fe918441488168724", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2022-33987"], "package": "got", "rule_id": "GHSA-pfrx-2q88-qq97", "scanner": "osv-scanner", "correlation_key": "vuln|got|CVE-2022-33987|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r4q5-vmmm-2653", "level": "warning", "message": {"text": "follow-redirects: GHSA-r4q5-vmmm-2653"}, "properties": {"repobilityId": 56957, "scanner": "osv-scanner", "fingerprint": "248c1e434ec83c5a892dfdf2f0e0aa80ddc9030d3cbaccddc0f5a14a5c6577be", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "follow-redirects", "rule_id": "GHSA-r4q5-vmmm-2653", "scanner": "osv-scanner", "correlation_key": "vuln|follow-redirects|GHSA-R4Q5-VMMM-2653|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f886-m6hf-6m8v", "level": "warning", "message": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "properties": {"repobilityId": 56944, "scanner": "osv-scanner", "fingerprint": 
"e8eb0ab1ffbb15b3b127c7436af364aa04d69dbc42fb22d21fcb4f304d428269", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33750"], "package": "brace-expansion", "rule_id": "GHSA-f886-m6hf-6m8v", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-33750|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-378v-28hj-76wf", "level": "warning", "message": {"text": "bn.js: GHSA-378v-28hj-76wf"}, "properties": {"repobilityId": 56943, "scanner": "osv-scanner", "fingerprint": "0065f25bd4b4cc45ba1c7ad6053fbbf47b6e5ee563eac9003c5b0d926056e68a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2739"], "package": "bn.js", "rule_id": "GHSA-378v-28hj-76wf", "scanner": "osv-scanner", "correlation_key": "vuln|bn.js|CVE-2026-2739|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v88g-cgmw-v5xw", "level": "warning", "message": {"text": "ajv: GHSA-v88g-cgmw-v5xw"}, "properties": {"repobilityId": 56937, "scanner": "osv-scanner", "fingerprint": "e65a0f493c186c9f442c6c2c77cea62c3c86a265b77be76b218f6cb3b1696ad1", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2020-15366"], "package": "ajv", "rule_id": "GHSA-v88g-cgmw-v5xw", "scanner": "osv-scanner", "correlation_key": "vuln|ajv|CVE-2020-15366|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": 
"GHSA-2g4f-4pwh-qvx6", "level": "warning", "message": {"text": "ajv: GHSA-2g4f-4pwh-qvx6"}, "properties": {"repobilityId": 56936, "scanner": "osv-scanner", "fingerprint": "b6e4ab66cc3522d009fa9b7b4cb49ad3d9a60843a6d25559c80bbc6b5b65b8d7", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-69873"], "package": "ajv", "rule_id": "GHSA-2g4f-4pwh-qvx6", "scanner": "osv-scanner", "correlation_key": "vuln|ajv|CVE-2025-69873|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xx4v-prfh-6cgc", "level": "warning", "message": {"text": "@octokit/request-error: GHSA-xx4v-prfh-6cgc"}, "properties": {"repobilityId": 56935, "scanner": "osv-scanner", "fingerprint": "6e22a369aa43b75d72d373140a5b62629b0f67baec1449294f864c875162a4a0", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-25289"], "package": "@octokit/request-error", "rule_id": "GHSA-xx4v-prfh-6cgc", "scanner": "osv-scanner", "correlation_key": "vuln|octokit/request-error|CVE-2025-25289|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rmvr-2pp2-xj38", "level": "warning", "message": {"text": "@octokit/request: GHSA-rmvr-2pp2-xj38"}, "properties": {"repobilityId": 56934, "scanner": "osv-scanner", "fingerprint": "9d25e3a9d08dd216d0b5fc153395dac91582862d640a27407b9a01a3b78ddf8a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-25290"], "package": "@octokit/request", "rule_id": "GHSA-rmvr-2pp2-xj38", 
"scanner": "osv-scanner", "correlation_key": "vuln|octokit/request|CVE-2025-25290|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-h5c3-5r3r-rr8q", "level": "warning", "message": {"text": "@octokit/plugin-paginate-rest: GHSA-h5c3-5r3r-rr8q"}, "properties": {"repobilityId": 56933, "scanner": "osv-scanner", "fingerprint": "7decc6bd36eed8f6312f5395527e833f73d09caf10f1be108cdc5266c3f913bf", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-25288"], "package": "@octokit/plugin-paginate-rest", "rule_id": "GHSA-h5c3-5r3r-rr8q", "scanner": "osv-scanner", "correlation_key": "vuln|token|CVE-2025-25288|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-968p-4wvh-cqc8", "level": "warning", "message": {"text": "@babel/runtime: GHSA-968p-4wvh-cqc8"}, "properties": {"repobilityId": 56932, "scanner": "osv-scanner", "fingerprint": "1a021c51241fa6b167e8ea883b0ad2124ec3f45610123342d66941a8ba97193b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-27789"], "package": "@babel/runtime", "rule_id": "GHSA-968p-4wvh-cqc8", "scanner": "osv-scanner", "correlation_key": "vuln|babel/runtime|CVE-2025-27789|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-968p-4wvh-cqc8", "level": "warning", "message": {"text": "@babel/helpers: GHSA-968p-4wvh-cqc8"}, "properties": {"repobilityId": 56930, "scanner": "osv-scanner", "fingerprint": "a2744c3dc4514686546d37b3766fd7426464a5ddd60df990e0fd10cd70ff8afb", 
"category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-27789"], "package": "@babel/helpers", "rule_id": "GHSA-968p-4wvh-cqc8", "scanner": "osv-scanner", "correlation_key": "vuln|babel/helpers|CVE-2025-27789|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `gulp` is 1 major version(s) behind (4.0.2 -> 5.0.1)"}, "properties": {"repobilityId": 56923, "scanner": "repobility-dependency-currency", "fingerprint": "e53dade0b0f5ec9025c9b70c1db4485affd56805689c0524410dcb529558a8df", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "gulp", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.0.1", "correlation_key": "fp|e53dade0b0f5ec9025c9b70c1db4485affd56805689c0524410dcb529558a8df", "current_version": "4.0.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `get-stream` is 3 major version(s) behind (6.0.1 -> 9.0.1)"}, "properties": {"repobilityId": 56922, "scanner": "repobility-dependency-currency", "fingerprint": "1ce0faba7a1f3790d0a91311f4ba6dddb85c582e26249f7c72c1f3e99a6f1581", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "get-stream", "scanner": "repobility-dependency-currency", "ecosystem": 
"npm", "languages": ["javascript"], "latest_version": "9.0.1", "correlation_key": "fp|1ce0faba7a1f3790d0a91311f4ba6dddb85c582e26249f7c72c1f3e99a6f1581", "current_version": "6.0.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `formidable` is 1 major version(s) behind (2.1.2 -> 3.5.4)"}, "properties": {"repobilityId": 56920, "scanner": "repobility-dependency-currency", "fingerprint": "9459b22f471bce58dea2814167ae97d00d9fa00a5e84207148ff40ce52e26480", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "formidable", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.5.4", "correlation_key": "fp|9459b22f471bce58dea2814167ae97d00d9fa00a5e84207148ff40ce52e26480", "current_version": "2.1.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `formdata-node` is 1 major version(s) behind (5.0.1 -> 6.0.3)"}, "properties": {"repobilityId": 56919, "scanner": "repobility-dependency-currency", "fingerprint": "a0c75ff89cbb44296a303ffb7fe5f8b64752c2044f7c41f07da5eaf5e0d39686", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "formdata-node", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.0.3", "correlation_key": "fp|a0c75ff89cbb44296a303ffb7fe5f8b64752c2044f7c41f07da5eaf5e0d39686", "current_version": 
"5.0.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `express` is 1 major version(s) behind (4.21.1 -> 5.2.1)"}, "properties": {"repobilityId": 56918, "scanner": "repobility-dependency-currency", "fingerprint": "962f9ee20f8720384772d63051dc73e3e7e3c1c41e258ca0d49a92c27edc25a7", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "express", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.2.1", "correlation_key": "fp|962f9ee20f8720384772d63051dc73e3e7e3c1c41e258ca0d49a92c27edc25a7", "current_version": "4.21.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `cross-env` is 3 major version(s) behind (7.0.3 -> 10.1.0)"}, "properties": {"repobilityId": 56917, "scanner": "repobility-dependency-currency", "fingerprint": "128f153e37e60e4e535abf56696b01745e4738bb265c3de05046d3a2c218f77c", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "cross-env", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.1.0", "correlation_key": "fp|128f153e37e60e4e535abf56696b01745e4738bb265c3de05046d3a2c218f77c", "current_version": "7.0.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": 
{"text": "npm package `chalk` is 3 major version(s) behind (2.4.2 -> 5.6.2)"}, "properties": {"repobilityId": 56916, "scanner": "repobility-dependency-currency", "fingerprint": "1091133c38b5e6d1ce2a8c2508bd2283e931a126b6f5fb7536a5a2cc485e0d8b", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "chalk", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.6.2", "correlation_key": "fp|1091133c38b5e6d1ce2a8c2508bd2283e931a126b6f5fb7536a5a2cc485e0d8b", "current_version": "2.4.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `c8` is 1 major version(s) behind (10.1.3 -> 11.0.0)"}, "properties": {"repobilityId": 56915, "scanner": "repobility-dependency-currency", "fingerprint": "5dacc3e7082bb87e56bb6aea7021d19af64234de81858083713d78f8ab0b44c4", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "c8", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "11.0.0", "correlation_key": "fp|5dacc3e7082bb87e56bb6aea7021d19af64234de81858083713d78f8ab0b44c4", "current_version": "10.1.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `body-parser` is 1 major version(s) behind (1.20.3 -> 2.2.2)"}, "properties": {"repobilityId": 56914, "scanner": "repobility-dependency-currency", "fingerprint": 
"475a62d30fb656894affda1d097d08e1267a8a3efa56876602eb7f47186d6a29", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "body-parser", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.2.2", "correlation_key": "fp|475a62d30fb656894affda1d097d08e1267a8a3efa56876602eb7f47186d6a29", "current_version": "1.20.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@rollup/plugin-node-resolve` is 7 major version(s) behind (9.0.0 -> 16.0.3)"}, "properties": {"repobilityId": 56911, "scanner": "repobility-dependency-currency", "fingerprint": "6318d4ca0845487a02de2cf8a158b973b44b2cea93dab644af7b528a486462b4", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "7 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@rollup/plugin-node-resolve", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "16.0.3", "correlation_key": "fp|6318d4ca0845487a02de2cf8a158b973b44b2cea93dab644af7b528a486462b4", "current_version": "9.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@rollup/plugin-multi-entry` is 3 major version(s) behind (4.1.0 -> 7.1.0)"}, "properties": {"repobilityId": 56910, "scanner": "repobility-dependency-currency", "fingerprint": "e35ff1fb46c43284bdfef76a1d2a3b565a293d1b1f46609bc7a747db0efab033", "category": "dependency", "severity": "medium", 
"confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@rollup/plugin-multi-entry", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.1.0", "correlation_key": "fp|e35ff1fb46c43284bdfef76a1d2a3b565a293d1b1f46609bc7a747db0efab033", "current_version": "4.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@rollup/plugin-json` is 2 major version(s) behind (4.1.0 -> 6.1.0)"}, "properties": {"repobilityId": 56909, "scanner": "repobility-dependency-currency", "fingerprint": "7a6e856df835f2fd108981be6fb8c5bdfe7f7aefd25661cd73f3342260b94a15", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@rollup/plugin-json", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.1.0", "correlation_key": "fp|7a6e856df835f2fd108981be6fb8c5bdfe7f7aefd25661cd73f3342260b94a15", "current_version": "4.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@rollup/plugin-commonjs` is 14 major version(s) behind (15.1.0 -> 29.0.3)"}, "properties": {"repobilityId": 56908, "scanner": "repobility-dependency-currency", "fingerprint": "13cc27e905809094a23a775ee475230c9489d6d61b0aef803440645ee6e1b4bf", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "14 major 
version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@rollup/plugin-commonjs", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "29.0.3", "correlation_key": "fp|13cc27e905809094a23a775ee475230c9489d6d61b0aef803440645ee6e1b4bf", "current_version": "15.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@rollup/plugin-babel` is 2 major version(s) behind (5.3.1 -> 7.1.0)"}, "properties": {"repobilityId": 56907, "scanner": "repobility-dependency-currency", "fingerprint": "2284e89938f523b2f4350387c6e1bfec4d23fb9d862f3b38e889b110572ef47e", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@rollup/plugin-babel", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.1.0", "correlation_key": "fp|2284e89938f523b2f4350387c6e1bfec4d23fb9d862f3b38e889b110572ef47e", "current_version": "5.3.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@rollup/plugin-alias` is 1 major version(s) behind (5.1.0 -> 6.0.0)"}, "properties": {"repobilityId": 56906, "scanner": "repobility-dependency-currency", "fingerprint": "6d5a5984fcdd6ed9b88f8ff9f61b3a560800d07efd8497b5dc2883a754ecc973", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@rollup/plugin-alias", "scanner": 
"repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.0.0", "correlation_key": "fp|6d5a5984fcdd6ed9b88f8ff9f61b3a560800d07efd8497b5dc2883a754ecc973", "current_version": "5.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@release-it/conventional-changelog` is 6 major version(s) behind (5.1.1 -> 11.0.1)"}, "properties": {"repobilityId": 56905, "scanner": "repobility-dependency-currency", "fingerprint": "0001532b60ef3b422eeddd91770a5c282501dcb84a5868c02621858ae1fc7139", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "6 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@release-it/conventional-changelog", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "11.0.1", "correlation_key": "fp|0001532b60ef3b422eeddd91770a5c282501dcb84a5868c02621858ae1fc7139", "current_version": "5.1.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@commitlint/config-conventional` is 4 major version(s) behind (17.8.1 -> 21.0.2)"}, "properties": {"repobilityId": 56904, "scanner": "repobility-dependency-currency", "fingerprint": "f97385cbe27cde0eb02f5bc4b4c598f7eb6b4d22d7e1216c05f557ef86ab08b0", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "4 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@commitlint/config-conventional", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], 
"latest_version": "21.0.2", "correlation_key": "fp|f97385cbe27cde0eb02f5bc4b4c598f7eb6b4d22d7e1216c05f557ef86ab08b0", "current_version": "17.8.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@commitlint/cli` is 4 major version(s) behind (17.8.1 -> 21.0.2)"}, "properties": {"repobilityId": 56903, "scanner": "repobility-dependency-currency", "fingerprint": "a76f472fa35deeca1a6353f54f9c78e931a8da7912473cad4e6b765223807fca", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "4 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@commitlint/cli", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "21.0.2", "correlation_key": "fp|a76f472fa35deeca1a6353f54f9c78e931a8da7912473cad4e6b765223807fca", "current_version": "17.8.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `proxy-from-env` is 1 major version(s) behind (1.1.0 -> 2.1.0)"}, "properties": {"repobilityId": 56900, "scanner": "repobility-dependency-currency", "fingerprint": "747ee655e997697ca6007ff707d0f9b0be94a63f7b19135cac4e78212c1688eb", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "proxy-from-env", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.1.0", "correlation_key": "fp|747ee655e997697ca6007ff707d0f9b0be94a63f7b19135cac4e78212c1688eb", "current_version": "1.1.0"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 57060, "scanner": "repobility-web-presence", "fingerprint": "3081c029dd40a850a205941a65c49104d50d01746dd0d9f643123441ed143a96", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|3081c029dd40a850a205941a65c49104d50d01746dd0d9f643123441ed143a96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.md"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q3fm-4wcw-g57x", "level": "note", "message": {"text": "vm2: GHSA-q3fm-4wcw-g57x"}, "properties": {"repobilityId": 57046, "scanner": "osv-scanner", "fingerprint": "6b52bf751e5666d8538f9c09b0f6e80b20b0dc6d4b66c9abd1b3718807ff7ce0", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "vm2", "rule_id": "GHSA-q3fm-4wcw-g57x", "scanner": "osv-scanner", "correlation_key": "vuln|vm2|GHSA-Q3FM-4WCW-G57X|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-52f5-9888-hmc6", "level": "note", "message": {"text": "tmp: GHSA-52f5-9888-hmc6"}, "properties": {"repobilityId": 57023, "scanner": "osv-scanner", "fingerprint": "5003655454a65a37426e56993d1d8451b9df8dbc03f84f8701df78d520fd3ab5", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, 
"reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-54798"], "package": "tmp", "rule_id": "GHSA-52f5-9888-hmc6", "scanner": "osv-scanner", "correlation_key": "vuln|tmp|CVE-2025-54798|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4x5v-gmq8-25ch", "level": "note", "message": {"text": "semver-regex: GHSA-4x5v-gmq8-25ch"}, "properties": {"repobilityId": 57008, "scanner": "osv-scanner", "fingerprint": "6cc64c61bf62665d3040e2f3d6df333dd207de2d5743bcb3abde7df4dc996340", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2021-43307"], "package": "semver-regex", "rule_id": "GHSA-4x5v-gmq8-25ch", "scanner": "osv-scanner", "correlation_key": "vuln|semver-regex|CVE-2021-43307|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w7fw-mjwx-w883", "level": "note", "message": {"text": "qs: GHSA-w7fw-mjwx-w883"}, "properties": {"repobilityId": 57002, "scanner": "osv-scanner", "fingerprint": "f166fc9bedc798a4405ffae4db362d32e9e4c74b30e882f3e29ef038e180f732", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2391"], "package": "qs", "rule_id": "GHSA-w7fw-mjwx-w883", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2026-2391|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-78xj-cgh5-2h22", "level": "note", "message": {"text": "ip: GHSA-78xj-cgh5-2h22"}, "properties": {"repobilityId": 56972, "scanner": "osv-scanner", "fingerprint": 
"9ea4dd3778cf188b29d91f987ebc367de6a7be5eb95b67e2bc82d4edf0c03f69", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-42282"], "package": "ip", "rule_id": "GHSA-78xj-cgh5-2h22", "scanner": "osv-scanner", "correlation_key": "vuln|ip|CVE-2023-42282|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-442j-39wm-28r2", "level": "note", "message": {"text": "handlebars: GHSA-442j-39wm-28r2"}, "properties": {"repobilityId": 56965, "scanner": "osv-scanner", "fingerprint": "f693f5240767efc980b13bd685d246a210891abb1150adb64e3563244584b2b7", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "handlebars", "rule_id": "GHSA-442j-39wm-28r2", "scanner": "osv-scanner", "correlation_key": "vuln|handlebars|GHSA-442J-39WM-28R2|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-75v8-2h7p-7m2m", "level": "note", "message": {"text": "formidable: GHSA-75v8-2h7p-7m2m"}, "properties": {"repobilityId": 56959, "scanner": "osv-scanner", "fingerprint": "9b0cbb244235aa6c4399590937be387c378c2a8552511f26895be06c2dc8ada7", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-46653"], "package": "formidable", "rule_id": "GHSA-75v8-2h7p-7m2m", "scanner": "osv-scanner", "correlation_key": "vuln|formidable|CVE-2025-46653|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4gmj-3p3h-gm8h", "level": "note", 
"message": {"text": "es5-ext: GHSA-4gmj-3p3h-gm8h"}, "properties": {"repobilityId": 56954, "scanner": "osv-scanner", "fingerprint": "724928192aa0fdb7af68663729bbf87eb8d8a555f5d2b54e1b6a4ab1bda7aba7", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-27088"], "package": "es5-ext", "rule_id": "GHSA-4gmj-3p3h-gm8h", "scanner": "osv-scanner", "correlation_key": "vuln|es5-ext|CVE-2024-27088|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-848j-6mx2-7j84", "level": "note", "message": {"text": "elliptic: GHSA-848j-6mx2-7j84"}, "properties": {"repobilityId": 56952, "scanner": "osv-scanner", "fingerprint": "978bbd84f4a89b376839aea9031dfd03278556553f3af4c4b679a20da7208bc7", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-14505"], "package": "elliptic", "rule_id": "GHSA-848j-6mx2-7j84", "scanner": "osv-scanner", "correlation_key": "vuln|elliptic|CVE-2025-14505|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-73rr-hh4g-fpgx", "level": "note", "message": {"text": "diff: GHSA-73rr-hh4g-fpgx"}, "properties": {"repobilityId": 56951, "scanner": "osv-scanner", "fingerprint": "2405e68ce7f62e11671ae9eb41fe554f754a22acc3d904b80f3e56e6f25eadd6", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-24001"], "package": "diff", "rule_id": "GHSA-73rr-hh4g-fpgx", "scanner": "osv-scanner", "correlation_key": "vuln|diff|CVE-2026-24001|package-lock.json"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v6h2-p8h4-qcjw", "level": "note", "message": {"text": "brace-expansion: GHSA-v6h2-p8h4-qcjw"}, "properties": {"repobilityId": 56945, "scanner": "osv-scanner", "fingerprint": "3b771ed61f472eab02b4c9eb792b38e138cfec35c8ab51f877acaaca0e374b2d", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-5889"], "package": "brace-expansion", "rule_id": "GHSA-v6h2-p8h4-qcjw", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2025-5889|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `fs-extra` is minor version(s) behind (11.2.0 -> 11.3.5)"}, "properties": {"repobilityId": 56921, "scanner": "repobility-dependency-currency", "fingerprint": "6c1fa85c35b20b2c433da30fd011c765ce77faaa9375e0d0ae36182a4dc41886", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "fs-extra", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "11.3.5", "correlation_key": "fp|6c1fa85c35b20b2c433da30fd011c765ce77faaa9375e0d0ae36182a4dc41886", "current_version": "11.2.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `auto-changelog` is minor version(s) behind (2.4.0 -> 2.6.0)"}, "properties": {"repobilityId": 56913, "scanner": "repobility-dependency-currency", "fingerprint": 
"849749ddf6210b734f31cc41c062c34eaeafe8190bf1f33af5ffb1de27884f68", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "auto-changelog", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.6.0", "correlation_key": "fp|849749ddf6210b734f31cc41c062c34eaeafe8190bf1f33af5ffb1de27884f68", "current_version": "2.4.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@babel/preset-env` is minor version(s) behind (7.23.9 -> 7.29.7)"}, "properties": {"repobilityId": 56902, "scanner": "repobility-dependency-currency", "fingerprint": "358c5aec42a88736c3d491e324c9d9dba712bf35d426773fe235e74ff97e589b", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@babel/preset-env", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.29.7", "correlation_key": "fp|358c5aec42a88736c3d491e324c9d9dba712bf35d426773fe235e74ff97e589b", "current_version": "7.23.9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@babel/core` is minor version(s) behind (7.23.9 -> 7.29.7)"}, "properties": {"repobilityId": 56901, "scanner": "repobility-dependency-currency", "fingerprint": "5e8b2f9ebe7fc081f66f3b3d8ca7dc11dc0f7190d12f5523a8ccb37b398ee2c2", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", 
"isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@babel/core", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.29.7", "correlation_key": "fp|5e8b2f9ebe7fc081f66f3b3d8ca7dc11dc0f7190d12f5523a8ccb37b398ee2c2", "current_version": "7.23.9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `follow-redirects` is minor version(s) behind (1.15.11 -> 1.16.0)"}, "properties": {"repobilityId": 56899, "scanner": "repobility-dependency-currency", "fingerprint": "20cf5bbbbd7bc9ee120b2d8e707fee6c0f56449a2bdf68b7e0ee4ab17364e372", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "follow-redirects", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.16.0", "correlation_key": "fp|20cf5bbbbd7bc9ee120b2d8e707fee6c0f56449a2bdf68b7e0ee4ab17364e372", "current_version": "1.15.11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56874, "scanner": "repobility-ai-code-hygiene", "fingerprint": "92899ba38b8e63545709b444bfd5f5a3269bcf10b761e9042c6127e2b995d441", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", 
"references": ["https://jscpd.dev/"], "duplicate_file": "test/module/typings/cjs/index.ts", "duplicate_line": 54, "correlation_key": "fp|92899ba38b8e63545709b444bfd5f5a3269bcf10b761e9042c6127e2b995d441"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/module/typings/esm/index.ts"}, "region": {"startLine": 76}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56873, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2eb057698bfda65a1e4c46c1073cc884d38f4d1402be5316e0fdc2c913dce299", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "test/module/ts-require-default/index.js", "duplicate_line": 5, "correlation_key": "fp|2eb057698bfda65a1e4c46c1073cc884d38f4d1402be5316e0fdc2c913dce299"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/module/ts/index.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56872, "scanner": "repobility-ai-code-hygiene", "fingerprint": "189b45931f8b958ddaaa3bceee75ddd8606d35449961f140c0fd62fdc225dd4d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "test/module/ts-require-default/index.js", "duplicate_line": 5, "correlation_key": 
"fp|189b45931f8b958ddaaa3bceee75ddd8606d35449961f140c0fd62fdc225dd4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/module/ts-require/index.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56871, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cbba02166527ce11da6d5fb02217531fa1a075a2b70462604d8ebfcb789b7cbe", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "test/module/ts-require-default/index.ts", "duplicate_line": 3, "correlation_key": "fp|cbba02166527ce11da6d5fb02217531fa1a075a2b70462604d8ebfcb789b7cbe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/module/ts-require/index.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56870, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a8325ef79101e49c4d27bb7b1e8fa96ec07352fff3f0d1147430ffb51009b480", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "test/module/ts-require-default/index.js", "duplicate_line": 4, "correlation_key": "fp|a8325ef79101e49c4d27bb7b1e8fa96ec07352fff3f0d1147430ffb51009b480"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"test/module/ts-require/index.js"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56869, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6941bfa7e6af4145fd3a859aa0338c8e8eb8b845b914f6057b7c537df642b120", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "test/module/ts-require-default/index.js", "duplicate_line": 5, "correlation_key": "fp|6941bfa7e6af4145fd3a859aa0338c8e8eb8b845b914f6057b7c537df642b120"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/module/ts-require-default/index.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 56927, "scanner": "repobility-threat-engine", "fingerprint": "616a737d019ae97f53e0426cdc95b2538ef7f9404ddcccfa97846cbdfe3982a9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|616a737d019ae97f53e0426cdc95b2538ef7f9404ddcccfa97846cbdfe3982a9", "aggregated_count": 5}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 56926, "scanner": "repobility-threat-engine", "fingerprint": "2ae09b4622f5b178b97f997d76f1e28c89067944cb3ab492c4baeaa4d83c03e6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2ae09b4622f5b178b97f997d76f1e28c89067944cb3ab492c4baeaa4d83c03e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server.js"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 56925, "scanner": "repobility-threat-engine", "fingerprint": "5704df281d749bb47071024ef4ec8c08f73eb85d6295273aa5c4b383578978d0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5704df281d749bb47071024ef4ec8c08f73eb85d6295273aa5c4b383578978d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/postMultipartFormData/server.js"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 56924, "scanner": "repobility-threat-engine", "fingerprint": "01da0f9d0a6aa681d9be6004334c31280b89c5a8c3cebd4ef28afdcbb577ac04", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|01da0f9d0a6aa681d9be6004334c31280b89c5a8c3cebd4ef28afdcbb577ac04"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/post/server.js"}, "region": {"startLine": 9}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `abortcontroller-polyfill` is patch version(s) behind (1.7.5 -> 1.7.8)"}, "properties": {"repobilityId": 56912, "scanner": "repobility-dependency-currency", "fingerprint": "0e4f2b50a80a53ff76e60a9e22180cb6ac275ecaf9662395ad75e43538979e98", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "abortcontroller-polyfill", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.7.8", "correlation_key": "fp|0e4f2b50a80a53ff76e60a9e22180cb6ac275ecaf9662395ad75e43538979e98", "current_version": "1.7.5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3h5v-q93c-6h6q", "level": "error", "message": {"text": "ws: 
GHSA-3h5v-q93c-6h6q"}, "properties": {"repobilityId": 57056, "scanner": "osv-scanner", "fingerprint": "8238b367394f3eb3a63c9fdcf3a3af1b249bb37192f2b8decf177b0ea2da6032", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-37890"], "package": "ws", "rule_id": "GHSA-3h5v-q93c-6h6q", "scanner": "osv-scanner", "correlation_key": "vuln|ws|CVE-2024-37890|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r9pm-gxmw-wv6p", "level": "error", "message": {"text": "vm2: GHSA-r9pm-gxmw-wv6p"}, "properties": {"repobilityId": 57049, "scanner": "osv-scanner", "fingerprint": "334a0cf61e6a217695e506f78f8737c54b046a877fc8488fe80c1b6227aa0c16", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47139"], "package": "vm2", "rule_id": "GHSA-r9pm-gxmw-wv6p", "scanner": "osv-scanner", "correlation_key": "vuln|vm2|CVE-2026-47139|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-m5q2-4fm3-vfqp", "level": "error", "message": {"text": "vm2: GHSA-m5q2-4fm3-vfqp"}, "properties": {"repobilityId": 57044, "scanner": "osv-scanner", "fingerprint": "92b16a91fa4480aea0afcd01371e6d05928a47c720017ea50df741f484822c64", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47135"], "package": "vm2", "rule_id": "GHSA-m5q2-4fm3-vfqp", "scanner": "osv-scanner", "correlation_key": "vuln|vm2|CVE-2026-47135|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-hw58-p9xv-2mjh", "level": "error", "message": {"text": "vm2: GHSA-hw58-p9xv-2mjh"}, "properties": {"repobilityId": 57043, "scanner": "osv-scanner", "fingerprint": "c96fce652e8dcd33e8a5c1f083dae48d87d788ad3576da675997b11447bd53e1", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44001"], "package": "vm2", "rule_id": "GHSA-hw58-p9xv-2mjh", "scanner": "osv-scanner", "correlation_key": "vuln|vm2|CVE-2026-44001|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c4cf-2hgv-2qv6", "level": "error", "message": {"text": "vm2: GHSA-c4cf-2hgv-2qv6"}, "properties": {"repobilityId": 57039, "scanner": "osv-scanner", "fingerprint": "24d5e5671b5d3b995aacdc94375228ba4fa3cc3a8058b6215801a47a85e463e9", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47209"], "package": "vm2", "rule_id": "GHSA-c4cf-2hgv-2qv6", "scanner": "osv-scanner", "correlation_key": "vuln|vm2|CVE-2026-47209|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6785-pvv7-mvg7", "level": "error", "message": {"text": "vm2: GHSA-6785-pvv7-mvg7"}, "properties": {"repobilityId": 57031, "scanner": "osv-scanner", "fingerprint": "1650e45c02139c37049cd849b0e093161de6fdea3eed79ea8c4fb2070bcac32e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44004"], "package": "vm2", "rule_id": "GHSA-6785-pvv7-mvg7", "scanner": "osv-scanner", 
"correlation_key": "vuln|vm2|CVE-2026-44004|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-ph9p-34f9-6g65", "level": "error", "message": {"text": "tmp: GHSA-ph9p-34f9-6g65"}, "properties": {"repobilityId": 57024, "scanner": "osv-scanner", "fingerprint": "98d9d97f3f550caba1f6df39b82415945caad2b866cb40a32a12f4041deb865a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44705"], "package": "tmp", "rule_id": "GHSA-ph9p-34f9-6g65", "scanner": "osv-scanner", "correlation_key": "vuln|tmp|CVE-2026-44705|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r6q2-hw4h-h46w", "level": "error", "message": {"text": "tar: GHSA-r6q2-hw4h-h46w"}, "properties": {"repobilityId": 57022, "scanner": "osv-scanner", "fingerprint": "7db5bbfb918ed38d76af37cf80e02b458b9801396cf65c517393e3e27f2027ff", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-23950"], "package": "tar", "rule_id": "GHSA-r6q2-hw4h-h46w", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-23950|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qffp-2rhf-9h96", "level": "error", "message": {"text": "tar: GHSA-qffp-2rhf-9h96"}, "properties": {"repobilityId": 57021, "scanner": "osv-scanner", "fingerprint": "0cadc968d5f09288d0f7e175f9e57c30558d40af97a63675a0cdc5aac733c050", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": 
{"match": "", "aliases": ["CVE-2026-29786"], "package": "tar", "rule_id": "GHSA-qffp-2rhf-9h96", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-29786|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9ppj-qmqm-q256", "level": "error", "message": {"text": "tar: GHSA-9ppj-qmqm-q256"}, "properties": {"repobilityId": 57019, "scanner": "osv-scanner", "fingerprint": "be8780a0a337b6985f59beb6a9f4e6b68128dc76f9275db9e1b8b2c403e73a5f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-31802"], "package": "tar", "rule_id": "GHSA-9ppj-qmqm-q256", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-31802|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8qq5-rm4j-mr97", "level": "error", "message": {"text": "tar: GHSA-8qq5-rm4j-mr97"}, "properties": {"repobilityId": 57018, "scanner": "osv-scanner", "fingerprint": "2abe8462acdc01bfb64182b348b938234ee8eb1feef4654aa599072f3d832a43", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-23745"], "package": "tar", "rule_id": "GHSA-8qq5-rm4j-mr97", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-23745|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-83g3-92jg-28cx", "level": "error", "message": {"text": "tar: GHSA-83g3-92jg-28cx"}, "properties": {"repobilityId": 57017, "scanner": "osv-scanner", "fingerprint": "8871680d469755dbb1f4b307b09f46b798a88f8175f3caace198cbfab90a9031", "category": "dependency", 
"severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-26960"], "package": "tar", "rule_id": "GHSA-83g3-92jg-28cx", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-26960|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5955-9wpr-37jh", "level": "error", "message": {"text": "tar: GHSA-5955-9wpr-37jh"}, "properties": {"repobilityId": 57016, "scanner": "osv-scanner", "fingerprint": "732d7cf7240e4ba048a09d431c38b8df8f5015d79dc39fd2673fdd6a9373e1e2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2021-37713"], "package": "tar", "rule_id": "GHSA-5955-9wpr-37jh", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2021-37713|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3jfq-g458-7qm9", "level": "error", "message": {"text": "tar: GHSA-3jfq-g458-7qm9"}, "properties": {"repobilityId": 57015, "scanner": "osv-scanner", "fingerprint": "922b45bc8d86f7ff52f55b11c507255f0b9b748a38eaf7e89a884642427c3316", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2021-32804"], "package": "tar", "rule_id": "GHSA-3jfq-g458-7qm9", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2021-32804|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-34x7-hfp2-rc4v", "level": "error", "message": {"text": "tar: GHSA-34x7-hfp2-rc4v"}, "properties": {"repobilityId": 57014, "scanner": 
"osv-scanner", "fingerprint": "827b1e133b1d1fae4bbe3a6bec8b3421b9bdabd2fca4b92f5a0562718d9eabf3", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-24842"], "package": "tar", "rule_id": "GHSA-34x7-hfp2-rc4v", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-24842|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-677m-j7p3-52f9", "level": "error", "message": {"text": "socket.io-parser: GHSA-677m-j7p3-52f9"}, "properties": {"repobilityId": 57013, "scanner": "osv-scanner", "fingerprint": "27006bae0c86b343ea3189cc4e3939891c3f4b371fd79c7cea3cd4f8e609cb38", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33151"], "package": "socket.io-parser", "rule_id": "GHSA-677m-j7p3-52f9", "scanner": "osv-scanner", "correlation_key": "vuln|socket.io-parser|CVE-2026-33151|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5c6j-r48x-rmvq", "level": "error", "message": {"text": "serialize-javascript: GHSA-5c6j-r48x-rmvq"}, "properties": {"repobilityId": 57009, "scanner": "osv-scanner", "fingerprint": "7f2d30dd9b8a0eda6d87deac04527ff692eca0ea143a54f9b4184ad2b283ffa3", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "serialize-javascript", "rule_id": "GHSA-5c6j-r48x-rmvq", "scanner": "osv-scanner", "correlation_key": "vuln|serialize-javascript|GHSA-5C6J-R48X-RMVQ|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, 
"region": {"startLine": 1}}}]}, {"ruleId": "GHSA-44c6-4v22-4mhx", "level": "error", "message": {"text": "semver-regex: GHSA-44c6-4v22-4mhx"}, "properties": {"repobilityId": 57007, "scanner": "osv-scanner", "fingerprint": "cdff85c32eb627f0277e9b0ba4a33d87ab61f1ae32f05e0f38f068265419e6dc", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2021-3795"], "package": "semver-regex", "rule_id": "GHSA-44c6-4v22-4mhx", "scanner": "osv-scanner", "correlation_key": "vuln|semver-regex|CVE-2021-3795|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c2qf-rxjj-qqgw", "level": "error", "message": {"text": "semver: GHSA-c2qf-rxjj-qqgw"}, "properties": {"repobilityId": 57006, "scanner": "osv-scanner", "fingerprint": "99a27955ef80d362141ad0a78ae49f493e9942bb5b0563c320b2990d69becaa1", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2022-25883"], "package": "semver", "rule_id": "GHSA-c2qf-rxjj-qqgw", "scanner": "osv-scanner", "correlation_key": "vuln|semver|CVE-2022-25883|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mw96-cpmx-2vgc", "level": "error", "message": {"text": "rollup: GHSA-mw96-cpmx-2vgc"}, "properties": {"repobilityId": 57005, "scanner": "osv-scanner", "fingerprint": "45eb15dbc950ecc73cdbba5f5c1bf13da272afb36602ddfcb04a26485063e743", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27606"], "package": "rollup", "rule_id": "GHSA-mw96-cpmx-2vgc", "scanner": 
"osv-scanner", "correlation_key": "vuln|rollup|CVE-2026-27606|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-gcx4-mw62-g8wm", "level": "error", "message": {"text": "rollup: GHSA-gcx4-mw62-g8wm"}, "properties": {"repobilityId": 57004, "scanner": "osv-scanner", "fingerprint": "37433dbccd9064e3d37c1cb46f7a72ce9ce1ed3c6d1093f1d725f83554f99332", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-47068"], "package": "rollup", "rule_id": "GHSA-gcx4-mw62-g8wm", "scanner": "osv-scanner", "correlation_key": "vuln|rollup|CVE-2024-47068|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c2c7-rcm5-vvqj", "level": "error", "message": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "properties": {"repobilityId": 56999, "scanner": "osv-scanner", "fingerprint": "3cd93794643bff3fd4328203c06c842a2d7c54c53b7a77b0e6bc61b44cf4e561", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33671"], "package": "picomatch", "rule_id": "GHSA-c2c7-rcm5-vvqj", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33671|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9wv6-86v2-598j", "level": "error", "message": {"text": "path-to-regexp: GHSA-9wv6-86v2-598j"}, "properties": {"repobilityId": 56995, "scanner": "osv-scanner", "fingerprint": "f635acb6c06dd63fc843a1297afeda6ea144557ed6c9e162bc2f402c71790c4b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": 
"", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-45296"], "package": "path-to-regexp", "rule_id": "GHSA-9wv6-86v2-598j", "scanner": "osv-scanner", "correlation_key": "vuln|path-to-regexp|CVE-2024-45296|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rhx6-c78j-4q9w", "level": "error", "message": {"text": "path-to-regexp: GHSA-rhx6-c78j-4q9w"}, "properties": {"repobilityId": 56994, "scanner": "osv-scanner", "fingerprint": "5f70b1a6804ae10c8c4a2c5486f556c2ce83bba46c289061fdf21c4f411c1a2b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-52798"], "package": "path-to-regexp", "rule_id": "GHSA-rhx6-c78j-4q9w", "scanner": "osv-scanner", "correlation_key": "vuln|path-to-regexp|CVE-2024-52798|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-37ch-88jc-xwx2", "level": "error", "message": {"text": "path-to-regexp: GHSA-37ch-88jc-xwx2"}, "properties": {"repobilityId": 56993, "scanner": "osv-scanner", "fingerprint": "0553c735e6885cddd69fe125815eaa685a866283e1d2919fec632afa55cb94a7", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4867"], "package": "path-to-regexp", "rule_id": "GHSA-37ch-88jc-xwx2", "scanner": "osv-scanner", "correlation_key": "vuln|path-to-regexp|CVE-2026-4867|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q67f-28xg-22rw", "level": "error", "message": {"text": "node-forge: GHSA-q67f-28xg-22rw"}, "properties": {"repobilityId": 
56992, "scanner": "osv-scanner", "fingerprint": "fdb04ce43ba71d52990eaf717554b031ed0dd534075f79e3fd2989e6616cc8a6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33895"], "package": "node-forge", "rule_id": "GHSA-q67f-28xg-22rw", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2026-33895|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-ppp5-5v6c-4jwp", "level": "error", "message": {"text": "node-forge: GHSA-ppp5-5v6c-4jwp"}, "properties": {"repobilityId": 56991, "scanner": "osv-scanner", "fingerprint": "e2442db9c881e288c61856c4c232148baaba28d5873908677833469480ead93e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33894"], "package": "node-forge", "rule_id": "GHSA-ppp5-5v6c-4jwp", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2026-33894|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5m6q-g25r-mvwx", "level": "error", "message": {"text": "node-forge: GHSA-5m6q-g25r-mvwx"}, "properties": {"repobilityId": 56990, "scanner": "osv-scanner", "fingerprint": "5221fba3cfbea0a987adcb0df92157aeb212d115ff461bb7b51188b3df375991", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33891"], "package": "node-forge", "rule_id": "GHSA-5m6q-g25r-mvwx", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2026-33891|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2328-f5f3-gj25", "level": "error", "message": {"text": "node-forge: GHSA-2328-f5f3-gj25"}, "properties": {"repobilityId": 56989, "scanner": "osv-scanner", "fingerprint": "87e656f76b46a65b335374ceca974578eb42fa7ca15aa3ea0392c3dbbe33badb", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33896"], "package": "node-forge", "rule_id": "GHSA-2328-f5f3-gj25", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2026-33896|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xf7r-hgr6-v32p", "level": "error", "message": {"text": "multer: GHSA-xf7r-hgr6-v32p"}, "properties": {"repobilityId": 56988, "scanner": "osv-scanner", "fingerprint": "c70ffcc97e385004a3f740e0fce4f729e3cad121c2d49a76d8caa1731f409fd7", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-3304"], "package": "multer", "rule_id": "GHSA-xf7r-hgr6-v32p", "scanner": "osv-scanner", "correlation_key": "vuln|multer|CVE-2026-3304|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v52c-386h-88mc", "level": "error", "message": {"text": "multer: GHSA-v52c-386h-88mc"}, "properties": {"repobilityId": 56987, "scanner": "osv-scanner", "fingerprint": "63274a34df6b60e509fc3673c2a10b84cc992571a94caaf9e6d265047c0738c3", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2359"], "package": "multer", "rule_id": "GHSA-v52c-386h-88mc", 
"scanner": "osv-scanner", "correlation_key": "vuln|multer|CVE-2026-2359|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-g5hg-p3ph-g8qg", "level": "error", "message": {"text": "multer: GHSA-g5hg-p3ph-g8qg"}, "properties": {"repobilityId": 56986, "scanner": "osv-scanner", "fingerprint": "a932f6fb4dbfb767306654dd6398d82f17e2375d75b24344cf9720d64e30f8f7", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-48997"], "package": "multer", "rule_id": "GHSA-g5hg-p3ph-g8qg", "scanner": "osv-scanner", "correlation_key": "vuln|multer|CVE-2025-48997|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-fjgf-rc76-4x9p", "level": "error", "message": {"text": "multer: GHSA-fjgf-rc76-4x9p"}, "properties": {"repobilityId": 56985, "scanner": "osv-scanner", "fingerprint": "a05495fac43cdace660f42c9a35434559653a0204a3ee357e197cd7c37e8795f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-7338"], "package": "multer", "rule_id": "GHSA-fjgf-rc76-4x9p", "scanner": "osv-scanner", "correlation_key": "vuln|multer|CVE-2025-7338|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5528-5vmv-3xc2", "level": "error", "message": {"text": "multer: GHSA-5528-5vmv-3xc2"}, "properties": {"repobilityId": 56984, "scanner": "osv-scanner", "fingerprint": "e5bf9850ee25837a4d8355eb7078f746c516b23991bf2245b5de5a7a90bfa7c8", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", 
"isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-3520"], "package": "multer", "rule_id": "GHSA-5528-5vmv-3xc2", "scanner": "osv-scanner", "correlation_key": "vuln|multer|CVE-2026-3520|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4pg4-qvpc-4q3h", "level": "error", "message": {"text": "multer: GHSA-4pg4-qvpc-4q3h"}, "properties": {"repobilityId": 56983, "scanner": "osv-scanner", "fingerprint": "6a60e0f81b9d250b65e3bdea615388e7b5450ec4d4b2850223bfdb3a312d0a07", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-47944"], "package": "multer", "rule_id": "GHSA-4pg4-qvpc-4q3h", "scanner": "osv-scanner", "correlation_key": "vuln|multer|CVE-2025-47944|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-44fp-w29j-9vj5", "level": "error", "message": {"text": "multer: GHSA-44fp-w29j-9vj5"}, "properties": {"repobilityId": 56982, "scanner": "osv-scanner", "fingerprint": "12de8ca130e96c8a5d34abfd9c21d9c0e7c167f762a12381cdc8da97ccc2c001", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-47935"], "package": "multer", "rule_id": "GHSA-44fp-w29j-9vj5", "scanner": "osv-scanner", "correlation_key": "vuln|multer|CVE-2025-47935|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7r86-cg39-jmmj", "level": "error", "message": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "properties": {"repobilityId": 56981, "scanner": "osv-scanner", "fingerprint": 
"eefef250e5a6e239df447b5946f207cdb0dd68151255b2332fb8ba8f476755c1", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27903"], "package": "minimatch", "rule_id": "GHSA-7r86-cg39-jmmj", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27903|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3ppc-4f35-3m26", "level": "error", "message": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "properties": {"repobilityId": 56980, "scanner": "osv-scanner", "fingerprint": "51db4fe99f02113d5057e54849a1514660f72202efa765a619a8195e282ff31f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-26996"], "package": "minimatch", "rule_id": "GHSA-3ppc-4f35-3m26", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-26996|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-23c5-xmqv-rm74", "level": "error", "message": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "properties": {"repobilityId": 56979, "scanner": "osv-scanner", "fingerprint": "f4f398661d95064420cba5942b7bc163815b09d09751c05f0247afa0ed407b54", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27904"], "package": "minimatch", "rule_id": "GHSA-23c5-xmqv-rm74", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27904|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": 
"GHSA-r5fr-rjxr-66jc", "level": "error", "message": {"text": "lodash: GHSA-r5fr-rjxr-66jc"}, "properties": {"repobilityId": 56976, "scanner": "osv-scanner", "fingerprint": "069f9bb4f0a38c36ca2992b2ffe11f999b2e5befc1dec86319fea7bbf65a679b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4800"], "package": "lodash", "rule_id": "GHSA-r5fr-rjxr-66jc", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2026-4800|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2p57-rm9w-gvfp", "level": "error", "message": {"text": "ip: GHSA-2p57-rm9w-gvfp"}, "properties": {"repobilityId": 56971, "scanner": "osv-scanner", "fingerprint": "204843cd003633a75d76f3cee34e7f0a981439e9ebce394182e52ce7fe48f6f7", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-29415"], "package": "ip", "rule_id": "GHSA-2p57-rm9w-gvfp", "scanner": "osv-scanner", "correlation_key": "vuln|ip|CVE-2024-29415|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rc47-6667-2j5j", "level": "error", "message": {"text": "http-cache-semantics: GHSA-rc47-6667-2j5j"}, "properties": {"repobilityId": 56970, "scanner": "osv-scanner", "fingerprint": "e2625c6ee3bc27af243ba0acbd197662217e719ae945675353e3ecac9bbc4734", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2022-25881"], "package": "http-cache-semantics", "rule_id": "GHSA-rc47-6667-2j5j", "scanner": "osv-scanner", "correlation_key": 
"vuln|http-cache-semantics|CVE-2022-25881|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xjpj-3mr7-gcpf", "level": "error", "message": {"text": "handlebars: GHSA-xjpj-3mr7-gcpf"}, "properties": {"repobilityId": 56969, "scanner": "osv-scanner", "fingerprint": "5d68750694ce45c5c73f13d5eda300a594a83e7af0e195ec59ab5d7dca506556", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33941"], "package": "handlebars", "rule_id": "GHSA-xjpj-3mr7-gcpf", "scanner": "osv-scanner", "correlation_key": "vuln|handlebars|CVE-2026-33941|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xhpv-hc6g-r9c6", "level": "error", "message": {"text": "handlebars: GHSA-xhpv-hc6g-r9c6"}, "properties": {"repobilityId": 56968, "scanner": "osv-scanner", "fingerprint": "9b273d9e123082510c2554cce26e26ed646303fd95ec06b251fd281ede2255bc", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33940"], "package": "handlebars", "rule_id": "GHSA-xhpv-hc6g-r9c6", "scanner": "osv-scanner", "correlation_key": "vuln|handlebars|CVE-2026-33940|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9cx6-37pm-9jff", "level": "error", "message": {"text": "handlebars: GHSA-9cx6-37pm-9jff"}, "properties": {"repobilityId": 56967, "scanner": "osv-scanner", "fingerprint": "d63ea04482fb309b9a67ecde9d929e7e3fda165410ce60a38784d6e9e9a660a7", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", 
"isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33939"], "package": "handlebars", "rule_id": "GHSA-9cx6-37pm-9jff", "scanner": "osv-scanner", "correlation_key": "vuln|handlebars|CVE-2026-33939|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3mfm-83xf-c92r", "level": "error", "message": {"text": "handlebars: GHSA-3mfm-83xf-c92r"}, "properties": {"repobilityId": 56964, "scanner": "osv-scanner", "fingerprint": "24cf4acd490e0cdd986a541b65c8063ec4cd0e7a0ce5062f5a95f2043bd1b2d6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33938"], "package": "handlebars", "rule_id": "GHSA-3mfm-83xf-c92r", "scanner": "osv-scanner", "correlation_key": "vuln|handlebars|CVE-2026-33938|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5j98-mcp5-4vw2", "level": "error", "message": {"text": "glob: GHSA-5j98-mcp5-4vw2"}, "properties": {"repobilityId": 56960, "scanner": "osv-scanner", "fingerprint": "eb490bd1b89973ff050f29fea98c6d9f88110605102c7a249218d08c2cfd6d73", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-64756"], "package": "glob", "rule_id": "GHSA-5j98-mcp5-4vw2", "scanner": "osv-scanner", "correlation_key": "vuln|glob|CVE-2025-64756|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rf6f-7fwh-wjgh", "level": "error", "message": {"text": "flatted: GHSA-rf6f-7fwh-wjgh"}, "properties": {"repobilityId": 56956, "scanner": "osv-scanner", "fingerprint": 
"12f8c13a1500c4e201cd19c15c7415ed765defb1c8c79e0887745cf5d0c7caba", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33228"], "package": "flatted", "rule_id": "GHSA-rf6f-7fwh-wjgh", "scanner": "osv-scanner", "correlation_key": "vuln|flatted|CVE-2026-33228|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-25h7-pfq9-p65f", "level": "error", "message": {"text": "flatted: GHSA-25h7-pfq9-p65f"}, "properties": {"repobilityId": 56955, "scanner": "osv-scanner", "fingerprint": "b797beca07deb64b07234792c672e8b741104617529fbd9314dd615ac2f0d51d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-32141"], "package": "flatted", "rule_id": "GHSA-25h7-pfq9-p65f", "scanner": "osv-scanner", "correlation_key": "vuln|flatted|CVE-2026-32141|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-wm7h-9275-46v2", "level": "error", "message": {"text": "dicer: GHSA-wm7h-9275-46v2"}, "properties": {"repobilityId": 56950, "scanner": "osv-scanner", "fingerprint": "eb66b5c3600482b3ee5b1b34dc3e2ee6702f6540867c9218b3ada2678996357d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2022-24434"], "package": "dicer", "rule_id": "GHSA-wm7h-9275-46v2", "scanner": "osv-scanner", "correlation_key": "vuln|dicer|CVE-2022-24434|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3xgq-45jj-v275", 
"level": "error", "message": {"text": "cross-spawn: GHSA-3xgq-45jj-v275"}, "properties": {"repobilityId": 56949, "scanner": "osv-scanner", "fingerprint": "d2e8ad2e78fcc589de2192cb324111e4957895ae7347a6d0ae3a1bff7c881c9d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-21538"], "package": "cross-spawn", "rule_id": "GHSA-3xgq-45jj-v275", "scanner": "osv-scanner", "correlation_key": "vuln|cross-spawn|CVE-2024-21538|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-x9w5-v3q2-3rhw", "level": "error", "message": {"text": "browserify-sign: GHSA-x9w5-v3q2-3rhw"}, "properties": {"repobilityId": 56947, "scanner": "osv-scanner", "fingerprint": "2c06e10b98f7bebb7ed0330d66b659b828f09a60d3d1bc9def7bbe6c983546bb", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-46234"], "package": "browserify-sign", "rule_id": "GHSA-x9w5-v3q2-3rhw", "scanner": "osv-scanner", "correlation_key": "vuln|browserify-sign|CVE-2023-46234|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-grv7-fg5c-xmjg", "level": "error", "message": {"text": "braces: GHSA-grv7-fg5c-xmjg"}, "properties": {"repobilityId": 56946, "scanner": "osv-scanner", "fingerprint": "467a760dbf4a428753304f077900d3bdfba0282340dd3145e3dad79851484f96", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-4068"], "package": "braces", "rule_id": "GHSA-grv7-fg5c-xmjg", "scanner": "osv-scanner", "correlation_key": 
"vuln|braces|CVE-2024-4068|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rpmf-866q-6p89", "level": "error", "message": {"text": "basic-ftp: GHSA-rpmf-866q-6p89"}, "properties": {"repobilityId": 56942, "scanner": "osv-scanner", "fingerprint": "0ac6731d638ce81d00e122a556a1b9bbc4348aabfb5343bffc8c32fd58d7e023", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44240"], "package": "basic-ftp", "rule_id": "GHSA-rpmf-866q-6p89", "scanner": "osv-scanner", "correlation_key": "vuln|basic-ftp|CVE-2026-44240|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rp42-5vxx-qpwr", "level": "error", "message": {"text": "basic-ftp: GHSA-rp42-5vxx-qpwr"}, "properties": {"repobilityId": 56941, "scanner": "osv-scanner", "fingerprint": "0c9fb19e1cd5df58df27b944a7d040ac9d0b9365aad61e92782d2b63ff5b5787", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41324"], "package": "basic-ftp", "rule_id": "GHSA-rp42-5vxx-qpwr", "scanner": "osv-scanner", "correlation_key": "vuln|basic-ftp|CVE-2026-41324|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6v7q-wjvx-w8wg", "level": "error", "message": {"text": "basic-ftp: GHSA-6v7q-wjvx-w8wg"}, "properties": {"repobilityId": 56940, "scanner": "osv-scanner", "fingerprint": "537b00f3adec9d006c42ad6ff2331a26cc1e97534e6adc05cf952997a24ba722", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, 
"reason": "", "evidence": {"match": "", "package": "basic-ftp", "rule_id": "GHSA-6v7q-wjvx-w8wg", "scanner": "osv-scanner", "correlation_key": "vuln|basic-ftp|GHSA-6V7Q-WJVX-W8WG|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-fv7c-fp4j-7gwp", "level": "error", "message": {"text": "@babel/plugin-transform-modules-systemjs: GHSA-fv7c-fp4j-7gwp"}, "properties": {"repobilityId": 56931, "scanner": "osv-scanner", "fingerprint": "ad52739427efbb114a916176e346643bbd15d1155c76f28185e965208050ec44", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44728"], "package": "@babel/plugin-transform-modules-systemjs", "rule_id": "GHSA-fv7c-fp4j-7gwp", "scanner": "osv-scanner", "correlation_key": "vuln|token|CVE-2026-44728|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 56928, "scanner": "repobility-threat-engine", "fingerprint": "47383027de7d49c24db472d35419b312db2e4f572a319526a00116992e0b0b47", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(({login, name, url}) => `${name || login} (https://github.com/${login}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|47383027de7d49c24db472d35419b312db2e4f572a319526a00116992e0b0b47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "gulpfile.js"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 56897, "scanner": "repobility-supply-chain", "fingerprint": "3dd1eadc898fbcc726d4163769a601044e3080939cbce673b71674d682e861c5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3dd1eadc898fbcc726d4163769a601044e3080939cbce673b71674d682e861c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 56896, "scanner": "repobility-supply-chain", "fingerprint": 
"473c1a609d554c2f2f21287a5a30792579d797975514cd8b795408c4fd5fbd9a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|473c1a609d554c2f2f21287a5a30792579d797975514cd8b795408c4fd5fbd9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `peter-evans/create-pull-request` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 56895, "scanner": "repobility-supply-chain", "fingerprint": "e80222b891c65b45d699dd65ea190366531680db52911854196bd5431b463d58", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e80222b891c65b45d699dd65ea190366531680db52911854196bd5431b463d58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-sponsor-block.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 56894, "scanner": "repobility-supply-chain", "fingerprint": "70fc1c2e8662e3b4537d9ee4df6b44f56bff738dda1b2b819bf9b2815cb0a1ec", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", 
"cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|70fc1c2e8662e3b4537d9ee4df6b44f56bff738dda1b2b819bf9b2815cb0a1ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-sponsor-block.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 56893, "scanner": "repobility-supply-chain", "fingerprint": "cb488ec59a9abb76876897f85a2444bcc045abc528d07098d542ef71ec51f6ef", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cb488ec59a9abb76876897f85a2444bcc045abc528d07098d542ef71ec51f6ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-sponsor-block.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `github/codeql-action/analyze` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 56892, "scanner": "repobility-supply-chain", "fingerprint": "d610895819455e7f7a4e8dbb11fbc733d9227719afc598514865b015dd0ed044", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d610895819455e7f7a4e8dbb11fbc733d9227719afc598514865b015dd0ed044"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
".github/workflows/run-ci.yml"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `github/codeql-action/init` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 56891, "scanner": "repobility-supply-chain", "fingerprint": "b02401b2c275d24ba7b56d72efd3e079860874351dab5b9ccda5c1f73e4beab0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b02401b2c275d24ba7b56d72efd3e079860874351dab5b9ccda5c1f73e4beab0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-ci.yml"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/dependency-review-action` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 56890, "scanner": "repobility-supply-chain", "fingerprint": "cf167d0846b404ec103ea743e4b7542a42e3d38f90a11202d10f432289645fcc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cf167d0846b404ec103ea743e4b7542a42e3d38f90a11202d10f432289645fcc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-ci.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 56889, "scanner": "repobility-supply-chain", "fingerprint": 
"0fa3c157fa11eebdeb188a1887ff22a71846734ffa0a9e5cdfde1978daf2c14e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0fa3c157fa11eebdeb188a1887ff22a71846734ffa0a9e5cdfde1978daf2c14e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-ci.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 56888, "scanner": "repobility-supply-chain", "fingerprint": "6b9e8263d3bde18f4a8b6e121faf69af9a95817cd29855812f2579ce809fcc42", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6b9e8263d3bde18f4a8b6e121faf69af9a95817cd29855812f2579ce809fcc42"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-ci.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `peter-evans/create-pull-request` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 56887, "scanner": "repobility-supply-chain", "fingerprint": "7b45e8a3084563a61408ef76e2edb4b448e40d7ef0d9bd431cdf0c4e6f5b7c54", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": 
["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7b45e8a3084563a61408ef76e2edb4b448e40d7ef0d9bd431cdf0c4e6f5b7c54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-branch.yml"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `phips28/gh-action-bump-version` pinned to mutable ref `@v9`"}, "properties": {"repobilityId": 56886, "scanner": "repobility-supply-chain", "fingerprint": "445efcd82ea7f0879ba66f52081e0cee431d7a2d90e9ff5fe2d863b628ef7943", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|445efcd82ea7f0879ba66f52081e0cee431d7a2d90e9ff5fe2d863b628ef7943"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-branch.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 56885, "scanner": "repobility-supply-chain", "fingerprint": "80d34c39407feeefa56c8b7f4ce1888ab8c6977b1ee1088cc96dcd61171ebd07", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|80d34c39407feeefa56c8b7f4ce1888ab8c6977b1ee1088cc96dcd61171ebd07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
".github/workflows/release-branch.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 56884, "scanner": "repobility-supply-chain", "fingerprint": "c494e41d111cac536f55922770dcf4a8c85adbb2d50deae3bc78d96a3c73a7aa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c494e41d111cac536f55922770dcf4a8c85adbb2d50deae3bc78d96a3c73a7aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-branch.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "package.json dep `axios` pulled from URL/Git"}, "properties": {"repobilityId": 56883, "scanner": "repobility-supply-chain", "fingerprint": "eee9b4f0103f13075b9a5b8abbf9239766af80e93a509902a53096bcad4202c8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eee9b4f0103f13075b9a5b8abbf9239766af80e93a509902a53096bcad4202c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/module/typings/esm/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "package.json dep `axios` pulled from URL/Git"}, "properties": {"repobilityId": 56882, "scanner": "repobility-supply-chain", "fingerprint": 
"6482af04723b93517623ae25c7d68fba21da00a73c6c15b94c983e8ad7544e03", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6482af04723b93517623ae25c7d68fba21da00a73c6c15b94c983e8ad7544e03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/module/typings/cjs/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "package.json dep `axios` pulled from URL/Git"}, "properties": {"repobilityId": 56881, "scanner": "repobility-supply-chain", "fingerprint": "5e55ef764a2f9e3caa237a661e502868cb479c79aa657362b2e86c884a854469", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5e55ef764a2f9e3caa237a661e502868cb479c79aa657362b2e86c884a854469"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/module/esm/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "package.json dep `axios` pulled from URL/Git"}, "properties": {"repobilityId": 56880, "scanner": "repobility-supply-chain", "fingerprint": "d5b0a02edb40f883d14377696c70bbb11a2982ffdf403219530fecf29097db00", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", 
"cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d5b0a02edb40f883d14377696c70bbb11a2982ffdf403219530fecf29097db00"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/module/ts-require-default/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "package.json dep `axios` pulled from URL/Git"}, "properties": {"repobilityId": 56879, "scanner": "repobility-supply-chain", "fingerprint": "b0ed817f0acf8dc59364dc89f7858123b7c81caebf90d0d9ff514bc0290144c6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b0ed817f0acf8dc59364dc89f7858123b7c81caebf90d0d9ff514bc0290144c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/module/ts/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "package.json dep `axios` pulled from URL/Git"}, "properties": {"repobilityId": 56878, "scanner": "repobility-supply-chain", "fingerprint": "c3bdb831cb61c7cf2a0f2ad3db1fcec1d220efb52802f4d7680b7ddb9dd73923", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c3bdb831cb61c7cf2a0f2ad3db1fcec1d220efb52802f4d7680b7ddb9dd73923"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"test/module/ts-require/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "package.json dep `axios` pulled from URL/Git"}, "properties": {"repobilityId": 56877, "scanner": "repobility-supply-chain", "fingerprint": "071eaabd72941f3a6addf7ede225738fadc676d21af032bbafea992fcb197e3d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|071eaabd72941f3a6addf7ede225738fadc676d21af032bbafea992fcb197e3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/module/cjs/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST / has no auth"}, "properties": {"repobilityId": 56876, "scanner": "repobility-route-auth", "fingerprint": "0618920a4c80c5e14573a893a6e00b19d80fe6bb9d02da3763a4b1f16d6b7c93", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|0618920a4c80c5e14573a893a6e00b19d80fe6bb9d02da3763a4b1f16d6b7c93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/unit/adapters/http.js"}, "region": {"startLine": 1789}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST / has no auth"}, "properties": {"repobilityId": 56875, "scanner": "repobility-route-auth", "fingerprint": 
"6037b85d35805d4a77816407d7ef6f60a3b5999d3492e400a70732b5bfb2b44c", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|6037b85d35805d4a77816407d7ef6f60a3b5999d3492e400a70732b5bfb2b44c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/unit/adapters/http.js"}, "region": {"startLine": 1730}}}]}, {"ruleId": "GHSA-vwrp-x96c-mhwq", "level": "error", "message": {"text": "vm2: GHSA-vwrp-x96c-mhwq"}, "properties": {"repobilityId": 57054, "scanner": "osv-scanner", "fingerprint": "2b967f406680129ad8cf9e92e3a8f31feeec894761f9d6ffd6b021fb3ad7c88c", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44005"], "package": "vm2", "rule_id": "GHSA-vwrp-x96c-mhwq", "scanner": "osv-scanner", "correlation_key": "vuln|vm2|CVE-2026-44005|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v6mx-mf47-r5wg", "level": "error", "message": {"text": "vm2: GHSA-v6mx-mf47-r5wg"}, "properties": {"repobilityId": 57053, "scanner": "osv-scanner", "fingerprint": "73ba5db615f0ca9f6ff8fc458609681eee01591b44ad88fc411046116230eb3f", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47131"], "package": "vm2", "rule_id": "GHSA-v6mx-mf47-r5wg", "scanner": "osv-scanner", "correlation_key": "vuln|vm2|CVE-2026-47131|package-lock.json"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v37h-5mfm-c47c", "level": "error", "message": {"text": "vm2: GHSA-v37h-5mfm-c47c"}, "properties": {"repobilityId": 57052, "scanner": "osv-scanner", "fingerprint": "0b5ce74cdaae705043432977f5418e181592f64c8e7697177f95b3967dfcbebf", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-24781"], "package": "vm2", "rule_id": "GHSA-v37h-5mfm-c47c", "scanner": "osv-scanner", "correlation_key": "vuln|vm2|CVE-2026-24781|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rp36-8xq3-r6c4", "level": "error", "message": {"text": "vm2: GHSA-rp36-8xq3-r6c4"}, "properties": {"repobilityId": 57050, "scanner": "osv-scanner", "fingerprint": "07fbc29a3e13b559a4fbff17c7686956ed9ac952b00f264282e6049ada8b9a81", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47140"], "package": "vm2", "rule_id": "GHSA-rp36-8xq3-r6c4", "scanner": "osv-scanner", "correlation_key": "vuln|vm2|CVE-2026-47140|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qvjj-29qf-hp7p", "level": "error", "message": {"text": "vm2: GHSA-qvjj-29qf-hp7p"}, "properties": {"repobilityId": 57048, "scanner": "osv-scanner", "fingerprint": "24b38ec159dd56808344b99a00a5c26215f364938d21b382960847a6af7e2ce1", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-24120"], "package": "vm2", "rule_id": 
"GHSA-qvjj-29qf-hp7p", "scanner": "osv-scanner", "correlation_key": "vuln|vm2|CVE-2026-24120|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qcp4-v2jj-fjx8", "level": "error", "message": {"text": "vm2: GHSA-qcp4-v2jj-fjx8"}, "properties": {"repobilityId": 57047, "scanner": "osv-scanner", "fingerprint": "89be1cb13aad66ea419f4148eae8aff3a64adc2e245f17c4c29d74f11bc816c8", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44006"], "package": "vm2", "rule_id": "GHSA-qcp4-v2jj-fjx8", "scanner": "osv-scanner", "correlation_key": "vuln|vm2|CVE-2026-44006|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-grj5-jjm8-h35p", "level": "error", "message": {"text": "vm2: GHSA-grj5-jjm8-h35p"}, "properties": {"repobilityId": 57042, "scanner": "osv-scanner", "fingerprint": "67304a390b67138b1af577a7ad8461d0c39e49514d462e574b07e9779f67eb6b", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-24118"], "package": "vm2", "rule_id": "GHSA-grj5-jjm8-h35p", "scanner": "osv-scanner", "correlation_key": "vuln|vm2|CVE-2026-24118|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-g644-9gfx-q4q4", "level": "error", "message": {"text": "vm2: GHSA-g644-9gfx-q4q4"}, "properties": {"repobilityId": 57041, "scanner": "osv-scanner", "fingerprint": "cfdfdbe25dcf81cd34c84e7d346bfbb5156032ab84cd8f2014e23e2fe8988c6c", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", 
"verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2023-37903"], "package": "vm2", "rule_id": "GHSA-g644-9gfx-q4q4", "scanner": "osv-scanner", "correlation_key": "vuln|vm2|CVE-2023-37903|package-lock.json", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-g644-9gfx-q4q4", "GHSA-m4wx-m65x-ghrr"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["57457cbfb0fe722e6c9064f243d75e7ff1c4b6e60bbe97feea0bed138167297b", "cfdfdbe25dcf81cd34c84e7d346bfbb5156032ab84cd8f2014e23e2fe8988c6c"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-cchq-frgv-rjh5", "level": "error", "message": {"text": "vm2: GHSA-cchq-frgv-rjh5"}, "properties": {"repobilityId": 57040, "scanner": "osv-scanner", "fingerprint": "aac9e04cb7b91b78c6c1e8e67287a368f0419c1e2280e055952207f0e5eb3380", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-37466"], "package": "vm2", "rule_id": "GHSA-cchq-frgv-rjh5", "scanner": "osv-scanner", "correlation_key": "vuln|vm2|CVE-2023-37466|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9vg3-4rfj-wgcm", "level": "error", "message": {"text": "vm2: GHSA-9vg3-4rfj-wgcm"}, "properties": {"repobilityId": 57038, "scanner": "osv-scanner", "fingerprint": "8e81fca9718dc207fb903d7c6f183d51ba91be3134212bffc2ebadf9f39f8474", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44009"], "package": "vm2", "rule_id": "GHSA-9vg3-4rfj-wgcm", "scanner": "osv-scanner", "correlation_key": 
"vuln|vm2|CVE-2026-44009|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9qj6-qjgg-37qq", "level": "error", "message": {"text": "vm2: GHSA-9qj6-qjgg-37qq"}, "properties": {"repobilityId": 57037, "scanner": "osv-scanner", "fingerprint": "81a9ffc6eb235156f748c0c8cde9ef7459a75417d1b9976cf5813038c82ad19a", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44008"], "package": "vm2", "rule_id": "GHSA-9qj6-qjgg-37qq", "scanner": "osv-scanner", "correlation_key": "vuln|vm2|CVE-2026-44008|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-99p7-6v5w-7xg8", "level": "error", "message": {"text": "vm2: GHSA-99p7-6v5w-7xg8"}, "properties": {"repobilityId": 57035, "scanner": "osv-scanner", "fingerprint": "6c8f2452db2616d4e1c5263347b7f36e04ee981cb822f6f0cb31562d326bc501", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-22709"], "package": "vm2", "rule_id": "GHSA-99p7-6v5w-7xg8", "scanner": "osv-scanner", "correlation_key": "vuln|vm2|CVE-2026-22709|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8hg8-63c5-gwmx", "level": "error", "message": {"text": "vm2: GHSA-8hg8-63c5-gwmx"}, "properties": {"repobilityId": 57034, "scanner": "osv-scanner", "fingerprint": "1b5b0e30528bd7e75661b8ed25a4aa0aeae655ce0d0f149bae5be9497cb75318", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": 
"", "aliases": ["CVE-2026-44007"], "package": "vm2", "rule_id": "GHSA-8hg8-63c5-gwmx", "scanner": "osv-scanner", "correlation_key": "vuln|vm2|CVE-2026-44007|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-76w7-j9cq-rx2j", "level": "error", "message": {"text": "vm2: GHSA-76w7-j9cq-rx2j"}, "properties": {"repobilityId": 57033, "scanner": "osv-scanner", "fingerprint": "72cca9dabbff547d15712a2d1384ee06a77d442b59a9f1defb68ab039332edfa", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47208"], "package": "vm2", "rule_id": "GHSA-76w7-j9cq-rx2j", "scanner": "osv-scanner", "correlation_key": "vuln|vm2|CVE-2026-47208|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6j2x-vhqr-qr7q", "level": "error", "message": {"text": "vm2: GHSA-6j2x-vhqr-qr7q"}, "properties": {"repobilityId": 57032, "scanner": "osv-scanner", "fingerprint": "6b4679e1467d20d2b0c1d94a5385f6a3f284298c37e76141b265e853d22c025f", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47210"], "package": "vm2", "rule_id": "GHSA-6j2x-vhqr-qr7q", "scanner": "osv-scanner", "correlation_key": "vuln|vm2|CVE-2026-47210|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-55hx-c926-fr95", "level": "error", "message": {"text": "vm2: GHSA-55hx-c926-fr95"}, "properties": {"repobilityId": 57030, "scanner": "osv-scanner", "fingerprint": "2deb908a9bcf42ef9438a46ec9f94e49072dc2fc80904ad9702aa6bb8a703632", "category": "dependency", 
"severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-26332"], "package": "vm2", "rule_id": "GHSA-55hx-c926-fr95", "scanner": "osv-scanner", "correlation_key": "vuln|vm2|CVE-2026-26332|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-47x8-96vw-5wg6", "level": "error", "message": {"text": "vm2: GHSA-47x8-96vw-5wg6"}, "properties": {"repobilityId": 57029, "scanner": "osv-scanner", "fingerprint": "d6eea16d28183f29c376fa57e0adeb18ab849a7e6b2ec33b9ec9ac5a51044fbd", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-43997"], "package": "vm2", "rule_id": "GHSA-47x8-96vw-5wg6", "scanner": "osv-scanner", "correlation_key": "vuln|vm2|CVE-2026-43997|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-248r-7h7q-cr24", "level": "error", "message": {"text": "vm2: GHSA-248r-7h7q-cr24"}, "properties": {"repobilityId": 57027, "scanner": "osv-scanner", "fingerprint": "a9bd957465863841b3fe38c3b115443b545730c432e91cfb7612371f2a355ed3", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45411"], "package": "vm2", "rule_id": "GHSA-248r-7h7q-cr24", "scanner": "osv-scanner", "correlation_key": "vuln|vm2|CVE-2026-45411|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-95m3-7q98-8xr5", "level": "error", "message": {"text": "sha.js: GHSA-95m3-7q98-8xr5"}, "properties": {"repobilityId": 57012, 
"scanner": "osv-scanner", "fingerprint": "3347f6686a26adc2e93f04dec9113af692fe757b93c61edabcab778fe3e165bb", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-9288"], "package": "sha.js", "rule_id": "GHSA-95m3-7q98-8xr5", "scanner": "osv-scanner", "correlation_key": "vuln|sha.js|CVE-2025-9288|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v62p-rq8g-8h59", "level": "error", "message": {"text": "pbkdf2: GHSA-v62p-rq8g-8h59"}, "properties": {"repobilityId": 56997, "scanner": "osv-scanner", "fingerprint": "f4a0e8359703d4540076c1cca35fee4f400fb001709ae54e653c24d98a86be62", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-6547"], "package": "pbkdf2", "rule_id": "GHSA-v62p-rq8g-8h59", "scanner": "osv-scanner", "correlation_key": "vuln|pbkdf2|CVE-2025-6547|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-h7cp-r72f-jxh6", "level": "error", "message": {"text": "pbkdf2: GHSA-h7cp-r72f-jxh6"}, "properties": {"repobilityId": 56996, "scanner": "osv-scanner", "fingerprint": "681150c386ea2a6ae1819d971b33acc43aee3d8042e3d2f018235527e782b5d9", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-6545"], "package": "pbkdf2", "rule_id": "GHSA-h7cp-r72f-jxh6", "scanner": "osv-scanner", "correlation_key": "vuln|pbkdf2|CVE-2025-6545|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": 
{"startLine": 1}}}]}, {"ruleId": "GHSA-2w6w-674q-4c4q", "level": "error", "message": {"text": "handlebars: GHSA-2w6w-674q-4c4q"}, "properties": {"repobilityId": 56963, "scanner": "osv-scanner", "fingerprint": "63049d0268f20b2dd39a40f605bc45c983245e1c3efd3d64bfd68449d15f7255", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33937"], "package": "handlebars", "rule_id": "GHSA-2w6w-674q-4c4q", "scanner": "osv-scanner", "correlation_key": "vuln|handlebars|CVE-2026-33937|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-fjxv-7rqg-78g4", "level": "error", "message": {"text": "form-data: GHSA-fjxv-7rqg-78g4"}, "properties": {"repobilityId": 56958, "scanner": "osv-scanner", "fingerprint": "4a6f7e2dea5113b393ee1171be93cf20d0c04c5890440121f926d31a7ca5f35a", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-7783"], "package": "form-data", "rule_id": "GHSA-fjxv-7rqg-78g4", "scanner": "osv-scanner", "correlation_key": "vuln|form-data|CVE-2025-7783|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vjh7-7g9h-fjfh", "level": "error", "message": {"text": "elliptic: GHSA-vjh7-7g9h-fjfh"}, "properties": {"repobilityId": 56953, "scanner": "osv-scanner", "fingerprint": "e6e35c009bb182fa664dcea4e661bb330e44e04e20cbe3723182d0351ec837d7", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "elliptic", "rule_id": "GHSA-vjh7-7g9h-fjfh", "scanner": "osv-scanner", 
"correlation_key": "vuln|elliptic|GHSA-VJH7-7G9H-FJFH|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-cpq7-6gpm-g9rc", "level": "error", "message": {"text": "cipher-base: GHSA-cpq7-6gpm-g9rc"}, "properties": {"repobilityId": 56948, "scanner": "osv-scanner", "fingerprint": "384fc91107337f30fa4514226b9817816d4010c526b90a3ad6690bd3090b18a6", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-9287"], "package": "cipher-base", "rule_id": "GHSA-cpq7-6gpm-g9rc", "scanner": "osv-scanner", "correlation_key": "vuln|cipher-base|CVE-2025-9287|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5rq4-664w-9x2c", "level": "error", "message": {"text": "basic-ftp: GHSA-5rq4-664w-9x2c"}, "properties": {"repobilityId": 56939, "scanner": "osv-scanner", "fingerprint": "449aaeba80973eabca21e3ccf6cb3085ee324a816f38ce76d4b7c25e4a9e7016", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27699"], "package": "basic-ftp", "rule_id": "GHSA-5rq4-664w-9x2c", "scanner": "osv-scanner", "correlation_key": "vuln|basic-ftp|CVE-2026-27699|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-67hx-6x53-jw92", "level": "error", "message": {"text": "babel-traverse: GHSA-67hx-6x53-jw92"}, "properties": {"repobilityId": 56938, "scanner": "osv-scanner", "fingerprint": "0fef6cb018e12e050bf2259868ff72e874c17e1d36ed92404b5d5588ada982eb", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": 
"open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-45133"], "package": "babel-traverse", "rule_id": "GHSA-67hx-6x53-jw92", "scanner": "osv-scanner", "correlation_key": "vuln|babel-traverse|CVE-2023-45133|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "private-key", "level": "error", "message": {"text": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}, "properties": {"repobilityId": 56929, "scanner": "gitleaks", "fingerprint": "38c4ff39e5f88c9628d8b76146c902b53401efe61a4a1d64f2ffe72c9543566a", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED", "rule_id": "private-key", "scanner": "gitleaks", "detector": "private-key", "correlation_key": "secret|test/unit/adapters/key.pem|1|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/unit/adapters/key.pem"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED127", "level": "error", "message": {"text": "Cryptominer signature: `stratum+tcp://`"}, "properties": {"repobilityId": 56898, "scanner": "repobility-supply-chain", "fingerprint": "26126f2477c718feefea4a5eda943e3efe0f85eacb6b339f49b8b1146bd09f44", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "cryptominer-signature", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|26126f2477c718feefea4a5eda943e3efe0f85eacb6b339f49b8b1146bd09f44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/unit/helpers/parseProtocol.js"}, "region": {"startLine": 
15}}}]}]}]}