{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "GHSA-58qx-3vcg-4xpx", "name": "ws: GHSA-58qx-3vcg-4xpx", "shortDescription": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "fullDescription": {"text": "ws: Uninitialized memory disclosure"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w5hq-g745-h8pq", "name": "uuid: GHSA-w5hq-g745-h8pq", "shortDescription": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "fullDescription": {"text": "uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-72xf-g2v4-qvf3", "name": "tough-cookie: GHSA-72xf-g2v4-qvf3", "shortDescription": {"text": "tough-cookie: GHSA-72xf-g2v4-qvf3"}, "fullDescription": {"text": "tough-cookie Prototype Pollution vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-p8p7-x288-28g6", "name": "request: GHSA-p8p7-x288-28g6", "shortDescription": {"text": "request: GHSA-p8p7-x288-28g6"}, "fullDescription": {"text": "Server-Side Request Forgery in Request"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-6rw7-vpxm-498p", "name": "qs: GHSA-6rw7-vpxm-498p", "shortDescription": {"text": "qs: GHSA-6rw7-vpxm-498p"}, "fullDescription": {"text": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5v7r-6r5c-r473", "name": "file-type: 
GHSA-5v7r-6r5c-r473", "shortDescription": {"text": "file-type: GHSA-5v7r-6r5c-r473"}, "fullDescription": {"text": "file-type affected by infinite loop in ASF parser on malformed input with zero-size sub-header"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jxxr-4gwj-5jf2", "name": "brace-expansion: GHSA-jxxr-4gwj-5jf2", "shortDescription": {"text": "brace-expansion: GHSA-jxxr-4gwj-5jf2"}, "fullDescription": {"text": "brace-expansion: Large numeric range defeats documented `max` DoS protection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-48c2-rrv3-qjmp", "name": "yaml: GHSA-48c2-rrv3-qjmp", "shortDescription": {"text": "yaml: GHSA-48c2-rrv3-qjmp"}, "fullDescription": {"text": "yaml is vulnerable to Stack Overflow via deeply nested YAML collections"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4w7w-66w2-5vf9", "name": "vite: GHSA-4w7w-66w2-5vf9", "shortDescription": {"text": "vite: GHSA-4w7w-66w2-5vf9"}, "fullDescription": {"text": "Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f22v-gfqf-p8f3", "name": "react-router: GHSA-f22v-gfqf-p8f3", "shortDescription": {"text": "react-router: GHSA-f22v-gfqf-p8f3"}, "fullDescription": {"text": "React Router has stored XSS via unescaped Location header in prerendered redirect HTML"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2j2x-hqr9-3h42", "name": "react-router: GHSA-2j2x-hqr9-3h42", "shortDescription": {"text": "react-router: 
GHSA-2j2x-hqr9-3h42"}, "fullDescription": {"text": "React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q8mj-m7cp-5q26", "name": "qs: GHSA-q8mj-m7cp-5q26", "shortDescription": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "fullDescription": {"text": "qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q6x5-8v7m-xcrf", "name": "protobufjs: GHSA-q6x5-8v7m-xcrf", "shortDescription": {"text": "protobufjs: GHSA-q6x5-8v7m-xcrf"}, "fullDescription": {"text": "protobufjs has overlong UTF-8 decoding"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jggg-4jg4-v7c6", "name": "protobufjs: GHSA-jggg-4jg4-v7c6", "shortDescription": {"text": "protobufjs: GHSA-jggg-4jg4-v7c6"}, "fullDescription": {"text": "protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-fx83-v9x8-x52w", "name": "protobufjs: GHSA-fx83-v9x8-x52w", "shortDescription": {"text": "protobufjs: GHSA-fx83-v9x8-x52w"}, "fullDescription": {"text": "protobuf.js: Prototype injection in generated message constructors"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2pr8-phx7-x9h3", "name": "protobufjs: GHSA-2pr8-phx7-x9h3", "shortDescription": {"text": "protobufjs: GHSA-2pr8-phx7-x9h3"}, 
"fullDescription": {"text": "protobuf.js: Denial of service from crafted field names in generated code"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qx2v-qp2m-jg93", "name": "postcss: GHSA-qx2v-qp2m-jg93", "shortDescription": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "fullDescription": {"text": "PostCSS has XSS via Unescaped </style> in its CSS Stringify Output"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3v7f-55p6-f55p", "name": "picomatch: GHSA-3v7f-55p6-f55p", "shortDescription": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "fullDescription": {"text": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-27v5-c462-wpq7", "name": "path-to-regexp: GHSA-27v5-c462-wpq7", "shortDescription": {"text": "path-to-regexp: GHSA-27v5-c462-wpq7"}, "fullDescription": {"text": "path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xcj9-5m2h-648r", "name": "mermaid: GHSA-xcj9-5m2h-648r", "shortDescription": {"text": "mermaid: GHSA-xcj9-5m2h-648r"}, "fullDescription": {"text": "Mermaid: Improper sanitization of `classDefs` in diagrams leads to CSS injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-ghcm-xqfw-q4vr", "name": "mermaid: GHSA-ghcm-xqfw-q4vr", "shortDescription": {"text": "mermaid: GHSA-ghcm-xqfw-q4vr"}, "fullDescription": {"text": "Mermaid: Improper sanitization of `classDef` in state 
diagrams leads to HTML injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-87f9-hvmw-gh4p", "name": "mermaid: GHSA-87f9-hvmw-gh4p", "shortDescription": {"text": "mermaid: GHSA-87f9-hvmw-gh4p"}, "fullDescription": {"text": "Mermaid: Improper sanitization of configuration leads to CSS injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-6m6c-36f7-fhxh", "name": "mermaid: GHSA-6m6c-36f7-fhxh", "shortDescription": {"text": "mermaid: GHSA-6m6c-36f7-fhxh"}, "fullDescription": {"text": "Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f23m-r3pf-42rh", "name": "lodash-es: GHSA-f23m-r3pf-42rh", "shortDescription": {"text": "lodash-es: GHSA-f23m-r3pf-42rh"}, "fullDescription": {"text": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v2v4-37r5-5v8g", "name": "ip-address: GHSA-v2v4-37r5-5v8g", "shortDescription": {"text": "ip-address: GHSA-v2v4-37r5-5v8g"}, "fullDescription": {"text": "ip-address has XSS in Address6 HTML-emitting methods"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xrhx-7g5j-rcj5", "name": "hono: GHSA-xrhx-7g5j-rcj5", "shortDescription": {"text": "hono: GHSA-xrhx-7g5j-rcj5"}, "fullDescription": {"text": "Hono: IP Restriction bypasses static deny rules for non-canonical IPv6 "}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", 
"owasp": ""}}, {"id": "GHSA-xpcf-pg52-r92g", "name": "hono: GHSA-xpcf-pg52-r92g", "shortDescription": {"text": "hono: GHSA-xpcf-pg52-r92g"}, "fullDescription": {"text": "Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xf4j-xp2r-rqqx", "name": "hono: GHSA-xf4j-xp2r-rqqx", "shortDescription": {"text": "hono: GHSA-xf4j-xp2r-rqqx"}, "fullDescription": {"text": "Hono: Path traversal in toSSG() allows writing files outside the output directory"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-wmmm-f939-6g9c", "name": "hono: GHSA-wmmm-f939-6g9c", "shortDescription": {"text": "hono: GHSA-wmmm-f939-6g9c"}, "fullDescription": {"text": "Hono: Middleware bypass via repeated slashes in serveStatic"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r5rp-j6wh-rvv4", "name": "hono: GHSA-r5rp-j6wh-rvv4", "shortDescription": {"text": "hono: GHSA-r5rp-j6wh-rvv4"}, "fullDescription": {"text": "Hono: Non-breaking space prefix bypass in cookie name handling in getCookie()"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qp7p-654g-cw7p", "name": "hono: GHSA-qp7p-654g-cw7p", "shortDescription": {"text": "hono: GHSA-qp7p-654g-cw7p"}, "fullDescription": {"text": "Hono has CSS Declaration Injection via Style Object Values in JSX SSR"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-p77w-8qqv-26rm", "name": "hono: GHSA-p77w-8qqv-26rm", "shortDescription": {"text": "hono: GHSA-p77w-8qqv-26rm"}, "fullDescription": 
{"text": "Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f577-qrjj-4474", "name": "hono: GHSA-f577-qrjj-4474", "shortDescription": {"text": "hono: GHSA-f577-qrjj-4474"}, "fullDescription": {"text": "Hono: JWT middleware accepts any Authorization scheme, not only Bearer"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9vqf-7f2p-gf9v", "name": "hono: GHSA-9vqf-7f2p-gf9v", "shortDescription": {"text": "hono: GHSA-9vqf-7f2p-gf9v"}, "fullDescription": {"text": "Hono: bodyLimit() can be bypassed for chunked / unknown-length requests"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-69xw-7hcm-h432", "name": "hono: GHSA-69xw-7hcm-h432", "shortDescription": {"text": "hono: GHSA-69xw-7hcm-h432"}, "fullDescription": {"text": "hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-458j-xx4x-4375", "name": "hono: GHSA-458j-xx4x-4375", "shortDescription": {"text": "hono: GHSA-458j-xx4x-4375"}, "fullDescription": {"text": "hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3hrh-pfw6-9m5x", "name": "hono: GHSA-3hrh-pfw6-9m5x", "shortDescription": {"text": "hono: GHSA-3hrh-pfw6-9m5x"}, "fullDescription": {"text": "Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection"}, "properties": {"scanner": 
"osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2gcr-mfcq-wcc3", "name": "hono: GHSA-2gcr-mfcq-wcc3", "shortDescription": {"text": "hono: GHSA-2gcr-mfcq-wcc3"}, "fullDescription": {"text": "Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-26pp-8wgv-hjvm", "name": "hono: GHSA-26pp-8wgv-hjvm", "shortDescription": {"text": "hono: GHSA-26pp-8wgv-hjvm"}, "fullDescription": {"text": "Hono missing validation of cookie name on write path in setCookie()"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r4q5-vmmm-2653", "name": "follow-redirects: GHSA-r4q5-vmmm-2653", "shortDescription": {"text": "follow-redirects: GHSA-r4q5-vmmm-2653"}, "fullDescription": {"text": "follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jp2q-39xq-3w4g", "name": "fast-xml-parser: GHSA-jp2q-39xq-3w4g", "shortDescription": {"text": "fast-xml-parser: GHSA-jp2q-39xq-3w4g"}, "fullDescription": {"text": "Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-gh4j-gqv2-49f6", "name": "fast-xml-parser: GHSA-gh4j-gqv2-49f6", "shortDescription": {"text": "fast-xml-parser: GHSA-gh4j-gqv2-49f6"}, "fullDescription": {"text": "fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters"}, "properties": {"scanner": 
"osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xwr5-m59h-vwqr", "name": "electron: GHSA-xwr5-m59h-vwqr", "shortDescription": {"text": "electron: GHSA-xwr5-m59h-vwqr"}, "fullDescription": {"text": "Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xj5x-m3f3-5x3h", "name": "electron: GHSA-xj5x-m3f3-5x3h", "shortDescription": {"text": "electron: GHSA-xj5x-m3f3-5x3h"}, "fullDescription": {"text": "Electron: Service worker can spoof executeJavaScript IPC replies"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r5p7-gp4j-qhrx", "name": "electron: GHSA-r5p7-gp4j-qhrx", "shortDescription": {"text": "electron: GHSA-r5p7-gp4j-qhrx"}, "fullDescription": {"text": "Electron: Incorrect origin passed to permission request handler for iframe requests"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mwmh-mq4g-g6gr", "name": "electron: GHSA-mwmh-mq4g-g6gr", "shortDescription": {"text": "electron: GHSA-mwmh-mq4g-g6gr"}, "fullDescription": {"text": "Electron: Registry key path injection in app.setAsDefaultProtocolClient on Windows"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f3pv-wv63-48x8", "name": "electron: GHSA-f3pv-wv63-48x8", "shortDescription": {"text": "electron: GHSA-f3pv-wv63-48x8"}, "fullDescription": {"text": "Electron: Named window.open targets not scoped to the opener's browsing context"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", 
"owasp": ""}}, {"id": "GHSA-9w97-2464-8783", "name": "electron: GHSA-9w97-2464-8783", "shortDescription": {"text": "electron: GHSA-9w97-2464-8783"}, "fullDescription": {"text": "Electron: Use-after-free in download save dialog callback"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5rqw-r77c-jp79", "name": "electron: GHSA-5rqw-r77c-jp79", "shortDescription": {"text": "electron: GHSA-5rqw-r77c-jp79"}, "fullDescription": {"text": "Electron: AppleScript injection in app.moveToApplicationsFolder on macOS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4p4r-m79c-wq3v", "name": "electron: GHSA-4p4r-m79c-wq3v", "shortDescription": {"text": "electron: GHSA-4p4r-m79c-wq3v"}, "fullDescription": {"text": "Electron: HTTP Response Header Injection in custom protocol handlers and webRequest"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3c8v-cfp5-9885", "name": "electron: GHSA-3c8v-cfp5-9885", "shortDescription": {"text": "electron: GHSA-3c8v-cfp5-9885"}, "fullDescription": {"text": "Electron: Out-of-bounds read in second-instance IPC on macOS and Linux"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v9jr-rg53-9pgp", "name": "dompurify: GHSA-v9jr-rg53-9pgp", "shortDescription": {"text": "dompurify: GHSA-v9jr-rg53-9pgp"}, "fullDescription": {"text": "DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v2wj-7wpq-c8vv", "name": "dompurify: GHSA-v2wj-7wpq-c8vv", "shortDescription": {"text": 
"dompurify: GHSA-v2wj-7wpq-c8vv"}, "fullDescription": {"text": "DOMPurify contains a Cross-site Scripting vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-h8r8-wccr-v5f2", "name": "dompurify: GHSA-h8r8-wccr-v5f2", "shortDescription": {"text": "dompurify: GHSA-h8r8-wccr-v5f2"}, "fullDescription": {"text": "DOMPurify is vulnerable to mutation-XSS via Re-Contextualization "}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-h7mw-gpvr-xq4m", "name": "dompurify: GHSA-h7mw-gpvr-xq4m", "shortDescription": {"text": "dompurify: GHSA-h7mw-gpvr-xq4m"}, "fullDescription": {"text": "DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-crv5-9vww-q3g8", "name": "dompurify: GHSA-crv5-9vww-q3g8", "shortDescription": {"text": "dompurify: GHSA-crv5-9vww-q3g8"}, "fullDescription": {"text": "DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-cjmm-f4jc-qw8r", "name": "dompurify: GHSA-cjmm-f4jc-qw8r", "shortDescription": {"text": "dompurify: GHSA-cjmm-f4jc-qw8r"}, "fullDescription": {"text": "DOMPurify ADD_ATTR predicate skips URI validation"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-cj63-jhhr-wcxv", "name": "dompurify: GHSA-cj63-jhhr-wcxv", "shortDescription": {"text": "dompurify: GHSA-cj63-jhhr-wcxv"}, "fullDescription": {"text": "DOMPurify USE_PROFILES prototype pollution allows event handlers"}, "properties": 
{"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-39q2-94rc-95cp", "name": "dompurify: GHSA-39q2-94rc-95cp", "shortDescription": {"text": "dompurify: GHSA-39q2-94rc-95cp"}, "fullDescription": {"text": "DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f886-m6hf-6m8v", "name": "brace-expansion: GHSA-f886-m6hf-6m8v", "shortDescription": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "fullDescription": {"text": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xx6v-rp6x-q39c", "name": "axios: GHSA-xx6v-rp6x-q39c", "shortDescription": {"text": "axios: GHSA-xx6v-rp6x-q39c"}, "fullDescription": {"text": "Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w9j2-pvgh-6h63", "name": "axios: GHSA-w9j2-pvgh-6h63", "shortDescription": {"text": "axios: GHSA-w9j2-pvgh-6h63"}, "fullDescription": {"text": "Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-vf2m-468p-8v99", "name": "axios: GHSA-vf2m-468p-8v99", "shortDescription": {"text": "axios: GHSA-vf2m-468p-8v99"}, "fullDescription": {"text": "Axios: HTTP adapter streamed responses bypass maxContentLength"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": 
"medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-m7pr-hjqh-92cm", "name": "axios: GHSA-m7pr-hjqh-92cm", "shortDescription": {"text": "axios: GHSA-m7pr-hjqh-92cm"}, "fullDescription": {"text": "Axios: no_proxy bypass via IP alias allows SSRF"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-fvcv-3m26-pcqx", "name": "axios: GHSA-fvcv-3m26-pcqx", "shortDescription": {"text": "axios: GHSA-fvcv-3m26-pcqx"}, "fullDescription": {"text": "Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-898c-q2cr-xwhg", "name": "axios: GHSA-898c-q2cr-xwhg", "shortDescription": {"text": "axios: GHSA-898c-q2cr-xwhg"}, "fullDescription": {"text": "axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-62hf-57xw-28j9", "name": "axios: GHSA-62hf-57xw-28j9", "shortDescription": {"text": "axios: GHSA-62hf-57xw-28j9"}, "fullDescription": {"text": "Axios: unbounded recursion in toFormData causes DoS via deeply nested request data"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5c9x-8gcm-mpgx", "name": "axios: GHSA-5c9x-8gcm-mpgx", "shortDescription": {"text": "axios: GHSA-5c9x-8gcm-mpgx"}, "fullDescription": {"text": "Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-445q-vr5w-6q77", "name": "axios: GHSA-445q-vr5w-6q77", 
"shortDescription": {"text": "axios: GHSA-445q-vr5w-6q77"}, "fullDescription": {"text": "Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3w6x-2g7m-8v23", "name": "axios: GHSA-3w6x-2g7m-8v23", "shortDescription": {"text": "axios: GHSA-3w6x-2g7m-8v23"}, "fullDescription": {"text": "Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-92pp-h63x-v22m", "name": "@hono/node-server: GHSA-92pp-h63x-v22m", "shortDescription": {"text": "@hono/node-server: GHSA-92pp-h63x-v22m"}, "fullDescription": {"text": "@hono/node-server: Middleware bypass via repeated slashes in serveStatic"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC012", "name": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the t", "shortDescription": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "fullDescription": {"text": "Validate extracted paths with os.path.realpath() and ensure they stay within the target directory."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "GHSA-hm8q-7f3q-5f36", "name": "hono: GHSA-hm8q-7f3q-5f36", "shortDescription": {"text": "hono: GHSA-hm8q-7f3q-5f36"}, "fullDescription": {"text": "Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()"}, "properties": {"scanner": "osv-scanner", 
"category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jfqx-fxh3-c62j", "name": "electron: GHSA-jfqx-fxh3-c62j", "shortDescription": {"text": "electron: GHSA-jfqx-fxh3-c62j"}, "fullDescription": {"text": "Electron: Unquoted executable path in app.setLoginItemSettings on Windows"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f37v-82c4-4x64", "name": "electron: GHSA-f37v-82c4-4x64", "shortDescription": {"text": "electron: GHSA-f37v-82c4-4x64"}, "fullDescription": {"text": "Electron: Crash in clipboard.readImage() on malformed clipboard image data"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9899-m83m-qhpj", "name": "electron: GHSA-9899-m83m-qhpj", "shortDescription": {"text": "electron: GHSA-9899-m83m-qhpj"}, "fullDescription": {"text": "Electron: USB device selection not validated against filtered device list"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8x5q-pvf5-64mp", "name": "electron: GHSA-8x5q-pvf5-64mp", "shortDescription": {"text": "electron: GHSA-8x5q-pvf5-64mp"}, "fullDescription": {"text": "Electron: Use-after-free in offscreen shared texture release() callback"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xhjh-pmcv-23jw", "name": "axios: GHSA-xhjh-pmcv-23jw", "shortDescription": {"text": "axios: GHSA-xhjh-pmcv-23jw"}, "fullDescription": {"text": "Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-vpq2-c234-7xj6", "name": "@tootallnate/once: 
GHSA-vpq2-c234-7xj6", "shortDescription": {"text": "@tootallnate/once: GHSA-vpq2-c234-7xj6"}, "fullDescription": {"text": "@tootallnate/once vulnerable to Incorrect Control Flow Scoping"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `discover_flake_inputs` has cognitive complexity 8 (SonarSource scale). Co", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `discover_flake_inputs` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and re"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 8."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-GHA", "name": "GitHub Action `cachix/install-nix-action@v31` is minor version(s) behind (latest v31.10.6)", "shortDescription": {"text": "GitHub Action `cachix/install-nix-action@v31` is minor version(s) behind (latest v31.10.6)"}, "fullDescription": {"text": "`uses: cachix/install-nix-action@v31` is minor version(s) behind the latest published release v31.10.6. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. 
This is the exact 'outdated GitHub Action' class Dependabot raises \u2014 and which Repobility had no coverage for."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "low", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1392 and CWE-798 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 9 more): Same pattern found in 9 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 9 more): Same pattern found in 9 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16.\nAlso block loopback (127/8, ::1) and the IPv6 unique-local and link-local ranges (fc00::/7, fe80::/10), apply the check to the resolved IP address rather than to the hostname string, and re-validate the target on every redirect."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED062", "name": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model.", "shortDescription": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "GHSA-p9ff-h696-f583", "name": "vite: GHSA-p9ff-h696-f583", "shortDescription": {"text": "vite: GHSA-p9ff-h696-f583"}, "fullDescription": {"text": "Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-ph9p-34f9-6g65", "name": "tmp: GHSA-ph9p-34f9-6g65", "shortDescription": {"text": "tmp: GHSA-ph9p-34f9-6g65"}, "fullDescription": {"text": "tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-hvx9-hwr7-wjj9", "name": "systeminformation: GHSA-hvx9-hwr7-wjj9", "shortDescription": {"text": "systeminformation: GHSA-hvx9-hwr7-wjj9"}, "fullDescription": {"text": "Systeminformation vulnerable to Linux
command injection in networkInterfaces() via unsanitized NetworkManager connection profile name"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-hffm-xvc3-vprc", "name": "simple-git: GHSA-hffm-xvc3-vprc", "shortDescription": {"text": "simple-git: GHSA-hffm-xvc3-vprc"}, "fullDescription": {"text": "simple-git is vulnerable to Remote Code Execution"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rxv8-25v2-qmq8", "name": "react-router: GHSA-rxv8-25v2-qmq8", "shortDescription": {"text": "react-router: GHSA-rxv8-25v2-qmq8"}, "fullDescription": {"text": "React Router vulnerable to Denial of Service via reflected user input in single-fetch"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8x6r-g9mw-2r78", "name": "react-router: GHSA-8x6r-g9mw-2r78", "shortDescription": {"text": "react-router: GHSA-8x6r-g9mw-2r78"}, "fullDescription": {"text": "React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8646-j5j9-6r62", "name": "react-router: GHSA-8646-j5j9-6r62", "shortDescription": {"text": "react-router: GHSA-8646-j5j9-6r62"}, "fullDescription": {"text": "React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-49rj-9fvp-4h2h", "name": "react-router: GHSA-49rj-9fvp-4h2h", "shortDescription": {"text": "react-router: GHSA-49rj-9fvp-4h2h"}, "fullDescription": {"text": "React Router's vendored turbo-stream v2 allows 
arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jvwf-75h9-cwgg", "name": "protobufjs: GHSA-jvwf-75h9-cwgg", "shortDescription": {"text": "protobufjs: GHSA-jvwf-75h9-cwgg"}, "fullDescription": {"text": "protobuf.js: Process-wide denial of service through unsafe option paths"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-75px-5xx7-5xc7", "name": "protobufjs: GHSA-75px-5xx7-5xc7", "shortDescription": {"text": "protobufjs: GHSA-75px-5xx7-5xc7"}, "fullDescription": {"text": "protobuf.js: Code generation gadget after prototype pollution"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-685m-2w69-288q", "name": "protobufjs: GHSA-685m-2w69-288q", "shortDescription": {"text": "protobufjs: GHSA-685m-2w69-288q"}, "fullDescription": {"text": "protobuf.js: Denial of service through unbounded protobuf recursion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-66ff-xgx4-vchm", "name": "protobufjs: GHSA-66ff-xgx4-vchm", "shortDescription": {"text": "protobufjs: GHSA-66ff-xgx4-vchm"}, "fullDescription": {"text": "protobuf.js: Code injection through bytes field defaults in generated toObject code"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c2c7-rcm5-vvqj", "name": "picomatch: GHSA-c2c7-rcm5-vvqj", "shortDescription": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "fullDescription": {"text": "Picomatch has a ReDoS vulnerability via extglob quantifiers"}, "properties": {"scanner": "osv-scanner", 
"category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-j3q9-mxjg-w52f", "name": "path-to-regexp: GHSA-j3q9-mxjg-w52f", "shortDescription": {"text": "path-to-regexp: GHSA-j3q9-mxjg-w52f"}, "fullDescription": {"text": "path-to-regexp vulnerable to Denial of Service via sequential optional groups"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7r86-cg39-jmmj", "name": "minimatch: GHSA-7r86-cg39-jmmj", "shortDescription": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "fullDescription": {"text": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3ppc-4f35-3m26", "name": "minimatch: GHSA-3ppc-4f35-3m26", "shortDescription": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "fullDescription": {"text": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-23c5-xmqv-rm74", "name": "minimatch: GHSA-23c5-xmqv-rm74", "shortDescription": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "fullDescription": {"text": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r5fr-rjxr-66jc", "name": "lodash-es: GHSA-r5fr-rjxr-66jc", "shortDescription": {"text": "lodash-es: GHSA-r5fr-rjxr-66jc"}, "fullDescription": {"text": "lodash vulnerable to Code Injection via `_.template` imports key names"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", 
"confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8gc5-j5rx-235r", "name": "fast-xml-parser: GHSA-8gc5-j5rx-235r", "shortDescription": {"text": "fast-xml-parser: GHSA-8gc5-j5rx-235r"}, "fullDescription": {"text": "fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5wm8-gmm8-39j9", "name": "fast-xml-builder: GHSA-5wm8-gmm8-39j9", "shortDescription": {"text": "fast-xml-builder: GHSA-5wm8-gmm8-39j9"}, "fullDescription": {"text": "fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v39h-62p7-jpjc", "name": "fast-uri: GHSA-v39h-62p7-jpjc", "shortDescription": {"text": "fast-uri: GHSA-v39h-62p7-jpjc"}, "fullDescription": {"text": "fast-uri vulnerable to host confusion via percent-encoded authority delimiters"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q3j6-qgpj-74h6", "name": "fast-uri: GHSA-q3j6-qgpj-74h6", "shortDescription": {"text": "fast-uri: GHSA-q3j6-qgpj-74h6"}, "fullDescription": {"text": "fast-uri vulnerable to path traversal via percent-encoded dot segments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jjp3-mq3x-295m", "name": "electron: GHSA-jjp3-mq3x-295m", "shortDescription": {"text": "electron: GHSA-jjp3-mq3x-295m"}, "fullDescription": {"text": "Electron: Use-after-free in PowerMonitor on Windows and macOS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", 
"owasp": ""}}, {"id": "GHSA-9wfr-w7mm-pc7f", "name": "electron: GHSA-9wfr-w7mm-pc7f", "shortDescription": {"text": "electron: GHSA-9wfr-w7mm-pc7f"}, "fullDescription": {"text": "Electron: Renderer command-line switch injection via undocumented commandLineSwitches webPreference"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8337-3p73-46f4", "name": "electron: GHSA-8337-3p73-46f4", "shortDescription": {"text": "electron: GHSA-8337-3p73-46f4"}, "fullDescription": {"text": "Electron: Use-after-free in WebContents fullscreen, pointer-lock, and keyboard-lock permission callbacks"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-532v-xpq5-8h95", "name": "electron: GHSA-532v-xpq5-8h95", "shortDescription": {"text": "electron: GHSA-532v-xpq5-8h95"}, "fullDescription": {"text": "Electron: Use-after-free in offscreen child window paint callback"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-737v-mqg7-c878", "name": "defu: GHSA-737v-mqg7-c878", "shortDescription": {"text": "defu: GHSA-737v-mqg7-c878"}, "fullDescription": {"text": "defu: Prototype pollution via `__proto__` key in defaults argument"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q8qp-cvcw-x6jj", "name": "axios: GHSA-q8qp-cvcw-x6jj", "shortDescription": {"text": "axios: GHSA-q8qp-cvcw-x6jj"}, "fullDescription": {"text": "Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-pf86-5x62-jrwf", "name": "axios: 
GHSA-pf86-5x62-jrwf", "shortDescription": {"text": "axios: GHSA-pf86-5x62-jrwf"}, "fullDescription": {"text": "Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-p92q-9vqr-4j8v", "name": "axios: GHSA-p92q-9vqr-4j8v", "shortDescription": {"text": "axios: GHSA-p92q-9vqr-4j8v"}, "fullDescription": {"text": "Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-j5f8-grm9-p9fc", "name": "axios: GHSA-j5f8-grm9-p9fc", "shortDescription": {"text": "axios: GHSA-j5f8-grm9-p9fc"}, "fullDescription": {"text": "Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-hfxv-24rg-xrqf", "name": "axios: GHSA-hfxv-24rg-xrqf", "shortDescription": {"text": "axios: GHSA-hfxv-24rg-xrqf"}, "fullDescription": {"text": "Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-777c-7fjr-54vf", "name": "axios: GHSA-777c-7fjr-54vf", "shortDescription": {"text": "axios: GHSA-777c-7fjr-54vf"}, "fullDescription": {"text": "Allocation of Resources Without Limits or Throttling in Axios"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-6chq-wfr3-2hj9", "name": "axios: GHSA-6chq-wfr3-2hj9", "shortDescription": {"text": "axios: 
GHSA-6chq-wfr3-2hj9"}, "fullDescription": {"text": "Axios: Header Injection via Prototype Pollution"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-pjwm-pj3p-43mv", "name": "axios: GHSA-pjwm-pj3p-43mv", "shortDescription": {"text": "axios: GHSA-pjwm-pj3p-43mv"}, "fullDescription": {"text": "axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3g43-6gmg-66jw", "name": "axios: GHSA-3g43-6gmg-66jw", "shortDescription": {"text": "axios: GHSA-3g43-6gmg-66jw"}, "fullDescription": {"text": "axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-35jp-ww65-95wh", "name": "axios: GHSA-35jp-ww65-95wh", "shortDescription": {"text": "axios: GHSA-35jp-ww65-95wh"}, "fullDescription": {"text": "axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-x6wf-f3px-wcqx", "name": "@xmldom/xmldom: GHSA-x6wf-f3px-wcqx", "shortDescription": {"text": "@xmldom/xmldom: GHSA-x6wf-f3px-wcqx"}, "fullDescription": {"text": "xmldom has XML node injection through unvalidated processing instruction serialization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-wh4c-j3r5-mjhp", "name": "@xmldom/xmldom: GHSA-wh4c-j3r5-mjhp", "shortDescription": {"text": "@xmldom/xmldom: GHSA-wh4c-j3r5-mjhp"}, 
"fullDescription": {"text": "xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-j759-j44w-7fr8", "name": "@xmldom/xmldom: GHSA-j759-j44w-7fr8", "shortDescription": {"text": "@xmldom/xmldom: GHSA-j759-j44w-7fr8"}, "fullDescription": {"text": "xmldom has XML node injection through unvalidated comment serialization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f6ww-3ggp-fr8h", "name": "@xmldom/xmldom: GHSA-f6ww-3ggp-fr8h", "shortDescription": {"text": "@xmldom/xmldom: GHSA-f6ww-3ggp-fr8h"}, "fullDescription": {"text": "xmldom has XML injection through unvalidated DocumentType serialization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2v35-w6hq-6mfw", "name": "@xmldom/xmldom: GHSA-2v35-w6hq-6mfw", "shortDescription": {"text": "@xmldom/xmldom: GHSA-2v35-w6hq-6mfw"}, "fullDescription": {"text": "xmldom: Uncontrolled recursion in XML serialization leads to DoS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q7rr-3cgh-j5r3", "name": "@opentelemetry/sdk-node: GHSA-q7rr-3cgh-j5r3", "shortDescription": {"text": "@opentelemetry/sdk-node: GHSA-q7rr-3cgh-j5r3"}, "fullDescription": {"text": "Prometheus exporter process crash via malformed HTTP request"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC080", "name": "[SEC080] Python: tarfile.extractall without filter: tarfile.extract*() without filter='data' allows path-traversal (CVE-", "shortDescription": {"text": "[SEC080] Python: 
tarfile.extractall without filter: tarfile.extract*() without filter='data' allows path-traversal (CVE-2007-4559, fixed via PEP 706 in 3.12). Ported from bandit B202 (Apache-2.0)."}, "fullDescription": {"text": "Add `filter='data'` (Python \u2265 3.12) or manually validate member paths: resolve each member's destination with `os.path.abspath`, reject any member whose resolved path falls outside the extraction directory, and reject symlink or hard-link members that point outside it."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC103", "name": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inje", "shortDescription": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "fullDescription": {"text": "Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. Note that Rdn.escapeValue applies distinguished-name (RFC 4514) escaping; a value placed in a search filter needs RFC 4515 filter escaping of `*`, `(`, `)`, backslash and NUL, so confirm the chosen escaper covers those characters. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders)."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC004", "name": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.", "shortDescription": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "fullDescription": {"text": "Use parameterized queries: cursor.execute('SELECT * FROM t WHERE id = %s', [id]).
For dynamic table or column names, choose identifiers from a hard-coded allowlist and keep values in parameters."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `Mic92/auto-merge` pinned to mutable ref `@main`", "shortDescription": {"text": "Action `Mic92/auto-merge` pinned to mutable ref `@main`"}, "fullDescription": {"text": "`uses: Mic92/auto-merge@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found", "shortDescription": {"text": "No test files found"}, "fullDescription": {"text": "Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). 
Start with tests for critical business logic and security-sensitive functions."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "GHSA-5xrq-8626-4rwp", "name": "vitest: GHSA-5xrq-8626-4rwp", "shortDescription": {"text": "vitest: GHSA-5xrq-8626-4rwp"}, "fullDescription": {"text": "When Vitest UI server is listening, arbitrary file can be read and executed"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-fjxv-7rqg-78g4", "name": "form-data: GHSA-fjxv-7rqg-78g4", "shortDescription": {"text": "form-data: GHSA-fjxv-7rqg-78g4"}, "fullDescription": {"text": "form-data uses unsafe random function in form-data for choosing boundary"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xq3m-2v4x-88gg", "name": "protobufjs: GHSA-xq3m-2v4x-88gg", "shortDescription": {"text": "protobufjs: GHSA-xq3m-2v4x-88gg"}, "fullDescription": {"text": "Arbitrary code execution in protobufjs"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1235"}, "properties": {"repository": "numtide/llm-agents.nix", "repoUrl": "https://github.com/numtide/llm-agents.nix", "branch": "main"}, "results": [{"ruleId": "GHSA-58qx-3vcg-4xpx", "level": "warning", "message": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "properties": {"repobilityId": 124206, "scanner": "osv-scanner", "fingerprint": "295733d77105213c5625a14d0483445030f5cc72e72c44e649b335030f7454ae", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45736"], "package": "ws", "rule_id": 
"GHSA-58qx-3vcg-4xpx", "scanner": "osv-scanner", "correlation_key": "vuln|ws|CVE-2026-45736|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/iflow-cli/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w5hq-g745-h8pq", "level": "warning", "message": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "properties": {"repobilityId": 124204, "scanner": "osv-scanner", "fingerprint": "3611d5b67aecec64994a9b93c7b70262ac984e7d06ce2f8c45742f9353c9bbcc", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41907"], "package": "uuid", "rule_id": "GHSA-w5hq-g745-h8pq", "scanner": "osv-scanner", "correlation_key": "vuln|uuid|CVE-2026-41907|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/iflow-cli/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-72xf-g2v4-qvf3", "level": "warning", "message": {"text": "tough-cookie: GHSA-72xf-g2v4-qvf3"}, "properties": {"repobilityId": 124203, "scanner": "osv-scanner", "fingerprint": "b35bc3f9767ed46ed46d1a85b66526d30ea2f534adeb90bf3204e0031d4c23df", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-26136"], "package": "tough-cookie", "rule_id": "GHSA-72xf-g2v4-qvf3", "scanner": "osv-scanner", "correlation_key": "vuln|tough-cookie|CVE-2023-26136|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/iflow-cli/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-p8p7-x288-28g6", "level": "warning", "message": {"text": "request: GHSA-p8p7-x288-28g6"}, "properties": {"repobilityId": 124202, "scanner": "osv-scanner", "fingerprint": "8e67521a4dda9f232ec654e3b5ec78ff4918d51a066599e4160dcc5cab146d39", "category": "dependency", "severity": 
"medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-28155"], "package": "request", "rule_id": "GHSA-p8p7-x288-28g6", "scanner": "osv-scanner", "correlation_key": "vuln|request|CVE-2023-28155|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/iflow-cli/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6rw7-vpxm-498p", "level": "warning", "message": {"text": "qs: GHSA-6rw7-vpxm-498p"}, "properties": {"repobilityId": 124201, "scanner": "osv-scanner", "fingerprint": "8fdc5de34455d74f95eb87e0495f8675befd26f31829f6822c649c8d0963485f", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-15284"], "package": "qs", "rule_id": "GHSA-6rw7-vpxm-498p", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2025-15284|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/iflow-cli/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5v7r-6r5c-r473", "level": "warning", "message": {"text": "file-type: GHSA-5v7r-6r5c-r473"}, "properties": {"repobilityId": 124199, "scanner": "osv-scanner", "fingerprint": "75d30b9083210ec8466047e2a28cb5320848adba2def3a1db3882d88326f69f2", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-31808"], "package": "file-type", "rule_id": "GHSA-5v7r-6r5c-r473", "scanner": "osv-scanner", "correlation_key": "vuln|file-type|CVE-2026-31808|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/iflow-cli/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jxxr-4gwj-5jf2", "level": "warning", "message": {"text": "brace-expansion: 
GHSA-jxxr-4gwj-5jf2"}, "properties": {"repobilityId": 124198, "scanner": "osv-scanner", "fingerprint": "e0539e8c86cdf1b6915217be66fe48502a8aae9fb72bb437e94f4089a9cdd6df", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45149"], "package": "brace-expansion", "rule_id": "GHSA-jxxr-4gwj-5jf2", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-45149|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/iflow-cli/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-48c2-rrv3-qjmp", "level": "warning", "message": {"text": "yaml: GHSA-48c2-rrv3-qjmp"}, "properties": {"repobilityId": 124197, "scanner": "osv-scanner", "fingerprint": "a7356f742b750332cd0e262789824a5e9847a881a40a66cae09dc4fd5b4892d1", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33532"], "package": "yaml", "rule_id": "GHSA-48c2-rrv3-qjmp", "scanner": "osv-scanner", "correlation_key": "vuln|yaml|CVE-2026-33532|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-58qx-3vcg-4xpx", "level": "warning", "message": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "properties": {"repobilityId": 124196, "scanner": "osv-scanner", "fingerprint": "cf82d6ff3669333b39a738dbad1d3b039d1fa922276ffd12dd0c1f00f7aacfe1", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45736"], "package": "ws", "rule_id": "GHSA-58qx-3vcg-4xpx", "scanner": "osv-scanner", "correlation_key": "vuln|ws|CVE-2026-45736|packages/aionui/bun.lock"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4w7w-66w2-5vf9", "level": "warning", "message": {"text": "vite: GHSA-4w7w-66w2-5vf9"}, "properties": {"repobilityId": 124194, "scanner": "osv-scanner", "fingerprint": "e327093619fa96df61a3cd46fe2a5d83e3d8b75f8e46bdf3f0783d1099fc2631", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39365"], "package": "vite", "rule_id": "GHSA-4w7w-66w2-5vf9", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2026-39365|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w5hq-g745-h8pq", "level": "warning", "message": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "properties": {"repobilityId": 124193, "scanner": "osv-scanner", "fingerprint": "324c2cc007c84859c40af6eed09df15a63ccf9a77e3148dc12719f105dec2aff", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41907"], "package": "uuid", "rule_id": "GHSA-w5hq-g745-h8pq", "scanner": "osv-scanner", "correlation_key": "vuln|uuid|CVE-2026-41907|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f22v-gfqf-p8f3", "level": "warning", "message": {"text": "react-router: GHSA-f22v-gfqf-p8f3"}, "properties": {"repobilityId": 124188, "scanner": "osv-scanner", "fingerprint": "8648e762005d14c0289ccd66b53d6fd5d7ca5c5a33b63f62ab62c2269c401a8e", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", 
"aliases": ["CVE-2026-33244"], "package": "react-router", "rule_id": "GHSA-f22v-gfqf-p8f3", "scanner": "osv-scanner", "correlation_key": "vuln|react-router|CVE-2026-33244|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2j2x-hqr9-3h42", "level": "warning", "message": {"text": "react-router: GHSA-2j2x-hqr9-3h42"}, "properties": {"repobilityId": 124184, "scanner": "osv-scanner", "fingerprint": "77e00d30ae82835efb1681b180dd4874461a7bd1e5cf85fc23af4544028aac53", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-40181"], "package": "react-router", "rule_id": "GHSA-2j2x-hqr9-3h42", "scanner": "osv-scanner", "correlation_key": "vuln|react-router|CVE-2026-40181|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q8mj-m7cp-5q26", "level": "warning", "message": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "properties": {"repobilityId": 124183, "scanner": "osv-scanner", "fingerprint": "0b0e67028d2832a8f46be7e5742c7de699f04325635410550413b959ce79680d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-8723"], "package": "qs", "rule_id": "GHSA-q8mj-m7cp-5q26", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2026-8723|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q6x5-8v7m-xcrf", "level": "warning", "message": {"text": "protobufjs: GHSA-q6x5-8v7m-xcrf"}, "properties": {"repobilityId": 124181, "scanner": "osv-scanner", "fingerprint": 
"8fa713fefea4a2ab7d140ee6f04c5249e42d64bcc7869952afc23c80bff89cd4", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44288"], "package": "protobufjs", "rule_id": "GHSA-q6x5-8v7m-xcrf", "scanner": "osv-scanner", "correlation_key": "vuln|protobufjs|CVE-2026-44288|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jggg-4jg4-v7c6", "level": "warning", "message": {"text": "protobufjs: GHSA-jggg-4jg4-v7c6"}, "properties": {"repobilityId": 124179, "scanner": "osv-scanner", "fingerprint": "ba1e3fafb4aabd96f9f60b41a4e319b5ff6292cab1ccd829a324a94961bef855", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45740"], "package": "protobufjs", "rule_id": "GHSA-jggg-4jg4-v7c6", "scanner": "osv-scanner", "correlation_key": "vuln|protobufjs|CVE-2026-45740|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-fx83-v9x8-x52w", "level": "warning", "message": {"text": "protobufjs: GHSA-fx83-v9x8-x52w"}, "properties": {"repobilityId": 124178, "scanner": "osv-scanner", "fingerprint": "095844814fad0ee45f388aad8044e88731faa2a48ba9345b40ebd6c2ccc8e9a2", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44292"], "package": "protobufjs", "rule_id": "GHSA-fx83-v9x8-x52w", "scanner": "osv-scanner", "correlation_key": "vuln|protobufjs|CVE-2026-44292|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2pr8-phx7-x9h3", "level": "warning", "message": {"text": "protobufjs: GHSA-2pr8-phx7-x9h3"}, "properties": {"repobilityId": 124174, "scanner": "osv-scanner", "fingerprint": "b1509d35bb8bf4632b6b621654ddde47620c10756440c50135f051b6cf742ddc", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44294"], "package": "protobufjs", "rule_id": "GHSA-2pr8-phx7-x9h3", "scanner": "osv-scanner", "correlation_key": "vuln|protobufjs|CVE-2026-44294|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qx2v-qp2m-jg93", "level": "warning", "message": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "properties": {"repobilityId": 124173, "scanner": "osv-scanner", "fingerprint": "48b963506860f8e59bf816a0f5add1a7a7b17f0855c35cc5f2475f462518fde7", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41305"], "package": "postcss", "rule_id": "GHSA-qx2v-qp2m-jg93", "scanner": "osv-scanner", "correlation_key": "vuln|postcss|CVE-2026-41305|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3v7f-55p6-f55p", "level": "warning", "message": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "properties": {"repobilityId": 124171, "scanner": "osv-scanner", "fingerprint": "53d9b369983da7516867190abf1b8df0c4253083106035e6a010d0802edfbf72", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33672"], 
"package": "picomatch", "rule_id": "GHSA-3v7f-55p6-f55p", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33672|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-27v5-c462-wpq7", "level": "warning", "message": {"text": "path-to-regexp: GHSA-27v5-c462-wpq7"}, "properties": {"repobilityId": 124169, "scanner": "osv-scanner", "fingerprint": "ef12f545768c355abb1fcd0e8d6514b1770838ce8f80414326800b6501919338", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4923"], "package": "path-to-regexp", "rule_id": "GHSA-27v5-c462-wpq7", "scanner": "osv-scanner", "correlation_key": "vuln|path-to-regexp|CVE-2026-4923|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xcj9-5m2h-648r", "level": "warning", "message": {"text": "mermaid: GHSA-xcj9-5m2h-648r"}, "properties": {"repobilityId": 124165, "scanner": "osv-scanner", "fingerprint": "f807238b8e49acc0be5bd68921b6b16404251d77a4a7bd490c72ad821b6eb049", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41148"], "package": "mermaid", "rule_id": "GHSA-xcj9-5m2h-648r", "scanner": "osv-scanner", "correlation_key": "vuln|mermaid|CVE-2026-41148|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-ghcm-xqfw-q4vr", "level": "warning", "message": {"text": "mermaid: GHSA-ghcm-xqfw-q4vr"}, "properties": {"repobilityId": 124164, "scanner": "osv-scanner", "fingerprint": 
"fdff2a1a4fc43380496f5c8d2ebeba19c4098484349db3eb9fa2b4da024fe5d1", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41149"], "package": "mermaid", "rule_id": "GHSA-ghcm-xqfw-q4vr", "scanner": "osv-scanner", "correlation_key": "vuln|mermaid|CVE-2026-41149|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-87f9-hvmw-gh4p", "level": "warning", "message": {"text": "mermaid: GHSA-87f9-hvmw-gh4p"}, "properties": {"repobilityId": 124163, "scanner": "osv-scanner", "fingerprint": "8426c05a7eb84a0504eb322f484a5232a5c3a98fa56e6482274c887283e6298c", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41159"], "package": "mermaid", "rule_id": "GHSA-87f9-hvmw-gh4p", "scanner": "osv-scanner", "correlation_key": "vuln|mermaid|CVE-2026-41159|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6m6c-36f7-fhxh", "level": "warning", "message": {"text": "mermaid: GHSA-6m6c-36f7-fhxh"}, "properties": {"repobilityId": 124162, "scanner": "osv-scanner", "fingerprint": "429ca784f9bb46721c835803e25d4915860365a54c10d1fcd425c460800f9f5c", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41150"], "package": "mermaid", "rule_id": "GHSA-6m6c-36f7-fhxh", "scanner": "osv-scanner", "correlation_key": "vuln|mermaid|CVE-2026-41150|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, 
"region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f23m-r3pf-42rh", "level": "warning", "message": {"text": "lodash-es: GHSA-f23m-r3pf-42rh"}, "properties": {"repobilityId": 124160, "scanner": "osv-scanner", "fingerprint": "a34825c98178930494df615bc7c582663f12adef8c17e81cf19a69395e2f39e9", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2950"], "package": "lodash-es", "rule_id": "GHSA-f23m-r3pf-42rh", "scanner": "osv-scanner", "correlation_key": "vuln|lodash-es|CVE-2026-2950|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f23m-r3pf-42rh", "level": "warning", "message": {"text": "lodash: GHSA-f23m-r3pf-42rh"}, "properties": {"repobilityId": 124158, "scanner": "osv-scanner", "fingerprint": "c3b2f7f36d11add10f7d2786fc4346853fedae10b0724474b21153462f4b31da", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2950"], "package": "lodash", "rule_id": "GHSA-f23m-r3pf-42rh", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2026-2950|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v2v4-37r5-5v8g", "level": "warning", "message": {"text": "ip-address: GHSA-v2v4-37r5-5v8g"}, "properties": {"repobilityId": 124157, "scanner": "osv-scanner", "fingerprint": "62cc120529e0ea7e112c75ba69c2871a0970d5fb55f88728336a56c156607eb6", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42338"], "package": "ip-address", "rule_id": 
"GHSA-v2v4-37r5-5v8g", "scanner": "osv-scanner", "correlation_key": "vuln|ip-address|CVE-2026-42338|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xrhx-7g5j-rcj5", "level": "warning", "message": {"text": "hono: GHSA-xrhx-7g5j-rcj5"}, "properties": {"repobilityId": 124156, "scanner": "osv-scanner", "fingerprint": "a2c206f8ea2b32c461caa7f8ecd7a0e5cef592ef21000476d3f483947016c852", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47674"], "package": "hono", "rule_id": "GHSA-xrhx-7g5j-rcj5", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-47674|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xpcf-pg52-r92g", "level": "warning", "message": {"text": "hono: GHSA-xpcf-pg52-r92g"}, "properties": {"repobilityId": 124155, "scanner": "osv-scanner", "fingerprint": "e26f5ee09605fed501b0d2c97ba388ef746da54a3d0fd7c3e4807e85d27ed142", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39409"], "package": "hono", "rule_id": "GHSA-xpcf-pg52-r92g", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-39409|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xf4j-xp2r-rqqx", "level": "warning", "message": {"text": "hono: GHSA-xf4j-xp2r-rqqx"}, "properties": {"repobilityId": 124154, "scanner": "osv-scanner", "fingerprint": "5729bbbc5ff35f73f95861436dacb1806889d87d7ba7e6c2b48e5ec2048daf24", "category": "dependency", "severity": 
"medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39408"], "package": "hono", "rule_id": "GHSA-xf4j-xp2r-rqqx", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-39408|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-wmmm-f939-6g9c", "level": "warning", "message": {"text": "hono: GHSA-wmmm-f939-6g9c"}, "properties": {"repobilityId": 124153, "scanner": "osv-scanner", "fingerprint": "3cfcfd2c3cae3cfd0610c194576d9d9cfa96e392b2582fc2b89338ebb57ced80", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39407"], "package": "hono", "rule_id": "GHSA-wmmm-f939-6g9c", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-39407|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r5rp-j6wh-rvv4", "level": "warning", "message": {"text": "hono: GHSA-r5rp-j6wh-rvv4"}, "properties": {"repobilityId": 124152, "scanner": "osv-scanner", "fingerprint": "59e4c93dabbf7fa1dcecb9a98354bf3e82e98436496f484bc9de4e45c52b8c5a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39410"], "package": "hono", "rule_id": "GHSA-r5rp-j6wh-rvv4", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-39410|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qp7p-654g-cw7p", "level": "warning", "message": {"text": "hono: GHSA-qp7p-654g-cw7p"}, 
"properties": {"repobilityId": 124151, "scanner": "osv-scanner", "fingerprint": "d1b118ba026bea19c75652d3a1efe5ec4935b554e19aedb67169904008c274c4", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44458"], "package": "hono", "rule_id": "GHSA-qp7p-654g-cw7p", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-44458|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-p77w-8qqv-26rm", "level": "warning", "message": {"text": "hono: GHSA-p77w-8qqv-26rm"}, "properties": {"repobilityId": 124150, "scanner": "osv-scanner", "fingerprint": "d1278fe3a5b43bf26f477f64e1a04e6312ae72c17f50dfd70bcb19b218324091", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44457"], "package": "hono", "rule_id": "GHSA-p77w-8qqv-26rm", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-44457|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f577-qrjj-4474", "level": "warning", "message": {"text": "hono: GHSA-f577-qrjj-4474"}, "properties": {"repobilityId": 124148, "scanner": "osv-scanner", "fingerprint": "2e7d3740d774833875c65bc9fa702666aa797a5a5dd72781408cb292c4f86c81", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47673"], "package": "hono", "rule_id": "GHSA-f577-qrjj-4474", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-47673|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9vqf-7f2p-gf9v", "level": "warning", "message": {"text": "hono: GHSA-9vqf-7f2p-gf9v"}, "properties": {"repobilityId": 124147, "scanner": "osv-scanner", "fingerprint": "58c1c180eb066bed295c21c55c6e18ebe159d45baf146860da95152d6891b37e", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44456"], "package": "hono", "rule_id": "GHSA-9vqf-7f2p-gf9v", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-44456|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-69xw-7hcm-h432", "level": "warning", "message": {"text": "hono: GHSA-69xw-7hcm-h432"}, "properties": {"repobilityId": 124146, "scanner": "osv-scanner", "fingerprint": "86aa0fb1b2d1cabff7783658948c40b3be17186aa370e3d074c2ec040dedc565", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44455"], "package": "hono", "rule_id": "GHSA-69xw-7hcm-h432", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-44455|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-458j-xx4x-4375", "level": "warning", "message": {"text": "hono: GHSA-458j-xx4x-4375"}, "properties": {"repobilityId": 124145, "scanner": "osv-scanner", "fingerprint": "6d8e2449e2755fd71cd314f55bf7c69fc1f62eed80bad5474534463e92366d39", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "hono", "rule_id": 
"GHSA-458j-xx4x-4375", "scanner": "osv-scanner", "correlation_key": "vuln|hono|GHSA-458J-XX4X-4375|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3hrh-pfw6-9m5x", "level": "warning", "message": {"text": "hono: GHSA-3hrh-pfw6-9m5x"}, "properties": {"repobilityId": 124144, "scanner": "osv-scanner", "fingerprint": "444815267f4004c2e6a377d30bf996733d0a68d0bc6dbfc88a80f4de679615e6", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47675"], "package": "hono", "rule_id": "GHSA-3hrh-pfw6-9m5x", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-47675|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2gcr-mfcq-wcc3", "level": "warning", "message": {"text": "hono: GHSA-2gcr-mfcq-wcc3"}, "properties": {"repobilityId": 124143, "scanner": "osv-scanner", "fingerprint": "ffc92d5fff908d5bb6225c6b3024dc79a9840504654271a80e5c92e8fe850709", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47676"], "package": "hono", "rule_id": "GHSA-2gcr-mfcq-wcc3", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-47676|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-26pp-8wgv-hjvm", "level": "warning", "message": {"text": "hono: GHSA-26pp-8wgv-hjvm"}, "properties": {"repobilityId": 124142, "scanner": "osv-scanner", "fingerprint": "9a51c2de705f4621c8e69b0fc6efa58e1876e2abf3b559f5fe4b8974eac8ca42", "category": "dependency", "severity": 
"medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "hono", "rule_id": "GHSA-26pp-8wgv-hjvm", "scanner": "osv-scanner", "correlation_key": "vuln|hono|GHSA-26PP-8WGV-HJVM|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r4q5-vmmm-2653", "level": "warning", "message": {"text": "follow-redirects: GHSA-r4q5-vmmm-2653"}, "properties": {"repobilityId": 124141, "scanner": "osv-scanner", "fingerprint": "3b7394b040946311ee088a2f2ebbeb1ae0d7c45fb004b8df0e348f3227cc5d22", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "follow-redirects", "rule_id": "GHSA-r4q5-vmmm-2653", "scanner": "osv-scanner", "correlation_key": "vuln|follow-redirects|GHSA-R4Q5-VMMM-2653|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5v7r-6r5c-r473", "level": "warning", "message": {"text": "file-type: GHSA-5v7r-6r5c-r473"}, "properties": {"repobilityId": 124140, "scanner": "osv-scanner", "fingerprint": "325749894805396baeb67a54e047c14922297399f0e0a62b7c621d1f23725b30", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-31808"], "package": "file-type", "rule_id": "GHSA-5v7r-6r5c-r473", "scanner": "osv-scanner", "correlation_key": "vuln|file-type|CVE-2026-31808|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jp2q-39xq-3w4g", "level": "warning", "message": {"text": "fast-xml-parser: 
GHSA-jp2q-39xq-3w4g"}, "properties": {"repobilityId": 124139, "scanner": "osv-scanner", "fingerprint": "9af950528da52f5d5dfaff1130c01256fed1f55a580579706a302adf555eb059", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33349"], "package": "fast-xml-parser", "rule_id": "GHSA-jp2q-39xq-3w4g", "scanner": "osv-scanner", "correlation_key": "vuln|fast-xml-parser|CVE-2026-33349|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-gh4j-gqv2-49f6", "level": "warning", "message": {"text": "fast-xml-parser: GHSA-gh4j-gqv2-49f6"}, "properties": {"repobilityId": 124138, "scanner": "osv-scanner", "fingerprint": "3b1d70242df98e955863ad32dfc65a16415abf45708e51681e95f45de2ac65c7", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41650"], "package": "fast-xml-parser", "rule_id": "GHSA-gh4j-gqv2-49f6", "scanner": "osv-scanner", "correlation_key": "vuln|fast-xml-parser|CVE-2026-41650|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xwr5-m59h-vwqr", "level": "warning", "message": {"text": "electron: GHSA-xwr5-m59h-vwqr"}, "properties": {"repobilityId": 124133, "scanner": "osv-scanner", "fingerprint": "77a8a880af7551efb9369bbc05874640a1514ed79507f408b0aa84915b9e7455", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34775"], "package": "electron", "rule_id": "GHSA-xwr5-m59h-vwqr", "scanner": "osv-scanner", "correlation_key": 
"vuln|electron|CVE-2026-34775|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xj5x-m3f3-5x3h", "level": "warning", "message": {"text": "electron: GHSA-xj5x-m3f3-5x3h"}, "properties": {"repobilityId": 124132, "scanner": "osv-scanner", "fingerprint": "39983aac923ebc45df0d937c4099f3c994f9a75378667898ca2ab1652fad934b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34778"], "package": "electron", "rule_id": "GHSA-xj5x-m3f3-5x3h", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34778|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r5p7-gp4j-qhrx", "level": "warning", "message": {"text": "electron: GHSA-r5p7-gp4j-qhrx"}, "properties": {"repobilityId": 124131, "scanner": "osv-scanner", "fingerprint": "e689a4e468ad20de9f134f87c2dd54afccfd2289fd23892caeaedfb089fe1c3d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34777"], "package": "electron", "rule_id": "GHSA-r5p7-gp4j-qhrx", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34777|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mwmh-mq4g-g6gr", "level": "warning", "message": {"text": "electron: GHSA-mwmh-mq4g-g6gr"}, "properties": {"repobilityId": 124130, "scanner": "osv-scanner", "fingerprint": "200412c2458c1a59ba5795eb0609d37bc0489e44a2842d919b4d77f563986406", "category": "dependency", "severity": "medium", "confidence": 0.88, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34773"], "package": "electron", "rule_id": "GHSA-mwmh-mq4g-g6gr", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34773|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f3pv-wv63-48x8", "level": "warning", "message": {"text": "electron: GHSA-f3pv-wv63-48x8"}, "properties": {"repobilityId": 124127, "scanner": "osv-scanner", "fingerprint": "33053d8d4215a81196a16235485870d9359c02649bb97c9f75d1065cb85591af", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34765"], "package": "electron", "rule_id": "GHSA-f3pv-wv63-48x8", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34765|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9w97-2464-8783", "level": "warning", "message": {"text": "electron: GHSA-9w97-2464-8783"}, "properties": {"repobilityId": 124124, "scanner": "osv-scanner", "fingerprint": "ad3f268507d628c700d385cadbf4b99d50685c48d089caf3de180a02c58f09e6", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34772"], "package": "electron", "rule_id": "GHSA-9w97-2464-8783", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34772|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5rqw-r77c-jp79", "level": "warning", "message": {"text": "electron: 
GHSA-5rqw-r77c-jp79"}, "properties": {"repobilityId": 124120, "scanner": "osv-scanner", "fingerprint": "6114fff1a2e9fb87fe1d789f2a39ef06b2509c848ee92ca2621f5399804bca03", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34779"], "package": "electron", "rule_id": "GHSA-5rqw-r77c-jp79", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34779|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4p4r-m79c-wq3v", "level": "warning", "message": {"text": "electron: GHSA-4p4r-m79c-wq3v"}, "properties": {"repobilityId": 124118, "scanner": "osv-scanner", "fingerprint": "179a81775fd889b379ac520a68ad453e2be7ec6f40c51c4014dafe7a1686002c", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34767"], "package": "electron", "rule_id": "GHSA-4p4r-m79c-wq3v", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34767|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3c8v-cfp5-9885", "level": "warning", "message": {"text": "electron: GHSA-3c8v-cfp5-9885"}, "properties": {"repobilityId": 124117, "scanner": "osv-scanner", "fingerprint": "c89818ee995230ae17baa08e3aefb865d9fb14cea7dee39d05d35ca321756256", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34776"], "package": "electron", "rule_id": "GHSA-3c8v-cfp5-9885", "scanner": "osv-scanner", "correlation_key": 
"vuln|electron|CVE-2026-34776|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v9jr-rg53-9pgp", "level": "warning", "message": {"text": "dompurify: GHSA-v9jr-rg53-9pgp"}, "properties": {"repobilityId": 124116, "scanner": "osv-scanner", "fingerprint": "341a567b2d8a8496413fc5ade58b533d6e6164fcc6028a944c861929493a1b78", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41238"], "package": "dompurify", "rule_id": "GHSA-v9jr-rg53-9pgp", "scanner": "osv-scanner", "correlation_key": "vuln|dompurify|CVE-2026-41238|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v2wj-7wpq-c8vv", "level": "warning", "message": {"text": "dompurify: GHSA-v2wj-7wpq-c8vv"}, "properties": {"repobilityId": 124115, "scanner": "osv-scanner", "fingerprint": "7f06b3f18310b50728ffa7b484cf06de00db0be5457fa1dfa8b6a8d1020b6556", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-0540"], "package": "dompurify", "rule_id": "GHSA-v2wj-7wpq-c8vv", "scanner": "osv-scanner", "correlation_key": "vuln|dompurify|CVE-2026-0540|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-h8r8-wccr-v5f2", "level": "warning", "message": {"text": "dompurify: GHSA-h8r8-wccr-v5f2"}, "properties": {"repobilityId": 124114, "scanner": "osv-scanner", "fingerprint": "6c7fd0349f0bfa9a5a11c38532f1e0216a8d5e980c7a69610b7544614010851b", "category": "dependency", "severity": "medium", "confidence": 0.88, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "dompurify", "rule_id": "GHSA-h8r8-wccr-v5f2", "scanner": "osv-scanner", "correlation_key": "vuln|dompurify|GHSA-H8R8-WCCR-V5F2|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-h7mw-gpvr-xq4m", "level": "warning", "message": {"text": "dompurify: GHSA-h7mw-gpvr-xq4m"}, "properties": {"repobilityId": 124113, "scanner": "osv-scanner", "fingerprint": "decc81ea3bc2f2d6a31f30b8a21e3ce897b4f3ba24584ecb5ff8232ce31d21e4", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41240"], "package": "dompurify", "rule_id": "GHSA-h7mw-gpvr-xq4m", "scanner": "osv-scanner", "correlation_key": "vuln|dompurify|CVE-2026-41240|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-crv5-9vww-q3g8", "level": "warning", "message": {"text": "dompurify: GHSA-crv5-9vww-q3g8"}, "properties": {"repobilityId": 124112, "scanner": "osv-scanner", "fingerprint": "4b1e6da777c86f47944cfa04e382f863d2d0b986919bd675fa23e08077a5889a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41239"], "package": "dompurify", "rule_id": "GHSA-crv5-9vww-q3g8", "scanner": "osv-scanner", "correlation_key": "vuln|dompurify|CVE-2026-41239|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-cjmm-f4jc-qw8r", "level": "warning", "message": {"text": "dompurify: GHSA-cjmm-f4jc-qw8r"}, 
"properties": {"repobilityId": 124111, "scanner": "osv-scanner", "fingerprint": "115bc15b6aa406ec8f56199700ca5dcff6f1ad87a069c3ae0f2acf9c370d5be8", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "dompurify", "rule_id": "GHSA-cjmm-f4jc-qw8r", "scanner": "osv-scanner", "correlation_key": "vuln|dompurify|GHSA-CJMM-F4JC-QW8R|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-cj63-jhhr-wcxv", "level": "warning", "message": {"text": "dompurify: GHSA-cj63-jhhr-wcxv"}, "properties": {"repobilityId": 124110, "scanner": "osv-scanner", "fingerprint": "6bef60a46140dcd96763cd60af768c6509fca91bce5147c386e58e935461854b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "dompurify", "rule_id": "GHSA-cj63-jhhr-wcxv", "scanner": "osv-scanner", "correlation_key": "vuln|dompurify|GHSA-CJ63-JHHR-WCXV|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-39q2-94rc-95cp", "level": "warning", "message": {"text": "dompurify: GHSA-39q2-94rc-95cp"}, "properties": {"repobilityId": 124109, "scanner": "osv-scanner", "fingerprint": "438fd53c54382f5abeb173877d4726f47aaeaf5d777bee042c7b80af108491c7", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "dompurify", "rule_id": "GHSA-39q2-94rc-95cp", "scanner": "osv-scanner", "correlation_key": "vuln|dompurify|GHSA-39Q2-94RC-95CP|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jxxr-4gwj-5jf2", "level": "warning", "message": {"text": "brace-expansion: GHSA-jxxr-4gwj-5jf2"}, "properties": {"repobilityId": 124107, "scanner": "osv-scanner", "fingerprint": "e97062cab9d8914439e9127f4934487ebffa9dfda821124fe3d8839d1cd5859b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45149"], "package": "brace-expansion", "rule_id": "GHSA-jxxr-4gwj-5jf2", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-45149|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f886-m6hf-6m8v", "level": "warning", "message": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "properties": {"repobilityId": 124106, "scanner": "osv-scanner", "fingerprint": "9c0d2a2e4ff67b6cc102fcd0be444ee32dee4781a591943c74ee54a067e5458a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33750"], "package": "brace-expansion", "rule_id": "GHSA-f886-m6hf-6m8v", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-33750|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xx6v-rp6x-q39c", "level": "warning", "message": {"text": "axios: GHSA-xx6v-rp6x-q39c"}, "properties": {"repobilityId": 124105, "scanner": "osv-scanner", "fingerprint": "c3851273b41cdc0631acd67785c4454462dbba0affc0c0c2a6de7b803befa6de", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": 
"", "aliases": ["CVE-2026-42042"], "package": "axios", "rule_id": "GHSA-xx6v-rp6x-q39c", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42042|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w9j2-pvgh-6h63", "level": "warning", "message": {"text": "axios: GHSA-w9j2-pvgh-6h63"}, "properties": {"repobilityId": 124103, "scanner": "osv-scanner", "fingerprint": "bf2508578b21a0d06b5c0bb24ec7517887628f3ec8e60ba32efcf90d5323224d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42041"], "package": "axios", "rule_id": "GHSA-w9j2-pvgh-6h63", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42041|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vf2m-468p-8v99", "level": "warning", "message": {"text": "axios: GHSA-vf2m-468p-8v99"}, "properties": {"repobilityId": 124102, "scanner": "osv-scanner", "fingerprint": "d10f31f03177bedcb4f5add01006a0f1feb37d5c3b27d3d2fc3dd0cf8b756753", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42036"], "package": "axios", "rule_id": "GHSA-vf2m-468p-8v99", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42036|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-m7pr-hjqh-92cm", "level": "warning", "message": {"text": "axios: GHSA-m7pr-hjqh-92cm"}, "properties": {"repobilityId": 124098, "scanner": "osv-scanner", "fingerprint": 
"deb8d0638fd14bef99f9114d16b217f3b34f194a54ba693647ddf29c69c14210", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42038"], "package": "axios", "rule_id": "GHSA-m7pr-hjqh-92cm", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42038|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-fvcv-3m26-pcqx", "level": "warning", "message": {"text": "axios: GHSA-fvcv-3m26-pcqx"}, "properties": {"repobilityId": 124095, "scanner": "osv-scanner", "fingerprint": "0a045ba8b508b5aaa44a66cb787bbd9e7c2e642e18b73b5087e07237578cffde", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-40175"], "package": "axios", "rule_id": "GHSA-fvcv-3m26-pcqx", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-40175|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-898c-q2cr-xwhg", "level": "warning", "message": {"text": "axios: GHSA-898c-q2cr-xwhg"}, "properties": {"repobilityId": 124094, "scanner": "osv-scanner", "fingerprint": "2dd3921ffe3577289b5abaf7fa74bb0dd9500118c529e6d3f9b1d0dbeb0f5d06", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44490"], "package": "axios", "rule_id": "GHSA-898c-q2cr-xwhg", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44490|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 
1}}}]}, {"ruleId": "GHSA-62hf-57xw-28j9", "level": "warning", "message": {"text": "axios: GHSA-62hf-57xw-28j9"}, "properties": {"repobilityId": 124091, "scanner": "osv-scanner", "fingerprint": "b92545984b75ca0d819f060d5ab85b6b82fbf1d5dd4a40684df89aa9ebebcd62", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42039"], "package": "axios", "rule_id": "GHSA-62hf-57xw-28j9", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42039|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5c9x-8gcm-mpgx", "level": "warning", "message": {"text": "axios: GHSA-5c9x-8gcm-mpgx"}, "properties": {"repobilityId": 124090, "scanner": "osv-scanner", "fingerprint": "e12cc9b0b38fe63d6819dfb355a9e835972dbd1221462f9f2a0542ff56b905da", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42034"], "package": "axios", "rule_id": "GHSA-5c9x-8gcm-mpgx", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42034|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-445q-vr5w-6q77", "level": "warning", "message": {"text": "axios: GHSA-445q-vr5w-6q77"}, "properties": {"repobilityId": 124089, "scanner": "osv-scanner", "fingerprint": "5218a813a42f5e78f65ca6a5e190e679df032a38a8c75a2520bae5f536d6808e", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42037"], "package": "axios", "rule_id": "GHSA-445q-vr5w-6q77", "scanner": 
"osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42037|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3w6x-2g7m-8v23", "level": "warning", "message": {"text": "axios: GHSA-3w6x-2g7m-8v23"}, "properties": {"repobilityId": 124088, "scanner": "osv-scanner", "fingerprint": "b45ad419721eb782a549a48ce549ef0894acd9e41c24041b57507d7d9c2ff9f1", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42044"], "package": "axios", "rule_id": "GHSA-3w6x-2g7m-8v23", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42044|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q6x5-8v7m-xcrf", "level": "warning", "message": {"text": "@protobufjs/utf8: GHSA-q6x5-8v7m-xcrf"}, "properties": {"repobilityId": 124078, "scanner": "osv-scanner", "fingerprint": "a25db4b6d803c09e74d5ea389b8699d07c729c09398e61fdec788632b97166d5", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44288"], "package": "@protobufjs/utf8", "rule_id": "GHSA-q6x5-8v7m-xcrf", "scanner": "osv-scanner", "correlation_key": "vuln|protobufjs/utf8|CVE-2026-44288|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-92pp-h63x-v22m", "level": "warning", "message": {"text": "@hono/node-server: GHSA-92pp-h63x-v22m"}, "properties": {"repobilityId": 124075, "scanner": "osv-scanner", "fingerprint": "270a20e403ffcf71d643e6b9ebf6f0ff16bd311f6f091cd0bfeeca25bdb249c8", "category": "dependency", 
"severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39406"], "package": "@hono/node-server", "rule_id": "GHSA-92pp-h63x-v22m", "scanner": "osv-scanner", "correlation_key": "vuln|hono/node-server|CVE-2026-39406|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 124074, "scanner": "repobility-threat-engine", "fingerprint": "eb547fb76f89cd0abf479349903583c0e87cc73b164f8bddeb36e1d22993b351", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".extractall(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|scripts/updater/npm.py|69|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/updater/npm.py"}, "region": {"startLine": 69}}}]}, {"ruleId": "GHSA-hm8q-7f3q-5f36", "level": "note", "message": {"text": "hono: GHSA-hm8q-7f3q-5f36"}, "properties": {"repobilityId": 124149, "scanner": "osv-scanner", "fingerprint": "49a3c938d872050139fed09abb839cc86c9130f55e41168ee495a8c9e134bab1", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44459"], "package": "hono", "rule_id": "GHSA-hm8q-7f3q-5f36", "scanner": "osv-scanner", "correlation_key": 
"vuln|hono|CVE-2026-44459|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jfqx-fxh3-c62j", "level": "note", "message": {"text": "electron: GHSA-jfqx-fxh3-c62j"}, "properties": {"repobilityId": 124128, "scanner": "osv-scanner", "fingerprint": "733a4e8cc0a9c9bad084024ca7cee6f59f223ec4e74a80cf40155b483443d474", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34768"], "package": "electron", "rule_id": "GHSA-jfqx-fxh3-c62j", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34768|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f37v-82c4-4x64", "level": "note", "message": {"text": "electron: GHSA-f37v-82c4-4x64"}, "properties": {"repobilityId": 124126, "scanner": "osv-scanner", "fingerprint": "90b2b2964b9b2a3ae852e557f01a1f6e1904a62c256cecaa8ae852927253ce99", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34781"], "package": "electron", "rule_id": "GHSA-f37v-82c4-4x64", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34781|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9899-m83m-qhpj", "level": "note", "message": {"text": "electron: GHSA-9899-m83m-qhpj"}, "properties": {"repobilityId": 124123, "scanner": "osv-scanner", "fingerprint": "d4c48d0d425e4fa2ef3c40bffde224e536f262a5c6931a64b3de9b0093f8dc83", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": 
"", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34766"], "package": "electron", "rule_id": "GHSA-9899-m83m-qhpj", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34766|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8x5q-pvf5-64mp", "level": "note", "message": {"text": "electron: GHSA-8x5q-pvf5-64mp"}, "properties": {"repobilityId": 124122, "scanner": "osv-scanner", "fingerprint": "c6426b308c538bbef20815f167ceac44fe4821d8c540c3a63e4c3a568672ec76", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34764"], "package": "electron", "rule_id": "GHSA-8x5q-pvf5-64mp", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34764|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xhjh-pmcv-23jw", "level": "note", "message": {"text": "axios: GHSA-xhjh-pmcv-23jw"}, "properties": {"repobilityId": 124104, "scanner": "osv-scanner", "fingerprint": "fc59a08d283c946d0ad29290a0111cb615d11c2532a23d1fa15f415ed89dadea", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42040"], "package": "axios", "rule_id": "GHSA-xhjh-pmcv-23jw", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42040|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vpq2-c234-7xj6", "level": "note", "message": {"text": "@tootallnate/once: GHSA-vpq2-c234-7xj6"}, "properties": {"repobilityId": 124079, 
"scanner": "osv-scanner", "fingerprint": "f7789c07e5fe11b25b6c28a7d8c73f38211b053b7793af5f6cd94f1cfcad33a1", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-3449"], "package": "@tootallnate/once", "rule_id": "GHSA-vpq2-c234-7xj6", "scanner": "osv-scanner", "correlation_key": "vuln|tootallnate/once|CVE-2026-3449|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `discover_flake_inputs` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: continue=1, for=1, if=2, nested_bonus=2, or=1, ternary=1."}, "properties": {"repobilityId": 124064, "scanner": "repobility-threat-engine", "fingerprint": "b2b3574f98ea0cb36e16514051b564ae2391e229a25b8b298c5c5d05221c91e8", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 8 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "discover_flake_inputs", "breakdown": {"if": 2, "or": 1, "for": 1, "ternary": 1, "continue": 1, "nested_bonus": 2}, "complexity": 8, "correlation_key": "fp|b2b3574f98ea0cb36e16514051b564ae2391e229a25b8b298c5c5d05221c91e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/ci/discovery.py"}, "region": {"startLine": 95}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `write_matrix` has cognitive complexity 9 (SonarSource scale). 
Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: for=2, if=2, nested_bonus=5."}, "properties": {"repobilityId": 124063, "scanner": "repobility-threat-engine", "fingerprint": "11e4c867966695c1bebe6d1a5d449df63891eee47f9372c1b25f84b2481955d7", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 9 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "write_matrix", "breakdown": {"if": 2, "for": 2, "nested_bonus": 5}, "complexity": 9, "correlation_key": "fp|11e4c867966695c1bebe6d1a5d449df63891eee47f9372c1b25f84b2481955d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/ci/discovery.py"}, "region": {"startLine": 123}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `discover_packages` has cognitive complexity 13 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: else=1, for=2, if=4, nested_bonus=6."}, "properties": {"repobilityId": 124062, "scanner": "repobility-threat-engine", "fingerprint": "712054de8c5500460fe9ec47b21c30b08e12dccc21bd684d0da4bccedd2691da", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 13 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "discover_packages", "breakdown": {"if": 4, "for": 2, "else": 1, "nested_bonus": 6}, "complexity": 13, "correlation_key": "fp|712054de8c5500460fe9ec47b21c30b08e12dccc21bd684d0da4bccedd2691da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/ci/discovery.py"}, "region": {"startLine": 57}}}]}, {"ruleId": "DEPCUR-GHA", "level": "note", "message": {"text": "GitHub Action `cachix/install-nix-action@v31` is minor version(s) behind (latest v31.10.6)"}, "properties": {"repobilityId": 124058, "scanner": "repobility-dependency-currency", "fingerprint": "c98e788138cdb532e62980c5f04d7a1153aa3d0ad7468500bd42c952b74c4288", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "cachix/install-nix-action", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v31.10.6", "correlation_key": "fp|c98e788138cdb532e62980c5f04d7a1153aa3d0ad7468500bd42c952b74c4288", "current_version": "v31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-readme.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DEPCUR-GHA", "level": "note", "message": {"text": "GitHub Action `actions/create-github-app-token@v3` is minor version(s) behind (latest v3.2.0)"}, "properties": {"repobilityId": 124056, 
"scanner": "repobility-dependency-currency", "fingerprint": "c7e6a45711b84a47260acb7329b923f8736101618ae776a878086207be8e5224", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/create-github-app-token", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v3.2.0", "correlation_key": "fp|c7e6a45711b84a47260acb7329b923f8736101618ae776a878086207be8e5224", "current_version": "v3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-flake.yml"}, "region": {"startLine": 65}}}]}, {"ruleId": "DEPCUR-GHA", "level": "note", "message": {"text": "GitHub Action `cachix/install-nix-action@v31` is minor version(s) behind (latest v31.10.6)"}, "properties": {"repobilityId": 124055, "scanner": "repobility-dependency-currency", "fingerprint": "2a9cb5180c461c8a7b85bcc912223c420129545789c25304756b304c40aac68b", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "cachix/install-nix-action", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v31.10.6", "correlation_key": "fp|2a9cb5180c461c8a7b85bcc912223c420129545789c25304756b304c40aac68b", "current_version": "v31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-flake.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "DEPCUR-GHA", "level": "note", "message": {"text": "GitHub Action `cachix/install-nix-action@v31` is minor version(s) behind (latest v31.10.6)"}, "properties": {"repobilityId": 124053, "scanner": 
"repobility-dependency-currency", "fingerprint": "4165c9cc6deae6756a809f5b6671f31224d3ecd480d743d0d33e77c6efa4fe96", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "cachix/install-nix-action", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v31.10.6", "correlation_key": "fp|4165c9cc6deae6756a809f5b6671f31224d3ecd480d743d0d33e77c6efa4fe96", "current_version": "v31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-maintainers.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124038, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1707dd521b1c2e0b31d43a68f55a563b32d9a747395bc58efbf18f0776639788", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/copilot-language-server/update.py", "duplicate_line": 2, "correlation_key": "fp|1707dd521b1c2e0b31d43a68f55a563b32d9a747395bc58efbf18f0776639788"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/sandbox-runtime/update.py"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124037, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bff30ee4a49b1760b8d3cf4a319ecbeab394456ea4e5a4e5159c1a4f2c2f85ba", "category": 
"quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/backlog-md/update.py", "duplicate_line": 3, "correlation_key": "fp|bff30ee4a49b1760b8d3cf4a319ecbeab394456ea4e5a4e5159c1a4f2c2f85ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ralph-tui/update.py"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124036, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0129de5acb615bd8bd96a23218045a74321897bf48fe42f78c2b62f84ea1673b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/backlog-md/update.py", "duplicate_line": 3, "correlation_key": "fp|0129de5acb615bd8bd96a23218045a74321897bf48fe42f78c2b62f84ea1673b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/qmd/update.py"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124035, "scanner": "repobility-ai-code-hygiene", "fingerprint": "628a9e621ba482d33f45900c79ded9fd746384c89e3c6e5f861cf83742df8933", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two 
different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/copilot-language-server/update.py", "duplicate_line": 2, "correlation_key": "fp|628a9e621ba482d33f45900c79ded9fd746384c89e3c6e5f861cf83742df8933"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi/update.py"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124034, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7df0c579a748cc3cfcb2876b2e7b8bbd08bac068adb03786e48b73f9a4769f11", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/copilot-language-server/update.py", "duplicate_line": 2, "correlation_key": "fp|7df0c579a748cc3cfcb2876b2e7b8bbd08bac068adb03786e48b73f9a4769f11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/openspecui/update.py"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124033, "scanner": "repobility-ai-code-hygiene", "fingerprint": "98cc5abcf92099125c615eaae002c288e92a94765cc4830486cd99eae113d9f2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], 
"duplicate_file": "packages/copilot-language-server/update.py", "duplicate_line": 2, "correlation_key": "fp|98cc5abcf92099125c615eaae002c288e92a94765cc4830486cd99eae113d9f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/openspec/update.py"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124032, "scanner": "repobility-ai-code-hygiene", "fingerprint": "18f1e618884178a63018bb6068693177ba21fa028e9a763897a8f5db29e7ce8a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/catnip/update.py", "duplicate_line": 2, "correlation_key": "fp|18f1e618884178a63018bb6068693177ba21fa028e9a763897a8f5db29e7ce8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/opencode/update.py"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124031, "scanner": "repobility-ai-code-hygiene", "fingerprint": "be7960bba82d4185694c574d51683e15f2ddbada8e20b0df65e2348632e6f73a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/agentsview/update.py", "duplicate_line": 2, "correlation_key": "fp|be7960bba82d4185694c574d51683e15f2ddbada8e20b0df65e2348632e6f73a"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oh-my-codex/update.py"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124030, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ffcbdf2294b73574b2ffcef5d1d683b77d7e0d79362a2dbbe17948efca5cffe3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/copilot-language-server/update.py", "duplicate_line": 2, "correlation_key": "fp|ffcbdf2294b73574b2ffcef5d1d683b77d7e0d79362a2dbbe17948efca5cffe3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/letta-code/update.py"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124029, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0e0e7363cbd5bbae18ccc06a510bbf6e926e0d9d81ebbdd4d8fbdb8a23f9368f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/copilot-language-server/update.py", "duplicate_line": 2, "correlation_key": "fp|0e0e7363cbd5bbae18ccc06a510bbf6e926e0d9d81ebbdd4d8fbdb8a23f9368f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/iflow-cli/update.py"}, "region": {"startLine": 2}}}]}, {"ruleId": 
"AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124028, "scanner": "repobility-ai-code-hygiene", "fingerprint": "396533f039f2bdb82e548b12e233c2022edcb04ad4afaa1512d85088be224c6a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/antigravity-cli/update.py", "duplicate_line": 2, "correlation_key": "fp|396533f039f2bdb82e548b12e233c2022edcb04ad4afaa1512d85088be224c6a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/go-bin/update.py"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124027, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e62f55362cbfe5e3883422c575ec2ea6b14727ebbdaf188e4ea155c50780b49b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/backlog-md/update.py", "duplicate_line": 3, "correlation_key": "fp|e62f55362cbfe5e3883422c575ec2ea6b14727ebbdaf188e4ea155c50780b49b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/gno/update.py"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124026, "scanner": 
"repobility-ai-code-hygiene", "fingerprint": "ec213a4bca18316d1ade2fb8ba96beb589a9532886cc322f930b069929af1479", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/catnip/update.py", "duplicate_line": 2, "correlation_key": "fp|ec213a4bca18316d1ade2fb8ba96beb589a9532886cc322f930b069929af1479"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/forgecode/update.py"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124025, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a4d6ece79769d76f823fdf61562420a88b1bae07080302b6a99c8e9144287313", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/cursor-agent/update.py", "duplicate_line": 2, "correlation_key": "fp|a4d6ece79769d76f823fdf61562420a88b1bae07080302b6a99c8e9144287313"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/droid/update.py"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124024, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0d79a1349cbd489efb4f4c55e98bc93ed62ac1f044276dae617cd9c1f36e833a", "category": "quality", "severity": "low", "confidence": 0.86, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/agentsview/update.py", "duplicate_line": 2, "correlation_key": "fp|0d79a1349cbd489efb4f4c55e98bc93ed62ac1f044276dae617cd9c1f36e833a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/crush/update.py"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124023, "scanner": "repobility-ai-code-hygiene", "fingerprint": "73093326d56c846cca5e892f33c5977c87041cdab221970b98da948d48bde6c0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/agentsview/update.py", "duplicate_line": 2, "correlation_key": "fp|73093326d56c846cca5e892f33c5977c87041cdab221970b98da948d48bde6c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli-proxy-api/update.py"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 124073, "scanner": "repobility-threat-engine", "fingerprint": "1ab940311a3ed1dccd2f4d0d18b0159e6417d7601ce68e8082401e04ab31b164", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, 
"reason": "Safe pattern 'test\\b' detected on same line", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1ab940311a3ed1dccd2f4d0d18b0159e6417d7601ce68e8082401e04ab31b164"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/tuicr/check-tuicr.py"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 124069, "scanner": "repobility-threat-engine", "fingerprint": "a0769f34321ccb4a2408866410ff258332c2e3d0c176eda236c0efe5490d0026", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a0769f34321ccb4a2408866410ff258332c2e3d0c176eda236c0efe5490d0026"}}}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 8 more): Same pattern found in 8 additional files. 
Review if needed."}, "properties": {"repobilityId": 124065, "scanner": "repobility-threat-engine", "fingerprint": "d77c5009f48b7037f4b39dca2da19e88620f9ee944ab4de5a78fef76b97d4995", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "discover_packages", "breakdown": {"if": 4, "for": 2, "else": 1, "nested_bonus": 6}, "aggregated": true, "complexity": 13, "correlation_key": "fp|d77c5009f48b7037f4b39dca2da19e88620f9ee944ab4de5a78fef76b97d4995", "aggregated_count": 8}}}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 124061, "scanner": "repobility-threat-engine", "fingerprint": "e0836eb35b4efd495da79fc3ceea4ee0decef5548960b76aaabf366584629df2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e0836eb35b4efd495da79fc3ceea4ee0decef5548960b76aaabf366584629df2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/ci/discovery.py"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 
124060, "scanner": "repobility-threat-engine", "fingerprint": "2a3a205309c6446377308a119827189b0bbb97a4dbac863f8938761cd64c9288", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2a3a205309c6446377308a119827189b0bbb97a4dbac863f8938761cd64c9288"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/ci/create_pr.py"}, "region": {"startLine": 22}}}]}, {"ruleId": "DEPCUR-GHA", "level": "none", "message": {"text": "GitHub Action `actions/checkout@v6` is patch version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 124057, "scanner": "repobility-dependency-currency", "fingerprint": "1ff52f65fae8e28bf1f99e83e2bee8b7b038bd1d396518e5c7d383773a3259fe", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|1ff52f65fae8e28bf1f99e83e2bee8b7b038bd1d396518e5c7d383773a3259fe", "current_version": "v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-readme.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "DEPCUR-GHA", "level": "none", "message": {"text": "GitHub Action `actions/checkout@v6` is patch version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 
124054, "scanner": "repobility-dependency-currency", "fingerprint": "912bbf144f3357ba2dac3ae02fcf95f9311b1bde11ad78db7eb53feed65257e4", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|912bbf144f3357ba2dac3ae02fcf95f9311b1bde11ad78db7eb53feed65257e4", "current_version": "v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-flake.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "DEPCUR-GHA", "level": "none", "message": {"text": "GitHub Action `actions/checkout@v6` is patch version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 124052, "scanner": "repobility-dependency-currency", "fingerprint": "952679560227e12fd5e620ebd719c1bdf311edbf4dfd6e09788840a1d68a3848", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|952679560227e12fd5e620ebd719c1bdf311edbf4dfd6e09788840a1d68a3848", "current_version": "v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-maintainers.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "GHSA-p9ff-h696-f583", "level": "error", "message": {"text": "vite: GHSA-p9ff-h696-f583"}, "properties": {"repobilityId": 124195, "scanner": "osv-scanner", "fingerprint": "ccac025cba866752b0848c240b80eca06c0343bea87f5a44c1e1dd579490a4fb", 
"category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39363"], "package": "vite", "rule_id": "GHSA-p9ff-h696-f583", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2026-39363|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-ph9p-34f9-6g65", "level": "error", "message": {"text": "tmp: GHSA-ph9p-34f9-6g65"}, "properties": {"repobilityId": 124192, "scanner": "osv-scanner", "fingerprint": "ff68026afd589210ae1fb113c3cf5c0203ac4d553d60d175d5fe5dfefa2388ee", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44705"], "package": "tmp", "rule_id": "GHSA-ph9p-34f9-6g65", "scanner": "osv-scanner", "correlation_key": "vuln|tmp|CVE-2026-44705|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-hvx9-hwr7-wjj9", "level": "error", "message": {"text": "systeminformation: GHSA-hvx9-hwr7-wjj9"}, "properties": {"repobilityId": 124191, "scanner": "osv-scanner", "fingerprint": "ff278f1cde7181fccfa310cb6ead3417ab26897e12890b5bd10e2795fcc1789f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44724"], "package": "systeminformation", "rule_id": "GHSA-hvx9-hwr7-wjj9", "scanner": "osv-scanner", "correlation_key": "vuln|systeminformation|CVE-2026-44724|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-hffm-xvc3-vprc", 
"level": "error", "message": {"text": "simple-git: GHSA-hffm-xvc3-vprc"}, "properties": {"repobilityId": 124190, "scanner": "osv-scanner", "fingerprint": "cf4e4ab583585c8c910719aec09a7950b654035f9c0789b360120009e9cda9a3", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-6951"], "package": "simple-git", "rule_id": "GHSA-hffm-xvc3-vprc", "scanner": "osv-scanner", "correlation_key": "vuln|simple-git|CVE-2026-6951|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rxv8-25v2-qmq8", "level": "error", "message": {"text": "react-router: GHSA-rxv8-25v2-qmq8"}, "properties": {"repobilityId": 124189, "scanner": "osv-scanner", "fingerprint": "46cdcbe850f479484e5cff0aef16613d6139b7763bf22bd222b9e9b9d3c2e235", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34077"], "package": "react-router", "rule_id": "GHSA-rxv8-25v2-qmq8", "scanner": "osv-scanner", "correlation_key": "vuln|react-router|CVE-2026-34077|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8x6r-g9mw-2r78", "level": "error", "message": {"text": "react-router: GHSA-8x6r-g9mw-2r78"}, "properties": {"repobilityId": 124187, "scanner": "osv-scanner", "fingerprint": "89198d1a76e02b11f95d0ec66b3d9232a1b0dc9790f8cc123e3bec0a54bbb0a1", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42342"], "package": "react-router", "rule_id": "GHSA-8x6r-g9mw-2r78", "scanner": "osv-scanner", 
"correlation_key": "vuln|react-router|CVE-2026-42342|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8646-j5j9-6r62", "level": "error", "message": {"text": "react-router: GHSA-8646-j5j9-6r62"}, "properties": {"repobilityId": 124186, "scanner": "osv-scanner", "fingerprint": "1e91cdee3f2081bc798df0b70b54133268222a7047c701ac87a1f0b08f7a77ff", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33245"], "package": "react-router", "rule_id": "GHSA-8646-j5j9-6r62", "scanner": "osv-scanner", "correlation_key": "vuln|react-router|CVE-2026-33245|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-49rj-9fvp-4h2h", "level": "error", "message": {"text": "react-router: GHSA-49rj-9fvp-4h2h"}, "properties": {"repobilityId": 124185, "scanner": "osv-scanner", "fingerprint": "8f4fb4a125b1513ba728c81f00ff000ed3c373c3f5ca797072e6ce3525aa99e8", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42211"], "package": "react-router", "rule_id": "GHSA-49rj-9fvp-4h2h", "scanner": "osv-scanner", "correlation_key": "vuln|react-router|CVE-2026-42211|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jvwf-75h9-cwgg", "level": "error", "message": {"text": "protobufjs: GHSA-jvwf-75h9-cwgg"}, "properties": {"repobilityId": 124180, "scanner": "osv-scanner", "fingerprint": "3ce9714a7810a0aee1e4b480289299326d099a759ec8757624a519cc183b6d11", "category": "dependency", "severity": 
"high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44290"], "package": "protobufjs", "rule_id": "GHSA-jvwf-75h9-cwgg", "scanner": "osv-scanner", "correlation_key": "vuln|protobufjs|CVE-2026-44290|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-75px-5xx7-5xc7", "level": "error", "message": {"text": "protobufjs: GHSA-75px-5xx7-5xc7"}, "properties": {"repobilityId": 124177, "scanner": "osv-scanner", "fingerprint": "c42899d489de707372a8c03b18cdc093b0f0878ba9ec10bff81fd5e53452bffc", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44291"], "package": "protobufjs", "rule_id": "GHSA-75px-5xx7-5xc7", "scanner": "osv-scanner", "correlation_key": "vuln|protobufjs|CVE-2026-44291|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-685m-2w69-288q", "level": "error", "message": {"text": "protobufjs: GHSA-685m-2w69-288q"}, "properties": {"repobilityId": 124176, "scanner": "osv-scanner", "fingerprint": "587a0da4b14dd1894c81d61b5a29d0ab414842ef24d175e368426132e11319a5", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44289"], "package": "protobufjs", "rule_id": "GHSA-685m-2w69-288q", "scanner": "osv-scanner", "correlation_key": "vuln|protobufjs|CVE-2026-44289|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-66ff-xgx4-vchm", "level": "error", "message": 
{"text": "protobufjs: GHSA-66ff-xgx4-vchm"}, "properties": {"repobilityId": 124175, "scanner": "osv-scanner", "fingerprint": "7c1888f7efc693d0c13af8843264190303cea1c5393ac8f4beaae4bffd6fd3fe", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44293"], "package": "protobufjs", "rule_id": "GHSA-66ff-xgx4-vchm", "scanner": "osv-scanner", "correlation_key": "vuln|protobufjs|CVE-2026-44293|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c2c7-rcm5-vvqj", "level": "error", "message": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "properties": {"repobilityId": 124172, "scanner": "osv-scanner", "fingerprint": "5daf9d9bcbb9cc6ea8ef4bd969cd403b2e6512367c1107e0eb1a569d15c3d7c4", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33671"], "package": "picomatch", "rule_id": "GHSA-c2c7-rcm5-vvqj", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33671|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-j3q9-mxjg-w52f", "level": "error", "message": {"text": "path-to-regexp: GHSA-j3q9-mxjg-w52f"}, "properties": {"repobilityId": 124170, "scanner": "osv-scanner", "fingerprint": "4ecdf8c4e2e2cff522ab59a9787139bf81af6145953455b930050b4bff8e87ae", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4926"], "package": "path-to-regexp", "rule_id": "GHSA-j3q9-mxjg-w52f", "scanner": "osv-scanner", "correlation_key": 
"vuln|path-to-regexp|CVE-2026-4926|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7r86-cg39-jmmj", "level": "error", "message": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "properties": {"repobilityId": 124168, "scanner": "osv-scanner", "fingerprint": "b762c93567c5f60a297039f6b9054f7c8016d8e7ce6168bf4a703ab8e6a58711", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27903"], "package": "minimatch", "rule_id": "GHSA-7r86-cg39-jmmj", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27903|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3ppc-4f35-3m26", "level": "error", "message": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "properties": {"repobilityId": 124167, "scanner": "osv-scanner", "fingerprint": "96795b6493ddf3ea7a02507d59ab1901ba2a7f9ec18d6c8c71d8e4bbf5c0e452", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-26996"], "package": "minimatch", "rule_id": "GHSA-3ppc-4f35-3m26", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-26996|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-23c5-xmqv-rm74", "level": "error", "message": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "properties": {"repobilityId": 124166, "scanner": "osv-scanner", "fingerprint": "cd7b9b08190e414e8d19fe1b224f76b1a6f465388724874e315c1b17af8eaa21", "category": "dependency", "severity": "high", "confidence": 0.88, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27904"], "package": "minimatch", "rule_id": "GHSA-23c5-xmqv-rm74", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27904|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r5fr-rjxr-66jc", "level": "error", "message": {"text": "lodash-es: GHSA-r5fr-rjxr-66jc"}, "properties": {"repobilityId": 124161, "scanner": "osv-scanner", "fingerprint": "36b6c6b11f949f945e981348efba43a68bbd8a71a4d0784a4df43d2dc84b66d8", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4800"], "package": "lodash-es", "rule_id": "GHSA-r5fr-rjxr-66jc", "scanner": "osv-scanner", "correlation_key": "vuln|lodash-es|CVE-2026-4800|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r5fr-rjxr-66jc", "level": "error", "message": {"text": "lodash: GHSA-r5fr-rjxr-66jc"}, "properties": {"repobilityId": 124159, "scanner": "osv-scanner", "fingerprint": "67753c4f5a3c30a29ac9694b61cb8eb9d960823ce1d17f316f1114e8bc78891a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4800"], "package": "lodash", "rule_id": "GHSA-r5fr-rjxr-66jc", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2026-4800|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8gc5-j5rx-235r", "level": "error", "message": {"text": "fast-xml-parser: GHSA-8gc5-j5rx-235r"}, 
"properties": {"repobilityId": 124137, "scanner": "osv-scanner", "fingerprint": "6e6db78809d78423789d3788a4e8903c8b1eda0b82d1ff29ad8da9b47e4dd1dd", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33036"], "package": "fast-xml-parser", "rule_id": "GHSA-8gc5-j5rx-235r", "scanner": "osv-scanner", "correlation_key": "vuln|fast-xml-parser|CVE-2026-26278|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5wm8-gmm8-39j9", "level": "error", "message": {"text": "fast-xml-builder: GHSA-5wm8-gmm8-39j9"}, "properties": {"repobilityId": 124136, "scanner": "osv-scanner", "fingerprint": "f878f32b4b0b96cddff75ae4395cdfff6cfde4fa2ee7ec48c41e739bb36985a0", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44665"], "package": "fast-xml-builder", "rule_id": "GHSA-5wm8-gmm8-39j9", "scanner": "osv-scanner", "correlation_key": "vuln|fast-xml-builder|CVE-2026-44665|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v39h-62p7-jpjc", "level": "error", "message": {"text": "fast-uri: GHSA-v39h-62p7-jpjc"}, "properties": {"repobilityId": 124135, "scanner": "osv-scanner", "fingerprint": "b87461134b954ff3d1d0654ca74e6bd922f0849b797eac517eaa396c0e4e4265", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-6322"], "package": "fast-uri", "rule_id": "GHSA-v39h-62p7-jpjc", "scanner": "osv-scanner", "correlation_key": 
"vuln|fast-uri|CVE-2026-6322|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q3j6-qgpj-74h6", "level": "error", "message": {"text": "fast-uri: GHSA-q3j6-qgpj-74h6"}, "properties": {"repobilityId": 124134, "scanner": "osv-scanner", "fingerprint": "9adc7ebfbf76f3718ed84419e316a2b7a3227f964182e34fdfa1c2734ae77b5e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-6321"], "package": "fast-uri", "rule_id": "GHSA-q3j6-qgpj-74h6", "scanner": "osv-scanner", "correlation_key": "vuln|fast-uri|CVE-2026-6321|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jjp3-mq3x-295m", "level": "error", "message": {"text": "electron: GHSA-jjp3-mq3x-295m"}, "properties": {"repobilityId": 124129, "scanner": "osv-scanner", "fingerprint": "bcaf106b3d35bbf5ffd32e7461b98b6219f57dd3ba1437bec3b2f06afbe150b9", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34770"], "package": "electron", "rule_id": "GHSA-jjp3-mq3x-295m", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34770|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9wfr-w7mm-pc7f", "level": "error", "message": {"text": "electron: GHSA-9wfr-w7mm-pc7f"}, "properties": {"repobilityId": 124125, "scanner": "osv-scanner", "fingerprint": "a5391a24fcad882a50e1ee1e89aab803ebb7f34334f9d7f7dc5aea404c44ff61", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", 
"verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34769"], "package": "electron", "rule_id": "GHSA-9wfr-w7mm-pc7f", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34769|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8337-3p73-46f4", "level": "error", "message": {"text": "electron: GHSA-8337-3p73-46f4"}, "properties": {"repobilityId": 124121, "scanner": "osv-scanner", "fingerprint": "0c9bf1d14cbd97c59f38ab3872264f84c2092ad9e1ad6b90af3776a38578ed8d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34771"], "package": "electron", "rule_id": "GHSA-8337-3p73-46f4", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34771|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-532v-xpq5-8h95", "level": "error", "message": {"text": "electron: GHSA-532v-xpq5-8h95"}, "properties": {"repobilityId": 124119, "scanner": "osv-scanner", "fingerprint": "dd72cbe9a6cef966eab0cb025418986a0ab7be9c4b0fd2c632811a27df6c9681", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34774"], "package": "electron", "rule_id": "GHSA-532v-xpq5-8h95", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34774|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-737v-mqg7-c878", "level": "error", "message": {"text": "defu: GHSA-737v-mqg7-c878"}, "properties": {"repobilityId": 
124108, "scanner": "osv-scanner", "fingerprint": "d7a4aa0b3e922f4eff760712853789a62e47d94b78640b431e583694f8bcda3c", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-35209"], "package": "defu", "rule_id": "GHSA-737v-mqg7-c878", "scanner": "osv-scanner", "correlation_key": "vuln|defu|CVE-2026-35209|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q8qp-cvcw-x6jj", "level": "error", "message": {"text": "axios: GHSA-q8qp-cvcw-x6jj"}, "properties": {"repobilityId": 124101, "scanner": "osv-scanner", "fingerprint": "624f946e42fbe4d498da4c6e8f0c0e8d976c89fc1d60b3b7898f3c7cc3e30f40", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42264"], "package": "axios", "rule_id": "GHSA-q8qp-cvcw-x6jj", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42264|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-pf86-5x62-jrwf", "level": "error", "message": {"text": "axios: GHSA-pf86-5x62-jrwf"}, "properties": {"repobilityId": 124100, "scanner": "osv-scanner", "fingerprint": "ab0d0579116b2769fc12e228dfd218f99ed8e3ee7595e1e60e56f161baa1eb10", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42033"], "package": "axios", "rule_id": "GHSA-pf86-5x62-jrwf", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42033|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-p92q-9vqr-4j8v", "level": "error", "message": {"text": "axios: GHSA-p92q-9vqr-4j8v"}, "properties": {"repobilityId": 124099, "scanner": "osv-scanner", "fingerprint": "4648f8354d6c09bab246ec5f41c050648f09c3a8f91f7672a2428012fa8343f9", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44487"], "package": "axios", "rule_id": "GHSA-p92q-9vqr-4j8v", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44487|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-j5f8-grm9-p9fc", "level": "error", "message": {"text": "axios: GHSA-j5f8-grm9-p9fc"}, "properties": {"repobilityId": 124097, "scanner": "osv-scanner", "fingerprint": "609f15a1d01279784c2aca3983f0ae91f26cbdb59aa3da89f06cf4d893342a19", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44486"], "package": "axios", "rule_id": "GHSA-j5f8-grm9-p9fc", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44486|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-hfxv-24rg-xrqf", "level": "error", "message": {"text": "axios: GHSA-hfxv-24rg-xrqf"}, "properties": {"repobilityId": 124096, "scanner": "osv-scanner", "fingerprint": "cb86c646fce71a84621dae87641e1ca9dcf4c7684099058ecb5ace7d902964f3", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44496"], "package": "axios", "rule_id": 
"GHSA-hfxv-24rg-xrqf", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44496|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-777c-7fjr-54vf", "level": "error", "message": {"text": "axios: GHSA-777c-7fjr-54vf"}, "properties": {"repobilityId": 124093, "scanner": "osv-scanner", "fingerprint": "3fe9a06391a2ea0f4763ef4cd759fb2ef1110437a2c0184207b895e5d0b17e38", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44488"], "package": "axios", "rule_id": "GHSA-777c-7fjr-54vf", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44488|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6chq-wfr3-2hj9", "level": "error", "message": {"text": "axios: GHSA-6chq-wfr3-2hj9"}, "properties": {"repobilityId": 124092, "scanner": "osv-scanner", "fingerprint": "141264064e41574e68d0cbab3c4561da7c848425af52cc26f440b61785783718", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42035"], "package": "axios", "rule_id": "GHSA-6chq-wfr3-2hj9", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42035|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-pjwm-pj3p-43mv", "level": "error", "message": {"text": "axios: GHSA-pjwm-pj3p-43mv"}, "properties": {"repobilityId": 124087, "scanner": "osv-scanner", "fingerprint": "f5d6c668e3e19a66de13df0e5072240475a6272d860459a4a4c73d6ea44842cf", "category": "dependency", "severity": "high", 
"confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-44492"], "package": "axios", "rule_id": "GHSA-pjwm-pj3p-43mv", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2025-62718|packages/aionui/bun.lock", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-3p68-rc4w-qgx5", "GHSA-pjwm-pj3p-43mv", "GHSA-pmwg-cvhr-8vh7"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["2f4718864d87b3e3e46c734cfbe08aa1840f4f98a5f3c4f6e893decd106c5d22", "75feda4e0e31718d7e9ec05ade4f2b527b07137cad59fd9fefdf8ec91baf7a43", "f5d6c668e3e19a66de13df0e5072240475a6272d860459a4a4c73d6ea44842cf"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3g43-6gmg-66jw", "level": "error", "message": {"text": "axios: GHSA-3g43-6gmg-66jw"}, "properties": {"repobilityId": 124086, "scanner": "osv-scanner", "fingerprint": "a565c47b9b156ef80b5f5ff5bde7727846f0caa3efc0d35190477c614a7fa988", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44495"], "package": "axios", "rule_id": "GHSA-3g43-6gmg-66jw", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44495|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-35jp-ww65-95wh", "level": "error", "message": {"text": "axios: GHSA-35jp-ww65-95wh"}, "properties": {"repobilityId": 124085, "scanner": "osv-scanner", "fingerprint": "587424bb96ad81102507632ea998ff2edeaf5ee2459c4496b2553a55493fbb7b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": 
"", "evidence": {"match": "", "aliases": ["CVE-2026-44494"], "package": "axios", "rule_id": "GHSA-35jp-ww65-95wh", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44494|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-x6wf-f3px-wcqx", "level": "error", "message": {"text": "@xmldom/xmldom: GHSA-x6wf-f3px-wcqx"}, "properties": {"repobilityId": 124084, "scanner": "osv-scanner", "fingerprint": "1ced863037c13aca5b48e87f4a4a80c0005c07602c1f03ada6650371239d3298", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41675"], "package": "@xmldom/xmldom", "rule_id": "GHSA-x6wf-f3px-wcqx", "scanner": "osv-scanner", "correlation_key": "vuln|xmldom/xmldom|CVE-2026-41675|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-wh4c-j3r5-mjhp", "level": "error", "message": {"text": "@xmldom/xmldom: GHSA-wh4c-j3r5-mjhp"}, "properties": {"repobilityId": 124083, "scanner": "osv-scanner", "fingerprint": "2be5d3879af4d7ad400009076e5cf45c15257156325977732ea10c6b77569f1a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34601"], "package": "@xmldom/xmldom", "rule_id": "GHSA-wh4c-j3r5-mjhp", "scanner": "osv-scanner", "correlation_key": "vuln|xmldom/xmldom|CVE-2026-34601|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-j759-j44w-7fr8", "level": "error", "message": {"text": "@xmldom/xmldom: GHSA-j759-j44w-7fr8"}, "properties": {"repobilityId": 124082, 
"scanner": "osv-scanner", "fingerprint": "696bf7b8be38e0e657e28028b4a601bb8c2e562bbfc9e20fff84cec47204c9f7", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41672"], "package": "@xmldom/xmldom", "rule_id": "GHSA-j759-j44w-7fr8", "scanner": "osv-scanner", "correlation_key": "vuln|xmldom/xmldom|CVE-2026-41672|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f6ww-3ggp-fr8h", "level": "error", "message": {"text": "@xmldom/xmldom: GHSA-f6ww-3ggp-fr8h"}, "properties": {"repobilityId": 124081, "scanner": "osv-scanner", "fingerprint": "4fe7feaee6bfba70c3c859fadd9c811792762323b084f82cc8a9be5e79bcec5e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41674"], "package": "@xmldom/xmldom", "rule_id": "GHSA-f6ww-3ggp-fr8h", "scanner": "osv-scanner", "correlation_key": "vuln|xmldom/xmldom|CVE-2026-41674|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2v35-w6hq-6mfw", "level": "error", "message": {"text": "@xmldom/xmldom: GHSA-2v35-w6hq-6mfw"}, "properties": {"repobilityId": 124080, "scanner": "osv-scanner", "fingerprint": "9088853936696a5eb575d062847faee4b31d580f6291bd5978bc63ef46d32d19", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41673"], "package": "@xmldom/xmldom", "rule_id": "GHSA-2v35-w6hq-6mfw", "scanner": "osv-scanner", "correlation_key": "vuln|xmldom/xmldom|CVE-2026-41673|packages/aionui/bun.lock"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q7rr-3cgh-j5r3", "level": "error", "message": {"text": "@opentelemetry/sdk-node: GHSA-q7rr-3cgh-j5r3"}, "properties": {"repobilityId": 124077, "scanner": "osv-scanner", "fingerprint": "a701c371e9f1c42d24722e7e1fe8d2abf59f06f82abdd0892414b6c00c7d97e2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44902"], "package": "@opentelemetry/sdk-node", "rule_id": "GHSA-q7rr-3cgh-j5r3", "scanner": "osv-scanner", "correlation_key": "vuln|opentelemetry/sdk-node|CVE-2026-44902|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q7rr-3cgh-j5r3", "level": "error", "message": {"text": "@opentelemetry/exporter-prometheus: GHSA-q7rr-3cgh-j5r3"}, "properties": {"repobilityId": 124076, "scanner": "osv-scanner", "fingerprint": "9f3faeb4c1836767d8a9921848a573ebd3444f477e1b7243127f4b890d6feb56", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44902"], "package": "@opentelemetry/exporter-prometheus", "rule_id": "GHSA-q7rr-3cgh-j5r3", "scanner": "osv-scanner", "correlation_key": "vuln|token|CVE-2026-44902|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC080", "level": "error", "message": {"text": "[SEC080] Python: tarfile.extractall without filter: tarfile.extract*() without filter='data' allows path-traversal (CVE-2007-4559, fixed via PEP 706 in 3.12). 
Ported from bandit B202 (Apache-2.0)."}, "properties": {"repobilityId": 124072, "scanner": "repobility-threat-engine", "fingerprint": "8fe611484e3cc99d79bdbf6cfcf44263989e2d8f08ee8992ebb99576fbeb2fd8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "tar.extractfile(member)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC080", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8fe611484e3cc99d79bdbf6cfcf44263989e2d8f08ee8992ebb99576fbeb2fd8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/codex-acp/update.py"}, "region": {"startLine": 57}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 124071, "scanner": "repobility-threat-engine", "fingerprint": "6a9f93c0ca8e514d2d5bf6d7099745bdb4c3ccf22210b90bc7e2fbc498e98a0c", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(\n                        r'source = \"git\\+https://github\\.com/([^/]+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|61|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/codex-acp/update.py"}, "region": {"startLine": 61}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an 
LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 124070, "scanner": "repobility-threat-engine", "fingerprint": "ec49ac09ef809021fb1519fbac443d02647983ca45079d5560d8e0ccd6c7bfbd", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(r'rev\\s*=\\s*\"v([^\"]+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|36|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/claudebox/update.py"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 124068, "scanner": "repobility-threat-engine", "fingerprint": "5a1e524d9f1a46f31562efc7ac2a55a6c6cab00397645c4bb26b4a1999dffb4c", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5a1e524d9f1a46f31562efc7ac2a55a6c6cab00397645c4bb26b4a1999dffb4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/backlog-md/update.py"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 124067, "scanner": "repobility-threat-engine", "fingerprint": "09743cd18e83348c0b79b29376183007eb335d5419a3d51fb7bb95745fc12aba", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|09743cd18e83348c0b79b29376183007eb335d5419a3d51fb7bb95745fc12aba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/aionui/update.py"}, "region": {"startLine": 107}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 124066, "scanner": "repobility-threat-engine", "fingerprint": "6ed1ce434f8012ae6cffe027f01db31848248b738b47a46eaddc70899a9c7621", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL (p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6ed1ce434f8012ae6cffe027f01db31848248b738b47a46eaddc70899a9c7621"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/ci/update.py"}, "region": {"startLine": 7}}}]}, {"ruleId": "SEC004", "level": "error", "message": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "properties": {"repobilityId": 124059, "scanner": "repobility-threat-engine", "fingerprint": "7b1d62b5c7f5b662a66699a2d7cfcd6b910265cb48032640eb46f01f8ea800e0", "category": "injection", "severity": "high", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "evidence": {"match": "branch = f\"update", "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "rule_id": "SEC004", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|.github/ci/create_pr.py|62|sec004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/ci/create_pr.py"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `Mic92/auto-merge` pinned to mutable ref `@main`"}, "properties": {"repobilityId": 124051, "scanner": "repobility-supply-chain", "fingerprint": 
"423718eb8678fd7e8bbd378a9f4ae71e7e3592d090f2ee7172ae4604ff5c8bde", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|423718eb8678fd7e8bbd378a9f4ae71e7e3592d090f2ee7172ae4604ff5c8bde"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/auto-merge.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `cachix/install-nix-action` pinned to mutable ref `@v31`"}, "properties": {"repobilityId": 124050, "scanner": "repobility-supply-chain", "fingerprint": "8559a7ff9ca8b67c5aed6789573809048edd62ed739e98328c8fa31b671a616b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8559a7ff9ca8b67c5aed6789573809048edd62ed739e98328c8fa31b671a616b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-readme.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 124049, "scanner": "repobility-supply-chain", "fingerprint": "f97f6b3e3397f3e72ccb015b167c0ce5c26fdcc07a92f14d49b741a2217f046c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": 
["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f97f6b3e3397f3e72ccb015b167c0ce5c26fdcc07a92f14d49b741a2217f046c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-readme.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `cachix/install-nix-action` pinned to mutable ref `@v31`"}, "properties": {"repobilityId": 124048, "scanner": "repobility-supply-chain", "fingerprint": "32dd01f721e135c76d38d622d24d8077a9dcd5520164eee391ef509fe9df11a3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|32dd01f721e135c76d38d622d24d8077a9dcd5520164eee391ef509fe9df11a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-flake.yml"}, "region": {"startLine": 150}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 124047, "scanner": "repobility-supply-chain", "fingerprint": "57bc106f8dc479876e9c3bd621b9ea1fdf44ddde9c8c760fb5048af0a2c7dc10", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|57bc106f8dc479876e9c3bd621b9ea1fdf44ddde9c8c760fb5048af0a2c7dc10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-flake.yml"}, 
"region": {"startLine": 145}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/create-github-app-token` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 124046, "scanner": "repobility-supply-chain", "fingerprint": "d9f3d553461e770c203bc01de8206e12f16102149338e84abf288285a35e7a75", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d9f3d553461e770c203bc01de8206e12f16102149338e84abf288285a35e7a75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-flake.yml"}, "region": {"startLine": 140}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `cachix/install-nix-action` pinned to mutable ref `@v31`"}, "properties": {"repobilityId": 124045, "scanner": "repobility-supply-chain", "fingerprint": "aa4cad56e163f64b510b184fc82dca1d7955d30817a03d09c9f0f797336359ae", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|aa4cad56e163f64b510b184fc82dca1d7955d30817a03d09c9f0f797336359ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-flake.yml"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 124044, "scanner": "repobility-supply-chain", "fingerprint": 
"741b71f3bc3f2351065086f2acb83e92c68db539a3c3c40405f774513304fab3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|741b71f3bc3f2351065086f2acb83e92c68db539a3c3c40405f774513304fab3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-flake.yml"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/create-github-app-token` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 124043, "scanner": "repobility-supply-chain", "fingerprint": "0fe70b985de0cf2634fc9f4e7d5f126eb41e014294a39574887d473b46195495", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0fe70b985de0cf2634fc9f4e7d5f126eb41e014294a39574887d473b46195495"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-flake.yml"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `cachix/install-nix-action` pinned to mutable ref `@v31`"}, "properties": {"repobilityId": 124042, "scanner": "repobility-supply-chain", "fingerprint": "5f9a11390dc91b1f709e98cd1d62bfe6799b7989f8069eef98402728b621a9d9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": 
"A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5f9a11390dc91b1f709e98cd1d62bfe6799b7989f8069eef98402728b621a9d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-flake.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 124041, "scanner": "repobility-supply-chain", "fingerprint": "1b06392cdfac060258cc34e2973f8ebc58f6e427b67bb7e6d4cf170e83232f16", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1b06392cdfac060258cc34e2973f8ebc58f6e427b67bb7e6d4cf170e83232f16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-flake.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `cachix/install-nix-action` pinned to mutable ref `@v31`"}, "properties": {"repobilityId": 124040, "scanner": "repobility-supply-chain", "fingerprint": "3ef9045001de62916f1441a2b436ccf2d87f423703b3976459b25fc773261d5a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3ef9045001de62916f1441a2b436ccf2d87f423703b3976459b25fc773261d5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
".github/workflows/check-maintainers.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 124039, "scanner": "repobility-supply-chain", "fingerprint": "de98239fafca6ccd9981f651f3d6d30835fb425e78d9bea1ed5d17b5bd01a6e8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|de98239fafca6ccd9981f651f3d6d30835fb425e78d9bea1ed5d17b5bd01a6e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-maintainers.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "error", "message": {"text": "No test files found"}, "properties": {"repobilityId": 124022, "scanner": "repobility-core", "fingerprint": "0200e9918bc2a7bf9c116d0907e50ac3df640c758b93852cf1890ec6e14d870d", "category": "testing", "severity": "high", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "correlation_key": "repo|testing|core_no_tests"}}}, {"ruleId": "GHSA-5xrq-8626-4rwp", "level": "error", "message": {"text": "vitest: GHSA-5xrq-8626-4rwp"}, "properties": {"repobilityId": 124205, "scanner": "osv-scanner", "fingerprint": "c209ee548a179742823415b3a08849ba4685b9f48487f782441245730f3fe9b4", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-47429"], "package": "vitest", "rule_id": 
"GHSA-5xrq-8626-4rwp", "scanner": "osv-scanner", "correlation_key": "vuln|vitest|CVE-2026-47429|token", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-5xrq-8626-4rwp"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["a375057381a6db51f84f8d8806ceaa81bc5e3161257e98a1f21b9b4f11911058", "ada3db25297e1a09607c97f473639df48436af9f0cec3034b244b2d8e1667896", "c209ee548a179742823415b3a08849ba4685b9f48487f782441245730f3fe9b4"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/iflow-cli/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-fjxv-7rqg-78g4", "level": "error", "message": {"text": "form-data: GHSA-fjxv-7rqg-78g4"}, "properties": {"repobilityId": 124200, "scanner": "osv-scanner", "fingerprint": "8c9e59523da6b1f36a199f00cd16322b985054817f6aaa629331e1c9c8b7e07c", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-7783"], "package": "form-data", "rule_id": "GHSA-fjxv-7rqg-78g4", "scanner": "osv-scanner", "correlation_key": "vuln|form-data|CVE-2025-7783|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/iflow-cli/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xq3m-2v4x-88gg", "level": "error", "message": {"text": "protobufjs: GHSA-xq3m-2v4x-88gg"}, "properties": {"repobilityId": 124182, "scanner": "osv-scanner", "fingerprint": "086d2c1f0f5728b385a1262c85a8472db402a7e251e795db2ba237ac304dd3f2", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41242"], "package": "protobufjs", "rule_id": "GHSA-xq3m-2v4x-88gg", "scanner": "osv-scanner", "correlation_key": "vuln|protobufjs|CVE-2026-41242|packages/aionui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "packages/aionui/bun.lock"}, "region": {"startLine": 1}}}]}]}]}