{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "GHSA-58qx-3vcg-4xpx", "name": "ws: GHSA-58qx-3vcg-4xpx", "shortDescription": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "fullDescription": {"text": "ws: Uninitialized memory disclosure"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-x7hr-w5r2-h6wg", "name": "prismjs: GHSA-x7hr-w5r2-h6wg", "shortDescription": {"text": "prismjs: GHSA-x7hr-w5r2-h6wg"}, "fullDescription": {"text": "PrismJS DOM Clobbering vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3v7f-55p6-f55p", "name": "picomatch: GHSA-3v7f-55p6-f55p", "shortDescription": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "fullDescription": {"text": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-x77j-w7wf-fjmw", "name": "nunjucks: GHSA-x77j-w7wf-fjmw", "shortDescription": {"text": "nunjucks: GHSA-x77j-w7wf-fjmw"}, "fullDescription": {"text": "Nunjucks autoescape bypass leads to cross site scripting"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-952p-6rrq-rcjv", "name": "micromatch: GHSA-952p-6rrq-rcjv", "shortDescription": {"text": "micromatch: GHSA-952p-6rrq-rcjv"}, "fullDescription": {"text": "Regular Expression Denial of Service (ReDoS) in micromatch"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-38c4-r59v-3vqw", "name": "markdown-it: GHSA-38c4-r59v-3vqw", "shortDescription": {"text": "markdown-it: GHSA-38c4-r59v-3vqw"}, "fullDescription": {"text": "markdown-it is has a Regular Expression Denial of Service (ReDoS)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xxjr-mmjv-4gpg", "name": "lodash: GHSA-xxjr-mmjv-4gpg", "shortDescription": {"text": "lodash: GHSA-xxjr-mmjv-4gpg"}, "fullDescription": {"text": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f23m-r3pf-42rh", "name": "lodash: GHSA-f23m-r3pf-42rh", "shortDescription": {"text": "lodash: GHSA-f23m-r3pf-42rh"}, "fullDescription": {"text": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v273-448j-v4qj", "name": "liquidjs: GHSA-v273-448j-v4qj", "shortDescription": {"text": "liquidjs: GHSA-v273-448j-v4qj"}, "fullDescription": {"text": "LiquidJS: `renderFile()` / `parseFile()` bypass configured `root` and allow arbitrary file read"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rv5g-f82m-qrvv", "name": "liquidjs: GHSA-rv5g-f82m-qrvv", "shortDescription": {"text": "liquidjs: GHSA-rv5g-f82m-qrvv"}, "fullDescription": {"text": "LiquidJS: ownPropertyOnly bypass via sort_natural filter \u2014 prototype property information disclosure through sorting side-channel"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9x9p-qf8f-mvjg", "name": "liquidjs: GHSA-9x9p-qf8f-mvjg", "shortDescription": {"text": "liquidjs: GHSA-9x9p-qf8f-mvjg"}, "fullDescription": {"text": "LiquidJS's `{% render %}` tag silently bypasses per-render `ownPropertyOnly:true` via `Context.spawn()`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8xx9-69p8-7jp3", "name": "liquidjs: GHSA-8xx9-69p8-7jp3", "shortDescription": {"text": "liquidjs: GHSA-8xx9-69p8-7jp3"}, "fullDescription": {"text": "LiquidJS has a renderLimit DoS guard bypass via empty `{% for %}` body"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2qv6-9wx5-cwv4", "name": "liquidjs: GHSA-2qv6-9wx5-cwv4", "shortDescription": {"text": "liquidjs: GHSA-2qv6-9wx5-cwv4"}, "fullDescription": {"text": "LiquidJS's strip_html filter bypass via newline characters in HTML tags enables XSS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mh29-5h37-fv8m", "name": "js-yaml: GHSA-mh29-5h37-fv8m", "shortDescription": {"text": "js-yaml: GHSA-mh29-5h37-fv8m"}, "fullDescription": {"text": "js-yaml has prototype pollution in merge (<<)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7rx3-28cr-v5wh", "name": "handlebars: GHSA-7rx3-28cr-v5wh", "shortDescription": {"text": "handlebars: GHSA-7rx3-28cr-v5wh"}, "fullDescription": {"text": "Handlebars.js has a Prototype Method Access Control Gap via Missing __lookupSetter__ Blocklist Entry"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2qvq-rjwj-gvw9", "name": "handlebars: GHSA-2qvq-rjwj-gvw9", "shortDescription": {"text": "handlebars: GHSA-2qvq-rjwj-gvw9"}, "fullDescription": {"text": "Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f886-m6hf-6m8v", "name": "brace-expansion: GHSA-f886-m6hf-6m8v", "shortDescription": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "fullDescription": {"text": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-968p-4wvh-cqc8", "name": "@babel/runtime: GHSA-968p-4wvh-cqc8", "shortDescription": {"text": "@babel/runtime: GHSA-968p-4wvh-cqc8"}, "fullDescription": {"text": "Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `markdown-it-anchor` is 1 major version(s) behind (8.6.7 -> 9.2.0)", "shortDescription": {"text": "npm package `markdown-it-anchor` is 1 major version(s) behind (8.6.7 -> 9.2.0)"}, "fullDescription": {"text": "`markdown-it-anchor` is pinned/resolved at 8.6.7 but the latest stable release on the npm registry is 9.2.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "GHSA-52f5-9888-hmc6", "name": "tmp: GHSA-52f5-9888-hmc6", "shortDescription": {"text": "tmp: GHSA-52f5-9888-hmc6"}, "fullDescription": {"text": "tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mmg9-6m6j-jqqx", "name": "liquidjs: GHSA-mmg9-6m6j-jqqx", "shortDescription": {"text": "liquidjs: GHSA-mmg9-6m6j-jqqx"}, "fullDescription": {"text": "LiquidJS Has Memory Limit Bypass via Quadratic Amplification in `replace` Filter"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-442j-39wm-28r2", "name": "handlebars: GHSA-442j-39wm-28r2", "shortDescription": {"text": "handlebars: GHSA-442j-39wm-28r2"}, "fullDescription": {"text": "Handlebars.js has a Property Access Validation Bypass in container.lookup"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v6h2-p8h4-qcjw", "name": "brace-expansion: GHSA-v6h2-p8h4-qcjw", "shortDescription": {"text": "brace-expansion: GHSA-v6h2-p8h4-qcjw"}, "fullDescription": {"text": "brace-expansion Regular Expression Denial of Service vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found in a documentation, catalog, or template-heavy repository", "shortDescription": {"text": "No test files found in a documentation, catalog, or template-heavy repository"}, "fullDescription": {"text": "If this repository ships runnable code, add focused tests for those examples or templates. If it is documentation/catalog content only, mark the finding as accepted or add a .repobilityignore note."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "info", "confidence": 0.35, "cwe": "", "owasp": ""}}, {"id": "GHSA-ph9p-34f9-6g65", "name": "tmp: GHSA-ph9p-34f9-6g65", "shortDescription": {"text": "tmp: GHSA-ph9p-34f9-6g65"}, "fullDescription": {"text": "tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c2qf-rxjj-qqgw", "name": "semver: GHSA-c2qf-rxjj-qqgw", "shortDescription": {"text": "semver: GHSA-c2qf-rxjj-qqgw"}, "fullDescription": {"text": "semver vulnerable to Regular Expression Denial of Service"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c2c7-rcm5-vvqj", "name": "picomatch: GHSA-c2c7-rcm5-vvqj", "shortDescription": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "fullDescription": {"text": "Picomatch has a ReDoS vulnerability via extglob quantifiers"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9wv6-86v2-598j", "name": "path-to-regexp: GHSA-9wv6-86v2-598j", "shortDescription": {"text": "path-to-regexp: GHSA-9wv6-86v2-598j"}, "fullDescription": {"text": "path-to-regexp outputs backtracking regular expressions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7r86-cg39-jmmj", "name": "minimatch: GHSA-7r86-cg39-jmmj", "shortDescription": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "fullDescription": {"text": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3ppc-4f35-3m26", "name": "minimatch: GHSA-3ppc-4f35-3m26", "shortDescription": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "fullDescription": {"text": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-23c5-xmqv-rm74", "name": "minimatch: GHSA-23c5-xmqv-rm74", "shortDescription": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "fullDescription": {"text": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r5fr-rjxr-66jc", "name": "lodash: GHSA-r5fr-rjxr-66jc", "shortDescription": {"text": "lodash: GHSA-r5fr-rjxr-66jc"}, "fullDescription": {"text": "lodash vulnerable to Code Injection via `_.template` imports key names"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-wmfp-5q7x-987x", "name": "liquidjs: GHSA-wmfp-5q7x-987x", "shortDescription": {"text": "liquidjs: GHSA-wmfp-5q7x-987x"}, "fullDescription": {"text": "liquidjs has a path traversal fallback vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r7g9-xpmj-5fcq", "name": "liquidjs: GHSA-r7g9-xpmj-5fcq", "shortDescription": {"text": "liquidjs: GHSA-r7g9-xpmj-5fcq"}, "fullDescription": {"text": "LiquidJS Vulnerable to ReDoS via Quadratic Backtracking in `strip_html` Filter Regex"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-hh27-hf48-9f5q", "name": "liquidjs: GHSA-hh27-hf48-9f5q", "shortDescription": {"text": "liquidjs: GHSA-hh27-hf48-9f5q"}, "fullDescription": {"text": "LiquidJS has a memory and render limit bypass via unbounded width padding in `date` filter (strftime)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9r5m-9576-7f6x", "name": "liquidjs: GHSA-9r5m-9576-7f6x", "shortDescription": {"text": "liquidjs: GHSA-9r5m-9576-7f6x"}, "fullDescription": {"text": "LiquidJS: memoryLimit Bypass through Negative Range Values Leads to Process Crash"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-6q5m-63h6-5x4v", "name": "liquidjs: GHSA-6q5m-63h6-5x4v", "shortDescription": {"text": "liquidjs: GHSA-6q5m-63h6-5x4v"}, "fullDescription": {"text": "LiquidJS has Exponential Memory Amplification through its replace_first Filter $& Pattern"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-56p5-8mhr-2fph", "name": "liquidjs: GHSA-56p5-8mhr-2fph", "shortDescription": {"text": "liquidjs: GHSA-56p5-8mhr-2fph"}, "fullDescription": {"text": "LiquidJS: Root restriction bypass for partial and layout loading through symlinked templates"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4rc3-7j7w-m548", "name": "liquidjs: GHSA-4rc3-7j7w-m548", "shortDescription": {"text": "liquidjs: GHSA-4rc3-7j7w-m548"}, "fullDescription": {"text": "liquidjs has a Denial of Service via circular block reference in layout"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-pfq8-rq6v-vf5m", "name": "html-minifier: GHSA-pfq8-rq6v-vf5m", "shortDescription": {"text": "html-minifier: GHSA-pfq8-rq6v-vf5m"}, "fullDescription": {"text": "kangax html-minifier REDoS vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xjpj-3mr7-gcpf", "name": "handlebars: GHSA-xjpj-3mr7-gcpf", "shortDescription": {"text": "handlebars: GHSA-xjpj-3mr7-gcpf"}, "fullDescription": {"text": "Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xhpv-hc6g-r9c6", "name": "handlebars: GHSA-xhpv-hc6g-r9c6", "shortDescription": {"text": "handlebars: GHSA-xhpv-hc6g-r9c6"}, "fullDescription": {"text": "Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9cx6-37pm-9jff", "name": "handlebars: GHSA-9cx6-37pm-9jff", "shortDescription": {"text": "handlebars: GHSA-9cx6-37pm-9jff"}, "fullDescription": {"text": "Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3mfm-83xf-c92r", "name": "handlebars: GHSA-3mfm-83xf-c92r", "shortDescription": {"text": "handlebars: GHSA-3mfm-83xf-c92r"}, "fullDescription": {"text": "Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3xgq-45jj-v275", "name": "cross-spawn: GHSA-3xgq-45jj-v275", "shortDescription": {"text": "cross-spawn: GHSA-3xgq-45jj-v275"}, "fullDescription": {"text": "Regular Expression Denial of Service (ReDoS) in cross-spawn"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `peaceiris/actions-gh-pages` pinned to mutable ref `@v4`", "shortDescription": {"text": "Action `peaceiris/actions-gh-pages` pinned to mutable ref `@v4`"}, "fullDescription": {"text": "`uses: peaceiris/actions-gh-pages@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "GHSA-gf2q-c269-pqgc", "name": "liquidjs: GHSA-gf2q-c269-pqgc", "shortDescription": {"text": "liquidjs: GHSA-gf2q-c269-pqgc"}, "fullDescription": {"text": "LiquidJS is Vulnerable to Remote Code Execution"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2w6w-674q-4c4q", "name": "handlebars: GHSA-2w6w-674q-4c4q", "shortDescription": {"text": "handlebars: GHSA-2w6w-674q-4c4q"}, "fullDescription": {"text": "Handlebars.js has JavaScript Injection via AST Type Confusion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/880"}, "properties": {"repository": "h5bp/Front-end-Developer-Interview-Questions", "repoUrl": "https://github.com/h5bp/Front-end-Developer-Interview-Questions", "branch": "main"}, "results": [{"ruleId": "GHSA-58qx-3vcg-4xpx", "level": "warning", "message": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "properties": {"repobilityId": 81066, "scanner": "osv-scanner", "fingerprint": "1b788fa8525382946c739270c1849aaa868327cf2c4216daf211eef3de5db45b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45736"], "package": "ws", "rule_id": "GHSA-58qx-3vcg-4xpx", "scanner": "osv-scanner", "correlation_key": "vuln|ws|CVE-2026-45736|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-x7hr-w5r2-h6wg", "level": "warning", "message": {"text": "prismjs: GHSA-x7hr-w5r2-h6wg"}, "properties": {"repobilityId": 81062, "scanner": "osv-scanner", "fingerprint": "157b635d72d58170eac9ac0d2c724dcb9490c2c813fa615976a752d1d7eeb6d8", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-53382"], "package": "prismjs", "rule_id": "GHSA-x7hr-w5r2-h6wg", "scanner": "osv-scanner", "correlation_key": "vuln|prismjs|CVE-2024-53382|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3v7f-55p6-f55p", "level": "warning", "message": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "properties": {"repobilityId": 81060, "scanner": "osv-scanner", "fingerprint": "d01f2097e7b318fed09051dc9486d1856dda99f71ea520983bca2d575128e70d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33672"], "package": "picomatch", "rule_id": "GHSA-3v7f-55p6-f55p", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33672|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-x77j-w7wf-fjmw", "level": "warning", "message": {"text": "nunjucks: GHSA-x77j-w7wf-fjmw"}, "properties": {"repobilityId": 81058, "scanner": "osv-scanner", "fingerprint": "ef788f8a36713626d2982f1fe20a36dbce80da54588b577393b248d67dbdd346", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-2142"], "package": "nunjucks", "rule_id": "GHSA-x77j-w7wf-fjmw", "scanner": "osv-scanner", "correlation_key": "vuln|nunjucks|CVE-2023-2142|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-952p-6rrq-rcjv", "level": "warning", "message": {"text": "micromatch: GHSA-952p-6rrq-rcjv"}, "properties": {"repobilityId": 81054, "scanner": "osv-scanner", "fingerprint": "6074fdd4d1c7ccc86350f1ed269ae01ecab6612eecc17984fef4f3c455e1e6a6", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-4067"], "package": "micromatch", "rule_id": "GHSA-952p-6rrq-rcjv", "scanner": "osv-scanner", "correlation_key": "vuln|micromatch|CVE-2024-4067|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-38c4-r59v-3vqw", "level": "warning", "message": {"text": "markdown-it: GHSA-38c4-r59v-3vqw"}, "properties": {"repobilityId": 81053, "scanner": "osv-scanner", "fingerprint": "4b2763bfeea6020e8699a945a406fc5563cbb4ce2a8497ad5420d0bcbaa47abf", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2327"], "package": "markdown-it", "rule_id": "GHSA-38c4-r59v-3vqw", "scanner": "osv-scanner", "correlation_key": "vuln|markdown-it|CVE-2026-2327|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xxjr-mmjv-4gpg", "level": "warning", "message": {"text": "lodash: GHSA-xxjr-mmjv-4gpg"}, "properties": {"repobilityId": 81052, "scanner": "osv-scanner", "fingerprint": "f047ccc7d9c1109aced3a5c21f0b53a27d6582174ed7660bc0f4dfe83bf08a1a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-13465"], "package": "lodash", "rule_id": "GHSA-xxjr-mmjv-4gpg", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2025-13465|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f23m-r3pf-42rh", "level": "warning", "message": {"text": "lodash: GHSA-f23m-r3pf-42rh"}, "properties": {"repobilityId": 81050, "scanner": "osv-scanner", "fingerprint": "de986ead824c9cd2225230d6fcc7a484a3f62fc4668bd948eb33bf3de3e73e26", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2950"], "package": "lodash", "rule_id": "GHSA-f23m-r3pf-42rh", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2026-2950|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v273-448j-v4qj", "level": "warning", "message": {"text": "liquidjs: GHSA-v273-448j-v4qj"}, "properties": {"repobilityId": 81048, "scanner": "osv-scanner", "fingerprint": "6a67ddc05952e724691beccb6809127ec6ebd39c97fb83c1939e84bd93a915da", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39859"], "package": "liquidjs", "rule_id": "GHSA-v273-448j-v4qj", "scanner": "osv-scanner", "correlation_key": "vuln|liquidjs|CVE-2026-39859|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rv5g-f82m-qrvv", "level": "warning", "message": {"text": "liquidjs: GHSA-rv5g-f82m-qrvv"}, "properties": {"repobilityId": 81047, "scanner": "osv-scanner", "fingerprint": "d5276f3b08f210013c32c6ca581a3463a38f3145b8994d456b39bd422134e27e", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39412"], "package": "liquidjs", "rule_id": "GHSA-rv5g-f82m-qrvv", "scanner": "osv-scanner", "correlation_key": "vuln|liquidjs|CVE-2026-39412|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9x9p-qf8f-mvjg", "level": "warning", "message": {"text": "liquidjs: GHSA-9x9p-qf8f-mvjg"}, "properties": {"repobilityId": 81042, "scanner": "osv-scanner", "fingerprint": "99cfa712eac89f829fbc93ebc64810aeec37e68419fd73e925bb33cfe1c39f50", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44646"], "package": "liquidjs", "rule_id": "GHSA-9x9p-qf8f-mvjg", "scanner": "osv-scanner", "correlation_key": "vuln|liquidjs|CVE-2026-44646|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8xx9-69p8-7jp3", "level": "warning", "message": {"text": "liquidjs: GHSA-8xx9-69p8-7jp3"}, "properties": {"repobilityId": 81040, "scanner": "osv-scanner", "fingerprint": "f5a1a648987c5ca2e16f05bc69e574fe6945cffa033acc14d74b46c2e4bdef96", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44645"], "package": "liquidjs", "rule_id": "GHSA-8xx9-69p8-7jp3", "scanner": "osv-scanner", "correlation_key": "vuln|liquidjs|CVE-2026-44645|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2qv6-9wx5-cwv4", "level": "warning", "message": {"text": "liquidjs: GHSA-2qv6-9wx5-cwv4"}, "properties": {"repobilityId": 81036, "scanner": "osv-scanner", "fingerprint": "d870d4d1a76ff342b3fce9df5b72c41cb4ba77bac0743f1909abc80645a29c2d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44644"], "package": "liquidjs", "rule_id": "GHSA-2qv6-9wx5-cwv4", "scanner": "osv-scanner", "correlation_key": "vuln|liquidjs|CVE-2026-44644|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mh29-5h37-fv8m", "level": "warning", "message": {"text": "js-yaml: GHSA-mh29-5h37-fv8m"}, "properties": {"repobilityId": 81035, "scanner": "osv-scanner", "fingerprint": "28d729fc1155c54fc66f4fb51841604d700ad2e22c31e413765f6dd36f601211", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-64718"], "package": "js-yaml", "rule_id": "GHSA-mh29-5h37-fv8m", "scanner": "osv-scanner", "correlation_key": "vuln|js-yaml|CVE-2025-64718|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7rx3-28cr-v5wh", "level": "warning", "message": {"text": "handlebars: GHSA-7rx3-28cr-v5wh"}, "properties": {"repobilityId": 81030, "scanner": "osv-scanner", "fingerprint": "205ba0da3c81d4bdf0e41d1e687d2f7afbe99652be5ce87ed6a3faffc7f7db5b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "handlebars", "rule_id": "GHSA-7rx3-28cr-v5wh", "scanner": "osv-scanner", "correlation_key": "vuln|handlebars|GHSA-7RX3-28CR-V5WH|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2qvq-rjwj-gvw9", "level": "warning", "message": {"text": "handlebars: GHSA-2qvq-rjwj-gvw9"}, "properties": {"repobilityId": 81026, "scanner": "osv-scanner", "fingerprint": "f15dce2c113f980c0bfbaa5e75474d7bc3cbbcb13d0fcb2d7e9b1ea9070d6cf4", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33916"], "package": "handlebars", "rule_id": "GHSA-2qvq-rjwj-gvw9", "scanner": "osv-scanner", "correlation_key": "vuln|handlebars|CVE-2026-33916|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f886-m6hf-6m8v", "level": "warning", "message": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "properties": {"repobilityId": 81023, "scanner": "osv-scanner", "fingerprint": "e8eb0ab1ffbb15b3b127c7436af364aa04d69dbc42fb22d21fcb4f304d428269", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33750"], "package": "brace-expansion", "rule_id": "GHSA-f886-m6hf-6m8v", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-33750|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-968p-4wvh-cqc8", "level": "warning", "message": {"text": "@babel/runtime: GHSA-968p-4wvh-cqc8"}, "properties": {"repobilityId": 81022, "scanner": "osv-scanner", "fingerprint": "1a021c51241fa6b167e8ea883b0ad2124ec3f45610123342d66941a8ba97193b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-27789"], "package": "@babel/runtime", "rule_id": "GHSA-968p-4wvh-cqc8", "scanner": "osv-scanner", "correlation_key": "vuln|babel/runtime|CVE-2025-27789|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `markdown-it-anchor` is 1 major version(s) behind (8.6.7 -> 9.2.0)"}, "properties": {"repobilityId": 81019, "scanner": "repobility-dependency-currency", "fingerprint": "6caaea344977f932882d22de95db0125a15c932ce368cf2f95931babc9fd25ba", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "markdown-it-anchor", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "9.2.0", "correlation_key": "fp|6caaea344977f932882d22de95db0125a15c932ce368cf2f95931babc9fd25ba", "current_version": "8.6.7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `markdown-it` is 1 major version(s) behind (13.0.2 -> 14.2.0)"}, "properties": {"repobilityId": 81018, "scanner": "repobility-dependency-currency", "fingerprint": "905493e10aef5767226bad481efa42031374eb405259c3777a636ba0560806b6", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "markdown-it", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "14.2.0", "correlation_key": "fp|905493e10aef5767226bad481efa42031374eb405259c3777a636ba0560806b6", "current_version": "13.0.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@11ty/eleventy` is 1 major version(s) behind (2.0.1 -> 3.1.6)"}, "properties": {"repobilityId": 81015, "scanner": "repobility-dependency-currency", "fingerprint": "d1913b904073939df711c3e6ebf0c5e861e1d146ebb36afd89345fa18fd9aedb", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@11ty/eleventy", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.1.6", "correlation_key": "fp|d1913b904073939df711c3e6ebf0c5e861e1d146ebb36afd89345fa18fd9aedb", "current_version": "2.0.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-52f5-9888-hmc6", "level": "note", "message": {"text": "tmp: GHSA-52f5-9888-hmc6"}, "properties": {"repobilityId": 81064, "scanner": "osv-scanner", "fingerprint": "5003655454a65a37426e56993d1d8451b9df8dbc03f84f8701df78d520fd3ab5", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-54798"], "package": "tmp", "rule_id": "GHSA-52f5-9888-hmc6", "scanner": "osv-scanner", "correlation_key": "vuln|tmp|CVE-2025-54798|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mmg9-6m6j-jqqx", "level": "note", "message": {"text": "liquidjs: GHSA-mmg9-6m6j-jqqx"}, "properties": {"repobilityId": 81045, "scanner": "osv-scanner", "fingerprint": "f3cbd37e7b7faadb6c9525fc5a1f4a2e0b64b331640f32f9a521e1d7e5a7cb3c", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34166"], "package": "liquidjs", "rule_id": "GHSA-mmg9-6m6j-jqqx", "scanner": "osv-scanner", "correlation_key": "vuln|liquidjs|CVE-2026-34166|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-442j-39wm-28r2", "level": "note", "message": {"text": "handlebars: GHSA-442j-39wm-28r2"}, "properties": {"repobilityId": 81029, "scanner": "osv-scanner", "fingerprint": "f693f5240767efc980b13bd685d246a210891abb1150adb64e3563244584b2b7", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "handlebars", "rule_id": "GHSA-442j-39wm-28r2", "scanner": "osv-scanner", "correlation_key": "vuln|handlebars|GHSA-442J-39WM-28R2|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v6h2-p8h4-qcjw", "level": "note", "message": {"text": "brace-expansion: GHSA-v6h2-p8h4-qcjw"}, "properties": {"repobilityId": 81024, "scanner": "osv-scanner", "fingerprint": "3b771ed61f472eab02b4c9eb792b38e138cfec35c8ab51f877acaaca0e374b2d", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-5889"], "package": "brace-expansion", "rule_id": "GHSA-v6h2-p8h4-qcjw", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2025-5889|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `luxon` is minor version(s) behind (3.4.4 -> 3.7.2)"}, "properties": {"repobilityId": 81017, "scanner": "repobility-dependency-currency", "fingerprint": "8dd867b15660de056d34b13f9f9518db0f17068ff0f28ab76eabc90fceb8215f", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "luxon", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.7.2", "correlation_key": "fp|8dd867b15660de056d34b13f9f9518db0f17068ff0f28ab76eabc90fceb8215f", "current_version": "3.4.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 81021, "scanner": "repobility-threat-engine", "fingerprint": "416bd47a3a834fc777cf6cab0ee7758123833bfa41550859ac6a2ee6fcc31150", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|416bd47a3a834fc777cf6cab0ee7758123833bfa41550859ac6a2ee6fcc31150"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/_includes/assets/js/app.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 81020, "scanner": "repobility-threat-engine", "fingerprint": "8f3c164331fa91124e9143a3db1a09c4eae57a798c7a5d086bdac764f6dc546a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8f3c164331fa91124e9143a3db1a09c4eae57a798c7a5d086bdac764f6dc546a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/eleventy.config.js"}, "region": {"startLine": 33}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@11ty/eleventy-plugin-syntaxhighlight` is patch version(s) behind (5.0.0 -> 5.0.2)"}, "properties": {"repobilityId": 81016, "scanner": "repobility-dependency-currency", "fingerprint": "42d790537715b40c88f46f3ea2205596238375b470600e8f9c34a2ca1480bcd4", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@11ty/eleventy-plugin-syntaxhighlight", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.0.2", "correlation_key": "fp|42d790537715b40c88f46f3ea2205596238375b470600e8f9c34a2ca1480bcd4", "current_version": "5.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "none", "message": {"text": "No test files found in a documentation, catalog, or template-heavy repository"}, "properties": {"repobilityId": 81005, "scanner": "repobility-core", "fingerprint": "69cfb3536a8ccff500ccafcd681fc8d4bc9f4eda6689da02ddec81654bd9fd15", "category": "testing", "severity": "info", "confidence": 0.35, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Repository shape is documentation, catalog, skill, or template-heavy rather than a conventional runnable application.", "evidence": {"reason": "Repository shape is documentation, catalog, skill, or template-heavy rather than a conventional runnable application.", "rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "confidence": 0.35, "correlation_key": "repo|testing|core_no_tests"}}}, {"ruleId": "GHSA-ph9p-34f9-6g65", "level": "error", "message": {"text": "tmp: GHSA-ph9p-34f9-6g65"}, "properties": {"repobilityId": 81065, "scanner": "osv-scanner", "fingerprint": "98d9d97f3f550caba1f6df39b82415945caad2b866cb40a32a12f4041deb865a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44705"], "package": "tmp", "rule_id": "GHSA-ph9p-34f9-6g65", "scanner": "osv-scanner", "correlation_key": "vuln|tmp|CVE-2026-44705|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c2qf-rxjj-qqgw", "level": "error", "message": {"text": "semver: GHSA-c2qf-rxjj-qqgw"}, "properties": {"repobilityId": 81063, "scanner": "osv-scanner", "fingerprint": "99a27955ef80d362141ad0a78ae49f493e9942bb5b0563c320b2990d69becaa1", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2022-25883"], "package": "semver", "rule_id": "GHSA-c2qf-rxjj-qqgw", "scanner": "osv-scanner", "correlation_key": "vuln|semver|CVE-2022-25883|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c2c7-rcm5-vvqj", "level": "error", "message": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "properties": {"repobilityId": 81061, "scanner": "osv-scanner", "fingerprint": "3cd93794643bff3fd4328203c06c842a2d7c54c53b7a77b0e6bc61b44cf4e561", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33671"], "package": "picomatch", "rule_id": "GHSA-c2c7-rcm5-vvqj", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33671|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9wv6-86v2-598j", "level": "error", "message": {"text": "path-to-regexp: GHSA-9wv6-86v2-598j"}, "properties": {"repobilityId": 81059, "scanner": "osv-scanner", "fingerprint": "f635acb6c06dd63fc843a1297afeda6ea144557ed6c9e162bc2f402c71790c4b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-45296"], "package": "path-to-regexp", "rule_id": "GHSA-9wv6-86v2-598j", "scanner": "osv-scanner", "correlation_key": "vuln|path-to-regexp|CVE-2024-45296|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7r86-cg39-jmmj", "level": "error", "message": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "properties": {"repobilityId": 81057, "scanner": "osv-scanner", "fingerprint": "eefef250e5a6e239df447b5946f207cdb0dd68151255b2332fb8ba8f476755c1", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27903"], "package": "minimatch", "rule_id": "GHSA-7r86-cg39-jmmj", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27903|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3ppc-4f35-3m26", "level": "error", "message": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "properties": {"repobilityId": 81056, "scanner": "osv-scanner", "fingerprint": "51db4fe99f02113d5057e54849a1514660f72202efa765a619a8195e282ff31f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-26996"], "package": "minimatch", "rule_id": "GHSA-3ppc-4f35-3m26", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-26996|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-23c5-xmqv-rm74", "level": "error", "message": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "properties": {"repobilityId": 81055, "scanner": "osv-scanner", "fingerprint": "f4f398661d95064420cba5942b7bc163815b09d09751c05f0247afa0ed407b54", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27904"], "package": "minimatch", "rule_id": "GHSA-23c5-xmqv-rm74", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27904|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r5fr-rjxr-66jc", "level": "error", "message": {"text": "lodash: GHSA-r5fr-rjxr-66jc"}, "properties": {"repobilityId": 81051, "scanner": "osv-scanner", "fingerprint": "069f9bb4f0a38c36ca2992b2ffe11f999b2e5befc1dec86319fea7bbf65a679b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4800"], "package": "lodash", "rule_id": "GHSA-r5fr-rjxr-66jc", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2026-4800|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-wmfp-5q7x-987x", "level": "error", "message": {"text": "liquidjs: GHSA-wmfp-5q7x-987x"}, "properties": {"repobilityId": 81049, "scanner": "osv-scanner", "fingerprint": "cdc274f0ae55f0fde5200d80ea4b847905b7d837934e161a642d4470eb193300", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-30952"], "package": "liquidjs", "rule_id": "GHSA-wmfp-5q7x-987x", "scanner": "osv-scanner", "correlation_key": "vuln|liquidjs|CVE-2026-30952|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r7g9-xpmj-5fcq", "level": "error", "message": {"text": "liquidjs: GHSA-r7g9-xpmj-5fcq"}, "properties": {"repobilityId": 81046, "scanner": "osv-scanner", "fingerprint": "8076a16e305623396fb104643255b5170489f2113ebae802a83dc926f7309772", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45617"], "package": "liquidjs", "rule_id": "GHSA-r7g9-xpmj-5fcq", "scanner": "osv-scanner", "correlation_key": "vuln|liquidjs|CVE-2026-45617|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-hh27-hf48-9f5q", "level": "error", "message": {"text": "liquidjs: GHSA-hh27-hf48-9f5q"}, "properties": {"repobilityId": 81044, "scanner": "osv-scanner", "fingerprint": "3e6d02d3dab222bf8fd8783615e02aaae078c7dec2cca74878195b542d0468f4", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45357"], "package": "liquidjs", "rule_id": "GHSA-hh27-hf48-9f5q", "scanner": "osv-scanner", "correlation_key": "vuln|liquidjs|CVE-2026-45357|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9r5m-9576-7f6x", "level": "error", "message": {"text": "liquidjs: GHSA-9r5m-9576-7f6x"}, "properties": {"repobilityId": 81041, "scanner": "osv-scanner", "fingerprint": "c6ee6261c749cb0665d941269ed6d20344ebd1d817c1593ffb0c340a1c04230e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33285"], "package": "liquidjs", "rule_id": "GHSA-9r5m-9576-7f6x", "scanner": "osv-scanner", "correlation_key": "vuln|liquidjs|CVE-2026-33285|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6q5m-63h6-5x4v", "level": "error", "message": {"text": "liquidjs: GHSA-6q5m-63h6-5x4v"}, "properties": {"repobilityId": 81039, "scanner": "osv-scanner", "fingerprint": "d78483a8e532eae7e23400a30e3f23857f8dc2457c44270e06e1937fe874ee72", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33287"], "package": "liquidjs", "rule_id": "GHSA-6q5m-63h6-5x4v", "scanner": "osv-scanner", "correlation_key": "vuln|liquidjs|CVE-2026-33287|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-56p5-8mhr-2fph", "level": "error", "message": {"text": "liquidjs: GHSA-56p5-8mhr-2fph"}, "properties": {"repobilityId": 81038, "scanner": "osv-scanner", "fingerprint": "6af16810ab5c1a6a23d6373f669a2da1be7b70339f402de0a62fa132272fda9c", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-35525"], "package": "liquidjs", "rule_id": "GHSA-56p5-8mhr-2fph", "scanner": "osv-scanner", "correlation_key": "vuln|liquidjs|CVE-2026-35525|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4rc3-7j7w-m548", "level": "error", "message": {"text": "liquidjs: GHSA-4rc3-7j7w-m548"}, "properties": {"repobilityId": 81037, "scanner": "osv-scanner", "fingerprint": "b1f9c4fe36d3bdec5f58dd9e05a958eee2c3193c4028b22cbbfb3e533201c1cd", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41311"], "package": "liquidjs", "rule_id": "GHSA-4rc3-7j7w-m548", "scanner": "osv-scanner", "correlation_key": "vuln|liquidjs|CVE-2026-41311|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-pfq8-rq6v-vf5m", "level": "error", "message": {"text": "html-minifier: GHSA-pfq8-rq6v-vf5m"}, "properties": {"repobilityId": 81034, "scanner": "osv-scanner", "fingerprint": "77193165ba11921627843242ad9a2d771bf35ab00136835489e67675245669bb", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2022-37620"], "package": "html-minifier", "rule_id": "GHSA-pfq8-rq6v-vf5m", "scanner": "osv-scanner", "correlation_key": "vuln|html-minifier|CVE-2022-37620|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xjpj-3mr7-gcpf", "level": "error", "message": {"text": "handlebars: GHSA-xjpj-3mr7-gcpf"}, "properties": {"repobilityId": 81033, "scanner": "osv-scanner", "fingerprint": "5d68750694ce45c5c73f13d5eda300a594a83e7af0e195ec59ab5d7dca506556", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33941"], "package": "handlebars", "rule_id": "GHSA-xjpj-3mr7-gcpf", "scanner": "osv-scanner", "correlation_key": "vuln|handlebars|CVE-2026-33941|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xhpv-hc6g-r9c6", "level": "error", "message": {"text": "handlebars: GHSA-xhpv-hc6g-r9c6"}, "properties": {"repobilityId": 81032, "scanner": "osv-scanner", "fingerprint": "9b273d9e123082510c2554cce26e26ed646303fd95ec06b251fd281ede2255bc", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33940"], "package": "handlebars", "rule_id": "GHSA-xhpv-hc6g-r9c6", "scanner": "osv-scanner", "correlation_key": "vuln|handlebars|CVE-2026-33940|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9cx6-37pm-9jff", "level": "error", "message": {"text": "handlebars: GHSA-9cx6-37pm-9jff"}, "properties": {"repobilityId": 81031, "scanner": "osv-scanner", "fingerprint": "d63ea04482fb309b9a67ecde9d929e7e3fda165410ce60a38784d6e9e9a660a7", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33939"], "package": "handlebars", "rule_id": "GHSA-9cx6-37pm-9jff", "scanner": "osv-scanner", "correlation_key": "vuln|handlebars|CVE-2026-33939|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3mfm-83xf-c92r", "level": "error", "message": {"text": "handlebars: GHSA-3mfm-83xf-c92r"}, "properties": {"repobilityId": 81028, "scanner": "osv-scanner", "fingerprint": "24cf4acd490e0cdd986a541b65c8063ec4cd0e7a0ce5062f5a95f2043bd1b2d6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33938"], "package": "handlebars", "rule_id": "GHSA-3mfm-83xf-c92r", "scanner": "osv-scanner", "correlation_key": "vuln|handlebars|CVE-2026-33938|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3xgq-45jj-v275", "level": "error", "message": {"text": "cross-spawn: GHSA-3xgq-45jj-v275"}, "properties": {"repobilityId": 81025, "scanner": "osv-scanner", "fingerprint": "d2e8ad2e78fcc589de2192cb324111e4957895ae7347a6d0ae3a1bff7c881c9d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-21538"], "package": "cross-spawn", "rule_id": "GHSA-3xgq-45jj-v275", "scanner": "osv-scanner", "correlation_key": "vuln|cross-spawn|CVE-2024-21538|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `peaceiris/actions-gh-pages` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 81014, "scanner": "repobility-supply-chain", "fingerprint": "a5b161930b1bd0c1fe18cc142b1665e149d5c9416ccb8915ed9fc56fa9762138", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a5b161930b1bd0c1fe18cc142b1665e149d5c9416ccb8915ed9fc56fa9762138"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gh-pages-build.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `TartanLlama/actions-eleventy` pinned to mutable ref `@master`"}, "properties": {"repobilityId": 81013, "scanner": "repobility-supply-chain", "fingerprint": "0fce2370e1b644ae91d90ca9cc6a48184b30753ed60d86c86f7b70badab21043", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0fce2370e1b644ae91d90ca9cc6a48184b30753ed60d86c86f7b70badab21043"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gh-pages-build.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 81012, "scanner": "repobility-supply-chain", "fingerprint": "a5fc4ff51749b77b8fe3fa377e764dec45ba8410d13b1450bb31f5bcd50f2d8e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a5fc4ff51749b77b8fe3fa377e764dec45ba8410d13b1450bb31f5bcd50f2d8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gh-pages-build.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 81011, "scanner": "repobility-supply-chain", "fingerprint": "ce3c69f66c5b4ae2db47568a145e83e7bd40fea642d42b93017542b675a05b1d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ce3c69f66c5b4ae2db47568a145e83e7bd40fea642d42b93017542b675a05b1d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gh-pages-build.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@master`"}, "properties": {"repobilityId": 81010, "scanner": "repobility-supply-chain", "fingerprint": "07d04ca13705fc4d9ae8bf4a473375a474409de394b475446f47eb378e4b2ffb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|07d04ca13705fc4d9ae8bf4a473375a474409de394b475446f47eb378e4b2ffb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gh-pages-build.yml"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `github/codeql-action/analyze` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 81009, "scanner": "repobility-supply-chain", "fingerprint": "6ff2066f7fb417a1340948f3242eb17da579878051de402b0c8423c0cad24fdf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6ff2066f7fb417a1340948f3242eb17da579878051de402b0c8423c0cad24fdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql-analysis.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `github/codeql-action/autobuild` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 81008, "scanner": "repobility-supply-chain", "fingerprint": "76385f71fd2bd39a87cba04c16fbf45b134b7039ff984b168e02499a6d09096f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|76385f71fd2bd39a87cba04c16fbf45b134b7039ff984b168e02499a6d09096f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql-analysis.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `github/codeql-action/init` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 81007, "scanner": "repobility-supply-chain", "fingerprint": "bc9c7dca6598216e0d2d997414636e0fa4e684878a8dd17a8e434a860072c67b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bc9c7dca6598216e0d2d997414636e0fa4e684878a8dd17a8e434a860072c67b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql-analysis.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 81006, "scanner": "repobility-supply-chain", "fingerprint": "8cd2c96dba32d094769b67d1e793d9f72b5f95deedbd2c3d168111dcab8ba174", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8cd2c96dba32d094769b67d1e793d9f72b5f95deedbd2c3d168111dcab8ba174"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql-analysis.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "GHSA-gf2q-c269-pqgc", "level": "error", "message": {"text": "liquidjs: GHSA-gf2q-c269-pqgc"}, "properties": {"repobilityId": 81043, "scanner": "osv-scanner", "fingerprint": "19ebfacc6f8748029ad6e67caf7592cdc0cb927f1628ad0ea82af42712a80f5c", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45618"], "package": "liquidjs", "rule_id": "GHSA-gf2q-c269-pqgc", "scanner": "osv-scanner", "correlation_key": "vuln|liquidjs|CVE-2026-45618|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2w6w-674q-4c4q", "level": "error", "message": {"text": "handlebars: GHSA-2w6w-674q-4c4q"}, "properties": {"repobilityId": 81027, "scanner": "osv-scanner", "fingerprint": "63049d0268f20b2dd39a40f605bc45c983245e1c3efd3d64bfd68449d15f7255", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33937"], "package": "handlebars", "rule_id": "GHSA-2w6w-674q-4c4q", "scanner": "osv-scanner", "correlation_key": "vuln|handlebars|CVE-2026-33937|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}]}]}