{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. 
Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. 
Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED098", "name": "[MINED098] Global Scope Pollution (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED098] Global Scope Pollution (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Import the library where you need it instead of attaching to window. For legitimate global registries, use a namespaced object (e.g., `window.__myApp.axios`)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED024", "name": "[MINED024] Js Eval Usage (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED024] Js Eval Usage (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[SEC084] JS: require() with non-literal (and 3 more): Same pattern found in 3 additional files. 
Review if needed."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 29 more): Same pattern found in 29 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 29 more): Same pattern found in 29 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED088", "name": "[MINED088] React Conditional Hook: useState/useEffect inside if/loop violates Rules of Hooks.", "shortDescription": {"text": "[MINED088] React Conditional Hook: useState/useEffect inside if/loop violates Rules of Hooks."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 18 more): Same pattern found in 18 additional files. Review if nee", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 18 more): Same pattern found in 18 additional files. 
Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 11 more): Same pattern found in 11 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 178 more): Same pattern found in 178 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 178 more): Same pattern found in 178 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 39 more): Same pattern found in 39 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 39 more): Same pattern found in 39 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-r", "shortDescription": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. 
Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025"}, "fullDescription": {"text": "Replace with: `uses: actions/setup-node@<40-char-sha>  # v4` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED122", "name": "[MINED122] package.json dep `eslint-plugin-react-hooks` pulled from URL/Git: `dependencies.eslint-plugin-react-hooks` = ", "shortDescription": {"text": "[MINED122] package.json dep `eslint-plugin-react-hooks` pulled from URL/Git: `dependencies.eslint-plugin-react-hooks` = `link:../../build/oss-stable/eslint-plugin-react-hooks` bypasses the npm registry. No integrity hash, no version locking"}, "fullDescription": {"text": "Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "[MINED113] Express POST / has no auth: Express route POST / declared without an auth middleware in its handler chain. De", "shortDescription": {"text": "[MINED113] Express POST / has no auth: Express route POST / declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "fullDescription": {"text": "Add an auth middleware: app.post('/', requireAuth, handler) \u2014 or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. 
If truly public, mark with a comment."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC100", "name": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make ", "shortDescription": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "fullDescription": {"text": "Allowlist specific origins. For dynamic per-request validation, validate against a known list and echo the origin back. Never combine wildcard origin with credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. 
The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED027", "name": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated ", "shortDescription": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/714"}, "properties": {"repository": "facebook/react", "repoUrl": "https://github.com/facebook/react", "branch": "main"}, "results": [{"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 57687, "scanner": "repobility-threat-engine", "fingerprint": "dbf014ad655aa4eda820d4509068fd23719fa2f54fdce7f15661d1b11f4a1011", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch (e) {\n    return null;\n  }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dbf014ad655aa4eda820d4509068fd23719fa2f54fdce7f15661d1b11f4a1011"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-dom-bindings/src/client/ReactDOMSelection.js"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. 
AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 57686, "scanner": "repobility-threat-engine", "fingerprint": "0e70260560e30f87eae240d8ec6175a39611a1c89d6625e0883ae6e5c20e835d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch (_e) {\n          return null;\n        }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0e70260560e30f87eae240d8ec6175a39611a1c89d6625e0883ae6e5c20e835d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-devtools-shared/src/symbolicateSource.js"}, "region": {"startLine": 89}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). 
Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 57685, "scanner": "repobility-threat-engine", "fingerprint": "34ee420f470c8d356323dc7c25c46f2cff4ade8a3196327d7a5aa560d529cd0c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch (error) {\n    return null;\n  }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|34ee420f470c8d356323dc7c25c46f2cff4ade8a3196327d7a5aa560d529cd0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-devtools-shared/src/storage.js"}, "region": {"startLine": 13}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 57679, "scanner": "repobility-threat-engine", "fingerprint": "94445249479ce73390875cd0fdf88c4291920614dd26ab8c1875b883a26ab690", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a className={styles.Link} href={INSTRUCTIONS_FB_URL} target=\"_blank\">", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|137|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-devtools-shared/src/devtools/views/UnsupportedBridgeProtocolDialog.js"}, "region": {"startLine": 137}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 57678, "scanner": "repobility-threat-engine", "fingerprint": "132aa3bfbf70b692b61f848a2f3c1e53d967addcb07eeaf56c7791b2ab081437", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(url)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|66|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-devtools-shared/src/devtools/views/Editor/OpenInEditorButton.js"}, "region": {"startLine": 66}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 57677, "scanner": "repobility-threat-engine", "fingerprint": "b9f870af9b8ef3803147d007a5b258f00fabe588467536ea47af0537c953cf15", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(url)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|41|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-devtools-shared/src/devtools/views/Components/OpenInEditorButton.js"}, "region": {"startLine": 41}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 57658, "scanner": "repobility-threat-engine", "fingerprint": "f85a09ee23d8422d5ca60989fa0049cf9bd253fe24dec6e8668e9503d80bbbbb", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (error) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f85a09ee23d8422d5ca60989fa0049cf9bd253fe24dec6e8668e9503d80bbbbb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-devtools-shared/src/devtools/views/Components/Components.js"}, "region": {"startLine": 194}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": 
{"repobilityId": 57657, "scanner": "repobility-threat-engine", "fingerprint": "6982ae6ab6b5522371c2dab614ba27a402f9b7bd8831041bea3bd4b7b604f09f", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6982ae6ab6b5522371c2dab614ba27a402f9b7bd8831041bea3bd4b7b604f09f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-devtools-shared/src/backend/shared/DevToolsComponentStackFrame.js"}, "region": {"startLine": 176}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 57656, "scanner": "repobility-threat-engine", "fingerprint": "d9124eb87f72a7294e2f315446daaac7d31d298f4262735b9101a16794f8978a", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d9124eb87f72a7294e2f315446daaac7d31d298f4262735b9101a16794f8978a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/internal-test-utils/internalAct.js"}, "region": {"startLine": 273}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 57632, "scanner": "repobility-threat-engine", "fingerprint": "46350d699e5d66d933aae69afd743dc3440ab106ce15ce98f893c1ed37494ce6", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|137|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/packages/react-compiler-healthcheck/src/checks/reactCompiler.ts"}, "region": {"startLine": 137}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 57631, "scanner": "repobility-threat-engine", "fingerprint": "686e06c01663eb3237028c600d4957707feb76168cd053c9f9582691c461f89b", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|16|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/packages/react-compiler-healthcheck/src/checks/libraryCompat.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 57630, "scanner": "repobility-threat-engine", "fingerprint": "1ed8189496b81d997e7d43047b9c566fd550298ca8fa7942842337d89be6b6f8", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|28|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/packages/babel-plugin-react-compiler/src/Utils/TestUtils.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57715, "scanner": "repobility-ai-code-hygiene", "fingerprint": "df31970358021a0142e10fa2d2bc25b1c30ef00f0def82a2b220e7a4b0f1a57a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-client/src/ReactFlightPerformanceTrack.js", "duplicate_line": 308, "correlation_key": "fp|df31970358021a0142e10fa2d2bc25b1c30ef00f0def82a2b220e7a4b0f1a57a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-devtools-shared/src/devtools/views/Components/InspectedElementSuspendedBy.js"}, "region": {"startLine": 45}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57714, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"01aa89836538b884fd6a4ce1d24da4047d2e6da99792022df0fe1e421a29bfa5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-devtools-shared/src/devtools/views/Components/InspectedElementContextTree.js", "duplicate_line": 51, "correlation_key": "fp|01aa89836538b884fd6a4ce1d24da4047d2e6da99792022df0fe1e421a29bfa5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-devtools-shared/src/devtools/views/Components/InspectedElementStateTree.js"}, "region": {"startLine": 45}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57713, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7315445f558e4c66cc7efa62956d117aab905f2c90b85155d36d523dcdcbe44b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-devtools-core/webpack.standalone.js", "duplicate_line": 87, "correlation_key": "fp|7315445f558e4c66cc7efa62956d117aab905f2c90b85155d36d523dcdcbe44b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-devtools-inline/webpack.config.js"}, "region": {"startLine": 77}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57712, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"7d018e93b5a3f92492fff1ddde6e4dce34b565befd69b0681d82c65fb6aae99d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-devtools-fusebox/webpack.config.frontend.js", "duplicate_line": 21, "correlation_key": "fp|7d018e93b5a3f92492fff1ddde6e4dce34b565befd69b0681d82c65fb6aae99d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-devtools-inline/webpack.config.js"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57711, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cac7cae2a979d1e42c281c6140e3099c7cdcf2c2a9aff2e4c8ce10616d47586c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-devtools-core/webpack.backend.js", "duplicate_line": 1, "correlation_key": "fp|cac7cae2a979d1e42c281c6140e3099c7cdcf2c2a9aff2e4c8ce10616d47586c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-devtools-inline/webpack.config.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57710, "scanner": "repobility-ai-code-hygiene", "fingerprint": "112173a3119d204cf2ff8ec14a7805696b7d07f5a34a5cf61c8d47736e47009f", "category": 
"quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-devtools-core/webpack.standalone.js", "duplicate_line": 87, "correlation_key": "fp|112173a3119d204cf2ff8ec14a7805696b7d07f5a34a5cf61c8d47736e47009f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-devtools-fusebox/webpack.config.frontend.js"}, "region": {"startLine": 85}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57709, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ca72b0689dd8c12861d74d8bd49d9a2d54205183dcdd84848f72e7d1d4f2f1ee", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-devtools-core/webpack.backend.js", "duplicate_line": 8, "correlation_key": "fp|ca72b0689dd8c12861d74d8bd49d9a2d54205183dcdd84848f72e7d1d4f2f1ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-devtools-fusebox/webpack.config.frontend.js"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57708, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b575b3f8a9af59ab093eac657782ab79cc0f54af99531c2a4eae3d4514e0dc84", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", 
"verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-devtools-core/webpack.standalone.js", "duplicate_line": 52, "correlation_key": "fp|b575b3f8a9af59ab093eac657782ab79cc0f54af99531c2a4eae3d4514e0dc84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-devtools-extensions/webpack.config.js"}, "region": {"startLine": 80}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57707, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e6452b141970f391b32d44922640da1640cfc54a403040dbd70d8edfd4b9f3f9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-devtools-core/webpack.backend.js", "duplicate_line": 8, "correlation_key": "fp|e6452b141970f391b32d44922640da1640cfc54a403040dbd70d8edfd4b9f3f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-devtools-extensions/webpack.config.js"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57706, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fddee4aa52e283dcfe6eb39b56da65efcf9dc5f5c1a6036df7f462c1420387c8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window 
appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-devtools-core/webpack.backend.js", "duplicate_line": 1, "correlation_key": "fp|fddee4aa52e283dcfe6eb39b56da65efcf9dc5f5c1a6036df7f462c1420387c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-devtools-core/webpack.standalone.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57705, "scanner": "repobility-ai-code-hygiene", "fingerprint": "08939f67675b6a2d42d5bd3f07fb5719e18b05767fd78ea955208f45a36d63fc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-client/src/forks/ReactFlightClientConfig.custom.js", "duplicate_line": 2, "correlation_key": "fp|08939f67675b6a2d42d5bd3f07fb5719e18b05767fd78ea955208f45a36d63fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-client/src/forks/ReactFlightClientConfig.noop.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57704, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d32479d819995a3cb4bcd9ac97c92e2eb4c48eae334358cb015d26541ebbf648", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 
12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-client/src/ReactFlightClientStreamConfigNode.js", "duplicate_line": 2, "correlation_key": "fp|d32479d819995a3cb4bcd9ac97c92e2eb4c48eae334358cb015d26541ebbf648"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-client/src/ReactFlightClientStreamConfigWeb.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57703, "scanner": "repobility-ai-code-hygiene", "fingerprint": "511f6149cd750297edd5150adcedfc7d693b932011ddd87a9bd750574ad94ba4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-client/src/ReactClientConsoleConfigBrowser.js", "duplicate_line": 2, "correlation_key": "fp|511f6149cd750297edd5150adcedfc7d693b932011ddd87a9bd750574ad94ba4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-client/src/ReactClientConsoleConfigServer.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57702, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1ec762f79275fbc5f5a8e176fb20a71ba423d5307f9cd34187d0dc39fdb714ed", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-client/src/ReactClientConsoleConfigBrowser.js", "duplicate_line": 9, "correlation_key": "fp|1ec762f79275fbc5f5a8e176fb20a71ba423d5307f9cd34187d0dc39fdb714ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-client/src/ReactClientConsoleConfigPlain.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57701, "scanner": "repobility-ai-code-hygiene", "fingerprint": "87f710912df7dfcaa975b5e90a5515fb4b7a3ba17b973d440bc7bdada3a03eea", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compiler/packages/eslint-plugin-react-compiler/src/shared/RunReactCompiler.ts", "duplicate_line": 31, "correlation_key": "fp|87f710912df7dfcaa975b5e90a5515fb4b7a3ba17b973d440bc7bdada3a03eea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/eslint-plugin-react-hooks/src/shared/RunReactCompiler.ts"}, "region": {"startLine": 111}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57700, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9bb363e03c76e256de1f081961311a50a0a04c5c756edf2dd540240e9c2c7fc4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compiler/packages/eslint-plugin-react-compiler/src/rules/ReactCompilerRule.ts", "duplicate_line": 15, "correlation_key": "fp|9bb363e03c76e256de1f081961311a50a0a04c5c756edf2dd540240e9c2c7fc4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/eslint-plugin-react-hooks/src/shared/ReactCompiler.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57699, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d27bfbe063b9e2248d8d6ec2c90efe6ddd3d2d224b166dba501854a632058222", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compiler/packages/snap/src/runner-worker.ts", "duplicate_line": 79, "correlation_key": "fp|d27bfbe063b9e2248d8d6ec2c90efe6ddd3d2d224b166dba501854a632058222"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/packages/snap/src/runner.ts"}, "region": {"startLine": 195}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57698, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f31964ba8b94254317becd996d9e45899e4ade9ba033ad09ad3bdce66d8e8352", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], 
"duplicate_file": "compiler/packages/react-forgive/server/src/compiler/index.ts", "duplicate_line": 32, "correlation_key": "fp|f31964ba8b94254317becd996d9e45899e4ade9ba033ad09ad3bdce66d8e8352"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/packages/react-mcp-server/src/compiler/index.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57697, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2167bb398001741cbff03d8d7064e30617ca82f80fd19e18fdc03d0595a148ea", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compiler/packages/eslint-plugin-react-compiler/tsup.config.ts", "duplicate_line": 8, "correlation_key": "fp|2167bb398001741cbff03d8d7064e30617ca82f80fd19e18fdc03d0595a148ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/packages/react-compiler-healthcheck/tsup.config.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57696, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7a4a134b0830008339c187c578402274859be9337058063fd2a6fda2f526a553", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"compiler/packages/babel-plugin-react-compiler/src/Inference/InferReactivePlaces.ts", "duplicate_line": 171, "correlation_key": "fp|7a4a134b0830008339c187c578402274859be9337058063fd2a6fda2f526a553"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/packages/babel-plugin-react-compiler/src/Validation/ValidateNoSetStateInEffects.ts"}, "region": {"startLine": 227}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57695, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ac288d8e66f8e6e81d4b0210de07175099f33fa5aa6b98e7c9ef27eeb4a57277", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compiler/packages/babel-plugin-react-compiler/src/Inference/InferReactivePlaces.ts", "duplicate_line": 171, "correlation_key": "fp|ac288d8e66f8e6e81d4b0210de07175099f33fa5aa6b98e7c9ef27eeb4a57277"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/packages/babel-plugin-react-compiler/src/Validation/ValidateNoDerivedComputationsInEffects_exp.ts"}, "region": {"startLine": 387}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 57671, "scanner": "repobility-threat-engine", "fingerprint": "242b8b6c942a5e502a4f12de2f7456b78c0b1a3b01935aff726d48d4bd3bd017", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Cannot pass event handlers (' +\n            propKey +\n            ') in renderToHTML because '", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|242b8b6c942a5e502a4f12de2f7456b78c0b1a3b01935aff726d48d4bd3bd017"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-markup/src/ReactFizzConfigMarkup.js"}, "region": {"startLine": 126}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 57670, "scanner": "repobility-threat-engine", "fingerprint": "64a98e750faca43182a31a3b01315773cbbde37b6fc63b882059e53eef452e16", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'    at Client Component Bundle (' +\n        href +\n        ':1:1)\\n'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|64a98e750faca43182a31a3b01315773cbbde37b6fc63b882059e53eef452e16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-flight-server-fb/src/client/ReactFlightClientConfigBundlerFB.js"}, "region": {"startLine": 204}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 57669, "scanner": "repobility-threat-engine", "fingerprint": "4292eb541a263f2a3f738a143c868479db0798d45ca552c7fc22d80430670fab", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Select extension folder - ' + cwd + '\\\\unpacked'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4292eb541a263f2a3f738a143c868479db0798d45ca552c7fc22d80430670fab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-devtools-extensions/edge/build.js"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 57665, "scanner": "repobility-threat-engine", "fingerprint": "7d4c5c7367a2548c2f5fb30c5c7763e1b36d33492dac724a46b7ad4c42b975a7", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": "document.write(h", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|44|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-devtools-shell/src/app/Iframe/index.js"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without 
sanitization."}, "properties": {"repobilityId": 57664, "scanner": "repobility-threat-engine", "fingerprint": "fecaf0ce31b458d597a12c3f6b9b721eff3b41b3b5280dcf56ed78557bb044fa", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = n", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|173|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-devtools-core/src/standalone.js"}, "region": {"startLine": 173}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 57694, "scanner": "repobility-threat-engine", "fingerprint": "08fc6c1cc17e91cac5c5c397e5bf6a3dab7c74444b1ee3a1fd98b093c439edf8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|08fc6c1cc17e91cac5c5c397e5bf6a3dab7c74444b1ee3a1fd98b093c439edf8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/release/shared-commands/download-build-artifacts.js"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML 
bypasses React's JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 57692, "scanner": "repobility-threat-engine", "fingerprint": "472681203dc5d5bd0291f43c58f84f043bbde60c5ead135a2cb72504934ac3d7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|472681203dc5d5bd0291f43c58f84f043bbde60c5ead135a2cb72504934ac3d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-dom-bindings/src/shared/ReactDOMUnknownPropertyHook.js"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. 
Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 57691, "scanner": "repobility-threat-engine", "fingerprint": "03ac331ff6b0d239d3abaac25ec6416d0a622a82493a8d5e4cd025ef99934498", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|03ac331ff6b0d239d3abaac25ec6416d0a622a82493a8d5e4cd025ef99934498"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-dom-bindings/src/client/ReactDOMOption.js"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC136", "level": "none", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 57688, "scanner": "repobility-threat-engine", "fingerprint": "240332b6eac19ed20917309b8c65c3d20dd439ba1c1be8bfda8383c6ac10578e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|240332b6eac19ed20917309b8c65c3d20dd439ba1c1be8bfda8383c6ac10578e"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 57684, "scanner": "repobility-threat-engine", "fingerprint": "b45b92ee1ada3c05b3207f85a4df71d46f710c782a7fb5d7c818bed2a32f2f05", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|78|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-devtools-shared/src/registerDevToolsEventLogger.js"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 57683, "scanner": "repobility-threat-engine", "fingerprint": "4d5740a75a2d15365e42f6a808b204827c88f540e21ae73b7b8b4c50bc6ec42a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, 
"observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4d5740a75a2d15365e42f6a808b204827c88f540e21ae73b7b8b4c50bc6ec42a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/bench/benchmarks/hacker-news/benchmark.js"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 57682, "scanner": "repobility-threat-engine", "fingerprint": "d7f3bd1b1cb30643887358cbf4fcdbcf9acc62157fd859fa251e81a535ae3398", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d7f3bd1b1cb30643887358cbf4fcdbcf9acc62157fd859fa251e81a535ae3398"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-dom-bindings/src/client/DOMNamespaces.js"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 57681, "scanner": "repobility-threat-engine", "fingerprint": "b7656ee7b8466dc9268c34a51edf311bb88fbcb275061843cbf5b5c3b5fd8363", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": 
"http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b7656ee7b8466dc9268c34a51edf311bb88fbcb275061843cbf5b5c3b5fd8363"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-devtools-shared/src/devtools/views/Components/constants.js"}, "region": {"startLine": 3}}}]}, {"ruleId": "SEC041", "level": "none", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\" (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 57680, "scanner": "repobility-threat-engine", "fingerprint": "445e143bfb9fa42d815d6c9ae398165a70589a79a844fb4f61e3e95a91105bbd", "category": "security", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|445e143bfb9fa42d815d6c9ae398165a70589a79a844fb4f61e3e95a91105bbd"}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 6 more): Same pattern found in 6 additional files. 
Review if needed."}, "properties": {"repobilityId": 57676, "scanner": "repobility-threat-engine", "fingerprint": "bbcb733a3fba112627e4b7e830cefd1595cf5645df4ccaa9a211a5c5e0592cd4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|bbcb733a3fba112627e4b7e830cefd1595cf5645df4ccaa9a211a5c5e0592cd4", "aggregated_count": 6}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 57675, "scanner": "repobility-threat-engine", "fingerprint": "af72e7646552cac3e402ab92ae6a350b9a53956118e951c0c04a1a91aff02779", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|af72e7646552cac3e402ab92ae6a350b9a53956118e951c0c04a1a91aff02779"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"packages/react-devtools-shared/src/devtools/views/Components/OwnersStack.js"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 57674, "scanner": "repobility-threat-engine", "fingerprint": "4df287376d3d2f3cb20116b6bcdd79479ef516dca91b46cc1f25480d22665489", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4df287376d3d2f3cb20116b6bcdd79479ef516dca91b46cc1f25480d22665489"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-devtools-shared/src/devtools/views/Components/InspectedElementHooksTree.js"}, "region": {"startLine": 134}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 57673, "scanner": "repobility-threat-engine", "fingerprint": "99eca79235e76e4df27e4f254da9c4a3c4740f228ae1dc2159e02ffc768035cb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": 
"2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|99eca79235e76e4df27e4f254da9c4a3c4740f228ae1dc2159e02ffc768035cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-devtools-shared/src/devtools/ContextMenu/ContextMenu.js"}, "region": {"startLine": 120}}}]}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift) (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 57672, "scanner": "repobility-threat-engine", "fingerprint": "5b5429ce103e0212fe1464cb57739bff2520dbc1282d1a7ac9eefe5666813e21", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|5b5429ce103e0212fe1464cb57739bff2520dbc1282d1a7ac9eefe5666813e21"}}}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 57663, "scanner": "repobility-threat-engine", "fingerprint": "046c37193ae09c5e8a100a9025671591bdc22eb7b5b86b8d2b2c60d84c2ce506", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|046c37193ae09c5e8a100a9025671591bdc22eb7b5b86b8d2b2c60d84c2ce506", "aggregated_count": 2}}}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 57662, "scanner": "repobility-threat-engine", "fingerprint": "a2ea268bccadc3720eb9f6e3645c387a65cbf59118b5983170f985e0a9c75e35", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a2ea268bccadc3720eb9f6e3645c387a65cbf59118b5983170f985e0a9c75e35"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-devtools-extensions/src/contentScripts/proxy.js"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, 
"properties": {"repobilityId": 57661, "scanner": "repobility-threat-engine", "fingerprint": "b31ae43a3327414a9ad6e7a5e0cd103fc87d09a7c15fbde046d2d416e3516f2c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b31ae43a3327414a9ad6e7a5e0cd103fc87d09a7c15fbde046d2d416e3516f2c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-devtools-extensions/src/contentScripts/backendManager.js"}, "region": {"startLine": 207}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 57660, "scanner": "repobility-threat-engine", "fingerprint": "5a5c50daaa18855f357b2859a6bea042ca58267ca4f45b5b50ed1eaa7b6cddba", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5a5c50daaa18855f357b2859a6bea042ca58267ca4f45b5b50ed1eaa7b6cddba"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "packages/internal-test-utils/simulateBrowserEventDispatch.js"}, "region": {"startLine": 335}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 57659, "scanner": "repobility-threat-engine", "fingerprint": "42b331c1e4b17f85d81db72d75262314338abed6e5bfedff208d2157846ef882", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|42b331c1e4b17f85d81db72d75262314338abed6e5bfedff208d2157846ef882"}}}, {"ruleId": "MINED024", "level": "none", "message": {"text": "[MINED024] Js Eval Usage (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 57652, "scanner": "repobility-threat-engine", "fingerprint": "914b89d0f469ba491c06c74ac74bef6f059062d6a41e0f57fbe513350790832c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|914b89d0f469ba491c06c74ac74bef6f059062d6a41e0f57fbe513350790832c", "aggregated_count": 4}}}, {"ruleId": "SEC084", "level": "none", "message": {"text": "[SEC084] JS: require() with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 57648, "scanner": "repobility-threat-engine", "fingerprint": "8ce8a1367a2a0d9794a6d1f712fc9c846b60dcbe21c8f164bcea91d350a68bc9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8ce8a1367a2a0d9794a6d1f712fc9c846b60dcbe21c8f164bcea91d350a68bc9"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 29 more): Same pattern found in 29 additional files. 
Review if needed."}, "properties": {"repobilityId": 57644, "scanner": "repobility-threat-engine", "fingerprint": "063abbc1a988e6c8b43781a2091a8af2089bfaa08444dfc3e5781c1eafa01559", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 29 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 29 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|063abbc1a988e6c8b43781a2091a8af2089bfaa08444dfc3e5781c1eafa01559"}}}, {"ruleId": "MINED088", "level": "none", "message": {"text": "[MINED088] React Conditional Hook: useState/useEffect inside if/loop violates Rules of Hooks."}, "properties": {"repobilityId": 57640, "scanner": "repobility-threat-engine", "fingerprint": "183bccc2b0d1f57e592337dff42f2b45e75cb376ba307c9f764a68423125c32f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-conditional-hook", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348143+00:00", "triaged_in_corpus": 20, "observations_count": 600, "ai_coder_pattern_id": 139}, "scanner": "repobility-threat-engine", "correlation_key": "fp|183bccc2b0d1f57e592337dff42f2b45e75cb376ba307c9f764a68423125c32f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react/src/ReactHooks.js"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED088", "level": "none", "message": {"text": "[MINED088] React Conditional Hook: useState/useEffect inside if/loop violates 
Rules of Hooks."}, "properties": {"repobilityId": 57639, "scanner": "repobility-threat-engine", "fingerprint": "6dbbdd60d4d0923ad2f9e1994f8baeffb9285575324e80b53cfcb323c000feb9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-conditional-hook", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348143+00:00", "triaged_in_corpus": 20, "observations_count": 600, "ai_coder_pattern_id": 139}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6dbbdd60d4d0923ad2f9e1994f8baeffb9285575324e80b53cfcb323c000feb9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/packages/babel-plugin-react-compiler/src/Validation/ValidateUseMemo.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED088", "level": "none", "message": {"text": "[MINED088] React Conditional Hook: useState/useEffect inside if/loop violates Rules of Hooks."}, "properties": {"repobilityId": 57638, "scanner": "repobility-threat-engine", "fingerprint": "a4eaffa4c52c7754102e4b65cec1f5295b03bab37760112c386cef82caf323bd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-conditional-hook", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348143+00:00", "triaged_in_corpus": 20, "observations_count": 600, "ai_coder_pattern_id": 139}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a4eaffa4c52c7754102e4b65cec1f5295b03bab37760112c386cef82caf323bd"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "compiler/packages/babel-plugin-react-compiler/src/Validation/ValidateNoSetStateInRender.ts"}, "region": {"startLine": 131}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "properties": {"repobilityId": 57637, "scanner": "repobility-threat-engine", "fingerprint": "e3d8ef83063bc9bec0801532451165231f80633e17474089be0b8231b3e9ccd3", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 18 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 18 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|e3d8ef83063bc9bec0801532451165231f80633e17474089be0b8231b3e9ccd3"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 35 more): Same pattern found in 35 additional files. Review if needed."}, "properties": {"repobilityId": 57633, "scanner": "repobility-threat-engine", "fingerprint": "662d7a28733ccd0b5a18b94cce15b3626802fe2dc3bf96aec9b99ba6379a69a5", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 35 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 35 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|662d7a28733ccd0b5a18b94cce15b3626802fe2dc3bf96aec9b99ba6379a69a5"}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 57626, "scanner": "repobility-threat-engine", "fingerprint": "976bb413e58f70f53fa6a891d8be3bb3844b6ff3fd9e04272cb46082ff0a16ea", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|976bb413e58f70f53fa6a891d8be3bb3844b6ff3fd9e04272cb46082ff0a16ea", "aggregated_count": 1}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 57625, "scanner": "repobility-threat-engine", "fingerprint": "e0ff9a9a0ed357e123bfb319bfba9df840b7da4245c066d0136da15a25589bd8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e0ff9a9a0ed357e123bfb319bfba9df840b7da4245c066d0136da15a25589bd8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/packages/snap/src/sprout/evaluator.ts"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 57624, "scanner": "repobility-threat-engine", "fingerprint": "f3d564ddaec97c675c5180cdd042b7e6e3e21c5c1ccaf0621b5ffe14c52347a8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f3d564ddaec97c675c5180cdd042b7e6e3e21c5c1ccaf0621b5ffe14c52347a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/packages/make-read-only-util/src/makeReadOnly.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 57623, "scanner": "repobility-threat-engine", "fingerprint": "5a18b93a6b2e34992abedef098913d54370b6d08ff0e0f81b5df13ca67e0ab44", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5a18b93a6b2e34992abedef098913d54370b6d08ff0e0f81b5df13ca67e0ab44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/packages/babel-plugin-react-compiler/src/Entrypoint/Reanimated.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "properties": {"repobilityId": 57622, "scanner": "repobility-threat-engine", "fingerprint": "10405ed5972d0163fa5681e2bb04cbe673746353d2f755e6d028c473b94466e9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|10405ed5972d0163fa5681e2bb04cbe673746353d2f755e6d028c473b94466e9", "aggregated_count": 11}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 57621, "scanner": "repobility-threat-engine", "fingerprint": "6eacbbdfcbda1c724900668aa5d17c42ceff50c5f46f6f4d62097a76b24d4a7d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6eacbbdfcbda1c724900668aa5d17c42ceff50c5f46f6f4d62097a76b24d4a7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/packages/babel-plugin-react-compiler/src/HIR/AssertTerminalBlocksExist.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 57620, "scanner": "repobility-threat-engine", "fingerprint": "f22d710b94bb1074ea2aded2da666c04263e9ecb0ba1576b2a1b733df2f626ac", "category": "quality", "severity": "info", "confidence": 1.0, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f22d710b94bb1074ea2aded2da666c04263e9ecb0ba1576b2a1b733df2f626ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/packages/babel-plugin-react-compiler/src/Entrypoint/Reanimated.ts"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 57619, "scanner": "repobility-threat-engine", "fingerprint": "ef840d8c2ae3c71cc5740d7c72704c19e614bbfed7dcc49faf5fbb4d9743f6bd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ef840d8c2ae3c71cc5740d7c72704c19e614bbfed7dcc49faf5fbb4d9743f6bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/packages/babel-plugin-react-compiler/scripts/jest/makeTransform.ts"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 6 more): Same pattern found in 6 additional files. 
Review if needed."}, "properties": {"repobilityId": 57618, "scanner": "repobility-threat-engine", "fingerprint": "8ef4fc4a1d1afa020d5157bc26f8e97b25b84982c476e0fc9fc2b462b5f52536", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|8ef4fc4a1d1afa020d5157bc26f8e97b25b84982c476e0fc9fc2b462b5f52536", "aggregated_count": 6}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 57617, "scanner": "repobility-threat-engine", "fingerprint": "f550d3795fae3afad8bb54c03aaf7ab368d66b39fa5f356fe95f6fa6bb841e7c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f550d3795fae3afad8bb54c03aaf7ab368d66b39fa5f356fe95f6fa6bb841e7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/packages/babel-plugin-react-compiler/src/ReactiveScopes/MemoizeFbtAndMacroOperandsInSameScope.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 57616, "scanner": "repobility-threat-engine", "fingerprint": "c9b82eb536e6998ff89cebf12753c268dc7db6ad6ea5c54ccc1d839f0d67af64", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c9b82eb536e6998ff89cebf12753c268dc7db6ad6ea5c54ccc1d839f0d67af64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/packages/babel-plugin-react-compiler/src/HIR/ScopeDependencyUtils.ts"}, "region": {"startLine": 254}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 57615, "scanner": "repobility-threat-engine", "fingerprint": "7084602283b0b9cda2b220ac2353b8f58eec91a24901a36274dce3d8c2b14fe6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7084602283b0b9cda2b220ac2353b8f58eec91a24901a36274dce3d8c2b14fe6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/packages/babel-plugin-react-compiler/scripts/babel-plugin-annotate-react-code.ts"}, "region": {"startLine": 178}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 178 more): Same pattern found in 178 additional files. Review if needed."}, "properties": {"repobilityId": 57614, "scanner": "repobility-threat-engine", "fingerprint": "c9db8fe9f5ad2bc24214c649706decc9c5054f3553bf0122981edfcd23187be4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 178 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|c9db8fe9f5ad2bc24214c649706decc9c5054f3553bf0122981edfcd23187be4", "aggregated_count": 178}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 57613, "scanner": "repobility-threat-engine", "fingerprint": "703d54e6f4128de7f709db27ab166eb0c83e5524d57c932216d5a4e879c4df84", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|703d54e6f4128de7f709db27ab166eb0c83e5524d57c932216d5a4e879c4df84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/packages/babel-plugin-react-compiler/src/Flood/TypeUtils.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 57612, "scanner": "repobility-threat-engine", "fingerprint": "403b8122b9d3a5d3c1267d91384c8ca6bb0350de2257132573ec4340059124c3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|403b8122b9d3a5d3c1267d91384c8ca6bb0350de2257132573ec4340059124c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/packages/babel-plugin-react-compiler/scripts/jest/makeTransform.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 57611, "scanner": "repobility-threat-engine", "fingerprint": "3b9bfe31d3badb0dc2004b1d9d421cb6ec7880406faec4a25ea19991c6bb3b3c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3b9bfe31d3badb0dc2004b1d9d421cb6ec7880406faec4a25ea19991c6bb3b3c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/apps/playground/components/StoreContext.tsx"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 39 more): Same pattern found in 39 additional files. Review if needed."}, "properties": {"repobilityId": 57610, "scanner": "repobility-threat-engine", "fingerprint": "b6efe59033771fa1abd6296ca1f950fdce26615eede4a663b37396df416f3eb9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 39 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 39 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b6efe59033771fa1abd6296ca1f950fdce26615eede4a663b37396df416f3eb9"}}}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 57748, "scanner": "repobility-supply-chain", "fingerprint": "05edc934af6655bc011c30527856bdafa399ed62c46514543ffb71b00366e762", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|05edc934af6655bc011c30527856bdafa399ed62c46514543ffb71b00366e762"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/compiler_playground.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 57747, "scanner": "repobility-supply-chain", "fingerprint": "93e6fe48af3ea452a89dc822e6866dc31469dce2fd1a87b68721b4583499aa51", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|93e6fe48af3ea452a89dc822e6866dc31469dce2fd1a87b68721b4583499aa51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/compiler_playground.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `facebook/react/.github/workflows/shared_check_maintainer.yml` pinned to mutable ref `@main`: `uses: facebook/react/.github/workflows/shared_check_maintainer.yml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 57746, "scanner": "repobility-supply-chain", "fingerprint": "b5f7e307f7db45637b51a5e332effafc594aec53c6ac677428256f75034d29ff", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b5f7e307f7db45637b51a5e332effafc594aec53c6ac677428256f75034d29ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/devtools_discord_notify.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 57745, "scanner": "repobility-supply-chain", "fingerprint": "e1986b7bf365d4c7373ad90b62e619c57f813b5aba0eded6af25a82561391771", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e1986b7bf365d4c7373ad90b62e619c57f813b5aba0eded6af25a82561391771"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/devtools_regression_tests.yml"}, "region": {"startLine": 193}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 57744, "scanner": "repobility-supply-chain", "fingerprint": "23d6c1fae4b0b6a48d49aea5f64d2f526b924f005d1bfa9318869495d2d8ad5d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|23d6c1fae4b0b6a48d49aea5f64d2f526b924f005d1bfa9318869495d2d8ad5d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/devtools_regression_tests.yml"}, "region": {"startLine": 178}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 57743, "scanner": "repobility-supply-chain", "fingerprint": "f6b8c7a3c552c1dad9d9ce02ba4e79b63dfa5261f03af127e0f38cfb26142743", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f6b8c7a3c552c1dad9d9ce02ba4e79b63dfa5261f03af127e0f38cfb26142743"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/devtools_regression_tests.yml"}, "region": {"startLine": 170}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 57742, "scanner": "repobility-supply-chain", "fingerprint": "7fafdd8a953b9ab334ff39d80a8dc4df8ecbb7ba9356e3ae90e82663641a2e76", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7fafdd8a953b9ab334ff39d80a8dc4df8ecbb7ba9356e3ae90e82663641a2e76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/devtools_regression_tests.yml"}, "region": {"startLine": 161}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 57741, "scanner": "repobility-supply-chain", "fingerprint": "578e9e87983d49fdc7aec50c3f1545e0452b7a5e867a7f69135c036b430c1114", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|578e9e87983d49fdc7aec50c3f1545e0452b7a5e867a7f69135c036b430c1114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/devtools_regression_tests.yml"}, "region": {"startLine": 157}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 57740, "scanner": "repobility-supply-chain", "fingerprint": "df9960fe2d67527f0c6be602b48fa5d0422c2a8bbaf644ae67b29b5c78f13afc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|df9960fe2d67527f0c6be602b48fa5d0422c2a8bbaf644ae67b29b5c78f13afc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/devtools_regression_tests.yml"}, "region": {"startLine": 156}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 57739, "scanner": "repobility-supply-chain", "fingerprint": "b7c49284c4190c42882e1112cc4f1ac71687428a324e629f789a6072be4b5559", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b7c49284c4190c42882e1112cc4f1ac71687428a324e629f789a6072be4b5559"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/devtools_regression_tests.yml"}, "region": {"startLine": 136}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 57738, "scanner": "repobility-supply-chain", "fingerprint": "9d0776e294ad6f446752e06f3237d540b9167900f6e640f791e35bb4f36ef305", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9d0776e294ad6f446752e06f3237d540b9167900f6e640f791e35bb4f36ef305"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/devtools_regression_tests.yml"}, "region": {"startLine": 127}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 57737, "scanner": "repobility-supply-chain", "fingerprint": "0b1605aab52dad28d2fb9e681cd9f4d3861f0240d5341fd72ff2daa6007a6669", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0b1605aab52dad28d2fb9e681cd9f4d3861f0240d5341fd72ff2daa6007a6669"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/devtools_regression_tests.yml"}, "region": {"startLine": 123}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 57736, "scanner": "repobility-supply-chain", "fingerprint": "9a680ea480830f58be30d2481dc80e7fd19cbd57cdfb86acb7bd1d49c81b304b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9a680ea480830f58be30d2481dc80e7fd19cbd57cdfb86acb7bd1d49c81b304b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/devtools_regression_tests.yml"}, "region": {"startLine": 122}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 57735, "scanner": "repobility-supply-chain", "fingerprint": "31b734a3344fa21e5d58dae2d4d13f66e5f27a56b95dcb2e8ba76ec41b839261", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|31b734a3344fa21e5d58dae2d4d13f66e5f27a56b95dcb2e8ba76ec41b839261"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/devtools_regression_tests.yml"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 57734, "scanner": "repobility-supply-chain", "fingerprint": "37f5ebd74b5c14dbfd6c3db045a7bf77006bee086068cccc17949dc81d1c3ae6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|37f5ebd74b5c14dbfd6c3db045a7bf77006bee086068cccc17949dc81d1c3ae6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/devtools_regression_tests.yml"}, "region": {"startLine": 95}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 57733, "scanner": "repobility-supply-chain", "fingerprint": "1a5a984fa802a02bfe77a11c93d32cc30a957e7c09b831905d04090620e85dc2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1a5a984fa802a02bfe77a11c93d32cc30a957e7c09b831905d04090620e85dc2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/devtools_regression_tests.yml"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 57732, "scanner": "repobility-supply-chain", "fingerprint": "fdbb76f1f5a9bf65ce2eb630bf06350d616bdbc9a60691e406cd1e6ba44070f3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fdbb76f1f5a9bf65ce2eb630bf06350d616bdbc9a60691e406cd1e6ba44070f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/devtools_regression_tests.yml"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 57731, "scanner": "repobility-supply-chain", "fingerprint": "2741545a72a0a81feab8e2c13cb6545ec390de89d6aecf6dd1dfc23f14b3084d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2741545a72a0a81feab8e2c13cb6545ec390de89d6aecf6dd1dfc23f14b3084d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/devtools_regression_tests.yml"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 57730, "scanner": "repobility-supply-chain", "fingerprint": "4b4370f8d5df4d96007b9c2bfd62c14777e35e43c59b560272a123b74a73633d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4b4370f8d5df4d96007b9c2bfd62c14777e35e43c59b560272a123b74a73633d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/devtools_regression_tests.yml"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 57729, "scanner": "repobility-supply-chain", "fingerprint": "98d9b4f6ae174696bf68d95bf9b7c1e87fe656834888f30c5b7c6feafe195ff0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|98d9b4f6ae174696bf68d95bf9b7c1e87fe656834888f30c5b7c6feafe195ff0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/devtools_regression_tests.yml"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 57728, "scanner": "repobility-supply-chain", "fingerprint": "3571263d732f0df57b90a3ce81c087c3834eb43351ddd5fa39c283572c0da62d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3571263d732f0df57b90a3ce81c087c3834eb43351ddd5fa39c283572c0da62d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/devtools_regression_tests.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 57727, "scanner": "repobility-supply-chain", "fingerprint": "91c885d6e5eeb1a229cfb49c929377eff673d3373130e47a7b67534b6816a36e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|91c885d6e5eeb1a229cfb49c929377eff673d3373130e47a7b67534b6816a36e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/devtools_regression_tests.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 57726, "scanner": "repobility-supply-chain", "fingerprint": "c3a53f330708c6b7d04f61d3609f0f16ffd7ff22736dc211c6f88d4b5eff95a4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c3a53f330708c6b7d04f61d3609f0f16ffd7ff22736dc211c6f88d4b5eff95a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/devtools_regression_tests.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 57725, "scanner": "repobility-supply-chain", "fingerprint": "ac553f802c45af6ce80d23528628f412b89b12abb7202950985344bf8992abb1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ac553f802c45af6ce80d23528628f412b89b12abb7202950985344bf8992abb1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/devtools_regression_tests.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `facebook/react/.github/workflows/shared_check_maintainer.yml` pinned to mutable ref `@main`: `uses: facebook/react/.github/workflows/shared_check_maintainer.yml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 57724, "scanner": "repobility-supply-chain", "fingerprint": "395e91ebcc50d83bad7ee0a1294851834760a3c2872a53c42aaf10d41bdcb0a2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|395e91ebcc50d83bad7ee0a1294851834760a3c2872a53c42aaf10d41bdcb0a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/compiler_discord_notify.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `eslint-plugin-react-hooks` pulled from URL/Git: `dependencies.eslint-plugin-react-hooks` = `link:../../build/oss-stable/eslint-plugin-react-hooks` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 57723, "scanner": "repobility-supply-chain", "fingerprint": "9cabdefb5b4243d49c616de90b31d9def9398fc213db208bcf7090364c8e10ab", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9cabdefb5b4243d49c616de90b31d9def9398fc213db208bcf7090364c8e10ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "fixtures/eslint-v10/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `eslint-plugin-react-hooks` pulled from URL/Git: `dependencies.eslint-plugin-react-hooks` = `link:../../build/oss-stable/eslint-plugin-react-hooks` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 57722, "scanner": "repobility-supply-chain", "fingerprint": "7dcd379c811faf34b1848ec9c8c67ec3a16cf08605a4bb16fd4ff464ad41ee51", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7dcd379c811faf34b1848ec9c8c67ec3a16cf08605a4bb16fd4ff464ad41ee51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "fixtures/eslint-v8/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `eslint-plugin-react-hooks` pulled from URL/Git: `dependencies.eslint-plugin-react-hooks` = `link:../../build/oss-stable/eslint-plugin-react-hooks` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 57721, "scanner": "repobility-supply-chain", "fingerprint": "96a4afd92c223b36c316dc37e1a42d0cdd4162602cf21f7801eeefa2e59ef81c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|96a4afd92c223b36c316dc37e1a42d0cdd4162602cf21f7801eeefa2e59ef81c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "fixtures/eslint-v7/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `eslint-plugin-react-hooks` pulled from URL/Git: `dependencies.eslint-plugin-react-hooks` = `link:../../build/oss-stable/eslint-plugin-react-hooks` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 57720, "scanner": "repobility-supply-chain", "fingerprint": "8573692d736db6ba4f7e42faec63781c11dced4f6a94529e20cc10649b39de77", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8573692d736db6ba4f7e42faec63781c11dced4f6a94529e20cc10649b39de77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "fixtures/eslint-v6/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `eslint-plugin-react-hooks` pulled from URL/Git: `dependencies.eslint-plugin-react-hooks` = `link:../../build/oss-stable/eslint-plugin-react-hooks` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 57719, "scanner": "repobility-supply-chain", "fingerprint": "10b835d83251c0065862fe4ae4804e1600be0492ab02da470c4d3e242a165ca3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|10b835d83251c0065862fe4ae4804e1600be0492ab02da470c4d3e242a165ca3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "fixtures/eslint-v9/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `eslint-plugin-react-internal` pulled from URL/Git: `devDependencies.eslint-plugin-react-internal` = `link:./scripts/eslint-rules` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 57718, "scanner": "repobility-supply-chain", "fingerprint": "156e60e27e4de9956e0b34263b30cc6ab415aaf377ebe8c5cedad7ad25e5eae3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|156e60e27e4de9956e0b34263b30cc6ab415aaf377ebe8c5cedad7ad25e5eae3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST / has no auth: Express route POST / declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 57717, "scanner": "repobility-route-auth", "fingerprint": "c533583b8e9b8a6ca6747e483d134fb6e5f792fb2435b59f4c509aa50ec3cc38", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|c533583b8e9b8a6ca6747e483d134fb6e5f792fb2435b59f4c509aa50ec3cc38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "fixtures/flight/server/region.js"}, "region": {"startLine": 203}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST / has no auth: Express route POST / declared without an auth 
middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 57716, "scanner": "repobility-route-auth", "fingerprint": "12171ada4ac7ce2d347ff8089c8c3d98e4cfbeb6635b616e6621d2ea95aeb3af", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|12171ada4ac7ce2d347ff8089c8c3d98e4cfbeb6635b616e6621d2ea95aeb3af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "fixtures/flight-esm/server/region.js"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used in a security context (not just for checksums)."}, "properties": {"repobilityId": 57693, "scanner": "repobility-threat-engine", "fingerprint": "aff6920c60ce666152d16adc45f223de1f040ec6f4d1d68b4cbc7ef7601bc793", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aff6920c60ce666152d16adc45f223de1f040ec6f4d1d68b4cbc7ef7601bc793"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-server/src/ReactServerStreamConfigNode.js"}, "region": {"startLine": 239}}}]}, {"ruleId": "SEC100", "level": 
"error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 57690, "scanner": "repobility-threat-engine", "fingerprint": "a223c67084b8efabca063fbfde1a5f9b8a7402c5b5bcbc1a537ff38dd12033ee", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Access-Control-Allow-Origin': '*'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a223c67084b8efabca063fbfde1a5f9b8a7402c5b5bcbc1a537ff38dd12033ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/bench/server.js"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. 
Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 57689, "scanner": "repobility-threat-engine", "fingerprint": "af43422701e756367d43cfa071842c3c99de19bf7ffd7925e64703db79b151c1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Access-Control-Allow-Origin': '*'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|af43422701e756367d43cfa071842c3c99de19bf7ffd7925e64703db79b151c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-devtools-shell/webpack-server.js"}, "region": {"startLine": 235}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 57668, "scanner": "repobility-threat-engine", "fingerprint": "c4f3e50d12ca90da3c49a2173e6e2ff5f4ecee66d39a56beeae1d27f43d8d325", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([k, v]) => `${k}=${v}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c4f3e50d12ca90da3c49a2173e6e2ff5f4ecee66d39a56beeae1d27f43d8d325"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/jest/jest-cli.js"}, "region": {"startLine": 383}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 57667, "scanner": "repobility-threat-engine", "fingerprint": "a9173abd97b343672ef0c9fb58b28914ded3692ed2377d3850e3022a90b5a75a", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "reduce(\n    (str, name) => `${str} ${name}@${version}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a9173abd97b343672ef0c9fb58b28914ded3692ed2377d3850e3022a90b5a75a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/ci/download_devtools_regression_build.js"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 57666, "scanner": "repobility-threat-engine", "fingerprint": "0ed6ee1dc9461666e40f2a1158578dd5f9fea7cac3d76c10b6bb4727b0cce8a6", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = `\n      <div class=\"box\">\n        <div class=\"box-header\">\n          Unknown error", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0ed6ee1dc9461666e40f2a1158578dd5f9fea7cac3d76c10b6bb4727b0cce8a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-devtools-core/src/standalone.js"}, "region": {"startLine": 193}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 57655, "scanner": "repobility-threat-engine", "fingerprint": "65c4b1177a7ba077c68c35e0402a7f09e03464e37339470c9588cd629d7378ea", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(string", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|65c4b1177a7ba077c68c35e0402a7f09e03464e37339470c9588cd629d7378ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-devtools-shared/src/devtools/views/utils.js"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 57654, "scanner": "repobility-threat-engine", "fingerprint": "084e485f60b06bdfff655bc4e9704a9d8056ffbf6787d2eefff74b6f3697dd91", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(additionalHooks", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|084e485f60b06bdfff655bc4e9704a9d8056ffbf6787d2eefff74b6f3697dd91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/eslint-plugin-react-hooks/src/shared/Utils.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 57653, "scanner": "repobility-threat-engine", "fingerprint": "51245569555fb3ab67a952505f4888dc68eb791f7ee8ac71e4362f6d15f02b68", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(\n      `${", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|51245569555fb3ab67a952505f4888dc68eb791f7ee8ac71e4362f6d15f02b68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/scripts/enable-feature-flag.js"}, "region": {"startLine": 69}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 57643, "scanner": "repobility-threat-engine", "fingerprint": "e0af84247a0d34e45d66b020b893171f4d6fbd5634e99522bac50c141319c73d", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Requests.delete(payload.url", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e0af84247a0d34e45d66b020b893171f4d6fbd5634e99522bac50c141319c73d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-devtools-extensions/src/main/fetchFileWithCaching.js"}, "region": {"startLine": 87}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 57642, "scanner": "repobility-threat-engine", "fingerprint": "7712eb6c422a1b90500c0c79a527a5f599d41aef98505752c4e35ea1dc1cab93", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7712eb6c422a1b90500c0c79a527a5f599d41aef98505752c4e35ea1dc1cab93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-devtools-extensions/src/background/tabsManager.js"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 57641, "scanner": "repobility-threat-engine", "fingerprint": "24905c58c7b28335bef71efb86745391d6b653e796181cdffdae0d3648d4cbe9", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(h", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|24905c58c7b28335bef71efb86745391d6b653e796181cdffdae0d3648d4cbe9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/packages/react-mcp-server/src/utils/algolia.ts"}, "region": {"startLine": 93}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 57636, "scanner": "repobility-threat-engine", "fingerprint": "1b79dfd6ac3e64cd8d6e1d01f5c3a24219294e23b9edd48cb6b4276004b3d650", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(path", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1b79dfd6ac3e64cd8d6e1d01f5c3a24219294e23b9edd48cb6b4276004b3d650"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/packages/react-compiler-healthcheck/src/checks/reactCompiler.ts"}, "region": {"startLine": 137}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 57635, "scanner": "repobility-threat-engine", "fingerprint": "a402d3caef007daf52b9217a0e818ccbdfbc9123142b8ff15873e0f8ec6170b9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(path", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a402d3caef007daf52b9217a0e818ccbdfbc9123142b8ff15873e0f8ec6170b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/packages/react-compiler-healthcheck/src/checks/libraryCompat.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 57634, "scanner": "repobility-threat-engine", "fingerprint": "c7329bc56ca9d69953868d8d88a9247273a5fa9b0d32e4cadbf4acc05fa8bca4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(val", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c7329bc56ca9d69953868d8d88a9247273a5fa9b0d32e4cadbf4acc05fa8bca4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/packages/babel-plugin-react-compiler/src/Utils/TestUtils.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 57629, "scanner": "repobility-threat-engine", "fingerprint": "c5c7b615845c3b741b9d4c0f134193d956ca0d2681bd2b03a08fd90ec6d70519", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c5c7b615845c3b741b9d4c0f134193d956ca0d2681bd2b03a08fd90ec6d70519"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"compiler/packages/babel-plugin-react-compiler/src/SSA/EnterSSA.ts"}, "region": {"startLine": 159}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 57628, "scanner": "repobility-threat-engine", "fingerprint": "14eebd64cc38dcbefc865987a913a6f3fea794d6f56c23a2550ce190734e24d5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|14eebd64cc38dcbefc865987a913a6f3fea794d6f56c23a2550ce190734e24d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/packages/babel-plugin-react-compiler/src/ReactiveScopes/PruneHoistedContexts.ts"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 57627, "scanner": "repobility-threat-engine", "fingerprint": "ff32c3a98a77910ef284528c64dc2d11bbdde93e3097e5135f80e37cc903aa91", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", 
"tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ff32c3a98a77910ef284528c64dc2d11bbdde93e3097e5135f80e37cc903aa91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/packages/babel-plugin-react-compiler/src/HIR/FindContextIdentifiers.ts"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 57609, "scanner": "repobility-threat-engine", "fingerprint": "783302b0a84477efabbfd518830563051e58f7dc60c84159833765983a80df4a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "moduleImports.delete('c');", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|783302b0a84477efabbfd518830563051e58f7dc60c84159833765983a80df4a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/packages/babel-plugin-react-compiler/src/Entrypoint/Imports.ts"}, "region": {"startLine": 159}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without 
`await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 57608, "scanner": "repobility-threat-engine", "fingerprint": "42e856d0c12dbb87a3c146e6b2d543dd5f7c85e8b1a95c96a23a7b2e7792f988", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "hmac.update(formatted, 'utf8');", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|42e856d0c12dbb87a3c146e6b2d543dd5f7c85e8b1a95c96a23a7b2e7792f988"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/packages/babel-plugin-react-compiler/scripts/build-react-hooks-fixures.js"}, "region": {"startLine": 96}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 57607, "scanner": "repobility-threat-engine", "fingerprint": "601ddb29eee6e798c9b607087788f2bb256f6e765d48a5a216888245f7c93aec", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "nextState.delete(name);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|601ddb29eee6e798c9b607087788f2bb256f6e765d48a5a216888245f7c93aec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/apps/playground/components/AccordionWindow.tsx"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED024", "level": "error", "message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "properties": {"repobilityId": 57651, "scanner": "repobility-threat-engine", "fingerprint": "99f27c392439130da3f548edf9e8f704ee519bbb9709c65ea0bb4e2ecbc05c65", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|99f27c392439130da3f548edf9e8f704ee519bbb9709c65ea0bb4e2ecbc05c65"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-client/src/ReactClientDebugConfigNode.js"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED024", "level": "error", 
"message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "properties": {"repobilityId": 57650, "scanner": "repobility-threat-engine", "fingerprint": "debf7484740a83a528b59c56c00639bae042b0c7500eafaa0bcede7c950e3ff1", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|debf7484740a83a528b59c56c00639bae042b0c7500eafaa0bcede7c950e3ff1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-client/src/ReactClientDebugConfigBrowser.js"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED024", "level": "error", "message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. 
Code injection risk."}, "properties": {"repobilityId": 57649, "scanner": "repobility-threat-engine", "fingerprint": "d7867a142e1b9572219ed1ed75af3380e1f99d2d44052e47714f5be0ebc6ce36", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d7867a142e1b9572219ed1ed75af3380e1f99d2d44052e47714f5be0ebc6ce36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/packages/snap/src/sprout/evaluator.ts"}, "region": {"startLine": 255}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 57647, "scanner": "repobility-threat-engine", "fingerprint": "841734121991cdd42121e6b9dd9d12ed5acaa86613089df82dad996cbcb6c638", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(join", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|841734121991cdd42121e6b9dd9d12ed5acaa86613089df82dad996cbcb6c638"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/bench/build.js"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 57646, "scanner": "repobility-threat-engine", "fingerprint": "67bb36be6bb54c7b151433b37c7901bd306189b363b3f26f7cb0a91afe9e4607", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(scriptSrc", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|67bb36be6bb54c7b151433b37c7901bd306189b363b3f26f7cb0a91afe9e4607"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-dom/src/test-utils/FizzTestUtils.js"}, "region": {"startLine": 99}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 57645, "scanner": "repobility-threat-engine", "fingerprint": "0454b83426df977b9d8289e2b9b61e711d8ba8387e71e1c96c399bb5655fa553", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(BABEL_PLUGIN_SRC", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0454b83426df977b9d8289e2b9b61e711d8ba8387e71e1c96c399bb5655fa553"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/packages/snap/src/runner-worker.ts"}, "region": {"startLine": 67}}}]}]}]}