{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "JRN002", "name": "Browser storage is used for session token material", "shortDescription": {"text": "Browser storage is used for session token material"}, "fullDescription": {"text": "localStorage and sessionStorage are readable by injected JavaScript. For sensitive sessions, this turns XSS into account compromise."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "GHSA-48c2-rrv3-qjmp", "name": "yaml: GHSA-48c2-rrv3-qjmp", "shortDescription": {"text": "yaml: GHSA-48c2-rrv3-qjmp"}, "fullDescription": {"text": "yaml is vulnerable to Stack Overflow via deeply nested YAML collections"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-58qx-3vcg-4xpx", "name": "ws: GHSA-58qx-3vcg-4xpx", "shortDescription": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "fullDescription": {"text": "ws: Uninitialized memory disclosure"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-j8xg-fqg3-53r7", "name": "word-wrap: GHSA-j8xg-fqg3-53r7", "shortDescription": {"text": "word-wrap: GHSA-j8xg-fqg3-53r7"}, "fullDescription": {"text": "word-wrap vulnerable to Regular Expression Denial of Service"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9jgg-88mc-972h", "name": "webpack-dev-server: GHSA-9jgg-88mc-972h", "shortDescription": {"text": "webpack-dev-server: GHSA-9jgg-88mc-972h"}, "fullDescription": {"text": "webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-79cf-xcqc-c78w", "name": "webpack-dev-server: GHSA-79cf-xcqc-c78w", "shortDescription": {"text": "webpack-dev-server: GHSA-79cf-xcqc-c78w"}, "fullDescription": {"text": "webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4v9v-hfq4-rm2v", "name": "webpack-dev-server: GHSA-4v9v-hfq4-rm2v", "shortDescription": {"text": "webpack-dev-server: GHSA-4v9v-hfq4-rm2v"}, "fullDescription": {"text": "webpack-dev-server users' source code may be stolen when they access a malicious web site"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4vvj-4cpr-p986", "name": "webpack: GHSA-4vvj-4cpr-p986", "shortDescription": {"text": "webpack: GHSA-4vvj-4cpr-p986"}, "fullDescription": {"text": "Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w5hq-g745-h8pq", "name": "uuid: GHSA-w5hq-g745-h8pq", "shortDescription": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "fullDescription": {"text": "uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-72xf-g2v4-qvf3", "name": "tough-cookie: GHSA-72xf-g2v4-qvf3", "shortDescription": {"text": "tough-cookie: GHSA-72xf-g2v4-qvf3"}, "fullDescription": {"text": "tough-cookie Prototype Pollution vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qj8w-gfj5-8c6v", "name": "serialize-javascript: GHSA-qj8w-gfj5-8c6v", "shortDescription": {"text": "serialize-javascript: GHSA-qj8w-gfj5-8c6v"}, "fullDescription": {"text": "Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-76p7-773f-r4q5", "name": "serialize-javascript: GHSA-76p7-773f-r4q5", "shortDescription": {"text": "serialize-javascript: GHSA-76p7-773f-r4q5"}, "fullDescription": {"text": "Cross-site Scripting (XSS) in serialize-javascript"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9jcx-v3wj-wh4m", "name": "react-router: GHSA-9jcx-v3wj-wh4m", "shortDescription": {"text": "react-router: GHSA-9jcx-v3wj-wh4m"}, "fullDescription": {"text": "React Router has unexpected external redirect via untrusted paths"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-6rw7-vpxm-498p", "name": "qs: GHSA-6rw7-vpxm-498p", "shortDescription": {"text": "qs: GHSA-6rw7-vpxm-498p"}, "fullDescription": {"text": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qx2v-qp2m-jg93", "name": "postcss: GHSA-qx2v-qp2m-jg93", "shortDescription": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "fullDescription": {"text": "PostCSS has XSS via Unescaped </style> in its CSS Stringify Output"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7fh5-64p2-3v2j", "name": "postcss: GHSA-7fh5-64p2-3v2j", "shortDescription": {"text": "postcss: GHSA-7fh5-64p2-3v2j"}, "fullDescription": {"text": "PostCSS line return parsing error"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3v7f-55p6-f55p", "name": "picomatch: GHSA-3v7f-55p6-f55p", "shortDescription": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "fullDescription": {"text": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-65ch-62r8-g69g", "name": "node-forge: GHSA-65ch-62r8-g69g", "shortDescription": {"text": "node-forge: GHSA-65ch-62r8-g69g"}, "fullDescription": {"text": "node-forge is vulnerable to ASN.1 OID Integer Truncation"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mwcw-c2x4-8c55", "name": "nanoid: GHSA-mwcw-c2x4-8c55", "shortDescription": {"text": "nanoid: GHSA-mwcw-c2x4-8c55"}, "fullDescription": {"text": "Predictable results in nanoid generation when given non-integer values"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-952p-6rrq-rcjv", "name": "micromatch: GHSA-952p-6rrq-rcjv", "shortDescription": {"text": "micromatch: GHSA-952p-6rrq-rcjv"}, "fullDescription": {"text": "Regular Expression Denial of Service (ReDoS) in micromatch"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xxjr-mmjv-4gpg", "name": "lodash: GHSA-xxjr-mmjv-4gpg", "shortDescription": {"text": "lodash: GHSA-xxjr-mmjv-4gpg"}, "fullDescription": {"text": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f23m-r3pf-42rh", "name": "lodash: GHSA-f23m-r3pf-42rh", "shortDescription": {"text": "lodash: GHSA-f23m-r3pf-42rh"}, "fullDescription": {"text": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mh29-5h37-fv8m", "name": "js-yaml: GHSA-mh29-5h37-fv8m", "shortDescription": {"text": "js-yaml: GHSA-mh29-5h37-fv8m"}, "fullDescription": {"text": "js-yaml has prototype pollution in merge (<<)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9gqv-wp59-fq42", "name": "http-proxy-middleware: GHSA-9gqv-wp59-fq42", "shortDescription": {"text": "http-proxy-middleware: GHSA-9gqv-wp59-fq42"}, "fullDescription": {"text": "http-proxy-middleware allows fixRequestBody to proceed even if bodyParser has failed"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4www-5p9h-95mh", "name": "http-proxy-middleware: GHSA-4www-5p9h-95mh", "shortDescription": {"text": "http-proxy-middleware: GHSA-4www-5p9h-95mh"}, "fullDescription": {"text": "http-proxy-middleware can call writeBody twice because \"else if\" is not used"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r4q5-vmmm-2653", "name": "follow-redirects: GHSA-r4q5-vmmm-2653", "shortDescription": {"text": "follow-redirects: GHSA-r4q5-vmmm-2653"}, "fullDescription": {"text": "follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jchw-25xp-jwwc", "name": "follow-redirects: GHSA-jchw-25xp-jwwc", "shortDescription": {"text": "follow-redirects: GHSA-jchw-25xp-jwwc"}, "fullDescription": {"text": "Follow Redirects improperly handles URLs in the url.parse() function"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-cxjh-pqwp-8mfp", "name": "follow-redirects: GHSA-cxjh-pqwp-8mfp", "shortDescription": {"text": "follow-redirects: GHSA-cxjh-pqwp-8mfp"}, "fullDescription": {"text": "follow-redirects' Proxy-Authorization header kept across hosts"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rv95-896h-c2vc", "name": "express: GHSA-rv95-896h-c2vc", "shortDescription": {"text": "express: GHSA-rv95-896h-c2vc"}, "fullDescription": {"text": "Express.js Open Redirect in malformed URLs"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-ghr5-ch3p-vcr6", "name": "ejs: GHSA-ghr5-ch3p-vcr6", "shortDescription": {"text": "ejs: GHSA-ghr5-ch3p-vcr6"}, "fullDescription": {"text": "ejs lacks certain pollution protection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f886-m6hf-6m8v", "name": "brace-expansion: GHSA-f886-m6hf-6m8v", "shortDescription": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "fullDescription": {"text": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2g4f-4pwh-qvx6", "name": "ajv: GHSA-2g4f-4pwh-qvx6", "shortDescription": {"text": "ajv: GHSA-2g4f-4pwh-qvx6"}, "fullDescription": {"text": "ajv has ReDoS when using `$data` option"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-968p-4wvh-cqc8", "name": "@babel/runtime-corejs3: GHSA-968p-4wvh-cqc8", "shortDescription": {"text": "@babel/runtime-corejs3: GHSA-968p-4wvh-cqc8"}, "fullDescription": {"text": "Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `web-vitals` is 3 major version(s) behind (^2.1.4 -> 5.3.0)", "shortDescription": {"text": "npm package `web-vitals` is 3 major version(s) behind (^2.1.4 -> 5.3.0)"}, "fullDescription": {"text": "`web-vitals` is pinned/resolved at ^2.1.4 but the latest stable release on the npm registry is 5.3.0 (3 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_CI", "name": "No CI/CD configuration found", "shortDescription": {"text": "No CI/CD configuration found"}, "fullDescription": {"text": "Add a CI/CD pipeline: create .github/workflows/ci.yml for GitHub Actions with steps to lint, test, and build on every push and pull request."}, "properties": {"scanner": "repobility-core", "category": "practices", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Sitemap directives in robots.txt help crawlers and AI agents find the canonical public URL inventory quickly."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. Without one, important docs and product pages are easy to miss."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "GHSA-8fgc-7cc6-rx7x", "name": "webpack: GHSA-8fgc-7cc6-rx7x", "shortDescription": {"text": "webpack: GHSA-8fgc-7cc6-rx7x"}, "fullDescription": {"text": "webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-38r7-794h-5758", "name": "webpack: GHSA-38r7-794h-5758", "shortDescription": {"text": "webpack: GHSA-38r7-794h-5758"}, "fullDescription": {"text": "webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects \u2192 SSRF + cache persistence"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-cm22-4g7w-348p", "name": "serve-static: GHSA-cm22-4g7w-348p", "shortDescription": {"text": "serve-static: GHSA-cm22-4g7w-348p"}, "fullDescription": {"text": "serve-static vulnerable to template injection that can lead to XSS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-m6fv-jmcg-4jfg", "name": "send: GHSA-m6fv-jmcg-4jfg", "shortDescription": {"text": "send: GHSA-m6fv-jmcg-4jfg"}, "fullDescription": {"text": "send vulnerable to template injection that can lead to XSS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w7fw-mjwx-w883", "name": "qs: GHSA-w7fw-mjwx-w883", "shortDescription": {"text": "qs: GHSA-w7fw-mjwx-w883"}, "fullDescription": {"text": "qs's arrayLimit bypass in comma parsing allows denial of service"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-76c9-3jph-rj3q", "name": "on-headers: GHSA-76c9-3jph-rj3q", "shortDescription": {"text": "on-headers: GHSA-76c9-3jph-rj3q"}, "fullDescription": {"text": "on-headers is vulnerable to http response header manipulation"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qw6h-vgh9-j6wx", "name": "express: GHSA-qw6h-vgh9-j6wx", "shortDescription": {"text": "express: GHSA-qw6h-vgh9-j6wx"}, "fullDescription": {"text": "express vulnerable to XSS via response.redirect()"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-pxg6-pf52-xh8x", "name": "cookie: GHSA-pxg6-pf52-xh8x", "shortDescription": {"text": "cookie: GHSA-pxg6-pf52-xh8x"}, "fullDescription": {"text": "cookie accepts cookie name, path, and domain with out of bounds characters"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v6h2-p8h4-qcjw", "name": "brace-expansion: GHSA-v6h2-p8h4-qcjw", "shortDescription": {"text": "brace-expansion: GHSA-v6h2-p8h4-qcjw"}, "fullDescription": {"text": "brace-expansion Regular Expression Denial of Service vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-vpq2-c234-7xj6", "name": "@tootallnate/once: GHSA-vpq2-c234-7xj6", "shortDescription": {"text": "@tootallnate/once: GHSA-vpq2-c234-7xj6"}, "fullDescription": {"text": "@tootallnate/once vulnerable to Incorrect Control Flow Scoping"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_LICENSE", "name": "No LICENSE file", "shortDescription": {"text": "No LICENSE file"}, "fullDescription": {"text": "Add a LICENSE file to your repository. Use choosealicense.com to pick the right license (MIT for permissive, Apache 2.0 for patent protection, GPL for copyleft)."}, "properties": {"scanner": "repobility-core", "category": "documentation", "severity": "low", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order.", "shortDescription": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "GHSA-3h5v-q93c-6h6q", "name": "ws: GHSA-3h5v-q93c-6h6q", "shortDescription": {"text": "ws: GHSA-3h5v-q93c-6h6q"}, "fullDescription": {"text": "ws affected by a DoS when handling a request with many HTTP headers"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-wr3j-pwj9-hqq6", "name": "webpack-dev-middleware: GHSA-wr3j-pwj9-hqq6", "shortDescription": {"text": "webpack-dev-middleware: GHSA-wr3j-pwj9-hqq6"}, "fullDescription": {"text": "Path traversal in webpack-dev-middleware"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4wf5-vphf-c2xc", "name": "terser: GHSA-4wf5-vphf-c2xc", "shortDescription": {"text": "terser: GHSA-4wf5-vphf-c2xc"}, "fullDescription": {"text": "Terser insecure use of regular expressions leads to ReDoS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xpqw-6gx7-v673", "name": "svgo: GHSA-xpqw-6gx7-v673", "shortDescription": {"text": "svgo: GHSA-xpqw-6gx7-v673"}, "fullDescription": {"text": "SVGO DoS through entity expansion in DOCTYPE (Billion Laughs)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5c6j-r48x-rmvq", "name": "serialize-javascript: GHSA-5c6j-r48x-rmvq", "shortDescription": {"text": "serialize-javascript: GHSA-5c6j-r48x-rmvq"}, "fullDescription": {"text": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c2qf-rxjj-qqgw", "name": "semver: GHSA-c2qf-rxjj-qqgw", "shortDescription": {"text": "semver: GHSA-c2qf-rxjj-qqgw"}, "fullDescription": {"text": "semver vulnerable to Regular Expression Denial of Service"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mw96-cpmx-2vgc", "name": "rollup: GHSA-mw96-cpmx-2vgc", "shortDescription": {"text": "rollup: GHSA-mw96-cpmx-2vgc"}, "fullDescription": {"text": "Rollup 4 has Arbitrary File Write via Path Traversal"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-gcx4-mw62-g8wm", "name": "rollup: GHSA-gcx4-mw62-g8wm", "shortDescription": {"text": "rollup: GHSA-gcx4-mw62-g8wm"}, "fullDescription": {"text": "DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c2c7-rcm5-vvqj", "name": "picomatch: GHSA-c2c7-rcm5-vvqj", "shortDescription": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "fullDescription": {"text": "Picomatch has a ReDoS vulnerability via extglob quantifiers"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rhx6-c78j-4q9w", "name": "path-to-regexp: GHSA-rhx6-c78j-4q9w", "shortDescription": {"text": "path-to-regexp: GHSA-rhx6-c78j-4q9w"}, "fullDescription": {"text": "path-to-regexp contains a ReDoS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9wv6-86v2-598j", "name": "path-to-regexp: GHSA-9wv6-86v2-598j", "shortDescription": {"text": "path-to-regexp: GHSA-9wv6-86v2-598j"}, "fullDescription": {"text": "path-to-regexp outputs backtracking regular expressions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-37ch-88jc-xwx2", "name": "path-to-regexp: GHSA-37ch-88jc-xwx2", "shortDescription": {"text": "path-to-regexp: GHSA-37ch-88jc-xwx2"}, "fullDescription": {"text": "path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rp65-9cf3-cjxr", "name": "nth-check: GHSA-rp65-9cf3-cjxr", "shortDescription": {"text": "nth-check: GHSA-rp65-9cf3-cjxr"}, "fullDescription": {"text": "Inefficient Regular Expression Complexity in nth-check"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q67f-28xg-22rw", "name": "node-forge: GHSA-q67f-28xg-22rw", "shortDescription": {"text": "node-forge: GHSA-q67f-28xg-22rw"}, "fullDescription": {"text": "Forge has signature forgery in Ed25519 due to missing S > L check"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-ppp5-5v6c-4jwp", "name": "node-forge: GHSA-ppp5-5v6c-4jwp", "shortDescription": {"text": "node-forge: GHSA-ppp5-5v6c-4jwp"}, "fullDescription": {"text": "Forge has signature forgery in RSA-PKCS due to ASN.1 extra field  "}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5m6q-g25r-mvwx", "name": "node-forge: GHSA-5m6q-g25r-mvwx", "shortDescription": {"text": "node-forge: GHSA-5m6q-g25r-mvwx"}, "fullDescription": {"text": "Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5gfm-wpxj-wjgq", "name": "node-forge: GHSA-5gfm-wpxj-wjgq", "shortDescription": {"text": "node-forge: GHSA-5gfm-wpxj-wjgq"}, "fullDescription": {"text": "node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-554w-wpv2-vw27", "name": "node-forge: GHSA-554w-wpv2-vw27", "shortDescription": {"text": "node-forge: GHSA-554w-wpv2-vw27"}, "fullDescription": {"text": "node-forge has ASN.1 Unbounded Recursion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2328-f5f3-gj25", "name": "node-forge: GHSA-2328-f5f3-gj25", "shortDescription": {"text": "node-forge: GHSA-2328-f5f3-gj25"}, "fullDescription": {"text": "Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f8q6-p94x-37v3", "name": "minimatch: GHSA-f8q6-p94x-37v3", "shortDescription": {"text": "minimatch: GHSA-f8q6-p94x-37v3"}, "fullDescription": {"text": "minimatch ReDoS vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7r86-cg39-jmmj", "name": "minimatch: GHSA-7r86-cg39-jmmj", "shortDescription": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "fullDescription": {"text": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3ppc-4f35-3m26", "name": "minimatch: GHSA-3ppc-4f35-3m26", "shortDescription": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "fullDescription": {"text": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-23c5-xmqv-rm74", "name": "minimatch: GHSA-23c5-xmqv-rm74", "shortDescription": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "fullDescription": {"text": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r5fr-rjxr-66jc", "name": "lodash: GHSA-r5fr-rjxr-66jc", "shortDescription": {"text": "lodash: GHSA-r5fr-rjxr-66jc"}, "fullDescription": {"text": "lodash vulnerable to Code Injection via `_.template` imports key names"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-hhq3-ff78-jv3g", "name": "loader-utils: GHSA-hhq3-ff78-jv3g", "shortDescription": {"text": "loader-utils: GHSA-hhq3-ff78-jv3g"}, "fullDescription": {"text": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3rfm-jhwj-7488", "name": "loader-utils: GHSA-3rfm-jhwj-7488", "shortDescription": {"text": "loader-utils: GHSA-3rfm-jhwj-7488"}, "fullDescription": {"text": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9c47-m6qq-7p4h", "name": "json5: GHSA-9c47-m6qq-7p4h", "shortDescription": {"text": "json5: GHSA-9c47-m6qq-7p4h"}, "fullDescription": {"text": "Prototype Pollution in JSON5 via Parse Method"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c7qv-q95q-8v27", "name": "http-proxy-middleware: GHSA-c7qv-q95q-8v27", "shortDescription": {"text": "http-proxy-middleware: GHSA-c7qv-q95q-8v27"}, "fullDescription": {"text": "Denial of service in http-proxy-middleware"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rf6f-7fwh-wjgh", "name": "flatted: GHSA-rf6f-7fwh-wjgh", "shortDescription": {"text": "flatted: GHSA-rf6f-7fwh-wjgh"}, "fullDescription": {"text": "Prototype Pollution via parse() in NodeJS flatted"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-25h7-pfq9-p65f", "name": "flatted: GHSA-25h7-pfq9-p65f", "shortDescription": {"text": "flatted: GHSA-25h7-pfq9-p65f"}, "fullDescription": {"text": "flatted vulnerable to unbounded recursion DoS in parse() revive phase"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w573-4hg7-7wgq", "name": "decode-uri-component: GHSA-w573-4hg7-7wgq", "shortDescription": {"text": "decode-uri-component: GHSA-w573-4hg7-7wgq"}, "fullDescription": {"text": "decode-uri-component vulnerable to Denial of Service (DoS)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3xgq-45jj-v275", "name": "cross-spawn: GHSA-3xgq-45jj-v275", "shortDescription": {"text": "cross-spawn: GHSA-3xgq-45jj-v275"}, "fullDescription": {"text": "Regular Expression Denial of Service (ReDoS) in cross-spawn"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-grv7-fg5c-xmjg", "name": "braces: GHSA-grv7-fg5c-xmjg", "shortDescription": {"text": "braces: GHSA-grv7-fg5c-xmjg"}, "fullDescription": {"text": "Uncontrolled resource consumption in braces"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qwcr-r2fm-qrc7", "name": "body-parser: GHSA-qwcr-r2fm-qrc7", "shortDescription": {"text": "body-parser: GHSA-qwcr-r2fm-qrc7"}, "fullDescription": {"text": "body-parser vulnerable to denial of service when url encoding is enabled"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-fv7c-fp4j-7gwp", "name": "@babel/plugin-transform-modules-systemjs: GHSA-fv7c-fp4j-7gwp", "shortDescription": {"text": "@babel/plugin-transform-modules-systemjs: GHSA-fv7c-fp4j-7gwp"}, "fullDescription": {"text": "@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "GHSA-hc6q-2mpp-qw7j", "name": "webpack: GHSA-hc6q-2mpp-qw7j", "shortDescription": {"text": "webpack: GHSA-hc6q-2mpp-qw7j"}, "fullDescription": {"text": "Cross-realm object access in Webpack 5"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-76p3-8jx3-jpfq", "name": "loader-utils: GHSA-76p3-8jx3-jpfq", "shortDescription": {"text": "loader-utils: GHSA-76p3-8jx3-jpfq"}, "fullDescription": {"text": "Prototype pollution in webpack loader-utils"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-fjxv-7rqg-78g4", "name": "form-data: GHSA-fjxv-7rqg-78g4", "shortDescription": {"text": "form-data: GHSA-fjxv-7rqg-78g4"}, "fullDescription": {"text": "form-data uses unsafe random function in form-data for choosing boundary"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-67hx-6x53-jw92", "name": "@babel/traverse: GHSA-67hx-6x53-jw92", "shortDescription": {"text": "@babel/traverse: GHSA-67hx-6x53-jw92"}, "fullDescription": {"text": "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1103"}, "properties": {"repository": "Azim-Ahmed/Node-flow-diagram", "repoUrl": "https://github.com/Azim-Ahmed/Node-flow-diagram", "branch": "master"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 108520, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 108519, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 108515, "scanner": "repobility-journey-contract", "fingerprint": "fffb87cd2a990d35fd8a5248300b9861b59eb915e9063db7c45a9d7d4f0d0f38", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|37|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/redux/actions/auth.actions.js"}, "region": {"startLine": 37}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 108514, "scanner": "repobility-journey-contract", "fingerprint": "642383eafc9b903ac4c7f12144fcc40004b31c64ed303ee78f31050d77a7ed5c", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|15|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/redux/actions/auth.actions.js"}, "region": {"startLine": 15}}}]}, {"ruleId": "GHSA-48c2-rrv3-qjmp", "level": "warning", "message": {"text": "yaml: GHSA-48c2-rrv3-qjmp"}, "properties": {"repobilityId": 108513, "scanner": "osv-scanner", "fingerprint": "70d0d7460be007a4193e90cfe82eaea7100a07bfac6179c6be94dea5dedb7db0", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33532"], "package": "yaml", "rule_id": "GHSA-48c2-rrv3-qjmp", "scanner": "osv-scanner", "correlation_key": "vuln|yaml|CVE-2026-33532|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-58qx-3vcg-4xpx", "level": "warning", "message": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "properties": {"repobilityId": 108512, "scanner": "osv-scanner", "fingerprint": "de906a0edbb25093a2e18157d27e7650c5d59dfb14b06382f6f170c04d020630", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45736"], "package": "ws", "rule_id": "GHSA-58qx-3vcg-4xpx", "scanner": "osv-scanner", "correlation_key": "vuln|ws|CVE-2026-45736|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-j8xg-fqg3-53r7", "level": "warning", "message": {"text": "word-wrap: GHSA-j8xg-fqg3-53r7"}, "properties": {"repobilityId": 108510, "scanner": "osv-scanner", "fingerprint": "155b2e48e0522aa2f44c527f2197dc0631ed232ccc8ec184e8ce8c9d43c39846", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-26115"], "package": "word-wrap", "rule_id": "GHSA-j8xg-fqg3-53r7", "scanner": "osv-scanner", "correlation_key": "vuln|word-wrap|CVE-2023-26115|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9jgg-88mc-972h", "level": "warning", "message": {"text": "webpack-dev-server: GHSA-9jgg-88mc-972h"}, "properties": {"repobilityId": 108509, "scanner": "osv-scanner", "fingerprint": "fb09520fde1a4f84497af33937c571ff33f5a999d173c0c4f6e01ec825d9cf94", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-30360"], "package": "webpack-dev-server", "rule_id": "GHSA-9jgg-88mc-972h", "scanner": "osv-scanner", "correlation_key": "vuln|webpack-dev-server|CVE-2025-30360|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-79cf-xcqc-c78w", "level": "warning", "message": {"text": "webpack-dev-server: GHSA-79cf-xcqc-c78w"}, "properties": {"repobilityId": 108508, "scanner": "osv-scanner", "fingerprint": "1e32bfd8f5f15c2b79a2ab7f97395b72ecd1e2b62a9021c254ab19741e717999", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-6402"], "package": "webpack-dev-server", "rule_id": "GHSA-79cf-xcqc-c78w", "scanner": "osv-scanner", "correlation_key": "vuln|webpack-dev-server|CVE-2026-6402|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4v9v-hfq4-rm2v", "level": "warning", "message": {"text": "webpack-dev-server: GHSA-4v9v-hfq4-rm2v"}, "properties": {"repobilityId": 108507, "scanner": "osv-scanner", "fingerprint": "1d4c33131915734da58bcd31a8095da17f72f842ce2c37a2c8e6e415426f344d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-30359"], "package": "webpack-dev-server", "rule_id": "GHSA-4v9v-hfq4-rm2v", "scanner": "osv-scanner", "correlation_key": "vuln|webpack-dev-server|CVE-2025-30359|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4vvj-4cpr-p986", "level": "warning", "message": {"text": "webpack: GHSA-4vvj-4cpr-p986"}, "properties": {"repobilityId": 108503, "scanner": "osv-scanner", "fingerprint": "71cdd46db3b7008ab6a77a6dcf99b940ad6579adee0fdb02dc69c35626dbf619", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-43788"], "package": "webpack", "rule_id": "GHSA-4vvj-4cpr-p986", "scanner": "osv-scanner", "correlation_key": "vuln|webpack|CVE-2024-43788|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w5hq-g745-h8pq", "level": "warning", "message": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "properties": {"repobilityId": 108501, "scanner": "osv-scanner", "fingerprint": "43ffcb0a2ce37f02f11229414b326bf3461eff0a2313382f704b9797828a6315", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41907"], "package": "uuid", "rule_id": "GHSA-w5hq-g745-h8pq", "scanner": "osv-scanner", "correlation_key": "vuln|uuid|CVE-2026-41907|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-72xf-g2v4-qvf3", "level": "warning", "message": {"text": "tough-cookie: GHSA-72xf-g2v4-qvf3"}, "properties": {"repobilityId": 108500, "scanner": "osv-scanner", "fingerprint": "e23e9578ce623bfa10f448bab1b472d86f9465fc137b1ebcec06c146ce70104d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-26136"], "package": "tough-cookie", "rule_id": "GHSA-72xf-g2v4-qvf3", "scanner": "osv-scanner", "correlation_key": "vuln|tough-cookie|CVE-2023-26136|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qj8w-gfj5-8c6v", "level": "warning", "message": {"text": "serialize-javascript: GHSA-qj8w-gfj5-8c6v"}, "properties": {"repobilityId": 108496, "scanner": "osv-scanner", "fingerprint": "1c59ef4afe92099f003e3ffa513ad410d787a2b56fa73570cd1239ea05bfa2d4", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34043"], "package": "serialize-javascript", "rule_id": "GHSA-qj8w-gfj5-8c6v", "scanner": "osv-scanner", "correlation_key": "vuln|serialize-javascript|CVE-2026-34043|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-76p7-773f-r4q5", "level": "warning", "message": {"text": "serialize-javascript: GHSA-76p7-773f-r4q5"}, "properties": {"repobilityId": 108495, "scanner": "osv-scanner", "fingerprint": "654b8274e8396c27b09579959931df8c9fbccb0ce111d6aa8dfd8a7197bb1806", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-11831"], "package": "serialize-javascript", "rule_id": "GHSA-76p7-773f-r4q5", "scanner": "osv-scanner", "correlation_key": "vuln|serialize-javascript|CVE-2024-11831|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9jcx-v3wj-wh4m", "level": "warning", "message": {"text": "react-router: GHSA-9jcx-v3wj-wh4m"}, "properties": {"repobilityId": 108489, "scanner": "osv-scanner", "fingerprint": "1f490824150f8a564586f3b0da97659e7a3d123045f473e189949d660f45631e", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-68470"], "package": "react-router", "rule_id": "GHSA-9jcx-v3wj-wh4m", "scanner": "osv-scanner", "correlation_key": "vuln|react-router|CVE-2025-68470|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6rw7-vpxm-498p", "level": "warning", "message": {"text": "qs: GHSA-6rw7-vpxm-498p"}, "properties": {"repobilityId": 108487, "scanner": "osv-scanner", "fingerprint": "c779d54649dfa2aea4b3707fb8234eaa558924c2a9cef66e77ea99b5ca63f967", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-15284"], "package": "qs", "rule_id": "GHSA-6rw7-vpxm-498p", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2025-15284|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qx2v-qp2m-jg93", "level": "warning", "message": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "properties": {"repobilityId": 108486, "scanner": "osv-scanner", "fingerprint": "88e6b1a808a46d1254fb003a71496f6f03cc18938cf18c56646c44245e0d824a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41305"], "package": "postcss", "rule_id": "GHSA-qx2v-qp2m-jg93", "scanner": "osv-scanner", "correlation_key": "vuln|postcss|CVE-2026-41305|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7fh5-64p2-3v2j", "level": "warning", "message": {"text": "postcss: GHSA-7fh5-64p2-3v2j"}, "properties": {"repobilityId": 108485, "scanner": "osv-scanner", "fingerprint": "69b33eb0acfc3533b8ac1117f647b15a9d1dde9f768514bfd25f4671304264d8", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-44270"], "package": "postcss", "rule_id": "GHSA-7fh5-64p2-3v2j", "scanner": "osv-scanner", "correlation_key": "vuln|postcss|CVE-2023-44270|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3v7f-55p6-f55p", "level": "warning", "message": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "properties": {"repobilityId": 108483, "scanner": "osv-scanner", "fingerprint": "462b6f9a41343b35a2309e55c043ca31f20f04b7f9e15cb869e7180ff7fc1d96", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33672"], "package": "picomatch", "rule_id": "GHSA-3v7f-55p6-f55p", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33672|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-65ch-62r8-g69g", "level": "warning", "message": {"text": "node-forge: GHSA-65ch-62r8-g69g"}, "properties": {"repobilityId": 108475, "scanner": "osv-scanner", "fingerprint": "232e3c82353060cd62b877d2e5d07ac6731f93acfdd90a3aa5416735c07613c2", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-66030"], "package": "node-forge", "rule_id": "GHSA-65ch-62r8-g69g", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2025-66030|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mwcw-c2x4-8c55", "level": "warning", "message": {"text": "nanoid: GHSA-mwcw-c2x4-8c55"}, "properties": {"repobilityId": 108470, "scanner": "osv-scanner", "fingerprint": "b46495bb996b07b4016922b4f008333e26310d8940f96a6ae884b6e8bfb6a123", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-55565"], "package": "nanoid", "rule_id": "GHSA-mwcw-c2x4-8c55", "scanner": "osv-scanner", "correlation_key": "vuln|nanoid|CVE-2024-55565|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-952p-6rrq-rcjv", "level": "warning", "message": {"text": "micromatch: GHSA-952p-6rrq-rcjv"}, "properties": {"repobilityId": 108465, "scanner": "osv-scanner", "fingerprint": "1844d4adcb808b3531a9ec10043983ee4443488011c1df185a2f0a5192524f70", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-4067"], "package": "micromatch", "rule_id": "GHSA-952p-6rrq-rcjv", "scanner": "osv-scanner", "correlation_key": "vuln|micromatch|CVE-2024-4067|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xxjr-mmjv-4gpg", "level": "warning", "message": {"text": "lodash: GHSA-xxjr-mmjv-4gpg"}, "properties": {"repobilityId": 108464, "scanner": "osv-scanner", "fingerprint": "0427cc1b83db25772dd274a032fe254d85953b384c3b3531b80429e8cc479457", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-13465"], "package": "lodash", "rule_id": "GHSA-xxjr-mmjv-4gpg", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2025-13465|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f23m-r3pf-42rh", "level": "warning", "message": {"text": "lodash: GHSA-f23m-r3pf-42rh"}, "properties": {"repobilityId": 108462, "scanner": "osv-scanner", "fingerprint": "174be1ded9183860e3d5e821e9b0862b5a7d9031f040161d32e9de5dd713e808", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2950"], "package": "lodash", "rule_id": "GHSA-f23m-r3pf-42rh", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2026-2950|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mh29-5h37-fv8m", "level": "warning", "message": {"text": "js-yaml: GHSA-mh29-5h37-fv8m"}, "properties": {"repobilityId": 108457, "scanner": "osv-scanner", "fingerprint": "a6fb91e8f613cd9af90c71675d02191330b4012dbca773f6ae2506c416145b90", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-64718"], "package": "js-yaml", "rule_id": "GHSA-mh29-5h37-fv8m", "scanner": "osv-scanner", "correlation_key": "vuln|js-yaml|CVE-2025-64718|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9gqv-wp59-fq42", "level": "warning", "message": {"text": "http-proxy-middleware: GHSA-9gqv-wp59-fq42"}, "properties": {"repobilityId": 108455, "scanner": "osv-scanner", "fingerprint": "4bd582b3e150bceaf42669a8bd7a99950ef804d2955d3a4223af34075bf17735", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-32997"], "package": "http-proxy-middleware", "rule_id": "GHSA-9gqv-wp59-fq42", "scanner": "osv-scanner", "correlation_key": "vuln|http-proxy-middleware|CVE-2025-32997|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4www-5p9h-95mh", "level": "warning", "message": {"text": "http-proxy-middleware: GHSA-4www-5p9h-95mh"}, "properties": {"repobilityId": 108454, "scanner": "osv-scanner", "fingerprint": "48b4de469779029bfdba6b6b15b601e0bec2cd0753e2f9fb43d8844396ccc8df", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-32996"], "package": "http-proxy-middleware", "rule_id": "GHSA-4www-5p9h-95mh", "scanner": "osv-scanner", "correlation_key": "vuln|http-proxy-middleware|CVE-2025-32996|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r4q5-vmmm-2653", "level": "warning", "message": {"text": "follow-redirects: GHSA-r4q5-vmmm-2653"}, "properties": {"repobilityId": 108452, "scanner": "osv-scanner", "fingerprint": "7f5e23cd7a08776d807d82a9403b2d99acd2805bce2a7f200327957657d49d10", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "follow-redirects", "rule_id": "GHSA-r4q5-vmmm-2653", "scanner": "osv-scanner", "correlation_key": "vuln|follow-redirects|GHSA-R4Q5-VMMM-2653|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jchw-25xp-jwwc", "level": "warning", "message": {"text": "follow-redirects: GHSA-jchw-25xp-jwwc"}, "properties": {"repobilityId": 108451, "scanner": "osv-scanner", "fingerprint": "2b45d13044a8e9feafd4e3b092480a72b3415d9d0cfa4a08a230c4f17431fd3a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-26159"], "package": "follow-redirects", "rule_id": "GHSA-jchw-25xp-jwwc", "scanner": "osv-scanner", "correlation_key": "vuln|follow-redirects|CVE-2023-26159|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-cxjh-pqwp-8mfp", "level": "warning", "message": {"text": "follow-redirects: GHSA-cxjh-pqwp-8mfp"}, "properties": {"repobilityId": 108450, "scanner": "osv-scanner", "fingerprint": "2f09d553ce1317fa389df720b5dde778d7532ccd29242505d140b2ece7f28bdc", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-28849"], "package": "follow-redirects", "rule_id": "GHSA-cxjh-pqwp-8mfp", "scanner": "osv-scanner", "correlation_key": "vuln|follow-redirects|CVE-2024-28849|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rv95-896h-c2vc", "level": "warning", "message": {"text": "express: GHSA-rv95-896h-c2vc"}, "properties": {"repobilityId": 108447, "scanner": "osv-scanner", "fingerprint": "b5d202f32ddc3b24fe26669cbb8a0a41b14b013e5639c5d7dfbf79eac7829dd9", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-29041"], "package": "express", "rule_id": "GHSA-rv95-896h-c2vc", "scanner": "osv-scanner", "correlation_key": "vuln|express|CVE-2024-29041|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-ghr5-ch3p-vcr6", "level": "warning", "message": {"text": "ejs: GHSA-ghr5-ch3p-vcr6"}, "properties": {"repobilityId": 108445, "scanner": "osv-scanner", "fingerprint": "45a72add54ac331e0c0f1e97113e3798473f4cabef2bcb0129acfa271fbb1c74", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-33883"], "package": "ejs", "rule_id": "GHSA-ghr5-ch3p-vcr6", "scanner": "osv-scanner", "correlation_key": "vuln|ejs|CVE-2024-33883|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f886-m6hf-6m8v", "level": "warning", "message": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "properties": {"repobilityId": 108439, "scanner": "osv-scanner", "fingerprint": "d4b419a31e0e9347bcfafa58b7ad490de2bf201d666b0f13dc4b2518b663d57c", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33750"], "package": "brace-expansion", "rule_id": "GHSA-f886-m6hf-6m8v", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-33750|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2g4f-4pwh-qvx6", "level": "warning", "message": {"text": "ajv: GHSA-2g4f-4pwh-qvx6"}, "properties": {"repobilityId": 108437, "scanner": "osv-scanner", "fingerprint": "128d26ea5f5b40a60e9c47ea7ffd50a69def1874a9520acb5439503c3ca8a9e7", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-69873"], "package": "ajv", "rule_id": "GHSA-2g4f-4pwh-qvx6", "scanner": "osv-scanner", "correlation_key": "vuln|ajv|CVE-2025-69873|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-968p-4wvh-cqc8", "level": "warning", "message": {"text": "@babel/runtime-corejs3: GHSA-968p-4wvh-cqc8"}, "properties": {"repobilityId": 108434, "scanner": "osv-scanner", "fingerprint": "4797124e3b2a0f59fc61308cbb3696677dd8d50cf7832488bdf58c62b937b213", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-27789"], "package": "@babel/runtime-corejs3", "rule_id": "GHSA-968p-4wvh-cqc8", "scanner": "osv-scanner", "correlation_key": "vuln|babel/runtime-corejs3|CVE-2025-27789|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-968p-4wvh-cqc8", "level": "warning", "message": {"text": "@babel/runtime: GHSA-968p-4wvh-cqc8"}, "properties": {"repobilityId": 108433, "scanner": "osv-scanner", "fingerprint": "51f589bb23167d7f3187da2b247ac3c84f30fe6965633ac81e12b7c3bf7d3f84", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-27789"], "package": "@babel/runtime", "rule_id": "GHSA-968p-4wvh-cqc8", "scanner": "osv-scanner", "correlation_key": "vuln|babel/runtime|CVE-2025-27789|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-968p-4wvh-cqc8", "level": "warning", "message": {"text": "@babel/helpers: GHSA-968p-4wvh-cqc8"}, "properties": {"repobilityId": 108431, "scanner": "osv-scanner", "fingerprint": "0317e860dd98cf6e3994a385479616ff4dfbdec5fc4f213e13763c29937de720", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-27789"], "package": "@babel/helpers", "rule_id": "GHSA-968p-4wvh-cqc8", "scanner": "osv-scanner", "correlation_key": "vuln|babel/helpers|CVE-2025-27789|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `web-vitals` is 3 major version(s) behind (^2.1.4 -> 5.3.0)"}, "properties": {"repobilityId": 108424, "scanner": "repobility-dependency-currency", "fingerprint": "2024df959af128e11070aafeb14469cdfbab55fe0f3068d502881475d1d4854e", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "web-vitals", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.3.0", "correlation_key": "fp|2024df959af128e11070aafeb14469cdfbab55fe0f3068d502881475d1d4854e", "current_version": "^2.1.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `uuid` is 6 major version(s) behind (^8.3.2 -> 14.0.0)"}, "properties": {"repobilityId": 108423, "scanner": "repobility-dependency-currency", "fingerprint": "4f7377597d6cd0cfc363f267d17bd31b217d99ae6012a51a30449ec73d518b5e", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "6 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "uuid", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "14.0.0", "correlation_key": "fp|4f7377597d6cd0cfc363f267d17bd31b217d99ae6012a51a30449ec73d518b5e", "current_version": "^8.3.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `redux-thunk` is 1 major version(s) behind (^2.4.1 -> 3.1.0)"}, "properties": {"repobilityId": 108422, "scanner": "repobility-dependency-currency", "fingerprint": "c815917bbb995cc9eeb51d3906968a419e31decee5759ac0e37a65a432687fd1", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "redux-thunk", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.1.0", "correlation_key": "fp|c815917bbb995cc9eeb51d3906968a419e31decee5759ac0e37a65a432687fd1", "current_version": "^2.4.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `redux` is 1 major version(s) behind (^4.2.0 -> 5.0.1)"}, "properties": {"repobilityId": 108421, "scanner": "repobility-dependency-currency", "fingerprint": "ab1e2276a8644377d1a04ac4ba8225ab1e67477a722f60a2af17800c353a0a26", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "redux", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.0.1", "correlation_key": "fp|ab1e2276a8644377d1a04ac4ba8225ab1e67477a722f60a2af17800c353a0a26", "current_version": "^4.2.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `react-resizable` is 1 major version(s) behind (^3.0.4 -> 4.0.1)"}, "properties": {"repobilityId": 108419, "scanner": "repobility-dependency-currency", "fingerprint": "b1e7cc8d7160882b6c698274a28e03d8f8f35be34b68c6e89c7a021f1f1c2293", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "react-resizable", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.0.1", "correlation_key": "fp|b1e7cc8d7160882b6c698274a28e03d8f8f35be34b68c6e89c7a021f1f1c2293", "current_version": "^3.0.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `react-redux` is 1 major version(s) behind (^8.0.2 -> 9.3.0)"}, "properties": {"repobilityId": 108418, "scanner": "repobility-dependency-currency", "fingerprint": "e249c5d199f34ca40aef80fede3b1647934fa3d27488694f3b9795e2b667f9c9", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "react-redux", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "9.3.0", "correlation_key": "fp|e249c5d199f34ca40aef80fede3b1647934fa3d27488694f3b9795e2b667f9c9", "current_version": "^8.0.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `react-icons` is 1 major version(s) behind (^4.3.1 -> 5.6.0)"}, "properties": {"repobilityId": 108417, "scanner": "repobility-dependency-currency", "fingerprint": "422849515bc07ee0e47ef56031a9646c2418c2191ffe1f6f37ec7079c10f4af8", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "react-icons", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.6.0", "correlation_key": "fp|422849515bc07ee0e47ef56031a9646c2418c2191ffe1f6f37ec7079c10f4af8", "current_version": "^4.3.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `react-final-form` is 1 major version(s) behind (^6.5.9 -> 7.0.1)"}, "properties": {"repobilityId": 108415, "scanner": "repobility-dependency-currency", "fingerprint": "c6743e8f148af00600633cd1673dc1d42cfb09cef14358391b9f8eb50267b483", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "react-final-form", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.0.1", "correlation_key": "fp|c6743e8f148af00600633cd1673dc1d42cfb09cef14358391b9f8eb50267b483", "current_version": "^6.5.9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `final-form` is 1 major version(s) behind (^4.20.7 -> 5.0.1)"}, "properties": {"repobilityId": 108412, "scanner": "repobility-dependency-currency", "fingerprint": "1dc611c1f81766c54c0aad45cf4d42f02d791eb59f76466692ff1f84e4d788b1", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "final-form", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.0.1", "correlation_key": "fp|1dc611c1f81766c54c0aad45cf4d42f02d791eb59f76466692ff1f84e4d788b1", "current_version": "^4.20.7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@testing-library/user-event` is 1 major version(s) behind (^13.5.0 -> 14.6.1)"}, "properties": {"repobilityId": 108411, "scanner": "repobility-dependency-currency", "fingerprint": "fa920a22e9063792d9e463ee838af3ce3ea631c3a3f9463ea45b56d81fa313d6", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@testing-library/user-event", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "14.6.1", "correlation_key": "fp|fa920a22e9063792d9e463ee838af3ce3ea631c3a3f9463ea45b56d81fa313d6", "current_version": "^13.5.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@testing-library/react` is 3 major version(s) behind (^13.2.0 -> 16.3.2)"}, "properties": {"repobilityId": 108410, "scanner": "repobility-dependency-currency", "fingerprint": "58ab15516f9b76674558b0d20ae494e1c9aa02d99c0787af8b38eeb7dfc2368c", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@testing-library/react", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "16.3.2", "correlation_key": "fp|58ab15516f9b76674558b0d20ae494e1c9aa02d99c0787af8b38eeb7dfc2368c", "current_version": "^13.2.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@testing-library/jest-dom` is 1 major version(s) behind (^5.16.4 -> 6.9.1)"}, "properties": {"repobilityId": 108409, "scanner": "repobility-dependency-currency", "fingerprint": "d698cc660c727cec3d06c14340052d533bd639c84ded163f73f8d092c743d425", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@testing-library/jest-dom", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.9.1", "correlation_key": "fp|d698cc660c727cec3d06c14340052d533bd639c84ded163f73f8d092c743d425", "current_version": "^5.16.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@mui/material` is 4 major version(s) behind (^5.7.0 -> 9.0.1)"}, "properties": {"repobilityId": 108408, "scanner": "repobility-dependency-currency", "fingerprint": "54948b7e74218cbab5a48bb21965484559d37fc9f5ba5e8171f5de8536e9d5b2", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "4 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@mui/material", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "9.0.1", "correlation_key": "fp|54948b7e74218cbab5a48bb21965484559d37fc9f5ba5e8171f5de8536e9d5b2", "current_version": "^5.7.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "CORE_NO_CI", "level": "warning", "message": {"text": "No CI/CD configuration found"}, "properties": {"repobilityId": 108404, "scanner": "repobility-core", "fingerprint": "ca5da3551af97272c4f099fc472740148135a15816b81b90bd862e8f91ec66ce", "category": "practices", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_CI", "scanner": "repobility-core", "correlation_key": "repo|practices|core_no_ci"}}}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 108521, "scanner": "repobility-web-presence", "fingerprint": "12d1aab6ee1a443feb14574bf5d0fbdb1f0693f388e4ba974e05b2dfd78786e8", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|12d1aab6ee1a443feb14574bf5d0fbdb1f0693f388e4ba974e05b2dfd78786e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 108518, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 108517, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 108516, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8fgc-7cc6-rx7x", "level": "note", "message": {"text": "webpack: GHSA-8fgc-7cc6-rx7x"}, "properties": {"repobilityId": 108504, "scanner": "osv-scanner", "fingerprint": "1d1496f3f5463d27a84b1945a0710436b7fcb4f9b8a8ad083b13e770574f8af2", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-68458"], "package": "webpack", "rule_id": "GHSA-8fgc-7cc6-rx7x", "scanner": "osv-scanner", "correlation_key": "vuln|webpack|CVE-2025-68458|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-38r7-794h-5758", "level": "note", "message": {"text": "webpack: GHSA-38r7-794h-5758"}, "properties": {"repobilityId": 108502, "scanner": "osv-scanner", "fingerprint": "acb299e492e670bc1421e7fa1604c058c3132a5f962a2ee11f5a832c3e6e4925", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-68157"], "package": "webpack", "rule_id": "GHSA-38r7-794h-5758", "scanner": "osv-scanner", "correlation_key": "vuln|webpack|CVE-2025-68157|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-cm22-4g7w-348p", "level": "note", "message": {"text": "serve-static: GHSA-cm22-4g7w-348p"}, "properties": {"repobilityId": 108497, "scanner": "osv-scanner", "fingerprint": "e9d42731245b86568f012f1a6bf30bf1855dd836405326e11334043609ed6601", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-43800"], "package": "serve-static", "rule_id": "GHSA-cm22-4g7w-348p", "scanner": "osv-scanner", "correlation_key": "vuln|serve-static|CVE-2024-43800|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-m6fv-jmcg-4jfg", "level": "note", "message": {"text": "send: GHSA-m6fv-jmcg-4jfg"}, "properties": {"repobilityId": 108493, "scanner": "osv-scanner", "fingerprint": "08b87a2b6f5060068473ff2f1f77f4f1f3a84860127ea9a0108b9e11c5f2e2d5", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-43799"], "package": "send", "rule_id": "GHSA-m6fv-jmcg-4jfg", "scanner": "osv-scanner", "correlation_key": "vuln|send|CVE-2024-43799|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w7fw-mjwx-w883", "level": "note", "message": {"text": "qs: GHSA-w7fw-mjwx-w883"}, "properties": {"repobilityId": 108488, "scanner": "osv-scanner", "fingerprint": "a73d559c3c203e434714cc09b29fe257901a825a427fc4bb71e23c8c69ec3490", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2391"], "package": "qs", "rule_id": "GHSA-w7fw-mjwx-w883", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2026-2391|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-76c9-3jph-rj3q", "level": "note", "message": {"text": "on-headers: GHSA-76c9-3jph-rj3q"}, "properties": {"repobilityId": 108479, "scanner": "osv-scanner", "fingerprint": "a7985f273708d19405671548c594a791d212fdc268ac7eb3aecf4a00ab7e5e50", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-7339"], "package": "on-headers", "rule_id": "GHSA-76c9-3jph-rj3q", "scanner": "osv-scanner", "correlation_key": "vuln|on-headers|CVE-2025-7339|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qw6h-vgh9-j6wx", "level": "note", "message": {"text": "express: GHSA-qw6h-vgh9-j6wx"}, "properties": {"repobilityId": 108446, "scanner": "osv-scanner", "fingerprint": "aed8227dd4329e2940830cc2918837192b939adf896c0bcf23135111ea4ee068", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-43796"], "package": "express", "rule_id": "GHSA-qw6h-vgh9-j6wx", "scanner": "osv-scanner", "correlation_key": "vuln|express|CVE-2024-43796|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-pxg6-pf52-xh8x", "level": "note", "message": {"text": "cookie: GHSA-pxg6-pf52-xh8x"}, "properties": {"repobilityId": 108442, "scanner": "osv-scanner", "fingerprint": "e4b330f5630ed01c82fba254f81c5567f3250984aca049c77d39a36c9f96533b", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-47764"], "package": "cookie", "rule_id": "GHSA-pxg6-pf52-xh8x", "scanner": "osv-scanner", "correlation_key": "vuln|cookie|CVE-2024-47764|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v6h2-p8h4-qcjw", "level": "note", "message": {"text": "brace-expansion: GHSA-v6h2-p8h4-qcjw"}, "properties": {"repobilityId": 108440, "scanner": "osv-scanner", "fingerprint": "1854d9dd5eb370302d7119641e8b8517081a2f7d14cd0cb0730993d4c09eb4d6", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-5889"], "package": "brace-expansion", "rule_id": "GHSA-v6h2-p8h4-qcjw", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2025-5889|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vpq2-c234-7xj6", "level": "note", "message": {"text": "@tootallnate/once: GHSA-vpq2-c234-7xj6"}, "properties": {"repobilityId": 108436, "scanner": "osv-scanner", "fingerprint": "0ef18dda7b85626926b854aa196699c8b8d982a1d5f3be718d15521643f4f62c", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-3449"], "package": "@tootallnate/once", "rule_id": "GHSA-vpq2-c234-7xj6", "scanner": "osv-scanner", "correlation_key": "vuln|tootallnate/once|CVE-2026-3449|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `postcss` is minor version(s) behind (^8.4.13 -> 8.5.15)"}, "properties": {"repobilityId": 108426, "scanner": "repobility-dependency-currency", "fingerprint": "9852873a8f3dce7ab96dc6ed1f1a3f9660e5c770bd2900d492363ace3e524983", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "postcss", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "8.5.15", "correlation_key": "fp|9852873a8f3dce7ab96dc6ed1f1a3f9660e5c770bd2900d492363ace3e524983", "current_version": "^8.4.13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `autoprefixer` is minor version(s) behind (^10.4.7 -> 10.5.0)"}, "properties": {"repobilityId": 108425, "scanner": "repobility-dependency-currency", "fingerprint": "23a22d9672f4783eed402597906b07b9dc8785a9ee4d792076f98280f693088c", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "autoprefixer", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.5.0", "correlation_key": "fp|23a22d9672f4783eed402597906b07b9dc8785a9ee4d792076f98280f693088c", "current_version": "^10.4.7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `react-flow-renderer` is minor version(s) behind (^10.2.2 -> 10.3.17)"}, "properties": {"repobilityId": 108416, "scanner": "repobility-dependency-currency", "fingerprint": "8f048a6c03e8668871ddbd120ced7cdcbdbff2cbe62dc74cae379fcb18ce8977", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "react-flow-renderer", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.3.17", "correlation_key": "fp|8f048a6c03e8668871ddbd120ced7cdcbdbff2cbe62dc74cae379fcb18ce8977", "current_version": "^10.2.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@xyflow/react` is minor version(s) behind (^12.1.1 -> 12.11.0)"}, "properties": {"repobilityId": 108414, "scanner": "repobility-dependency-currency", "fingerprint": "23a7b56658742afabe99394a08999e66cf9637e3ba478870d473c60cc67bca2c", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@xyflow/react", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "12.11.0", "correlation_key": "fp|23a7b56658742afabe99394a08999e66cf9637e3ba478870d473c60cc67bca2c", "current_version": "^12.1.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `html-to-image` is minor version(s) behind (^1.9.0 -> 1.11.13)"}, "properties": {"repobilityId": 108413, "scanner": "repobility-dependency-currency", "fingerprint": "8eb0e135ab547778ebb317140723cabfaa80d585f24c9e222029bcfb1de4786b", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "html-to-image", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.11.13", "correlation_key": "fp|8eb0e135ab547778ebb317140723cabfaa80d585f24c9e222029bcfb1de4786b", "current_version": "^1.9.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@emotion/styled` is minor version(s) behind (^11.8.1 -> 11.14.1)"}, "properties": {"repobilityId": 108407, "scanner": "repobility-dependency-currency", "fingerprint": "8e88844956804a14a900c0d0df40dcaac94b3b64cb888a6743fa3f864145fc1d", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@emotion/styled", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "11.14.1", "correlation_key": "fp|8e88844956804a14a900c0d0df40dcaac94b3b64cb888a6743fa3f864145fc1d", "current_version": "^11.8.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@emotion/react` is minor version(s) behind (^11.9.0 -> 11.14.0)"}, "properties": {"repobilityId": 108406, "scanner": "repobility-dependency-currency", "fingerprint": "6e34d0e9698485807fcbf526e1e7ffee85b915fc16bfef124fb712c0a8d12569", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@emotion/react", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "11.14.0", "correlation_key": "fp|6e34d0e9698485807fcbf526e1e7ffee85b915fc16bfef124fb712c0a8d12569", "current_version": "^11.9.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 108405, "scanner": "repobility-ai-code-hygiene", "fingerprint": "02bdb194acb5924a009cefdaf713aa285283738fc3d2a8c9b9ac2e078ed5eea0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/FlowComponents/Nodes/CircleNode.jsx", "duplicate_line": 16, "correlation_key": "fp|02bdb194acb5924a009cefdaf713aa285283738fc3d2a8c9b9ac2e078ed5eea0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/FlowComponents/Nodes/DecisionNode.jsx"}, "region": {"startLine": 17}}}]}, {"ruleId": "CORE_NO_LICENSE", "level": "note", "message": {"text": "No LICENSE file"}, "properties": {"repobilityId": 108403, "scanner": "repobility-core", "fingerprint": "9314e9238cd99885865b92490d1aaa96ca62b1390c9377878d5f3d99227e1c3c", "category": "documentation", "severity": "low", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_LICENSE", "scanner": "repobility-core", "correlation_key": "repo|documentation|core_no_license"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 108430, "scanner": "repobility-threat-engine", "fingerprint": "5e44bf3376b3b6dc42ad1c97e4e4e795dbc553b515332e2b80d37fbbaca71a06", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5e44bf3376b3b6dc42ad1c97e4e4e795dbc553b515332e2b80d37fbbaca71a06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/redux/actions/user.actions.js"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 108428, "scanner": "repobility-threat-engine", "fingerprint": "f7ee7f4b65b08ae85fd2ad701341065ca55bdbe253ee54bb74eeeaebf4ff5fa3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f7ee7f4b65b08ae85fd2ad701341065ca55bdbe253ee54bb74eeeaebf4ff5fa3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/FlowComponents/Nodes/CustomOutputNode.jsx"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 108427, "scanner": "repobility-threat-engine", "fingerprint": "91d3d551d8697a4ef1cb1760490c4f92b6aac84e6df0b54e5ece2a6978aa6db3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|91d3d551d8697a4ef1cb1760490c4f92b6aac84e6df0b54e5ece2a6978aa6db3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/FlowComponents/Nodes/CustomInputNode.jsx"}, "region": {"startLine": 20}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `reactjs-popup` is patch version(s) behind (^2.0.5 -> 2.0.6)"}, "properties": {"repobilityId": 108420, "scanner": "repobility-dependency-currency", "fingerprint": "6851b92c2e879d5dee613ae9dc058c11d42a8d7bef5adac3a88412e8cd42aaf5", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "reactjs-popup", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.0.6", "correlation_key": "fp|6851b92c2e879d5dee613ae9dc058c11d42a8d7bef5adac3a88412e8cd42aaf5", "current_version": "^2.0.5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3h5v-q93c-6h6q", "level": "error", "message": {"text": "ws: GHSA-3h5v-q93c-6h6q"}, "properties": {"repobilityId": 108511, "scanner": "osv-scanner", "fingerprint": "2eae87ce778e87d74e791a8fc5de8be762fe93a135c285aa5b156041a72a9ffd", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-37890"], "package": "ws", "rule_id": "GHSA-3h5v-q93c-6h6q", "scanner": "osv-scanner", "correlation_key": "vuln|ws|CVE-2024-37890|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-wr3j-pwj9-hqq6", "level": "error", "message": {"text": "webpack-dev-middleware: GHSA-wr3j-pwj9-hqq6"}, "properties": {"repobilityId": 108506, "scanner": "osv-scanner", "fingerprint": "e1a3ee9b19df8ced3facdce65c24aba090f31145b5e3c3b4818c45889676504a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-29180"], "package": "webpack-dev-middleware", "rule_id": "GHSA-wr3j-pwj9-hqq6", "scanner": "osv-scanner", "correlation_key": "vuln|webpack-dev-middleware|CVE-2024-29180|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4wf5-vphf-c2xc", "level": "error", "message": {"text": "terser: GHSA-4wf5-vphf-c2xc"}, "properties": {"repobilityId": 108499, "scanner": "osv-scanner", "fingerprint": "b68f6ba05003d07996b18cedfc9b9480339ce08031d295c8f9136483a74b4ea6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2022-25858"], "package": "terser", "rule_id": "GHSA-4wf5-vphf-c2xc", "scanner": "osv-scanner", "correlation_key": "vuln|terser|CVE-2022-25858|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xpqw-6gx7-v673", "level": "error", "message": {"text": "svgo: GHSA-xpqw-6gx7-v673"}, "properties": {"repobilityId": 108498, "scanner": "osv-scanner", "fingerprint": "f051f88a209c8782d870fe249e2d77f50a94bebeb934779c0bf5d44e16193bd7", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-29074"], "package": "svgo", "rule_id": "GHSA-xpqw-6gx7-v673", "scanner": "osv-scanner", "correlation_key": "vuln|svgo|CVE-2026-29074|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5c6j-r48x-rmvq", "level": "error", "message": {"text": "serialize-javascript: GHSA-5c6j-r48x-rmvq"}, "properties": {"repobilityId": 108494, "scanner": "osv-scanner", "fingerprint": "1ef775a47df378c856c07b625124fda8dffefc3e2824185640a1944e77134c56", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "serialize-javascript", "rule_id": "GHSA-5c6j-r48x-rmvq", "scanner": "osv-scanner", "correlation_key": "vuln|serialize-javascript|GHSA-5C6J-R48X-RMVQ|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c2qf-rxjj-qqgw", "level": "error", "message": {"text": "semver: GHSA-c2qf-rxjj-qqgw"}, "properties": {"repobilityId": 108492, "scanner": "osv-scanner", "fingerprint": "a06744873de3c2e471d3ec587834ed8ebb60a9e5a34cbfa678929ea66cf22ead", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2022-25883"], "package": "semver", "rule_id": "GHSA-c2qf-rxjj-qqgw", "scanner": "osv-scanner", "correlation_key": "vuln|semver|CVE-2022-25883|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mw96-cpmx-2vgc", "level": "error", "message": {"text": "rollup: GHSA-mw96-cpmx-2vgc"}, "properties": {"repobilityId": 108491, "scanner": "osv-scanner", "fingerprint": "73f564d6a3431a4b0c52ce5f7f721287d73dc9c95a1b664e1059f3ee63a81309", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27606"], "package": "rollup", "rule_id": "GHSA-mw96-cpmx-2vgc", "scanner": "osv-scanner", "correlation_key": "vuln|rollup|CVE-2026-27606|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-gcx4-mw62-g8wm", "level": "error", "message": {"text": "rollup: GHSA-gcx4-mw62-g8wm"}, "properties": {"repobilityId": 108490, "scanner": "osv-scanner", "fingerprint": "bc648eb2b305e88faced732632f4a42066a56117b7bb6035ce920edc25fa0bda", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-47068"], "package": "rollup", "rule_id": "GHSA-gcx4-mw62-g8wm", "scanner": "osv-scanner", "correlation_key": "vuln|rollup|CVE-2024-47068|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c2c7-rcm5-vvqj", "level": "error", "message": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "properties": {"repobilityId": 108484, "scanner": "osv-scanner", "fingerprint": "ecad408982c8a867788b1b169f9773cfa4c952dae95c6913e1d2a58e3f6235b4", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33671"], "package": "picomatch", "rule_id": "GHSA-c2c7-rcm5-vvqj", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33671|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rhx6-c78j-4q9w", "level": "error", "message": {"text": "path-to-regexp: GHSA-rhx6-c78j-4q9w"}, "properties": {"repobilityId": 108482, "scanner": "osv-scanner", "fingerprint": "b1725ea62d0be4473ba2ac0d618cf54a859f1f15d693a6401003b6fe282ef5f7", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-52798"], "package": "path-to-regexp", "rule_id": "GHSA-rhx6-c78j-4q9w", "scanner": "osv-scanner", "correlation_key": "vuln|path-to-regexp|CVE-2024-52798|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9wv6-86v2-598j", "level": "error", "message": {"text": "path-to-regexp: GHSA-9wv6-86v2-598j"}, "properties": {"repobilityId": 108481, "scanner": "osv-scanner", "fingerprint": "235aa913e4ed3107705d6e4657282956bd9334be581edd8d08923f0cc986f049", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-45296"], "package": "path-to-regexp", "rule_id": "GHSA-9wv6-86v2-598j", "scanner": "osv-scanner", "correlation_key": "vuln|path-to-regexp|CVE-2024-45296|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-37ch-88jc-xwx2", "level": "error", "message": {"text": "path-to-regexp: GHSA-37ch-88jc-xwx2"}, "properties": {"repobilityId": 108480, "scanner": "osv-scanner", "fingerprint": "5742c339a39ab768b3eccf36b77e764e80f572d1c2004fb943c094a904543ff2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4867"], "package": "path-to-regexp", "rule_id": "GHSA-37ch-88jc-xwx2", "scanner": "osv-scanner", "correlation_key": "vuln|path-to-regexp|CVE-2026-4867|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rp65-9cf3-cjxr", "level": "error", "message": {"text": "nth-check: GHSA-rp65-9cf3-cjxr"}, "properties": {"repobilityId": 108478, "scanner": "osv-scanner", "fingerprint": "1ad20722c6524647126ef54c050ae4bbb4c2747f932d744da6150fb769925057", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2021-3803"], "package": "nth-check", "rule_id": "GHSA-rp65-9cf3-cjxr", "scanner": "osv-scanner", "correlation_key": "vuln|nth-check|CVE-2021-3803|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q67f-28xg-22rw", "level": "error", "message": {"text": "node-forge: GHSA-q67f-28xg-22rw"}, "properties": {"repobilityId": 108477, "scanner": "osv-scanner", "fingerprint": "43fb970be98a452fd99c176264dece721b2453225d08eca95d7d5a2999b4dbe4", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33895"], "package": "node-forge", "rule_id": "GHSA-q67f-28xg-22rw", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2026-33895|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-ppp5-5v6c-4jwp", "level": "error", "message": {"text": "node-forge: GHSA-ppp5-5v6c-4jwp"}, "properties": {"repobilityId": 108476, "scanner": "osv-scanner", "fingerprint": "6b8cf59444f2239e6de25b8d18a6950d9fd91ccd8ee47cc0a509854c6c8546af", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33894"], "package": "node-forge", "rule_id": "GHSA-ppp5-5v6c-4jwp", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2026-33894|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5m6q-g25r-mvwx", "level": "error", "message": {"text": "node-forge: GHSA-5m6q-g25r-mvwx"}, "properties": {"repobilityId": 108474, "scanner": "osv-scanner", "fingerprint": "6d3ca1f811fba33887bb8f62dea5c3066b38e0f33ce500df41842d8149f9fccd", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33891"], "package": "node-forge", "rule_id": "GHSA-5m6q-g25r-mvwx", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2026-33891|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5gfm-wpxj-wjgq", "level": "error", "message": {"text": "node-forge: GHSA-5gfm-wpxj-wjgq"}, "properties": {"repobilityId": 108473, "scanner": "osv-scanner", "fingerprint": "59a69c59f06bbffe35bee5356593e822251ec8d103202f50601c2ea96439a329", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-12816"], "package": "node-forge", "rule_id": "GHSA-5gfm-wpxj-wjgq", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2025-12816|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-554w-wpv2-vw27", "level": "error", "message": {"text": "node-forge: GHSA-554w-wpv2-vw27"}, "properties": {"repobilityId": 108472, "scanner": "osv-scanner", "fingerprint": "3f0d80d84286c0537cf5b9a0dc3c5ea135114a640a02837f7cca21657e4e7a8b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-66031"], "package": "node-forge", "rule_id": "GHSA-554w-wpv2-vw27", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2025-66031|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2328-f5f3-gj25", "level": "error", "message": {"text": "node-forge: GHSA-2328-f5f3-gj25"}, "properties": {"repobilityId": 108471, "scanner": "osv-scanner", "fingerprint": "b465e7c54ffb8b50ab9e2b46bede355127e198fa857142efcbd686b486b3f13a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33896"], "package": "node-forge", "rule_id": "GHSA-2328-f5f3-gj25", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2026-33896|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f8q6-p94x-37v3", "level": "error", "message": {"text": "minimatch: GHSA-f8q6-p94x-37v3"}, "properties": {"repobilityId": 108469, "scanner": "osv-scanner", "fingerprint": "50aec8093049806c1c7e12059db3d0507690b80356c2ad87e48c67dd21928620", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2022-3517"], "package": "minimatch", "rule_id": "GHSA-f8q6-p94x-37v3", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2022-3517|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7r86-cg39-jmmj", "level": "error", "message": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "properties": {"repobilityId": 108468, "scanner": "osv-scanner", "fingerprint": "155d5f86682d4cca28cde02dfe1b84c1837cf98c6feba6adf8f141619cbe7278", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27903"], "package": "minimatch", "rule_id": "GHSA-7r86-cg39-jmmj", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27903|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3ppc-4f35-3m26", "level": "error", "message": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "properties": {"repobilityId": 108467, "scanner": "osv-scanner", "fingerprint": "09e3156d77e314926a52fbc6f5aec96b0f979198ea66c485cce13e20587eb10d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-26996"], "package": "minimatch", "rule_id": "GHSA-3ppc-4f35-3m26", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-26996|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-23c5-xmqv-rm74", "level": "error", "message": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "properties": {"repobilityId": 108466, "scanner": "osv-scanner", "fingerprint": "221b16994c1c62dd68d3c52e72deae94054e851fa81062e507d061a803f51227", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27904"], "package": "minimatch", "rule_id": "GHSA-23c5-xmqv-rm74", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27904|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r5fr-rjxr-66jc", "level": "error", "message": {"text": "lodash: GHSA-r5fr-rjxr-66jc"}, "properties": {"repobilityId": 108463, "scanner": "osv-scanner", "fingerprint": "1e427b2a7906f8eadfed6f4e3eca44082674f46bb2550d3973211626ec08136c", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4800"], "package": "lodash", "rule_id": "GHSA-r5fr-rjxr-66jc", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2026-4800|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-hhq3-ff78-jv3g", "level": "error", "message": {"text": "loader-utils: GHSA-hhq3-ff78-jv3g"}, "properties": {"repobilityId": 108461, "scanner": "osv-scanner", "fingerprint": "7e8bf8068ab66afc0fe02dc761025537af13572ec0ac891c9c3287e953b42c16", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2022-37599"], "package": "loader-utils", "rule_id": "GHSA-hhq3-ff78-jv3g", "scanner": "osv-scanner", "correlation_key": "vuln|loader-utils|CVE-2022-37599|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3rfm-jhwj-7488", "level": "error", "message": {"text": "loader-utils: GHSA-3rfm-jhwj-7488"}, "properties": {"repobilityId": 108459, "scanner": "osv-scanner", "fingerprint": "0ef7df1ffefcdfefd0c2750d3b74a1877b26c992bd761563ae65a7116e7eb71e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2022-37603"], "package": "loader-utils", "rule_id": "GHSA-3rfm-jhwj-7488", "scanner": "osv-scanner", "correlation_key": "vuln|loader-utils|CVE-2022-37603|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9c47-m6qq-7p4h", "level": "error", "message": {"text": "json5: GHSA-9c47-m6qq-7p4h"}, "properties": {"repobilityId": 108458, "scanner": "osv-scanner", "fingerprint": "cea4c3964758efcdc5f35caf69fa2dc37d8f424a2978421d76abf305cfad08c9", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2022-46175"], "package": "json5", "rule_id": "GHSA-9c47-m6qq-7p4h", "scanner": "osv-scanner", "correlation_key": "vuln|json5|CVE-2022-46175|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c7qv-q95q-8v27", "level": "error", "message": {"text": "http-proxy-middleware: GHSA-c7qv-q95q-8v27"}, "properties": {"repobilityId": 108456, "scanner": "osv-scanner", "fingerprint": "13428644976a3ebba474afc13666ef0289ed2fa62762534c9a1077e75c580d62", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-21536"], "package": "http-proxy-middleware", "rule_id": "GHSA-c7qv-q95q-8v27", "scanner": "osv-scanner", "correlation_key": "vuln|http-proxy-middleware|CVE-2024-21536|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rf6f-7fwh-wjgh", "level": "error", "message": {"text": "flatted: GHSA-rf6f-7fwh-wjgh"}, "properties": {"repobilityId": 108449, "scanner": "osv-scanner", "fingerprint": "d0b9234ec2966d5cd1ae83b092076fc6f5a32dfd776078904598a2fa7f33a0c2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33228"], "package": "flatted", "rule_id": "GHSA-rf6f-7fwh-wjgh", "scanner": "osv-scanner", "correlation_key": "vuln|flatted|CVE-2026-33228|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-25h7-pfq9-p65f", "level": "error", "message": {"text": "flatted: GHSA-25h7-pfq9-p65f"}, "properties": {"repobilityId": 108448, "scanner": "osv-scanner", "fingerprint": "c35df0a8f45b3093e14eb6817663ff04a68616414e8781d73a25447d74f0932f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-32141"], "package": "flatted", "rule_id": "GHSA-25h7-pfq9-p65f", "scanner": "osv-scanner", "correlation_key": "vuln|flatted|CVE-2026-32141|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w573-4hg7-7wgq", "level": "error", "message": {"text": "decode-uri-component: GHSA-w573-4hg7-7wgq"}, "properties": {"repobilityId": 108444, "scanner": "osv-scanner", "fingerprint": "5753d0d7d939c1f6b92f1047979a958a20965cb11f2fa9e04e09d45c97f076ce", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2022-38900"], "package": "decode-uri-component", "rule_id": "GHSA-w573-4hg7-7wgq", "scanner": "osv-scanner", "correlation_key": "vuln|decode-uri-component|CVE-2022-38900|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3xgq-45jj-v275", "level": "error", "message": {"text": "cross-spawn: GHSA-3xgq-45jj-v275"}, "properties": {"repobilityId": 108443, "scanner": "osv-scanner", "fingerprint": "9cc1de1071c2e2f2fdc8c844fe693a4651cd7dd56d5ed46ed510d674489c61ea", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-21538"], "package": "cross-spawn", "rule_id": "GHSA-3xgq-45jj-v275", "scanner": "osv-scanner", "correlation_key": "vuln|cross-spawn|CVE-2024-21538|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-grv7-fg5c-xmjg", "level": "error", "message": {"text": "braces: GHSA-grv7-fg5c-xmjg"}, "properties": {"repobilityId": 108441, "scanner": "osv-scanner", "fingerprint": "de698ba9d47cdaec1afb55cc773057536cee3b0c6ab5ca361872935bfe85dc87", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-4068"], "package": "braces", "rule_id": "GHSA-grv7-fg5c-xmjg", "scanner": "osv-scanner", "correlation_key": "vuln|braces|CVE-2024-4068|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qwcr-r2fm-qrc7", "level": "error", "message": {"text": "body-parser: GHSA-qwcr-r2fm-qrc7"}, "properties": {"repobilityId": 108438, "scanner": "osv-scanner", "fingerprint": "536667bdf74a40f24b05f9f53b8334700de36cb4003f97fb11224b48ba6950c1", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-45590"], "package": "body-parser", "rule_id": "GHSA-qwcr-r2fm-qrc7", "scanner": "osv-scanner", "correlation_key": "vuln|body-parser|CVE-2024-45590|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-fv7c-fp4j-7gwp", "level": "error", "message": {"text": "@babel/plugin-transform-modules-systemjs: GHSA-fv7c-fp4j-7gwp"}, "properties": {"repobilityId": 108432, "scanner": "osv-scanner", "fingerprint": "c2dc1a09078c71856886d8ce45758b5e18c5cb783464c9542246579d238e3b46", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44728"], "package": "@babel/plugin-transform-modules-systemjs", "rule_id": "GHSA-fv7c-fp4j-7gwp", "scanner": "osv-scanner", "correlation_key": "vuln|token|CVE-2026-44728|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 108429, "scanner": "repobility-threat-engine", "fingerprint": "24710e86da78d4d212b8e02ac8fd9fa29b15f286ff39ad27815f52861003dd7e", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(f", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|24710e86da78d4d212b8e02ac8fd9fa29b15f286ff39ad27815f52861003dd7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/helpers/index.js"}, "region": {"startLine": 44}}}]}, {"ruleId": "GHSA-hc6q-2mpp-qw7j", "level": "error", "message": {"text": "webpack: GHSA-hc6q-2mpp-qw7j"}, "properties": {"repobilityId": 108505, "scanner": "osv-scanner", "fingerprint": "e0f57a67959f488a9a9cfa7472f42d396827d7c036f7918150d16d99b7691cc0", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-28154"], "package": "webpack", "rule_id": "GHSA-hc6q-2mpp-qw7j", "scanner": "osv-scanner", "correlation_key": "vuln|webpack|CVE-2023-28154|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-76p3-8jx3-jpfq", "level": "error", "message": {"text": "loader-utils: GHSA-76p3-8jx3-jpfq"}, "properties": {"repobilityId": 108460, "scanner": "osv-scanner", "fingerprint": "1dd0089f6fa9e6b2e002eda34ee58ac9b97ddcc39ef272e92c5990d7496f4286", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2022-37601"], "package": "loader-utils", "rule_id": "GHSA-76p3-8jx3-jpfq", "scanner": "osv-scanner", "correlation_key": "vuln|loader-utils|CVE-2022-37601|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-fjxv-7rqg-78g4", "level": "error", "message": {"text": "form-data: GHSA-fjxv-7rqg-78g4"}, "properties": {"repobilityId": 108453, "scanner": "osv-scanner", "fingerprint": "658d14af1efb85daf76e8e580a220131eae8bd5c688a3325b96ee04b676a39a7", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-7783"], "package": "form-data", "rule_id": "GHSA-fjxv-7rqg-78g4", "scanner": "osv-scanner", "correlation_key": "vuln|form-data|CVE-2025-7783|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-67hx-6x53-jw92", "level": "error", "message": {"text": "@babel/traverse: GHSA-67hx-6x53-jw92"}, "properties": {"repobilityId": 108435, "scanner": "osv-scanner", "fingerprint": "a8d8661b4cc58abf605e4ec12b3972b95d9fff9a0f6e512cddbfa0212236186f", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-45133"], "package": "@babel/traverse", "rule_id": "GHSA-67hx-6x53-jw92", "scanner": "osv-scanner", "correlation_key": "vuln|babel/traverse|CVE-2023-45133|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}]}]}