{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors. Browsers ignore frame-ancestors in a meta tag, so that directive must be delivered as a response header."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no 
robots.txt"}, "fullDescription": {"text": "Add robots.txt at the web root or a framework-native robots route. Include an explicit Sitemap directive and disallow only private paths."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. 
Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 5 more): Same pattern found in 5 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 75 more): Same pattern found in 75 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 75 more): Same pattern found in 75 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED122", "name": "[MINED122] package.json dep `shared26` pulled from URL/Git: `dependencies.shared26` = `https://GITHUB.com//bar/tree/bran", "shortDescription": {"text": "[MINED122] package.json dep `shared26` pulled from URL/Git: `dependencies.shared26` = `https://GITHUB.com//bar/tree/branch` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host "}, "fullDescription": {"text": "Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. 
Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16. Apply the CIDR check to the address the hostname resolves to, and repeat it on every redirect hop."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.CODSPEED_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`,", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.CODSPEED_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. 
Referencing `${{ secrets.CODSPEED_TOKEN }}` lets a PR from any fork exfiltrate the secr"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed. `pull_request_target` runs with the base repository's secrets, so a job that reads the secret must not check out or execute the pull request's head at all."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/853"}, "properties": {"repository": "webpack/webpack", "repoUrl": "https://github.com/webpack/webpack", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 76936, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": 
"fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 76935, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 76877, "scanner": "repobility-threat-engine", "fingerprint": "1813dcc5c1cdd7577b3d5e227ba8873cf23d4fb62da25f4e0162954f3954b980", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|setup/setup.js|37|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "setup/setup.js"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 76876, "scanner": "repobility-threat-engine", "fingerprint": "bc6a719664ce20965d6ee69b8f287e06d3d157864bbff7d037e6cbc91bc3fa7d", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|7|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/nodejs-addons/build.js"}, "region": {"startLine": 7}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 76875, "scanner": "repobility-threat-engine", "fingerprint": "b53bfa3f80db64a7cd60826cd04af902c13abf930c786a677de1b79bef2f9a3f", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|examples/build-common.js|119|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/build-common.js"}, "region": {"startLine": 119}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 76934, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 76933, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public 
and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 76932, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 76931, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76930, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c02c842497e1d5b57523cf08c3cf046263b8d39d6cf8e2293041e0778ad23524", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "lib/errors/ModuleDependencyError.js", "duplicate_line": 9, "correlation_key": "fp|c02c842497e1d5b57523cf08c3cf046263b8d39d6cf8e2293041e0778ad23524"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/errors/ModuleDependencyWarning.js"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76929, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3fbcacae1af911f1653b29ea5e7f64c099ea051baea8fe7184638e1e942da092", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "lib/dependencies/ImportParserPlugin.js", "duplicate_line": 212, "correlation_key": "fp|3fbcacae1af911f1653b29ea5e7f64c099ea051baea8fe7184638e1e942da092"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/dependencies/WorkerPlugin.js"}, "region": {"startLine": 201}}}]}, {"ruleId": "AIC003", "level": "note", 
"message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76928, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bdc91fcd2bcdbd46b6a81baff7ef5b3968444757d2e066e471e741f26c372fbc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "lib/dependencies/ImportContextDependency.js", "duplicate_line": 25, "correlation_key": "fp|bdc91fcd2bcdbd46b6a81baff7ef5b3968444757d2e066e471e741f26c372fbc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/dependencies/URLContextDependency.js"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76927, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c8db38b204f95a3e05948fd272217629d925fd6b2d466bd5bdced53e42ba8ddc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "lib/dependencies/AMDRequireContextDependency.js", "duplicate_line": 17, "correlation_key": "fp|c8db38b204f95a3e05948fd272217629d925fd6b2d466bd5bdced53e42ba8ddc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/dependencies/RequireResolveContextDependency.js"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 
76926, "scanner": "repobility-ai-code-hygiene", "fingerprint": "764f892885a2d55e6907bd21977f56a3f2cdccb344e09dac47cac5ae4a212a4e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "lib/APIPlugin.js", "duplicate_line": 327, "correlation_key": "fp|764f892885a2d55e6907bd21977f56a3f2cdccb344e09dac47cac5ae4a212a4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/dependencies/ImportPlugin.js"}, "region": {"startLine": 57}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76925, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b7bf896404e983f03f66f342b3772ee3f98536791a3d08767d6f2a206107b281", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "lib/dependencies/ContextElementDependency.js", "duplicate_line": 58, "correlation_key": "fp|b7bf896404e983f03f66f342b3772ee3f98536791a3d08767d6f2a206107b281"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/dependencies/ImportDependency.js"}, "region": {"startLine": 44}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76924, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bfa874bfb2d9ec3eaa94ced69ebfb12698f9ed69fdd26a6feb9fe1b5c69098de", "category": "quality", 
"severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "lib/dependencies/HarmonyImportDependency.js", "duplicate_line": 65, "correlation_key": "fp|bfa874bfb2d9ec3eaa94ced69ebfb12698f9ed69fdd26a6feb9fe1b5c69098de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/dependencies/ImportDependency.js"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76923, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2f765f53ecaa340c2aa1e98422a8876fcd26c2ac135ec544a64104abc68163c0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "lib/dependencies/CssUrlDependency.js", "duplicate_line": 118, "correlation_key": "fp|2f765f53ecaa340c2aa1e98422a8876fcd26c2ac135ec544a64104abc68163c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/dependencies/HtmlSourceDependency.js"}, "region": {"startLine": 55}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76922, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6e18001642beb0b2981773361d6f8fab1476fdfa841698aede9439431d5eafcf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized 
source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "lib/ModuleInfoHeaderPlugin.js", "duplicate_line": 9, "correlation_key": "fp|6e18001642beb0b2981773361d6f8fab1476fdfa841698aede9439431d5eafcf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/dependencies/HarmonyExportInitFragment.js"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76921, "scanner": "repobility-ai-code-hygiene", "fingerprint": "21f1aa50efc1c17091156885a513e900c4cf8d3339b694c19855e463ecfce802", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "lib/dependencies/ExternalModuleDependency.js", "duplicate_line": 52, "correlation_key": "fp|21f1aa50efc1c17091156885a513e900c4cf8d3339b694c19855e463ecfce802"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/dependencies/ExternalModuleInitFragmentDependency.js"}, "region": {"startLine": 38}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76920, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0fe0481e40ae9c94046b696e547f19c6ef9d4979256708ab31f394a9231cc77b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", 
"scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "lib/dependencies/AMDDefineDependencyParserPlugin.js", "duplicate_line": 72, "correlation_key": "fp|0fe0481e40ae9c94046b696e547f19c6ef9d4979256708ab31f394a9231cc77b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/dependencies/AMDRequireDependenciesBlockParserPlugin.js"}, "region": {"startLine": 72}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76919, "scanner": "repobility-ai-code-hygiene", "fingerprint": "97223daa1bb7c768d7f9e3f77d13ab0c68b5e4be72f5cc2f259d78a50104c053", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "lib/cache/MemoryCachePlugin.js", "duplicate_line": 22, "correlation_key": "fp|97223daa1bb7c768d7f9e3f77d13ab0c68b5e4be72f5cc2f259d78a50104c053"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/cache/MemoryWithGcCachePlugin.js"}, "region": {"startLine": 87}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76918, "scanner": "repobility-ai-code-hygiene", "fingerprint": "de81d502533f1cb7b1cd9562d510eeb88b8c61abeac99970409f5a0473c7f8d5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"lib/RawModule.js", "duplicate_line": 28, "correlation_key": "fp|de81d502533f1cb7b1cd9562d510eeb88b8c61abeac99970409f5a0473c7f8d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/asset/RawDataUrlModule.js"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76917, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f54436b5dd9df8b127bee73aa295a5f3dd80b4b2e261b0bc4e7af6957163ba66", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "lib/asset/AssetBytesGenerator.js", "duplicate_line": 3, "correlation_key": "fp|f54436b5dd9df8b127bee73aa295a5f3dd80b4b2e261b0bc4e7af6957163ba66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/asset/AssetSourceGenerator.js"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76916, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f0e97ee0b70ddd9bf0fe05db7134362bf8334a82ca00dbeb99233886e917fac4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "lib/asset/AssetBytesGenerator.js", "duplicate_line": 92, "correlation_key": "fp|f0e97ee0b70ddd9bf0fe05db7134362bf8334a82ca00dbeb99233886e917fac4"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "lib/asset/AssetGenerator.js"}, "region": {"startLine": 468}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76915, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ab16c0ac9ac3f8d29cfbafd0955da6eb9111d3536fb2cba5d8e93f7ae22319ab", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "lib/APIPlugin.js", "duplicate_line": 327, "correlation_key": "fp|ab16c0ac9ac3f8d29cfbafd0955da6eb9111d3536fb2cba5d8e93f7ae22319ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/WebpackIsIncludedPlugin.js"}, "region": {"startLine": 53}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76914, "scanner": "repobility-ai-code-hygiene", "fingerprint": "09a235122163177f6a21da2d5e87a353d1aafcb42f9cf2b237d0e6ff5dfb555c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "lib/APIPlugin.js", "duplicate_line": 327, "correlation_key": "fp|09a235122163177f6a21da2d5e87a353d1aafcb42f9cf2b237d0e6ff5dfb555c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/UseStrictPlugin.js"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation 
block across source files"}, "properties": {"repobilityId": 76913, "scanner": "repobility-ai-code-hygiene", "fingerprint": "da2d7df618da3f694aac9623fd06ffeb480e0ff11a7c26480d61803ecf75ad3f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "lib/CompatibilityPlugin.js", "duplicate_line": 168, "correlation_key": "fp|da2d7df618da3f694aac9623fd06ffeb480e0ff11a7c26480d61803ecf75ad3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/UseStrictPlugin.js"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76912, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d8adaeeef473f744abdea37d245719cdcb725964de7d311cb90c1b82281c1a5e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "lib/APIPlugin.js", "duplicate_line": 327, "correlation_key": "fp|d8adaeeef473f744abdea37d245719cdcb725964de7d311cb90c1b82281c1a5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/ProvidePlugin.js"}, "region": {"startLine": 76}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76911, "scanner": "repobility-ai-code-hygiene", "fingerprint": "be0c1fb76645cdb50848d8099bc872be0e7d7b5dfe5d7094b63847f20aa14ff4", 
"category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "lib/ChunkTemplate.js", "duplicate_line": 60, "correlation_key": "fp|be0c1fb76645cdb50848d8099bc872be0e7d7b5dfe5d7094b63847f20aa14ff4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/MainTemplate.js"}, "region": {"startLine": 107}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76910, "scanner": "repobility-ai-code-hygiene", "fingerprint": "80de2b2c17772841fbf84de4e404c03f5be62d355b05f3ccd20977b08b37f947", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "lib/APIPlugin.js", "duplicate_line": 327, "correlation_key": "fp|80de2b2c17772841fbf84de4e404c03f5be62d355b05f3ccd20977b08b37f947"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/JavascriptMetaInfoPlugin.js"}, "region": {"startLine": 42}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76909, "scanner": "repobility-ai-code-hygiene", "fingerprint": "96be869343f74391e6519d0a73cd47230e0980823fd4d33bf92b75916436bf3a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different 
non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "lib/CompatibilityPlugin.js", "duplicate_line": 168, "correlation_key": "fp|96be869343f74391e6519d0a73cd47230e0980823fd4d33bf92b75916436bf3a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/JavascriptMetaInfoPlugin.js"}, "region": {"startLine": 40}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76908, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0e9f38cf1cedc80810410f4585398b94da7ffbd9b72f58ffe00b66509f033e1c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "lib/APIPlugin.js", "duplicate_line": 327, "correlation_key": "fp|0e9f38cf1cedc80810410f4585398b94da7ffbd9b72f58ffe00b66509f033e1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/ExportsInfoApiPlugin.js"}, "region": {"startLine": 49}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76907, "scanner": "repobility-ai-code-hygiene", "fingerprint": "508c980c4834b3f1e00e4b85b89a9a920ec5998614bbdb9b5985dcaac47adea8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"lib/CompatibilityPlugin.js", "duplicate_line": 169, "correlation_key": "fp|508c980c4834b3f1e00e4b85b89a9a920ec5998614bbdb9b5985dcaac47adea8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/ExportsInfoApiPlugin.js"}, "region": {"startLine": 48}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76906, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9e716e30c3ac9d5eea7932a2e5876637392f6527cc3fab7b48fd97771c1c399c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "lib/ConstPlugin.js", "duplicate_line": 318, "correlation_key": "fp|9e716e30c3ac9d5eea7932a2e5876637392f6527cc3fab7b48fd97771c1c399c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/ExportsInfoApiPlugin.js"}, "region": {"startLine": 46}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76905, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b97f7777cec45289d48950d9c2c3e5b7625accb8a6a0616bebc0e73eb31c0ed8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "lib/EvalDevToolModulePlugin.js", "duplicate_line": 74, "correlation_key": "fp|b97f7777cec45289d48950d9c2c3e5b7625accb8a6a0616bebc0e73eb31c0ed8"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "lib/EvalSourceMapDevToolPlugin.js"}, "region": {"startLine": 173}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76904, "scanner": "repobility-ai-code-hygiene", "fingerprint": "72370ed6d7d448d7fd4438a5b2419170c71fb1830c1a3ec1ed38eb4f33b78c05", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "lib/APIPlugin.js", "duplicate_line": 327, "correlation_key": "fp|72370ed6d7d448d7fd4438a5b2419170c71fb1830c1a3ec1ed38eb4f33b78c05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/ConstPlugin.js"}, "region": {"startLine": 321}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76903, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bc2bfa3072e88932e792de63d57a26aa289ce909bba222574ecce9ee63193fb9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "lib/CompatibilityPlugin.js", "duplicate_line": 169, "correlation_key": "fp|bc2bfa3072e88932e792de63d57a26aa289ce909bba222574ecce9ee63193fb9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/ConstPlugin.js"}, "region": {"startLine": 320}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source 
files"}, "properties": {"repobilityId": 76902, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fe7a3e601f4218fa3a304707d2ac0aec9306615782f1a1ddb4f527424f341bd5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "lib/APIPlugin.js", "duplicate_line": 327, "correlation_key": "fp|fe7a3e601f4218fa3a304707d2ac0aec9306615782f1a1ddb4f527424f341bd5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/CompatibilityPlugin.js"}, "region": {"startLine": 170}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76901, "scanner": "repobility-ai-code-hygiene", "fingerprint": "11341d1f7bef941eaae08bc33116cee3f4e9a269766cefb614563301f71bf251", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "hot/dev-server.js", "duplicate_line": 63, "correlation_key": "fp|11341d1f7bef941eaae08bc33116cee3f4e9a269766cefb614563301f71bf251"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hot/only-dev-server.js"}, "region": {"startLine": 91}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). 
Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 76899, "scanner": "repobility-threat-engine", "fingerprint": "1bfac24cdeeb1701d9971d5866e300f0394ef4003f098adc1d9b215a68793c0d", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"[HMR] Cannot apply update as a previous update \" +\n\t\t\t\t\t\tstatus +\n\t\t\t\t\t\t\"ed. Need to do a full relo", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1bfac24cdeeb1701d9971d5866e300f0394ef4003f098adc1d9b215a68793c0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hot/only-dev-server.js"}, "region": {"startLine": 97}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 76898, "scanner": "repobility-threat-engine", "fingerprint": "b70e978cf9e09b5088f459c88a93fc6ea0669c301f979b7ca7778d89970bc14b", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Running \" + ENV + \" build\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b70e978cf9e09b5088f459c88a93fc6ea0669c301f979b7ca7778d89970bc14b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/multi-compiler/example.js"}, "region": {"startLine": 4}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 76892, "scanner": "repobility-threat-engine", "fingerprint": "bf0bc38af7aba060e858811d0e1204849472cfdc44a751e6734451e4cc379de8", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = m", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|40|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/markdown/example.js"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 76891, 
"scanner": "repobility-threat-engine", "fingerprint": "b36313b4fb109fa696faba67b8ec1496dbfc6e184b55ea8a2a0dc4f454853f0e", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = f", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|examples/html/src/app.js|8|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/html/src/app.js"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 76897, "scanner": "repobility-threat-engine", "fingerprint": "43abfb354e30463dcadf5a59117ba17b7a4616410ea7f8a82f965568052b39c9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|43abfb354e30463dcadf5a59117ba17b7a4616410ea7f8a82f965568052b39c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/dotenv/example.js"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 76896, "scanner": "repobility-threat-engine", "fingerprint": "1c9fe72da431d473a1ac33645a7b0f0c505d6dd2a6c43807ea34cd9823a25de1", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Environment variable or config lookup (credentials loaded safely)", "evidence": {"match": "console.log(process.env.NODE_ENV)", "reason": "Environment variable or config lookup (credentials loaded safely)", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|1|console.log process.env.node_env"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/persistent-caching/example.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 76895, "scanner": "repobility-threat-engine", "fingerprint": "590df89d4e042c917cad168d30b0c2e38b4c92354843d3dfb3ec627cd627f07a", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Environment variable or config lookup (credentials loaded safely)", "evidence": {"match": "console.log(\"API URL:\", process.env.WEBPACK_API_URL)", "reason": "Environment variable or config lookup (credentials loaded safely)", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|examples/dotenv/example.js|1|console.log api url: process.env.webpack_api_url"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/dotenv/example.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "SEC006", "level": "none", "message": {"text": "[SEC006] XSS Risk (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 76893, "scanner": "repobility-threat-engine", "fingerprint": "d9f1affcacb96541cb9dfea69fa7d055adaca1abde44138d49cbaaea5562cb22", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|d9f1affcacb96541cb9dfea69fa7d055adaca1abde44138d49cbaaea5562cb22"}}}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "properties": {"repobilityId": 76886, "scanner": "repobility-threat-engine", "fingerprint": "4434170c810fa43bf20566276ceaa9e55e65938a7f2140721f4fd2599ad87936", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4434170c810fa43bf20566276ceaa9e55e65938a7f2140721f4fd2599ad87936"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 76882, "scanner": "repobility-threat-engine", "fingerprint": "cd0c8e85bd308a46f755f44bc6ab20955e3c28a1f9d626cb3a3bf09c3b5d92c7", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|cd0c8e85bd308a46f755f44bc6ab20955e3c28a1f9d626cb3a3bf09c3b5d92c7", "aggregated_count": 5}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 76881, "scanner": "repobility-threat-engine", "fingerprint": "e7efcbc01480bd356cd362566779f0d210d966638e7321f5272da0a4a37f4bcd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e7efcbc01480bd356cd362566779f0d210d966638e7321f5272da0a4a37f4bcd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hot/dev-server.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 76880, "scanner": "repobility-threat-engine", "fingerprint": "a7e5efad3fe344aa9aff712ebc5bbcc2abcd9954e6d94ab502effa48828ef887", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": 
false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a7e5efad3fe344aa9aff712ebc5bbcc2abcd9954e6d94ab502effa48828ef887"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/template-common.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 76879, "scanner": "repobility-threat-engine", "fingerprint": "06456a5b721ce96fbdcb2ce25cbca36f3d2553d32a247856b72507254a8a14ea", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|06456a5b721ce96fbdcb2ce25cbca36f3d2553d32a247856b72507254a8a14ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/build-common.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 2 more): Same pattern found in 2 additional files. 
Review if needed."}, "properties": {"repobilityId": 76878, "scanner": "repobility-threat-engine", "fingerprint": "b031acad30223651838c72762fbf67002aa9bccea5e8d28f9a1dee5134b8d8a4", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b031acad30223651838c72762fbf67002aa9bccea5e8d28f9a1dee5134b8d8a4"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 75 more): Same pattern found in 75 additional files. Review if needed."}, "properties": {"repobilityId": 76871, "scanner": "repobility-threat-engine", "fingerprint": "40e46bf51d2298820d4c5d9b5ae955da5c390f633ae88a76991774f5820734bd", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 75 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|40e46bf51d2298820d4c5d9b5ae955da5c390f633ae88a76991774f5820734bd", "aggregated_count": 75}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 76870, "scanner": "repobility-threat-engine", "fingerprint": "a0c7752c165b9ac8c9598d742fb0f7b12bd1f677b83369dc9dec02fa2e37fe4b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a0c7752c165b9ac8c9598d742fb0f7b12bd1f677b83369dc9dec02fa2e37fe4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/aggressive-merging/common.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 76869, "scanner": "repobility-threat-engine", "fingerprint": "baeb57f733a728d92d5f4dc53767e6375381964e88e2cc159da95cc52b1a6a2d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|baeb57f733a728d92d5f4dc53767e6375381964e88e2cc159da95cc52b1a6a2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/publish-to-pkg-pr-new.mjs"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 76868, "scanner": "repobility-threat-engine", "fingerprint": "43b78f39259aa94435b0ec5e09eac0ca26ba258f0c886c3cac562adcbe5afc50", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|43b78f39259aa94435b0ec5e09eac0ca26ba258f0c886c3cac562adcbe5afc50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".changeset/changeset-validate.mjs"}, "region": {"startLine": 120}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `shared26` pulled from URL/Git: `dependencies.shared26` = `https://GITHUB.com//bar/tree/branch` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 76956, "scanner": "repobility-supply-chain", "fingerprint": "d0dd7ba77ec136241dddd7d718beb409a9e4f6ecc3bbc998700e49418441d799", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d0dd7ba77ec136241dddd7d718beb409a9e4f6ecc3bbc998700e49418441d799"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/configCases/sharing/consume-multiple-versions/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `shared25` pulled from URL/Git: `dependencies.shared25` = `git+https://GITLAB.com//bar` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 76955, "scanner": "repobility-supply-chain", "fingerprint": "b89eda9cc692cd2eb50af56ae529774f3e66743bc8bacdd1a3a60b60c2821ea6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b89eda9cc692cd2eb50af56ae529774f3e66743bc8bacdd1a3a60b60c2821ea6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/configCases/sharing/consume-multiple-versions/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `shared24` pulled from URL/Git: `dependencies.shared24` = `git+https://gitlab.com//bar` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 76954, "scanner": "repobility-supply-chain", "fingerprint": "ccc4d9e9243414f3bb54e598c8fdc4f91070270e6c737b95cd7812b152248ed7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ccc4d9e9243414f3bb54e598c8fdc4f91070270e6c737b95cd7812b152248ed7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/configCases/sharing/consume-multiple-versions/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `shared23` pulled from URL/Git: `dependencies.shared23` = `https://github.com//bar/tree/branch` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 76953, "scanner": "repobility-supply-chain", "fingerprint": "7c3e245069264fe76ff0d9b0454d3f74e4254ea517063fcb3f350999e484e20d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7c3e245069264fe76ff0d9b0454d3f74e4254ea517063fcb3f350999e484e20d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/configCases/sharing/consume-multiple-versions/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `shared22` pulled from URL/Git: `dependencies.shared22` = `https://foo/bar` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 76952, "scanner": "repobility-supply-chain", "fingerprint": "9f88ad02c5da25d0886c34651086b765a88c2097c4876c88829ae33102cf9779", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9f88ad02c5da25d0886c34651086b765a88c2097c4876c88829ae33102cf9779"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/configCases/sharing/consume-multiple-versions/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `shared20` pulled from URL/Git: `dependencies.shared20` = `github:foo%0N/bar` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 76951, "scanner": "repobility-supply-chain", "fingerprint": "f2c26ab1fe0e88fa747386d985e5b831344ce3c0c7d535f8c691595a02f75c44", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f2c26ab1fe0e88fa747386d985e5b831344ce3c0c7d535f8c691595a02f75c44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/configCases/sharing/consume-multiple-versions/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `shared19` pulled from URL/Git: `dependencies.shared19` = `https://github.com/foo/bar/tree/branch` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 76950, "scanner": "repobility-supply-chain", "fingerprint": "aa94d975623f5ae901cac1de0357982b007ca8eb7e05f39b70b2e49003ba3fa7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|aa94d975623f5ae901cac1de0357982b007ca8eb7e05f39b70b2e49003ba3fa7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/configCases/sharing/consume-multiple-versions/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `shared17` pulled from URL/Git: `dependencies.shared17` = `git+ssh://git@other.com:foo/bar.git#v1.0.0` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 76949, "scanner": "repobility-supply-chain", "fingerprint": "10412ecc7a2271447a51509b4586dbb7862f688edd73170bf29cad2fca9e72db", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|10412ecc7a2271447a51509b4586dbb7862f688edd73170bf29cad2fca9e72db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/configCases/sharing/consume-multiple-versions/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `shared16` pulled from URL/Git: `dependencies.shared16` = `https://gist.github.com/foo/feed/raw/fix%2Fbug/` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 76948, "scanner": "repobility-supply-chain", "fingerprint": "037306d5559ddf6669578637965f91928f64f39adb84d5e3ccb1887d28bfffc3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|037306d5559ddf6669578637965f91928f64f39adb84d5e3ccb1887d28bfffc3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/configCases/sharing/consume-multiple-versions/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `shared15` pulled from URL/Git: `dependencies.shared15` = `git+ssh://:password@bitbucket.org:foo/bar.git#v1.1.1` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 76947, "scanner": "repobility-supply-chain", "fingerprint": "ca95e66a6f6f946bf0cde7fc9309a618e9b04492258c876b3310edf8b851c134", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ca95e66a6f6f946bf0cde7fc9309a618e9b04492258c876b3310edf8b851c134"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/configCases/sharing/consume-multiple-versions/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `shared14` pulled from URL/Git: `dependencies.shared14` = `https://bitbucket.org/foo/bar/get/archive.tar.gz` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 76946, "scanner": "repobility-supply-chain", "fingerprint": "f19fbe277ef2bb2b1d93bc79b2d009a16d8a395838f1fa1e72cb976064b0fe87", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f19fbe277ef2bb2b1d93bc79b2d009a16d8a395838f1fa1e72cb976064b0fe87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/configCases/sharing/consume-multiple-versions/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `shared13` pulled from URL/Git: `dependencies.shared13` = `https://gitlab.com/foo/bar/repository/archive.tar.gz` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 76945, "scanner": "repobility-supply-chain", "fingerprint": "e47b71bb0430fa3d85756530c07c58d7a11dfcac90cd023d18795b85876bf05a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e47b71bb0430fa3d85756530c07c58d7a11dfcac90cd023d18795b85876bf05a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/configCases/sharing/consume-multiple-versions/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `shared12` pulled from URL/Git: `dependencies.shared12` = `https://github.com/foo/bar/test/branch` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 76944, "scanner": "repobility-supply-chain", "fingerprint": "de4a78a2468f5c0ebc48b21a270ac174bd4f4188f453f6199e6efd8bb76a52d9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|de4a78a2468f5c0ebc48b21a270ac174bd4f4188f453f6199e6efd8bb76a52d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/configCases/sharing/consume-multiple-versions/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `shared11` pulled from URL/Git: `dependencies.shared11` = `git://gist.github.com/feed.git#v1.0.0` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 76943, "scanner": "repobility-supply-chain", "fingerprint": "9ec167444f1d7805efe639e183dfd9f161e23473084a675290f7b886bcf03819", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9ec167444f1d7805efe639e183dfd9f161e23473084a675290f7b886bcf03819"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/configCases/sharing/consume-multiple-versions/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `shared10` pulled from URL/Git: `dependencies.shared10` = `git+ssh://bitbucket.org:foo/bar#v1.0.0` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 76942, "scanner": "repobility-supply-chain", "fingerprint": "dcc60d3e6fbaa416ac0645afaad7e89ff155be37d1bd268634e3b97bdbe4200d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dcc60d3e6fbaa416ac0645afaad7e89ff155be37d1bd268634e3b97bdbe4200d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/configCases/sharing/consume-multiple-versions/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `shared9` pulled from URL/Git: `dependencies.shared9` = `https://user@github.com/foo/bar#v1.0.0` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 76941, "scanner": "repobility-supply-chain", "fingerprint": "568723ae3f4e6508cddd2a002f289f7f386d9f1770989558703702317dafcbfd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|568723ae3f4e6508cddd2a002f289f7f386d9f1770989558703702317dafcbfd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/configCases/sharing/consume-multiple-versions/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `shared7` pulled from URL/Git: `dependencies.shared7` = `git://user:password@github.com/foo/bar#v1.0.0` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 76940, "scanner": "repobility-supply-chain", "fingerprint": "9a88cc6b73be25bdded90d0597d73b589191d573ca19083d388598d3c252d182", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9a88cc6b73be25bdded90d0597d73b589191d573ca19083d388598d3c252d182"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/configCases/sharing/consume-multiple-versions/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `shared6` pulled from URL/Git: `dependencies.shared6` = `github:foo/bar#v1.0.0` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 76939, "scanner": "repobility-supply-chain", "fingerprint": "93a618828114a1d393d38a3870d5e94d03c269a339a90f055a244049fff094fb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|93a618828114a1d393d38a3870d5e94d03c269a339a90f055a244049fff094fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/configCases/sharing/consume-multiple-versions/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `shared4` pulled from URL/Git: `dependencies.shared4` = `git+ssh://git@gitlab.com:foo/bar.git#semver:^1.0.0` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 76938, "scanner": "repobility-supply-chain", "fingerprint": "c80f07d3dd9b514a15638fc759eb9c07bc30c11f96b8f7aeaa1304b51b8bee78", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c80f07d3dd9b514a15638fc759eb9c07bc30c11f96b8f7aeaa1304b51b8bee78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/configCases/sharing/consume-multiple-versions/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `shared3` pulled from URL/Git: `dependencies.shared3` = `git+ssh://git@github.com:foo/bar.git#v1.0.0` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 76937, "scanner": "repobility-supply-chain", "fingerprint": "4d17520d2cbefdfcbc197143d72dbff757f84a7ebe50ce2281b9846bdb010bf4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4d17520d2cbefdfcbc197143d72dbff757f84a7ebe50ce2281b9846bdb010bf4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/configCases/sharing/consume-multiple-versions/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 76900, "scanner": "repobility-threat-engine", "fingerprint": "55bd45c2cc5391d7ca9156ac10c03e16bc4069ed3f153575f0319dbc3c6eeee8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(cwdRegExpStr", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|55bd45c2cc5391d7ca9156ac10c03e16bc4069ed3f153575f0319dbc3c6eeee8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/template-common.js"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC006", "level": "error", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 76890, "scanner": "repobility-threat-engine", "fingerprint": "a2f9a37ac3e80f80942797d1d78897e8aaf84224966b4bbc77eb604453904d29", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = [", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|5|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/custom-json-modules/example.js"}, "region": {"startLine": 5}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. 
The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 76889, "scanner": "repobility-threat-engine", "fingerprint": "207b03170f56d9ce369bd7ddd054c0de9b111339ae016a3359fa63c34a68c0c8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "errorHandlers.delete(onError);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|207b03170f56d9ce369bd7ddd054c0de9b111339ae016a3359fa63c34a68c0c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hot/lazy-compilation-web.js"}, "region": {"startLine": 75}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 76888, "scanner": "repobility-threat-engine", "fingerprint": "0e2a6ab1c66db654ebb16aa39e5e186078618b9dbcd4a26f80ce92a9bebb8656", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "response.destroy();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0e2a6ab1c66db654ebb16aa39e5e186078618b9dbcd4a26f80ce92a9bebb8656"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hot/lazy-compilation-node.js"}, "region": {"startLine": 56}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 76887, "scanner": "repobility-threat-engine", "fingerprint": "c08df784086be259cbda6ca22daa5b1831251c7e8ea8a64c18e2bce898c55d76", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Promise.all(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c08df784086be259cbda6ca22daa5b1831251c7e8ea8a64c18e2bce898c55d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/code-splitting-harmony/example.js"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 76885, "scanner": "repobility-threat-engine", "fingerprint": "4ec951d3b0918e48c6840d71f3fcddb01599fb97033e4e2dc78e83add96b5b61", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(content", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4ec951d3b0918e48c6840d71f3fcddb01599fb97033e4e2dc78e83add96b5b61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tooling/generate-runtime-code.js"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 76884, "scanner": "repobility-threat-engine", "fingerprint": "d878d0394ba7daea464dfad3873726fe6b0a831748464f420d8c21e5a579c622", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(command", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d878d0394ba7daea464dfad3873726fe6b0a831748464f420d8c21e5a579c622"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "setup/setup.js"}, "region": {"startLine": 92}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 76883, "scanner": "repobility-threat-engine", "fingerprint": "b76d14d749549e5a3ecec33ea6744eb18fd9fef195421b2b9b2c2787f66d7c52", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "execSync(cmd", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b76d14d749549e5a3ecec33ea6744eb18fd9fef195421b2b9b2c2787f66d7c52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/buildAll.js"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL 
without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 76874, "scanner": "repobility-threat-engine", "fingerprint": "6e99b163b26c4487ff0030853f0552bceee244854d33a615b18c242b24540677", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(n", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6e99b163b26c4487ff0030853f0552bceee244854d33a615b18c242b24540677"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tooling/generate-html-entities.js"}, "region": {"startLine": 74}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 76873, "scanner": "repobility-threat-engine", "fingerprint": "be8cc0ea497f6f87efd3e2d2062b57b79f3f9758ec652387c861a0244860350a", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(d", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|be8cc0ea497f6f87efd3e2d2062b57b79f3f9758ec652387c861a0244860350a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hot/lazy-compilation-universal.js"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 76872, "scanner": "repobility-threat-engine", "fingerprint": "07d34f72b47578b7628ea0c70ab6dcf16dbfbc149c051ae096d3ebe1d31eaca0", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(b", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|07d34f72b47578b7628ea0c70ab6dcf16dbfbc149c051ae096d3ebe1d31eaca0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/asset/example.js"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 76867, "scanner": "repobility-threat-engine", "fingerprint": "d3099899bdd8771177340c13cbc62e591ead5b7d918aee6a4f48cec9e81a793b", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(\n\t\t\t\t\t\t\t\t(key) => `${key.split(\".\")[0]}: () => import('./routes/${key}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d3099899bdd8771177340c13cbc62e591ead5b7d918aee6a4f48cec9e81a793b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/virtual-modules/webpack.config.js"}, "region": {"startLine": 76}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 76866, "scanner": "repobility-threat-engine", "fingerprint": "e88d7574c6a59891b75c6031e7c018db55463aeadd72f604fb0c2c57c9a20078", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((dirname) => `cd ${dirname}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e88d7574c6a59891b75c6031e7c018db55463aeadd72f604fb0c2c57c9a20078"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/buildAll.js"}, "region": {"startLine": 9}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 76865, "scanner": "repobility-threat-engine", "fingerprint": "e708999e4b78693ea7b92f91f1d70d13c3b65e9c736f9159acfb6d0880bf0352", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(\n\t\t\t(dependency) => `  - ${dependency.name}@${dependency.newVersion}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e708999e4b78693ea7b92f91f1d70d13c3b65e9c736f9159acfb6d0880bf0352"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".changeset/changelog-generator.mjs"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CODSPEED_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.CODSPEED_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 76960, "scanner": "repobility-supply-chain", "fingerprint": "e0ae52b17f94956343bdb90b150c86e0ec91b792e42b379779af2916dd44a1bc", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e0ae52b17f94956343bdb90b150c86e0ec91b792e42b379779af2916dd44a1bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/benchmarks.yml"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.CODECOV_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 76959, "scanner": "repobility-supply-chain", "fingerprint": "ff08a5e1f559415881713c5720b61c0ac97ac13d6a49d6a192cd7cd01d685384", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ff08a5e1f559415881713c5720b61c0ac97ac13d6a49d6a192cd7cd01d685384"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 341}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.CODECOV_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 76958, "scanner": "repobility-supply-chain", "fingerprint": "32ddd2140f40ef0a672254bfac3a76a99e9cfbd2ab00a9cb5a2a3558295dbcbc", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|32ddd2140f40ef0a672254bfac3a76a99e9cfbd2ab00a9cb5a2a3558295dbcbc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 219}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.CODECOV_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 76957, "scanner": "repobility-supply-chain", "fingerprint": "59741a4b7c760b9955f2b7576809a8466a45aaf88c2563f163e712f7932df551", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|59741a4b7c760b9955f2b7576809a8466a45aaf88c2563f163e712f7932df551"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 168}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 76894, "scanner": "repobility-threat-engine", "fingerprint": "771c168a249d9c9826ebf5f5bfa7c59395aefa5a1994be906191a5634d56ce14", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(manifest", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|771c168a249d9c9826ebf5f5bfa7c59395aefa5a1994be906191a5634d56ce14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/dll-app-and-vendor/1-app/webpack.config.js"}, "region": {"startLine": 19}}}]}]}]}