{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-GHA", "name": "GitHub Action `actions/upload-artifact@v4` is 3 major version(s) behind (latest v7.0.1)", "shortDescription": {"text": "GitHub Action `actions/upload-artifact@v4` is 3 major version(s) behind (latest v7.0.1)"}, "fullDescription": {"text": "`uses: actions/upload-artifact@v4` is 3 major version(s) behind the latest published release v7.0.1. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises \u2014 and which Repobility had no coverage for."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `html-to-text` is 1 major version(s) behind (9.0.5 -> 10.0.0)", "shortDescription": {"text": "npm package `html-to-text` is 1 major version(s) behind (9.0.5 -> 10.0.0)"}, "fullDescription": {"text": "`html-to-text` is pinned/resolved at 9.0.5 but the latest stable release on the npm registry is 10.0.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "GHSA-73rr-hh4g-fpgx", "name": "diff: GHSA-73rr-hh4g-fpgx", "shortDescription": {"text": "diff: GHSA-73rr-hh4g-fpgx"}, "fullDescription": {"text": "jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order.", "shortDescription": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 3 more): Same pattern found in 3 additional files. ", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 14 more): Same pattern found in 14 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 15 more): Same pattern found in 15 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC027", "name": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not config", "shortDescription": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "fullDescription": {"text": "Pass `noent: false` to libxmljs. Avoid xml2js or pass explicit secure config. Prefer parsers that don't expand external entities at all."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC005", "name": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.", "shortDescription": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "fullDescription": {"text": "Use subprocess with shell=False and a list of args. Never eval user input."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/upload-artifact` pinned to mutable ref `@v4`", "shortDescription": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "fullDescription": {"text": "`uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "jwt", "name": "Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data.", "shortDescription": {"text": "Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED013", "name": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages.", "shortDescription": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-200 / A07:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1162"}, "properties": {"repository": "microsoft/vscode-azuretools", "repoUrl": "https://github.com/microsoft/vscode-azuretools", "branch": "main"}, "results": [{"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 116627, "scanner": "repobility-threat-engine", "fingerprint": "b7a40b261a324e95eaddafcfa51ac187c16a255976270654649385107e1cdf73", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random() * (maximumExclusive - minimumInclusive)) + minimumInclusiv", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b7a40b261a324e95eaddafcfa51ac187c16a255976270654649385107e1cdf73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/src/utils/randomUtils.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 116614, "scanner": "repobility-threat-engine", "fingerprint": "9eaa2c86d0d910912b97a56dad35ed281d07559d59ad123d9b47b675009b567f", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|utils/src/parseerror.ts|236|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/src/parseError.ts"}, "region": {"startLine": 236}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 116613, "scanner": "repobility-threat-engine", "fingerprint": "90548da9470678b2322cf635eb557027fcd7f38d547e5275ab05beb25ea57d35", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|81|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "azure/src/utils/FeedMirrorPolicy.ts"}, "region": {"startLine": 81}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 116612, "scanner": "repobility-threat-engine", "fingerprint": "6b581f294e7e1442254098879f8add1bcc9e766ef3c809820b4fc8f5aa364eda", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|auth/src/utils/screen.ts|22|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "auth/src/utils/screen.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 116590, "scanner": "repobility-agent-runtime", "fingerprint": "2066a1ad877aa9e63f2f8b28ae7957ef9c05a2daec420ab23c1a442357844e52", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|2066a1ad877aa9e63f2f8b28ae7957ef9c05a2daec420ab23c1a442357844e52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/index.d.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/upload-artifact@v4` is 3 major version(s) behind (latest v7.0.1)"}, "properties": {"repobilityId": 116589, "scanner": "repobility-dependency-currency", "fingerprint": "349bd445ea8f12263ecbe4cc1120c6e66cdcac7b1494633a0980d5727e56c730", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/upload-artifact", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v7.0.1", "correlation_key": "fp|349bd445ea8f12263ecbe4cc1120c6e66cdcac7b1494633a0980d5727e56c730", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/jobs.yml"}, "region": {"startLine": 57}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/setup-node@v3` is 3 major version(s) behind (latest v6.4.0)"}, "properties": {"repobilityId": 116588, "scanner": "repobility-dependency-currency", "fingerprint": "aadb715bc8f3643f0ae6688f10ba7e5e46c585945db0b4d125aebac0eaa8e433", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/setup-node", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.4.0", "correlation_key": "fp|aadb715bc8f3643f0ae6688f10ba7e5e46c585945db0b4d125aebac0eaa8e433", "current_version": "v3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/jobs.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `pnpm/action-setup@v4` is 2 major version(s) behind (latest v6.0.8)"}, "properties": {"repobilityId": 116587, "scanner": "repobility-dependency-currency", "fingerprint": "75c52270e57b3814faef424bfb47032a0dc09f3e790534f33e5c69ebc87657e9", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "pnpm/action-setup", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.8", "correlation_key": "fp|75c52270e57b3814faef424bfb47032a0dc09f3e790534f33e5c69ebc87657e9", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/jobs.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/checkout@v3` is 3 major version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 116586, "scanner": "repobility-dependency-currency", "fingerprint": "8c506a94d1c5ec51aa93779a333b76ad7096867d04f2f5d6bfbd0e9161e33303", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|8c506a94d1c5ec51aa93779a333b76ad7096867d04f2f5d6bfbd0e9161e33303", "current_version": "v3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/jobs.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/github-script@v8` is 1 major version(s) behind (latest v9.0.0)"}, "properties": {"repobilityId": 116585, "scanner": "repobility-dependency-currency", "fingerprint": "17fe62e30c48ad183c08f7d3b00684ca0b9d53cbcebd16176248e64d03ad9b24", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/github-script", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v9.0.0", "correlation_key": "fp|17fe62e30c48ad183c08f7d3b00684ca0b9d53cbcebd16176248e64d03ad9b24", "current_version": "v8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/info-needed-closer.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/github-script@v8` is 1 major version(s) behind (latest v9.0.0)"}, "properties": {"repobilityId": 116584, "scanner": "repobility-dependency-currency", "fingerprint": "1faf87bff37b7362f0f40dc7f3b5b0aed809a8f66bbaff3361d684fdccaa672f", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/github-script", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v9.0.0", "correlation_key": "fp|1faf87bff37b7362f0f40dc7f3b5b0aed809a8f66bbaff3361d684fdccaa672f", "current_version": "v8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/locker.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 116583, "scanner": "repobility-dependency-currency", "fingerprint": "4b11e63360e2296da22e4678ed360a9b37666f97d1a7f0268df686e153347c20", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|4b11e63360e2296da22e4678ed360a9b37666f97d1a7f0268df686e153347c20", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-pipeline-templates.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/create-github-app-token@v1` is 2 major version(s) behind (latest v3.2.0)"}, "properties": {"repobilityId": 116582, "scanner": "repobility-dependency-currency", "fingerprint": "b6c8da97a64e20235c122606e275ed22f1bdeb0ff813f5690810edb90606d4e2", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/create-github-app-token", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v3.2.0", "correlation_key": "fp|b6c8da97a64e20235c122606e275ed22f1bdeb0ff813f5690810edb90606d4e2", "current_version": "v1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-pipeline-templates.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `html-to-text` is 1 major version(s) behind (9.0.5 -> 10.0.0)"}, "properties": {"repobilityId": 116568, "scanner": "repobility-dependency-currency", "fingerprint": "1775d0ec892405795994ab36d61e4b73ed7e7b6490ff66520f6647fa69bc0aa4", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "html-to-text", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.0.0", "correlation_key": "fp|1775d0ec892405795994ab36d61e4b73ed7e7b6490ff66520f6647fa69bc0aa4", "current_version": "9.0.5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@eslint/js` is 1 major version(s) behind (9.39.1 -> 10.0.1)"}, "properties": {"repobilityId": 116558, "scanner": "repobility-dependency-currency", "fingerprint": "390d34a2c90b8d14d4aba7b77159324021cbd9a13b55be956c1f98e13410480d", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@eslint/js", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.0.1", "correlation_key": "fp|390d34a2c90b8d14d4aba7b77159324021cbd9a13b55be956c1f98e13410480d", "current_version": "9.39.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "eng/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-73rr-hh4g-fpgx", "level": "note", "message": {"text": "diff: GHSA-73rr-hh4g-fpgx"}, "properties": {"repobilityId": 116639, "scanner": "osv-scanner", "fingerprint": "4e9aaf2395d359616cdab3992ec82cb5f26f7a8ae14a2148aef7b743c6f6dd7b", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-24001"], "package": "diff", "rule_id": "GHSA-73rr-hh4g-fpgx", "scanner": "osv-scanner", "correlation_key": "vuln|diff|CVE-2026-24001|webview/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "webview/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-73rr-hh4g-fpgx", "level": "note", "message": {"text": "diff: GHSA-73rr-hh4g-fpgx"}, "properties": {"repobilityId": 116638, "scanner": "osv-scanner", "fingerprint": "0960743e0b37509b4f17ef811e8c9b2eecc73f466b04e0878938cb085a4b4d69", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-24001"], "package": "diff", "rule_id": "GHSA-73rr-hh4g-fpgx", "scanner": "osv-scanner", "correlation_key": "vuln|diff|CVE-2026-24001|utils/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-73rr-hh4g-fpgx", "level": "note", "message": {"text": "diff: GHSA-73rr-hh4g-fpgx"}, "properties": {"repobilityId": 116637, "scanner": "osv-scanner", "fingerprint": "0bb30c507ac1096cd841a5143d8cf76e0b7082fa2f0e13855f13691ae677d591", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-24001"], "package": "diff", "rule_id": "GHSA-73rr-hh4g-fpgx", "scanner": "osv-scanner", "correlation_key": "vuln|diff|CVE-2026-24001|github/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "github/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-73rr-hh4g-fpgx", "level": "note", "message": {"text": "diff: GHSA-73rr-hh4g-fpgx"}, "properties": {"repobilityId": 116636, "scanner": "osv-scanner", "fingerprint": "1a2782650ff97434480543a88761646198be575caa1f0529f3a32bc2bceb73c1", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-24001"], "package": "diff", "rule_id": "GHSA-73rr-hh4g-fpgx", "scanner": "osv-scanner", "correlation_key": "vuln|diff|CVE-2026-24001|eng/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "eng/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-73rr-hh4g-fpgx", "level": "note", "message": {"text": "diff: GHSA-73rr-hh4g-fpgx"}, "properties": {"repobilityId": 116635, "scanner": "osv-scanner", "fingerprint": "9a404d5535ed3e5ea730a6ba5baf2b6589dbe3e7acf75a918efeaf35aff6187f", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-24001"], "package": "diff", "rule_id": "GHSA-73rr-hh4g-fpgx", "scanner": "osv-scanner", "correlation_key": "vuln|diff|CVE-2026-24001|azure/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "azure/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-73rr-hh4g-fpgx", "level": "note", "message": {"text": "diff: GHSA-73rr-hh4g-fpgx"}, "properties": {"repobilityId": 116634, "scanner": "osv-scanner", "fingerprint": "fc84b8e53b7ba08d6d3e36c621ffbdf6cd6f49d4c93a48c051a1c083c2f48d15", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-24001"], "package": "diff", "rule_id": "GHSA-73rr-hh4g-fpgx", "scanner": "osv-scanner", "correlation_key": "vuln|diff|CVE-2026-24001|auth/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "auth/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-73rr-hh4g-fpgx", "level": "note", "message": {"text": "diff: GHSA-73rr-hh4g-fpgx"}, "properties": {"repobilityId": 116633, "scanner": "osv-scanner", "fingerprint": "f003dfd05e8eb739c14614d4db0810af75c706f4f40b6abaa13daa16c28a5efe", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-24001"], "package": "diff", "rule_id": "GHSA-73rr-hh4g-fpgx", "scanner": "osv-scanner", "correlation_key": "vuln|diff|CVE-2026-24001|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-73rr-hh4g-fpgx"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["cb2257a568b07f5d900a407f6be2d572a0cf681faf5f6c8074a1e5d522f70d41", "f003dfd05e8eb739c14614d4db0810af75c706f4f40b6abaa13daa16c28a5efe"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "appservice/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@types/vscode` is minor version(s) behind (1.105.0 -> 1.120.0)"}, "properties": {"repobilityId": 116575, "scanner": "repobility-dependency-currency", "fingerprint": "93a7e198b822632ad78ffed614d691c8f8c49bebd90381391f9d76a2446a84c8", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/vscode", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.120.0", "correlation_key": "fp|93a7e198b822632ad78ffed614d691c8f8c49bebd90381391f9d76a2446a84c8", "current_version": "1.105.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "github/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@types/vscode` is minor version(s) behind (1.105.0 -> 1.120.0)"}, "properties": {"repobilityId": 116572, "scanner": "repobility-dependency-currency", "fingerprint": "1a04add6f36bebf979a014d1c1bd892845aae7c9210691abd22e50f5063ef7e9", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/vscode", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.120.0", "correlation_key": "fp|1a04add6f36bebf979a014d1c1bd892845aae7c9210691abd22e50f5063ef7e9", "current_version": "1.105.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "auth/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@types/vscode` is minor version(s) behind (1.105.0 -> 1.120.0)"}, "properties": {"repobilityId": 116571, "scanner": "repobility-dependency-currency", "fingerprint": "eb78d9e640a6a92f49b44683576cdf1bcbc398e3b2cff571ecf64f133257b407", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/vscode", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.120.0", "correlation_key": "fp|eb78d9e640a6a92f49b44683576cdf1bcbc398e3b2cff571ecf64f133257b407", "current_version": "1.105.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `vscode-tas-client` is minor version(s) behind (0.1.84 -> 0.2.1)"}, "properties": {"repobilityId": 116570, "scanner": "repobility-dependency-currency", "fingerprint": "9fd6e07e727022d83f2550c64282960c71f8b5fd483c31933cd2ea0623a2f445", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "vscode-tas-client", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.2.1", "correlation_key": "fp|9fd6e07e727022d83f2550c64282960c71f8b5fd483c31933cd2ea0623a2f445", "current_version": "0.1.84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@types/vscode` is minor version(s) behind (1.105.0 -> 1.120.0)"}, "properties": {"repobilityId": 116566, "scanner": "repobility-dependency-currency", "fingerprint": "c7f9986f1945fb3d1217bcfa403d97b9bf9850b77ef628afde46774f84491261", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/vscode", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.120.0", "correlation_key": "fp|c7f9986f1945fb3d1217bcfa403d97b9bf9850b77ef628afde46774f84491261", "current_version": "1.105.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "azure/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `tsx` is minor version(s) behind (4.21.0 -> 4.22.4)"}, "properties": {"repobilityId": 116562, "scanner": "repobility-dependency-currency", "fingerprint": "0668156f2725acd843d26e90909edc217328fc08f42708f8fa3d09ea6402ffd2", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "tsx", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.22.4", "correlation_key": "fp|0668156f2725acd843d26e90909edc217328fc08f42708f8fa3d09ea6402ffd2", "current_version": "4.21.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "eng/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@tony.ganchev/eslint-plugin-header` is minor version(s) behind (3.2.1 -> 3.4.4)"}, "properties": {"repobilityId": 116559, "scanner": "repobility-dependency-currency", "fingerprint": "f887da7d2647400bb931d60db2e73312bbd1351e7f32f934d1afa065f9fededa", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@tony.ganchev/eslint-plugin-header", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.4.4", "correlation_key": "fp|f887da7d2647400bb931d60db2e73312bbd1351e7f32f934d1afa065f9fededa", "current_version": "3.2.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "eng/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@types/vscode` is minor version(s) behind (1.105.0 -> 1.120.0)"}, "properties": {"repobilityId": 116557, "scanner": "repobility-dependency-currency", "fingerprint": "1a5f8679448990962139f5722752a87de1da11bf613cc75746874cb5ff5175f1", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/vscode", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.120.0", "correlation_key": "fp|1a5f8679448990962139f5722752a87de1da11bf613cc75746874cb5ff5175f1", "current_version": "1.105.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "appsettings/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 116546, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fd58b43085895d8ef201e025b8f7fe8c6ba86421da4f1c14ed07d0bc2296f0aa", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "webview/src/webview/TemplateGallery/components/TemplateCard.tsx", "duplicate_line": 23, "correlation_key": "fp|fd58b43085895d8ef201e025b8f7fe8c6ba86421da4f1c14ed07d0bc2296f0aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "webview/src/webview/TemplateGallery/components/TemplateConfigView.tsx"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 116545, "scanner": "repobility-ai-code-hygiene", "fingerprint": "142837806411be5c9a26ba2548013a0f12773ec1eead2f7fe11f837383ba47d2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "appservice/src/createAppService/AppInsightsCreateStep.ts", "duplicate_line": 85, "correlation_key": "fp|142837806411be5c9a26ba2548013a0f12773ec1eead2f7fe11f837383ba47d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "appservice/src/createAppService/AppServicePlanCreateStep.ts"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 116630, "scanner": "repobility-threat-engine", "fingerprint": "ec8416c1720289ab9b0949465d6b8f7ba40de7f9fb9d825c8edb7f171b3f8152", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ec8416c1720289ab9b0949465d6b8f7ba40de7f9fb9d825c8edb7f171b3f8152"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "webview/src/webview/TemplateGallery/components/TemplateConfigView.tsx"}, "region": {"startLine": 178}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 116629, "scanner": "repobility-threat-engine", "fingerprint": "ece3c886fee2bddc1bd7a6b3922d9ef47bd5ebf6126eb70a7ac42a4783d70743", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ece3c886fee2bddc1bd7a6b3922d9ef47bd5ebf6126eb70a7ac42a4783d70743"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "webview/src/webview/TemplateGallery/components/TemplateConfigView.tsx"}, "region": {"startLine": 139}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 116628, "scanner": "repobility-threat-engine", "fingerprint": "d09e9f2521a3500eb1acb34f5177cf176346357545ba10f2ed4508012d27201c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d09e9f2521a3500eb1acb34f5177cf176346357545ba10f2ed4508012d27201c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "webview/src/webview/LoadingView.tsx"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 116626, "scanner": "repobility-threat-engine", "fingerprint": "0ab893ecb663a596471c11f2884109838cf3a5053d6ee4a79a37446e9710e7a6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0ab893ecb663a596471c11f2884109838cf3a5053d6ee4a79a37446e9710e7a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/src/browser/crypto.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 116622, "scanner": "repobility-threat-engine", "fingerprint": "3eeb0184ea59cd4304ee823c3834023268f895a0ec0b4135af603e87001559be", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|3eeb0184ea59cd4304ee823c3834023268f895a0ec0b4135af603e87001559be", "aggregated_count": 7}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 116621, "scanner": "repobility-threat-engine", "fingerprint": "09e122bd32e6a6a4bf4b2bffccce7c591f1fb5cd4be9dcc2ec9193c2be5166d5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|09e122bd32e6a6a4bf4b2bffccce7c591f1fb5cd4be9dcc2ec9193c2be5166d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/src/createTelemetryReporter.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 116620, "scanner": "repobility-threat-engine", "fingerprint": "24816aba3bbd09ffd9836b9db0e8b5f251777aa66bb6c30b3e311566d285e89e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|24816aba3bbd09ffd9836b9db0e8b5f251777aa66bb6c30b3e311566d285e89e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/src/DebugReporter.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 116619, "scanner": "repobility-threat-engine", "fingerprint": "5f9fab9b341c6c8285579bf9c64bac318507752123e4cf87d5fe976d91b48003", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5f9fab9b341c6c8285579bf9c64bac318507752123e4cf87d5fe976d91b48003"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "eng/src/esbuild/esbuildConfigs.ts"}, "region": {"startLine": 80}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 116611, "scanner": "repobility-threat-engine", "fingerprint": "2cd220107759c389357ea1e0b2a749255d62455820f15b6cc9e05e77d2c17c58", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2cd220107759c389357ea1e0b2a749255d62455820f15b6cc9e05e77d2c17c58"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 116607, "scanner": "repobility-threat-engine", "fingerprint": "22f086d0fdc97d81b8738c7e9d19e5d21469b0073a89ebfc090d5326c2797492", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|22f086d0fdc97d81b8738c7e9d19e5d21469b0073a89ebfc090d5326c2797492"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 116606, "scanner": "repobility-threat-engine", "fingerprint": "9d9a576ca0622a5505b3b0a7ac9ace660443e923cffdfd3e1d021864ba440510", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|39|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/src/activityLog/activities/ExecuteActivity.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 116605, "scanner": "repobility-threat-engine", "fingerprint": "219016fc61e606c13b383a9e2bc51272aae3a7e1a19028af3296c8bedc308825", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|74|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/src/activityLog/Activity.ts"}, "region": {"startLine": 74}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 116604, "scanner": "repobility-threat-engine", "fingerprint": "1a319b7b3f35f3734c2b08737455ed64abb03e4851487cde31d13452edf90c9f", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|141|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "auth/src/providers/AzureDevOpsSubscriptionProvider.ts"}, "region": {"startLine": 141}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "properties": {"repobilityId": 116602, "scanner": "repobility-threat-engine", "fingerprint": "14ce4ae7a22d633b8fe645d2ab2c7e5422f6d980891ae5a572bf746a645a7bfd", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 14 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 14 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|14ce4ae7a22d633b8fe645d2ab2c7e5422f6d980891ae5a572bf746a645a7bfd"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 116598, "scanner": "repobility-threat-engine", "fingerprint": "c045cf9d21c96aaf56df16c8ec2ed9c63beb43d6fa265653594c1ef215491fe3", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|c045cf9d21c96aaf56df16c8ec2ed9c63beb43d6fa265653594c1ef215491fe3", "aggregated_count": 15}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 116597, "scanner": "repobility-threat-engine", "fingerprint": "56b34d69e278b3f4bb7448fbf4c367cf47e955c8b54b2060a3b3c550bf840962", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|56b34d69e278b3f4bb7448fbf4c367cf47e955c8b54b2060a3b3c550bf840962"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "appservice/src/deploy/wizard/PostDeployTaskExecuteStep.ts"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 116596, "scanner": "repobility-threat-engine", "fingerprint": "85ecc4b92364889b420d994e681bfc6757ab4f2585bddbe205844564ff0f4dde", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|85ecc4b92364889b420d994e681bfc6757ab4f2585bddbe205844564ff0f4dde"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "appservice/src/createSlot/DeploymentSlotCreateStep.ts"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 116595, "scanner": "repobility-threat-engine", "fingerprint": "b2a9f1598fa22a5b8694a8f8963580fa82f7a9e35e595db74392e6be4e9a6648", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b2a9f1598fa22a5b8694a8f8963580fa82f7a9e35e595db74392e6be4e9a6648"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "appservice/src/TunnelProxy.ts"}, "region": {"startLine": 173}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 116594, "scanner": "repobility-threat-engine", "fingerprint": "dc495931fe10ccd594ead31c7c77f06bc2fd305548c052c38b6f9feadb646876", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|dc495931fe10ccd594ead31c7c77f06bc2fd305548c052c38b6f9feadb646876", "aggregated_count": 4}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 116593, "scanner": "repobility-threat-engine", "fingerprint": "7a90ef66f3b347354aaf0bc8c37b1de7617d3123cea24bd1d1ba05fb3acb3a5a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7a90ef66f3b347354aaf0bc8c37b1de7617d3123cea24bd1d1ba05fb3acb3a5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "auth/src/utils/map/CaselessMap.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 116592, "scanner": "repobility-threat-engine", "fingerprint": "21cbddaa5642fe8e46b84df1616786c2840871833a76d5bdfd8a9056d203edde", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|21cbddaa5642fe8e46b84df1616786c2840871833a76d5bdfd8a9056d203edde"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "auth/src/utils/Limiter.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 116591, "scanner": "repobility-threat-engine", "fingerprint": "3b001fc057b53246c5acd182b8183cf00c85c7ba86726ed1bde6d6718cc484a2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3b001fc057b53246c5acd182b8183cf00c85c7ba86726ed1bde6d6718cc484a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "appservice/src/KuduModels.ts"}, "region": {"startLine": 84}}}]}, {"ruleId": "DEPCUR-GHA", "level": "none", "message": {"text": "GitHub Action `dorny/paths-filter@v4` is patch version(s) behind (latest v4.0.1)"}, "properties": {"repobilityId": 116581, "scanner": "repobility-dependency-currency", "fingerprint": "74add4a03c38e858a626cc3b55e44f2fc6d9ab6101baa17535beefcdac824fcb", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "dorny/paths-filter", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v4.0.1", "correlation_key": "fp|74add4a03c38e858a626cc3b55e44f2fc6d9ab6101baa17535beefcdac824fcb", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/packages.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `marked` is patch version(s) behind (18.0.3 -> 18.0.5)"}, "properties": {"repobilityId": 116580, "scanner": "repobility-dependency-currency", "fingerprint": "15f76bb760aa23c55e8869b5fab0fa396175f85e0a1b14f39e4c18515e7176a7", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "marked", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "18.0.5", "correlation_key": "fp|15f76bb760aa23c55e8869b5fab0fa396175f85e0a1b14f39e4c18515e7176a7", "current_version": "18.0.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "webview/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `dompurify` is patch version(s) behind (3.4.3 -> 3.4.8)"}, "properties": {"repobilityId": 116579, "scanner": "repobility-dependency-currency", "fingerprint": "3ee59270ae7999d4ddcf6b56e452e36d683aaf85aabbabce7ae563cbb7d1def0", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "dompurify", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.4.8", "correlation_key": "fp|3ee59270ae7999d4ddcf6b56e452e36d683aaf85aabbabce7ae563cbb7d1def0", "current_version": "3.4.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "webview/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@vscode/codicons` is patch version(s) behind (0.0.38 -> 0.0.45)"}, "properties": {"repobilityId": 116578, "scanner": "repobility-dependency-currency", "fingerprint": "a3a879d9122d342ec39f3258fb459102f5b8f0c215cdbe6d7b4579938d7cbe18", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vscode/codicons", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.0.45", "correlation_key": "fp|a3a879d9122d342ec39f3258fb459102f5b8f0c215cdbe6d7b4579938d7cbe18", "current_version": "0.0.38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "webview/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@microsoft/vscode-azext-utils` is patch version(s) behind (4.1.0 -> 4.1.1)"}, "properties": {"repobilityId": 116577, "scanner": "repobility-dependency-currency", "fingerprint": "72fa0fb8f1774611f5f5628c0bc6566664f1217137a20d28ca4367c0bbd781b4", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@microsoft/vscode-azext-utils", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.1.1", "correlation_key": "fp|72fa0fb8f1774611f5f5628c0bc6566664f1217137a20d28ca4367c0bbd781b4", "current_version": "4.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "webview/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@fluentui/react-icons` is patch version(s) behind (2.0.324 -> 2.0.328)"}, "properties": {"repobilityId": 116576, "scanner": "repobility-dependency-currency", "fingerprint": "c06d85f83310ac72be7b312a34ae960e5e9d909c33c1da7d1f12593d23eeba34", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@fluentui/react-icons", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.0.328", "correlation_key": "fp|c06d85f83310ac72be7b312a34ae960e5e9d909c33c1da7d1f12593d23eeba34", "current_version": "2.0.324"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "webview/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@microsoft/vscode-azureresources-api` is patch version(s) behind (3.1.0 -> 3.1.1)"}, "properties": {"repobilityId": 116574, "scanner": "repobility-dependency-currency", "fingerprint": "b1d2a1762d1e7f401ec74e84085a1c7096a76755b303e6eb81f68420a38cfbe2", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@microsoft/vscode-azureresources-api", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.1.1", "correlation_key": "fp|b1d2a1762d1e7f401ec74e84085a1c7096a76755b303e6eb81f68420a38cfbe2", "current_version": "3.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "github/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@microsoft/vscode-azext-utils` is patch version(s) behind (4.1.0 -> 4.1.1)"}, "properties": {"repobilityId": 116573, "scanner": "repobility-dependency-currency", "fingerprint": "330fb72408cc009536d3a1975eb7a035209856b6f63a80c392428d8c4a808dc9", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@microsoft/vscode-azext-utils", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.1.1", "correlation_key": "fp|330fb72408cc009536d3a1975eb7a035209856b6f63a80c392428d8c4a808dc9", "current_version": "4.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "github/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `semver` is patch version(s) behind (7.8.1 -> 7.8.2)"}, "properties": {"repobilityId": 116569, "scanner": "repobility-dependency-currency", "fingerprint": "a7bde4bce1cf778c15a7ec872003c378b220a582ccfeaa9e3e99c25a168098e6", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "semver", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.8.2", "correlation_key": "fp|a7bde4bce1cf778c15a7ec872003c378b220a582ccfeaa9e3e99c25a168098e6", "current_version": "7.8.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@microsoft/vscode-azureresources-api` is patch version(s) behind (3.1.0 -> 3.1.1)"}, "properties": {"repobilityId": 116567, "scanner": "repobility-dependency-currency", "fingerprint": "2aef2a5e85c0849e055d34970798ab0d93f7033e543b7e0c0ac551ceb51a10bb", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@microsoft/vscode-azureresources-api", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.1.1", "correlation_key": "fp|2aef2a5e85c0849e055d34970798ab0d93f7033e543b7e0c0ac551ceb51a10bb", "current_version": "3.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `semver` is patch version(s) behind (7.8.1 -> 7.8.2)"}, "properties": {"repobilityId": 116565, "scanner": "repobility-dependency-currency", "fingerprint": "d8f820ccc42129efeaa93a6c6e2d255a8124a996078fbbaa566250f05367a21f", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "semver", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.8.2", "correlation_key": "fp|d8f820ccc42129efeaa93a6c6e2d255a8124a996078fbbaa566250f05367a21f", "current_version": "7.8.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "azure/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@microsoft/vscode-azureresources-api` is patch version(s) behind (3.1.0 -> 3.1.1)"}, "properties": {"repobilityId": 116564, "scanner": "repobility-dependency-currency", "fingerprint": "420521b7ca7fd998f6853d3bbf50f80d95d2c13622b1a6ac6169dbfe6a183ed5", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@microsoft/vscode-azureresources-api", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.1.1", "correlation_key": "fp|420521b7ca7fd998f6853d3bbf50f80d95d2c13622b1a6ac6169dbfe6a183ed5", "current_version": "3.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "azure/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@microsoft/vscode-azext-utils` is patch version(s) behind (4.1.0 -> 4.1.1)"}, "properties": {"repobilityId": 116563, "scanner": "repobility-dependency-currency", "fingerprint": "7640a37fc5fc04f9a3a82f1093dff57539feec5d1ea2c56f6f7e386ed23c3a76", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@microsoft/vscode-azext-utils", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.1.1", "correlation_key": "fp|7640a37fc5fc04f9a3a82f1093dff57539feec5d1ea2c56f6f7e386ed23c3a76", "current_version": "4.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "azure/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@vscode/vsce` is patch version(s) behind (^3.9.1 -> 3.9.2)"}, "properties": {"repobilityId": 116561, "scanner": "repobility-dependency-currency", "fingerprint": "cc91d1eb2094f75b88634d63cb32175471267c2f367222baa400ece72dc63c98", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vscode/vsce", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.9.2", "correlation_key": "fp|cc91d1eb2094f75b88634d63cb32175471267c2f367222baa400ece72dc63c98", "current_version": "^3.9.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "eng/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `chai` is patch version(s) behind (6.2.1 -> 6.2.2)"}, "properties": {"repobilityId": 116560, "scanner": "repobility-dependency-currency", "fingerprint": "c8fa491846056499e89975b6edd192bd7235f163b2633cf5a088a466fd43727e", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "chai", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.2.2", "correlation_key": "fp|c8fa491846056499e89975b6edd192bd7235f163b2633cf5a088a466fd43727e", "current_version": "6.2.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "eng/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@microsoft/vscode-azext-utils` is patch version(s) behind (4.1.0 -> 4.1.1)"}, "properties": {"repobilityId": 116556, "scanner": "repobility-dependency-currency", "fingerprint": "f6a3c0f6a582ad3165063d8f523baf40e5e68db6a6724628bf0c5190538b33c4", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@microsoft/vscode-azext-utils", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.1.1", "correlation_key": "fp|f6a3c0f6a582ad3165063d8f523baf40e5e68db6a6724628bf0c5190538b33c4", "current_version": "4.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "appsettings/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC027", "level": "error", "message": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "properties": {"repobilityId": 116631, "scanner": "repobility-threat-engine", "fingerprint": "0f108df71ca41681b82a6a4d54c209b5753b21b8e4913a9b72781c676ae44c05", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new DOMParser()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC027", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0f108df71ca41681b82a6a4d54c209b5753b21b8e4913a9b72781c676ae44c05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "webview/src/webview/TemplateGallery/utils/renderMarkdown.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 116625, "scanner": "repobility-threat-engine", "fingerprint": "ebd417c64ab0e7cb63d6a40e5f3fb9a6b729c73373e39ae9710ef2f61e93b3c1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(invalidCharsRegExp", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ebd417c64ab0e7cb63d6a40e5f3fb9a6b729c73373e39ae9710ef2f61e93b3c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/src/wizard/AzureNameStep.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 116624, "scanner": "repobility-threat-engine", "fingerprint": "6041263aa66a28b9c59f3560871e62a92b27d0bdb77b5c74fa4d46ac41852620", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(escapeRegExp", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6041263aa66a28b9c59f3560871e62a92b27d0bdb77b5c74fa4d46ac41852620"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/src/masking.ts"}, "region": {"startLine": 139}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 116623, "scanner": "repobility-threat-engine", "fingerprint": "d3b3303f5aa7ca0df0257f31a04281683a8d1238256913f460e4433d16838512", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(activityFailContext", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d3b3303f5aa7ca0df0257f31a04281683a8d1238256913f460e4433d16838512"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/src/activityLog/activities/ExecuteActivity.ts"}, "region": {"startLine": 119}}}]}, {"ruleId": "SEC005", "level": "error", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 116618, "scanner": "repobility-threat-engine", "fingerprint": "c3b02230a0d4285a86dd3f41f8dc5b4b86aa394b2cf70b4dc5a928bc9a93ca77", "category": "injection", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Command source appears controllable (config/plugin/argv/user input)", "evidence": {"match": "exec(request", "reason": "Command source appears controllable (config/plugin/argv/user input)", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|injection|token|81|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "azure/src/utils/FeedMirrorPolicy.ts"}, "region": {"startLine": 81}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 116617, "scanner": "repobility-threat-engine", "fingerprint": "b5f447d2c1d6cb5b7ea8f426d6003a1ed3be17bcd1c39daa20a405f07b951cf3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(l", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b5f447d2c1d6cb5b7ea8f426d6003a1ed3be17bcd1c39daa20a405f07b951cf3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/src/parseError.ts"}, "region": {"startLine": 236}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 116616, "scanner": "repobility-threat-engine", "fingerprint": "015e1e250619937259b5a6e043a8896ccb278e04e392900fd91479bf11c427d8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(request", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|015e1e250619937259b5a6e043a8896ccb278e04e392900fd91479bf11c427d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "azure/src/utils/FeedMirrorPolicy.ts"}, "region": {"startLine": 81}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 116615, "scanner": "repobility-threat-engine", "fingerprint": "fb0b7d3c9564ed992b03046a5f5d6b226c84b6a2eef055c92a24792fc6f8518c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(accountOrTenant", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fb0b7d3c9564ed992b03046a5f5d6b226c84b6a2eef055c92a24792fc6f8518c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "auth/src/utils/screen.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 116610, "scanner": "repobility-threat-engine", "fingerprint": "fe8803e2948ea56bbbb4dab32cde50b642777236a7ba418ca047afe36b4fcec9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "request.headers.delete('Authorization');", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fe8803e2948ea56bbbb4dab32cde50b642777236a7ba418ca047afe36b4fcec9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "azure/src/utils/FeedMirrorPolicy.ts"}, "region": {"startLine": 114}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 116609, "scanner": "repobility-threat-engine", "fingerprint": "4c2abc8182101b91e80d8ca81e07c07a0b76764babfa69999db98ec5e9e47a89", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "innerMap2.delete(key1);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4c2abc8182101b91e80d8ca81e07c07a0b76764babfa69999db98ec5e9e47a89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "auth/src/utils/map/TwoKeyCaselessMap.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 116608, "scanner": "repobility-threat-engine", "fingerprint": "7d3d6b131bf7f878e2e7dfc3cabcaf22546a691f883448890fd67835be2e8b68", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.availableSubscriptionsPromises.delete(key);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7d3d6b131bf7f878e2e7dfc3cabcaf22546a691f883448890fd67835be2e8b68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "auth/src/providers/VSCodeAzureSubscriptionProvider.ts"}, "region": {"startLine": 92}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 116601, "scanner": "repobility-threat-engine", "fingerprint": "4fcad60a811bfe6bafc4e33f05585ed8e367f2ecb30cfb1d9071ff828cfee366", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4fcad60a811bfe6bafc4e33f05585ed8e367f2ecb30cfb1d9071ff828cfee366"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "appservice/src/siteFiles.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 116600, "scanner": "repobility-threat-engine", "fingerprint": "9811e0eeb0f0a7f94f1a39cc5cf97dd8a5fe30183eb89269d5cf6b8fb14c1bc1", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(b", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9811e0eeb0f0a7f94f1a39cc5cf97dd8a5fe30183eb89269d5cf6b8fb14c1bc1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "appservice/src/deploy/deployToStorageAccount.ts"}, "region": {"startLine": 101}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 116599, "scanner": "repobility-threat-engine", "fingerprint": "6a50c4e47a1e753b47615f55960f2bcf72b220791e50fa7b398a7d87eaa53743", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(l", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6a50c4e47a1e753b47615f55960f2bcf72b220791e50fa7b398a7d87eaa53743"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "appservice/src/createAppService/SiteDomainNameLabelScopeStep.ts"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 116555, "scanner": "repobility-supply-chain", "fingerprint": "257ed1f26fb3eb035edd09f589aece75db42370f41f6d78653ec70c0d4f193ce", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|257ed1f26fb3eb035edd09f589aece75db42370f41f6d78653ec70c0d4f193ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/jobs.yml"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 116554, "scanner": "repobility-supply-chain", "fingerprint": "11a8bf4c2468234617ab3c2c818be0f8c67fabb83ea9541b286466670553c5ea", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|11a8bf4c2468234617ab3c2c818be0f8c67fabb83ea9541b286466670553c5ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/jobs.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 116553, "scanner": "repobility-supply-chain", "fingerprint": "09e755fe7e7a8525dc962ba68ea043233c49333a42fb9f98cac987a27b0ab634", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|09e755fe7e7a8525dc962ba68ea043233c49333a42fb9f98cac987a27b0ab634"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/jobs.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 116552, "scanner": "repobility-supply-chain", "fingerprint": "84139f4bcb6bd7fc0cf1a7c15862111a162f37256ce22ec52ba1576c35aba4b1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|84139f4bcb6bd7fc0cf1a7c15862111a162f37256ce22ec52ba1576c35aba4b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/jobs.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/github-script` pinned to mutable ref `@v8`"}, "properties": {"repobilityId": 116551, "scanner": "repobility-supply-chain", "fingerprint": "742efaf4f078209c4cc4ecae01dd3524fe9d766886eaf7e1427a7cf0bfdd6aa4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|742efaf4f078209c4cc4ecae01dd3524fe9d766886eaf7e1427a7cf0bfdd6aa4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/info-needed-closer.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/github-script` pinned to mutable ref `@v8`"}, "properties": {"repobilityId": 116550, "scanner": "repobility-supply-chain", "fingerprint": "02f098f69b3bd00b60eb81ee79a7ad30705cd9d89f98b9dbff4396a1d4e292d1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|02f098f69b3bd00b60eb81ee79a7ad30705cd9d89f98b9dbff4396a1d4e292d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/locker.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 116549, "scanner": "repobility-supply-chain", "fingerprint": "41e3f64467e01dd500c607314ad569daff04fc12fb6f4fbb091f19e665a7263b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|41e3f64467e01dd500c607314ad569daff04fc12fb6f4fbb091f19e665a7263b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-pipeline-templates.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/create-github-app-token` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 116548, "scanner": "repobility-supply-chain", "fingerprint": "52b4d9b011f6e79c7e662bb61737f19fd216745a98a8d968eada82d8df26edf3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|52b4d9b011f6e79c7e662bb61737f19fd216745a98a8d968eada82d8df26edf3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-pipeline-templates.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `dorny/paths-filter` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 116547, "scanner": "repobility-supply-chain", "fingerprint": "7228e035f74f4bdcb300fe0c54869dee9ed927844e4bda54cfed535b2173a394", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7228e035f74f4bdcb300fe0c54869dee9ed927844e4bda54cfed535b2173a394"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/packages.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "jwt", "level": "error", "message": {"text": "Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data."}, "properties": {"repobilityId": 116632, "scanner": "gitleaks", "fingerprint": "e2f2b2a02ed301df258e2e56c5c8999de022bc9e94ec4a4e866034e1c6a5ac53", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "REDACTED'", "rule_id": "jwt", "scanner": "gitleaks", "detector": "jwt", "correlation_key": "secret|utils/test/masking.test.ts|21|redacted", "duplicate_count": 1, "duplicate_rule_ids": ["jwt"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["1d11c77b5f5bd49d3b0deeace47182dc037eb4cb02de3e76c6c45044d7a4e95c", "e2f2b2a02ed301df258e2e56c5c8999de022bc9e94ec4a4e866034e1c6a5ac53"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/test/masking.test.ts"}, "region": {"startLine": 214}}}]}, {"ruleId": "MINED013", "level": "error", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "properties": {"repobilityId": 116603, "scanner": "repobility-threat-engine", "fingerprint": "ccc96f8d0c8b20b9a63a2dcfa40e54e7270a33c06ceb9e159dadf2a651a84ee1", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ccc96f8d0c8b20b9a63a2dcfa40e54e7270a33c06ceb9e159dadf2a651a84ee1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "appservice/src/deploy/localGitDeploy.ts"}, "region": {"startLine": 36}}}]}]}]}