{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "GHSA-58qx-3vcg-4xpx", "name": "ws: GHSA-58qx-3vcg-4xpx", "shortDescription": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "fullDescription": {"text": "ws: Uninitialized memory disclosure"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-hcf7-66rw-9f5r", "name": "turbo: GHSA-hcf7-66rw-9f5r", "shortDescription": {"text": "turbo: GHSA-hcf7-66rw-9f5r"}, "fullDescription": {"text": "Turbo: Login callback CSRF/session fixation"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q8mj-m7cp-5q26", "name": "qs: GHSA-q8mj-m7cp-5q26", "shortDescription": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "fullDescription": {"text": "qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xrhx-7g5j-rcj5", "name": "hono: GHSA-xrhx-7g5j-rcj5", "shortDescription": {"text": "hono: GHSA-xrhx-7g5j-rcj5"}, "fullDescription": {"text": "Hono: IP Restriction bypasses static deny rules for non-canonical IPv6"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f577-qrjj-4474", "name": "hono: GHSA-f577-qrjj-4474", "shortDescription": {"text": "hono: GHSA-f577-qrjj-4474"}, "fullDescription": {"text": "Hono: JWT middleware accepts any Authorization scheme, not only Bearer"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": 
"", "owasp": ""}}, {"id": "GHSA-3hrh-pfw6-9m5x", "name": "hono: GHSA-3hrh-pfw6-9m5x", "shortDescription": {"text": "hono: GHSA-3hrh-pfw6-9m5x"}, "fullDescription": {"text": "Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2gcr-mfcq-wcc3", "name": "hono: GHSA-2gcr-mfcq-wcc3", "shortDescription": {"text": "hono: GHSA-2gcr-mfcq-wcc3"}, "fullDescription": {"text": "Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-GHA", "name": "GitHub Action `actions/cache@v4` is 1 major version(s) behind (latest v5.0.5)", "shortDescription": {"text": "GitHub Action `actions/cache@v4` is 1 major version(s) behind (latest v5.0.5)"}, "fullDescription": {"text": "`uses: actions/cache@v4` is 1 major version(s) behind the latest published release v5.0.5. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises \u2014 and which Repobility had no coverage for."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `jsdom` is 1 major version(s) behind (^28.1.0 -> 29.1.1)", "shortDescription": {"text": "npm package `jsdom` is 1 major version(s) behind (^28.1.0 -> 29.1.1)"}, "fullDescription": {"text": "`jsdom` is pinned/resolved at ^28.1.0 but the latest stable release on the npm registry is 29.1.1 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. 
This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Sitemap directives in robots.txt help crawlers and AI agents find the canonical public URL inventory quickly."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "GHSA-3qcw-2rhx-2726", "name": "turbo: GHSA-3qcw-2rhx-2726", "shortDescription": {"text": "turbo: GHSA-3qcw-2rhx-2726"}, "fullDescription": {"text": "Turbo: Unexpected local code execution during Yarn Berry detection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order.", "shortDescription": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. 
The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/cache` pinned to mutable ref `@v4`", "shortDescription": {"text": "Action `actions/cache` pinned to mutable ref `@v4`"}, "fullDescription": {"text": "`uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found", "shortDescription": {"text": "No test files found"}, "fullDescription": {"text": "Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). 
Start with tests for critical business logic and security-sensitive functions."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/929"}, "properties": {"repository": "OpenCut-app/OpenCut", "repoUrl": "https://github.com/OpenCut-app/OpenCut", "branch": "main"}, "results": [{"ruleId": "GHSA-58qx-3vcg-4xpx", "level": "warning", "message": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "properties": {"repobilityId": 87082, "scanner": "osv-scanner", "fingerprint": "7140a347f43d913d0ce0f89b1e8e1a29964282f71d7bf4231c29b3ff5bd1c5d2", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45736"], "package": "ws", "rule_id": "GHSA-58qx-3vcg-4xpx", "scanner": "osv-scanner", "correlation_key": "vuln|ws|CVE-2026-45736|bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-hcf7-66rw-9f5r", "level": "warning", "message": {"text": "turbo: GHSA-hcf7-66rw-9f5r"}, "properties": {"repobilityId": 87081, "scanner": "osv-scanner", "fingerprint": "2ffe150111b45121beb933245c88b3f5d0b49d7e138adf82688a7d89b41db70b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45773"], "package": "turbo", "rule_id": "GHSA-hcf7-66rw-9f5r", "scanner": "osv-scanner", "correlation_key": "vuln|turbo|CVE-2026-45773|bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q8mj-m7cp-5q26", "level": "warning", "message": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "properties": {"repobilityId": 87079, "scanner": "osv-scanner", "fingerprint": 
"1c600810294331b7ac020d001388872c111ae0101ebb6b346b78598184c0cf6a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-8723"], "package": "qs", "rule_id": "GHSA-q8mj-m7cp-5q26", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2026-8723|bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xrhx-7g5j-rcj5", "level": "warning", "message": {"text": "hono: GHSA-xrhx-7g5j-rcj5"}, "properties": {"repobilityId": 87078, "scanner": "osv-scanner", "fingerprint": "bc61d173f23a6e1f59988756b0a0896f8dc55cf03fb22b10be16e2a9c6281ab1", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47674"], "package": "hono", "rule_id": "GHSA-xrhx-7g5j-rcj5", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-47674|bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f577-qrjj-4474", "level": "warning", "message": {"text": "hono: GHSA-f577-qrjj-4474"}, "properties": {"repobilityId": 87077, "scanner": "osv-scanner", "fingerprint": "cb67ae2f285acd28e376583a84fafcb6ead2554f8be9eef29f1277a81875216e", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47673"], "package": "hono", "rule_id": "GHSA-f577-qrjj-4474", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-47673|bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3hrh-pfw6-9m5x", "level": "warning", "message": {"text": "hono: GHSA-3hrh-pfw6-9m5x"}, 
"properties": {"repobilityId": 87076, "scanner": "osv-scanner", "fingerprint": "71e94aec6b7e33310ace90626c362226fe54fb578470dd4468e34ce6ab2140e6", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47675"], "package": "hono", "rule_id": "GHSA-3hrh-pfw6-9m5x", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-47675|bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2gcr-mfcq-wcc3", "level": "warning", "message": {"text": "hono: GHSA-2gcr-mfcq-wcc3"}, "properties": {"repobilityId": 87075, "scanner": "osv-scanner", "fingerprint": "cb05adee456b1adfbe77feae514a5f8f64e248266e49a34661d4a28c74bf76b9", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47676"], "package": "hono", "rule_id": "GHSA-2gcr-mfcq-wcc3", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-47676|bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/cache@v4` is 1 major version(s) behind (latest v5.0.5)"}, "properties": {"repobilityId": 87067, "scanner": "repobility-dependency-currency", "fingerprint": "4358ace7c03a3992b0d88e4d6037e7a1851f2dc0d3f8214c2b77fb5244eb4b5e", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/cache", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v5.0.5", 
"correlation_key": "fp|4358ace7c03a3992b0d88e4d6037e7a1851f2dc0d3f8214c2b77fb5244eb4b5e", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bun-ci.yml"}, "region": {"startLine": 48}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 87066, "scanner": "repobility-dependency-currency", "fingerprint": "07d0c0a7b05ee2c385cc138b59a9d78220bffb5eb381ee5c3cf0d8d6adb23ae3", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|07d0c0a7b05ee2c385cc138b59a9d78220bffb5eb381ee5c3cf0d8d6adb23ae3", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bun-ci.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `jsdom` is 1 major version(s) behind (^28.1.0 -> 29.1.1)"}, "properties": {"repobilityId": 87065, "scanner": "repobility-dependency-currency", "fingerprint": "594645adbb17b2766b6c5f6b73d328edc3760ce862746cf1b2541219ed606a0a", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "jsdom", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "29.1.1", "correlation_key": "fp|594645adbb17b2766b6c5f6b73d328edc3760ce862746cf1b2541219ed606a0a", "current_version": "^28.1.0"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 87083, "scanner": "repobility-web-presence", "fingerprint": "36616afe73ce0d443ad888e95f916b1ce0401ccd6e655624b536bfa356e3dab4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|36616afe73ce0d443ad888e95f916b1ce0401ccd6e655624b536bfa356e3dab4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/public/robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3qcw-2rhx-2726", "level": "note", "message": {"text": "turbo: GHSA-3qcw-2rhx-2726"}, "properties": {"repobilityId": 87080, "scanner": "osv-scanner", "fingerprint": "ac81882cc88ddc2930b5c6424756bf686072ec99041af16c160e2a9b714459d8", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45772"], "package": "turbo", "rule_id": "GHSA-3qcw-2rhx-2726", "scanner": "osv-scanner", "correlation_key": "vuln|turbo|CVE-2026-45772|bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `tailwind-merge` is minor version(s) behind (^3.5.0 -> 3.6.0)"}, "properties": {"repobilityId": 87060, "scanner": "repobility-dependency-currency", "fingerprint": "3643ceaeabe64cca1f738c2d783d4cc1f313cb93f5b951c521bd37ef7c84e655", "category": "dependency", 
"severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "tailwind-merge", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.6.0", "correlation_key": "fp|3643ceaeabe64cca1f738c2d783d4cc1f313cb93f5b951c521bd37ef7c84e655", "current_version": "^3.5.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `shadcn` is minor version(s) behind (^4.7.0 -> 4.10.0)"}, "properties": {"repobilityId": 87059, "scanner": "repobility-dependency-currency", "fingerprint": "999c56247a20f5d304041c654e0fa7f8a6acf8b7fac1e8ae7ab4623e2225745c", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "shadcn", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.10.0", "correlation_key": "fp|999c56247a20f5d304041c654e0fa7f8a6acf8b7fac1e8ae7ab4623e2225745c", "current_version": "^4.7.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@hugeicons/core-free-icons` is minor version(s) behind (^4.1.2 -> 4.2.0)"}, "properties": {"repobilityId": 87055, "scanner": "repobility-dependency-currency", "fingerprint": "ecdb015da6820d9f83467314802bdba374437bcc476fc5e7f0bbb5c326a2224f", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", 
"signal": "currency", "cwe_ids": [], "package": "@hugeicons/core-free-icons", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.2.0", "correlation_key": "fp|ecdb015da6820d9f83467314802bdba374437bcc476fc5e7f0bbb5c326a2224f", "current_version": "^4.1.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@hookform/resolvers` is minor version(s) behind (^5.2.2 -> 5.4.0)"}, "properties": {"repobilityId": 87054, "scanner": "repobility-dependency-currency", "fingerprint": "f00bf4ffc54ab8faeed70ed80f067773f7bcc3ce922b684e208e39c10e3ef6d3", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@hookform/resolvers", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.4.0", "correlation_key": "fp|f00bf4ffc54ab8faeed70ed80f067773f7bcc3ce922b684e208e39c10e3ef6d3", "current_version": "^5.2.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@base-ui/react` is minor version(s) behind (^1.4.1 -> 1.5.0)"}, "properties": {"repobilityId": 87053, "scanner": "repobility-dependency-currency", "fingerprint": "034ed51175829ee320a63ef0767e395d7b9d016515119dca185746cc163b4c0f", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@base-ui/react", "scanner": "repobility-dependency-currency", "ecosystem": "npm", 
"languages": ["javascript"], "latest_version": "1.5.0", "correlation_key": "fp|034ed51175829ee320a63ef0767e395d7b9d016515119dca185746cc163b4c0f", "current_version": "^1.4.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 87074, "scanner": "repobility-threat-engine", "fingerprint": "87400ceffdd0863ddd302da717ba4af79d6006a2f2944fe8fe19f1b6635df7bb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|87400ceffdd0863ddd302da717ba4af79d6006a2f2944fe8fe19f1b6635df7bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/routeTree.gen.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. 
Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 87073, "scanner": "repobility-threat-engine", "fingerprint": "3fc23c707c2f19d58b3ea628bbc6d26b8c56f7566cb403f77814b46ce5209e87", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3fc23c707c2f19d58b3ea628bbc6d26b8c56f7566cb403f77814b46ce5209e87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/components/ui/chart.tsx"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 87072, "scanner": "repobility-threat-engine", "fingerprint": "574f1166e5d1522e7111db0d2a2fca8ad58f340eb2492c6459e1592653c1ca6d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|574f1166e5d1522e7111db0d2a2fca8ad58f340eb2492c6459e1592653c1ca6d"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "apps/web/src/components/ui/slider.tsx"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 87071, "scanner": "repobility-threat-engine", "fingerprint": "28d8268af1c3b29139f86ed1de53c460a32d6252ffe7f12d381f8bb344a69307", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|28d8268af1c3b29139f86ed1de53c460a32d6252ffe7f12d381f8bb344a69307"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/components/ui/field.tsx"}, "region": {"startLine": 203}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 87070, "scanner": "repobility-threat-engine", "fingerprint": "e385f21309118edf6d9bf6176c68f02f5392617da9c37aa1e5791a786764e70d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, 
"observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e385f21309118edf6d9bf6176c68f02f5392617da9c37aa1e5791a786764e70d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/components/ui/chart.tsx"}, "region": {"startLine": 207}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 87068, "scanner": "repobility-threat-engine", "fingerprint": "13bf0ec11fd302bbc3fc28c846df5772cd8f9b09a4296ac69f9b9f5be12eda99", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|13bf0ec11fd302bbc3fc28c846df5772cd8f9b09a4296ac69f9b9f5be12eda99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/components/ui/button-group.tsx"}, "region": {"startLine": 14}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@vitejs/plugin-react` is patch version(s) behind (^6.0.1 -> 6.0.2)"}, "properties": {"repobilityId": 87064, "scanner": "repobility-dependency-currency", "fingerprint": "2cf8c6cda057c0a216f287fac3e9efcd221d64ec052148176dd49bea51557f93", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vitejs/plugin-react", 
"scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.0.2", "correlation_key": "fp|2cf8c6cda057c0a216f287fac3e9efcd221d64ec052148176dd49bea51557f93", "current_version": "^6.0.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@types/react-dom` is patch version(s) behind (^19.2.0 -> 19.2.3)"}, "properties": {"repobilityId": 87063, "scanner": "repobility-dependency-currency", "fingerprint": "fb4dde1d29d326c7f64fc282778c49608ba83bcd22e04505d8418032484d3286", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/react-dom", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "19.2.3", "correlation_key": "fp|fb4dde1d29d326c7f64fc282778c49608ba83bcd22e04505d8418032484d3286", "current_version": "^19.2.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@testing-library/react` is patch version(s) behind (^16.3.0 -> 16.3.2)"}, "properties": {"repobilityId": 87062, "scanner": "repobility-dependency-currency", "fingerprint": "1fa654c7314ed931aaaabcd338e204a3b7eccd7572c3a99104a4b0fa01e3c1a0", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@testing-library/react", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "16.3.2", 
"correlation_key": "fp|1fa654c7314ed931aaaabcd338e204a3b7eccd7572c3a99104a4b0fa01e3c1a0", "current_version": "^16.3.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@tailwindcss/typography` is patch version(s) behind (^0.5.16 -> 0.5.19)"}, "properties": {"repobilityId": 87061, "scanner": "repobility-dependency-currency", "fingerprint": "5fcbab361429a529b2297db8d4825d732e94c9976488b63154b155fb26819366", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@tailwindcss/typography", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.5.19", "correlation_key": "fp|5fcbab361429a529b2297db8d4825d732e94c9976488b63154b155fb26819366", "current_version": "^0.5.16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `recharts` is patch version(s) behind (3.8.0 -> 3.8.1)"}, "properties": {"repobilityId": 87058, "scanner": "repobility-dependency-currency", "fingerprint": "047fc7978361eefd50199b9fa68201a15fa02b6dfeb7787673cf9aa7a49b67be", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "recharts", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.8.1", "correlation_key": "fp|047fc7978361eefd50199b9fa68201a15fa02b6dfeb7787673cf9aa7a49b67be", "current_version": "3.8.0"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "apps/web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `react-resizable-panels` is patch version(s) behind (^4.11.0 -> 4.11.2)"}, "properties": {"repobilityId": 87057, "scanner": "repobility-dependency-currency", "fingerprint": "0185e2ca24fa3847678d9701dc88c657b2408975ab22d769f990700f58be5752", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "react-resizable-panels", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.11.2", "correlation_key": "fp|0185e2ca24fa3847678d9701dc88c657b2408975ab22d769f990700f58be5752", "current_version": "^4.11.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `react-day-picker` is patch version(s) behind (^10.0.0 -> 10.0.1)"}, "properties": {"repobilityId": 87056, "scanner": "repobility-dependency-currency", "fingerprint": "bf33792c52a6eda597e53e958cc1aacb297e32f0381dd5d4e04631d8460d2ec3", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "react-day-picker", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.0.1", "correlation_key": "fp|bf33792c52a6eda597e53e958cc1aacb297e32f0381dd5d4e04631d8460d2ec3", "current_version": "^10.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC040", 
"level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector (CWE-79). The browser parses the data as HTML and runs any script it carries, for example in event-handler attributes. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 87069, "scanner": "repobility-threat-engine", "fingerprint": "369b99a3877a7e7ab734a16cfc2648862d103be243db5c3aa179c9f8a0e66780", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(\n            ([theme, prefix]) => `\n${prefix} [data-chart=${id}] {\n${colorConfig\n  .map(([key, i", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|369b99a3877a7e7ab734a16cfc2648862d103be243db5c3aa179c9f8a0e66780"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/components/ui/chart.tsx"}, "region": {"startLine": 95}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/cache` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 87052, "scanner": "repobility-supply-chain", "fingerprint": "7542c43382aa1f66c6cba6f2192dfbc4b4d5079d96631c93e25fc22ca35495af", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|7542c43382aa1f66c6cba6f2192dfbc4b4d5079d96631c93e25fc22ca35495af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bun-ci.yml"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/cache` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 87051, "scanner": "repobility-supply-chain", "fingerprint": "5e627338cdc6e6c3378aec225f26c5e5b9b0d5cdb1ebbc5931d189cb5c7280de", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5e627338cdc6e6c3378aec225f26c5e5b9b0d5cdb1ebbc5931d189cb5c7280de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bun-ci.yml"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `jetli/wasm-pack-action` pinned to mutable ref `@v0.4.0`"}, "properties": {"repobilityId": 87050, "scanner": "repobility-supply-chain", "fingerprint": "ae1da671275764e6da719fc312d58e44acba7933c1815032a6d0a22a543ad764", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ae1da671275764e6da719fc312d58e44acba7933c1815032a6d0a22a543ad764"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bun-ci.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref 
`@v4`"}, "properties": {"repobilityId": 87049, "scanner": "repobility-supply-chain", "fingerprint": "783ab2d52b44f32028ccf5de891cf97ce07a12a05dfb73c3aa1ec45a757c2a81", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|783ab2d52b44f32028ccf5de891cf97ce07a12a05dfb73c3aa1ec45a757c2a81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bun-ci.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "error", "message": {"text": "No test files found"}, "properties": {"repobilityId": 87048, "scanner": "repobility-core", "fingerprint": "0200e9918bc2a7bf9c116d0907e50ac3df640c758b93852cf1890ec6e14d870d", "category": "testing", "severity": "high", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "correlation_key": "repo|testing|core_no_tests"}}}]}]}