{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authenticatio", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "GHSA-48c2-rrv3-qjmp", "name": "yaml: GHSA-48c2-rrv3-qjmp", "shortDescription": {"text": "yaml: GHSA-48c2-rrv3-qjmp"}, "fullDescription": {"text": "yaml is vulnerable to Stack Overflow via deeply nested YAML collections"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-58qx-3vcg-4xpx", "name": "ws: GHSA-58qx-3vcg-4xpx", "shortDescription": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "fullDescription": {"text": "ws: Uninitialized memory disclosure"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xcj6-pq6g-qj4x", "name": "vite: GHSA-xcj6-pq6g-qj4x", "shortDescription": {"text": "vite: GHSA-xcj6-pq6g-qj4x"}, "fullDescription": {"text": "Vite allows server.fs.deny to be bypassed with .svg or relative paths"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-x574-m823-4x7w", "name": "vite: GHSA-x574-m823-4x7w", "shortDescription": {"text": "vite: GHSA-x574-m823-4x7w"}, "fullDescription": {"text": "Vite bypasses server.fs.deny when using ?raw??"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-vg6x-rcgg-rjx6", "name": "vite: GHSA-vg6x-rcgg-rjx6", "shortDescription": {"text": "vite: GHSA-vg6x-rcgg-rjx6"}, "fullDescription": {"text": "Websites were able to send any requests to the development server and read the response in vite"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9cwx-2883-4wfx", "name": "vite: GHSA-9cwx-2883-4wfx", "shortDescription": {"text": "vite: GHSA-9cwx-2883-4wfx"}, "fullDescription": {"text": "Vite's `server.fs.deny` is bypassed when using `?import&raw`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-93m4-6634-74q7", "name": "vite: GHSA-93m4-6634-74q7", "shortDescription": {"text": "vite: GHSA-93m4-6634-74q7"}, "fullDescription": {"text": "vite allows server.fs.deny bypass via backslash on Windows"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8jhw-289h-jh2g", "name": "vite: GHSA-8jhw-289h-jh2g", "shortDescription": {"text": "vite: GHSA-8jhw-289h-jh2g"}, "fullDescription": {"text": "Vite's `server.fs.deny` did not deny requests for patterns with directories."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-859w-5945-r5v3", "name": "vite: GHSA-859w-5945-r5v3", "shortDescription": {"text": "vite: GHSA-859w-5945-r5v3"}, "fullDescription": {"text": "Vite's server.fs.deny bypassed with /. for files under project root"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-64vr-g452-qvp3", "name": "vite: GHSA-64vr-g452-qvp3", "shortDescription": {"text": "vite: GHSA-64vr-g452-qvp3"}, "fullDescription": {"text": "Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4w7w-66w2-5vf9", "name": "vite: GHSA-4w7w-66w2-5vf9", "shortDescription": {"text": "vite: GHSA-4w7w-66w2-5vf9"}, "fullDescription": {"text": "Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4r4m-qw57-chr8", "name": "vite: GHSA-4r4m-qw57-chr8", "shortDescription": {"text": "vite: GHSA-4r4m-qw57-chr8"}, "fullDescription": {"text": "Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-356w-63v5-8wf4", "name": "vite: GHSA-356w-63v5-8wf4", "shortDescription": {"text": "vite: GHSA-356w-63v5-8wf4"}, "fullDescription": {"text": "Vite has an `server.fs.deny` bypass with an invalid `request-target`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w5hq-g745-h8pq", "name": "uuid: GHSA-w5hq-g745-h8pq", "shortDescription": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "fullDescription": {"text": "uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-phc3-fgpg-7m6h", "name": "undici: GHSA-phc3-fgpg-7m6h", "shortDescription": {"text": "undici: GHSA-phc3-fgpg-7m6h"}, "fullDescription": {"text": "Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c76h-2ccp-4975", "name": "undici: GHSA-c76h-2ccp-4975", "shortDescription": {"text": "undici: GHSA-c76h-2ccp-4975"}, "fullDescription": {"text": "Use of Insufficiently Random Values in undici"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-g9mf-h72j-4rw9", "name": "undici: GHSA-g9mf-h72j-4rw9", "shortDescription": {"text": "undici: GHSA-g9mf-h72j-4rw9"}, "fullDescription": {"text": "Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4992-7rv2-5pvq", "name": "undici: GHSA-4992-7rv2-5pvq", "shortDescription": {"text": "undici: GHSA-4992-7rv2-5pvq"}, "fullDescription": {"text": "Undici has CRLF Injection in undici via `upgrade` option"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2mjp-6q6p-2qxm", "name": "undici: GHSA-2mjp-6q6p-2qxm", "shortDescription": {"text": "undici: GHSA-2mjp-6q6p-2qxm"}, "fullDescription": {"text": "Undici has an HTTP Request/Response Smuggling issue"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-p36q-q72m-gchr", "name": "srvx: GHSA-p36q-q72m-gchr", "shortDescription": {"text": "srvx: GHSA-p36q-q72m-gchr"}, "fullDescription": {"text": "srvx is vulnerable to middleware bypass via absolute URI in request line "}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qj8w-gfj5-8c6v", "name": "serialize-javascript: GHSA-qj8w-gfj5-8c6v", "shortDescription": {"text": "serialize-javascript: GHSA-qj8w-gfj5-8c6v"}, "fullDescription": {"text": "Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q8mj-m7cp-5q26", "name": "qs: GHSA-q8mj-m7cp-5q26", "shortDescription": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "fullDescription": {"text": "qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-6rw7-vpxm-498p", "name": "qs: GHSA-6rw7-vpxm-498p", "shortDescription": {"text": "qs: GHSA-6rw7-vpxm-498p"}, "fullDescription": {"text": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qx2v-qp2m-jg93", "name": "postcss: GHSA-qx2v-qp2m-jg93", "shortDescription": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "fullDescription": {"text": "PostCSS has XSS via Unescaped </style> in its CSS Stringify Output"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3v7f-55p6-f55p", "name": "picomatch: GHSA-3v7f-55p6-f55p", "shortDescription": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "fullDescription": {"text": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-952p-6rrq-rcjv", "name": "micromatch: GHSA-952p-6rrq-rcjv", "shortDescription": {"text": "micromatch: GHSA-952p-6rrq-rcjv"}, "fullDescription": {"text": "Regular Expression Denial of Service (ReDoS) in micromatch"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4fh9-h7wg-q85m", "name": "mdast-util-to-hast: GHSA-4fh9-h7wg-q85m", "shortDescription": {"text": "mdast-util-to-hast: GHSA-4fh9-h7wg-q85m"}, "fullDescription": {"text": "mdast-util-to-hast has unsanitized class attribute"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-38c4-r59v-3vqw", "name": "markdown-it: GHSA-38c4-r59v-3vqw", "shortDescription": {"text": "markdown-it: GHSA-38c4-r59v-3vqw"}, "fullDescription": {"text": "markdown-it is has a Regular Expression Denial of Service (ReDoS)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xxjr-mmjv-4gpg", "name": "lodash: GHSA-xxjr-mmjv-4gpg", "shortDescription": {"text": "lodash: GHSA-xxjr-mmjv-4gpg"}, "fullDescription": {"text": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f23m-r3pf-42rh", "name": "lodash: GHSA-f23m-r3pf-42rh", "shortDescription": {"text": "lodash: GHSA-f23m-r3pf-42rh"}, "fullDescription": {"text": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mh29-5h37-fv8m", "name": "js-yaml: GHSA-mh29-5h37-fv8m", "shortDescription": {"text": "js-yaml: GHSA-mh29-5h37-fv8m"}, "fullDescription": {"text": "js-yaml has prototype pollution in merge (<<)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v2v4-37r5-5v8g", "name": "ip-address: GHSA-v2v4-37r5-5v8g", "shortDescription": {"text": "ip-address: GHSA-v2v4-37r5-5v8g"}, "fullDescription": {"text": "ip-address has XSS in Address6 HTML-emitting methods"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r4q5-vmmm-2653", "name": "follow-redirects: GHSA-r4q5-vmmm-2653", "shortDescription": {"text": "follow-redirects: GHSA-r4q5-vmmm-2653"}, "fullDescription": {"text": "follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-67mh-4wv8-2f99", "name": "esbuild: GHSA-67mh-4wv8-2f99", "shortDescription": {"text": "esbuild: GHSA-67mh-4wv8-2f99"}, "fullDescription": {"text": "esbuild enables any website to send any requests to the development server and read the response"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jxxr-4gwj-5jf2", "name": "brace-expansion: GHSA-jxxr-4gwj-5jf2", "shortDescription": {"text": "brace-expansion: GHSA-jxxr-4gwj-5jf2"}, "fullDescription": {"text": "brace-expansion: Large numeric range defeats documented `max` DoS protection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f886-m6hf-6m8v", "name": "brace-expansion: GHSA-f886-m6hf-6m8v", "shortDescription": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "fullDescription": {"text": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xx6v-rp6x-q39c", "name": "axios: GHSA-xx6v-rp6x-q39c", "shortDescription": {"text": "axios: GHSA-xx6v-rp6x-q39c"}, "fullDescription": {"text": "Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w9j2-pvgh-6h63", "name": "axios: GHSA-w9j2-pvgh-6h63", "shortDescription": {"text": "axios: GHSA-w9j2-pvgh-6h63"}, "fullDescription": {"text": "Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-vf2m-468p-8v99", "name": "axios: GHSA-vf2m-468p-8v99", "shortDescription": {"text": "axios: GHSA-vf2m-468p-8v99"}, "fullDescription": {"text": "Axios: HTTP adapter streamed responses bypass maxContentLength"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-m7pr-hjqh-92cm", "name": "axios: GHSA-m7pr-hjqh-92cm", "shortDescription": {"text": "axios: GHSA-m7pr-hjqh-92cm"}, "fullDescription": {"text": "Axios: no_proxy bypass via IP alias allows SSRF"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-fvcv-3m26-pcqx", "name": "axios: GHSA-fvcv-3m26-pcqx", "shortDescription": {"text": "axios: GHSA-fvcv-3m26-pcqx"}, "fullDescription": {"text": "Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-898c-q2cr-xwhg", "name": "axios: GHSA-898c-q2cr-xwhg", "shortDescription": {"text": "axios: GHSA-898c-q2cr-xwhg"}, "fullDescription": {"text": "axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-62hf-57xw-28j9", "name": "axios: GHSA-62hf-57xw-28j9", "shortDescription": {"text": "axios: GHSA-62hf-57xw-28j9"}, "fullDescription": {"text": "Axios: unbounded recursion in toFormData causes DoS via deeply nested request data"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5c9x-8gcm-mpgx", "name": "axios: GHSA-5c9x-8gcm-mpgx", "shortDescription": {"text": "axios: GHSA-5c9x-8gcm-mpgx"}, "fullDescription": {"text": "Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-445q-vr5w-6q77", "name": "axios: GHSA-445q-vr5w-6q77", "shortDescription": {"text": "axios: GHSA-445q-vr5w-6q77"}, "fullDescription": {"text": "Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3w6x-2g7m-8v23", "name": "axios: GHSA-3w6x-2g7m-8v23", "shortDescription": {"text": "axios: GHSA-3w6x-2g7m-8v23"}, "fullDescription": {"text": "Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2g4f-4pwh-qvx6", "name": "ajv: GHSA-2g4f-4pwh-qvx6", "shortDescription": {"text": "ajv: GHSA-2g4f-4pwh-qvx6"}, "fullDescription": {"text": "ajv has ReDoS when using `$data` option"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-968p-4wvh-cqc8", "name": "@babel/runtime: GHSA-968p-4wvh-cqc8", "shortDescription": {"text": "@babel/runtime: GHSA-968p-4wvh-cqc8"}, "fullDescription": {"text": "Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `@octokit/request` is 1 major version(s) behind (^9.1.3 -> 10.0.10)", "shortDescription": {"text": "npm package `@octokit/request` is 1 major version(s) behind (^9.1.3 -> 10.0.10)"}, "fullDescription": {"text": "`@octokit/request` is pinned/resolved at ^9.1.3 but the latest stable release on the npm registry is 10.0.10 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Public websites should publish a robots.txt file so crawlers and AI agents can discover crawl rules and sitemap locations without guessing."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC005", "name": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or sup", "shortDescription": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "fullDescription": {"text": "No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "low", "confidence": 0.76, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "GHSA-8fgc-7cc6-rx7x", "name": "webpack: GHSA-8fgc-7cc6-rx7x", "shortDescription": {"text": "webpack: GHSA-8fgc-7cc6-rx7x"}, "fullDescription": {"text": "webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-38r7-794h-5758", "name": "webpack: GHSA-38r7-794h-5758", "shortDescription": {"text": "webpack: GHSA-38r7-794h-5758"}, "fullDescription": {"text": "webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects \u2192 SSRF + cache persistence"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jqfw-vq24-v9c3", "name": "vite: GHSA-jqfw-vq24-v9c3", "shortDescription": {"text": "vite: GHSA-jqfw-vq24-v9c3"}, "fullDescription": {"text": "Vite's `server.fs` settings were not applied to HTML files"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-g4jq-h2w9-997c", "name": "vite: GHSA-g4jq-h2w9-997c", "shortDescription": {"text": "vite: GHSA-g4jq-h2w9-997c"}, "fullDescription": {"text": "Vite middleware may serve files starting with the same name with the public directory"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-cxrh-j4jr-qwg3", "name": "undici: GHSA-cxrh-j4jr-qwg3", "shortDescription": {"text": "undici: GHSA-cxrh-j4jr-qwg3"}, "fullDescription": {"text": "undici Denial of Service attack via bad certificate data"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w7fw-mjwx-w883", "name": "qs: GHSA-w7fw-mjwx-w883", "shortDescription": {"text": "qs: GHSA-w7fw-mjwx-w883"}, "fullDescription": {"text": "qs's arrayLimit bypass in comma parsing allows denial of service"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-75v8-2h7p-7m2m", "name": "formidable: GHSA-75v8-2h7p-7m2m", "shortDescription": {"text": "formidable: GHSA-75v8-2h7p-7m2m"}, "fullDescription": {"text": "Formidable relies on hexoid to prevent guessing of filenames for untrusted executable content"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-73rr-hh4g-fpgx", "name": "diff: GHSA-73rr-hh4g-fpgx", "shortDescription": {"text": "diff: GHSA-73rr-hh4g-fpgx"}, "fullDescription": {"text": "jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-pxg6-pf52-xh8x", "name": "cookie: GHSA-pxg6-pf52-xh8x", "shortDescription": {"text": "cookie: GHSA-pxg6-pf52-xh8x"}, "fullDescription": {"text": "cookie accepts cookie name, path, and domain with out of bounds characters"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v6h2-p8h4-qcjw", "name": "brace-expansion: GHSA-v6h2-p8h4-qcjw", "shortDescription": {"text": "brace-expansion: GHSA-v6h2-p8h4-qcjw"}, "fullDescription": {"text": "brace-expansion Regular Expression Denial of Service vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xhjh-pmcv-23jw", "name": "axios: GHSA-xhjh-pmcv-23jw", "shortDescription": {"text": "axios: GHSA-xhjh-pmcv-23jw"}, "fullDescription": {"text": "Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-vpq2-c234-7xj6", "name": "@tootallnate/once: GHSA-vpq2-c234-7xj6", "shortDescription": {"text": "@tootallnate/once: GHSA-vpq2-c234-7xj6"}, "fullDescription": {"text": "@tootallnate/once vulnerable to Incorrect Control Flow Scoping"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED098", "name": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios ", "shortDescription": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "fullDescription": {"text": "Import the library where you need it instead of attaching to window. For legitimate global registries, use a namespaced object (e.g., `window.__myApp.axios`)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order.", "shortDescription": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 1 more): Same pattern found in 1 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 9 more): Same pattern found in 9 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 16 more): Same pattern found in 16 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 62 more): Same pattern found in 62 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 62 more): Same pattern found in 62 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 13 more): Same pattern found in 13 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "GHSA-v2wj-q39q-566r", "name": "vite: GHSA-v2wj-q39q-566r", "shortDescription": {"text": "vite: GHSA-v2wj-q39q-566r"}, "fullDescription": {"text": "Vite: `server.fs.deny` bypassed with queries"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-p9ff-h696-f583", "name": "vite: GHSA-p9ff-h696-f583", "shortDescription": {"text": "vite: GHSA-p9ff-h696-f583"}, "fullDescription": {"text": "Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c27g-q93r-2cwf", "name": "vite: GHSA-c27g-q93r-2cwf", "shortDescription": {"text": "vite: GHSA-c27g-q93r-2cwf"}, "fullDescription": {"text": "launch-editor vulnerable to command injection via the crafted request on Windows"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f269-vfmq-vjvj", "name": "undici: GHSA-f269-vfmq-vjvj", "shortDescription": {"text": "undici: GHSA-f269-vfmq-vjvj"}, "fullDescription": {"text": "Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-vrm6-8vpv-qv8q", "name": "undici: GHSA-vrm6-8vpv-qv8q", "shortDescription": {"text": "undici: GHSA-vrm6-8vpv-qv8q"}, "fullDescription": {"text": "Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v9p9-hfj2-hcw8", "name": "undici: GHSA-v9p9-hfj2-hcw8", "shortDescription": {"text": "undici: GHSA-v9p9-hfj2-hcw8"}, "fullDescription": {"text": "Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-vj76-c3g6-qr5v", "name": "tar-fs: GHSA-vj76-c3g6-qr5v", "shortDescription": {"text": "tar-fs: GHSA-vj76-c3g6-qr5v"}, "fullDescription": {"text": "tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5c6j-r48x-rmvq", "name": "serialize-javascript: GHSA-5c6j-r48x-rmvq", "shortDescription": {"text": "serialize-javascript: GHSA-5c6j-r48x-rmvq"}, "fullDescription": {"text": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mw96-cpmx-2vgc", "name": "rollup: GHSA-mw96-cpmx-2vgc", "shortDescription": {"text": "rollup: GHSA-mw96-cpmx-2vgc"}, "fullDescription": {"text": "Rollup 4 has Arbitrary File Write via Path Traversal"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rv78-f8rc-xrxh", "name": "react-server-dom-webpack: GHSA-rv78-f8rc-xrxh", "shortDescription": {"text": "react-server-dom-webpack: GHSA-rv78-f8rc-xrxh"}, "fullDescription": {"text": "Facebook React has a Denial of Service Vulnerability in React Server Components"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-83fc-fqcc-2hmg", "name": "react-server-dom-webpack: GHSA-83fc-fqcc-2hmg", "shortDescription": {"text": "react-server-dom-webpack: GHSA-83fc-fqcc-2hmg"}, "fullDescription": {"text": "React Server Components have multiple Denial of Service Vulnerabilities"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-479c-33wc-g2pg", "name": "react-server-dom-webpack: GHSA-479c-33wc-g2pg", "shortDescription": {"text": "react-server-dom-webpack: GHSA-479c-33wc-g2pg"}, "fullDescription": {"text": "React Server Components have a Denial of Service Vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c2c7-rcm5-vvqj", "name": "picomatch: GHSA-c2c7-rcm5-vvqj", "shortDescription": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "fullDescription": {"text": "Picomatch has a ReDoS vulnerability via extglob quantifiers"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-37ch-88jc-xwx2", "name": "path-to-regexp: GHSA-37ch-88jc-xwx2", "shortDescription": {"text": "path-to-regexp: GHSA-37ch-88jc-xwx2"}, "fullDescription": {"text": "path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7r86-cg39-jmmj", "name": "minimatch: GHSA-7r86-cg39-jmmj", "shortDescription": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "fullDescription": {"text": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3ppc-4f35-3m26", "name": "minimatch: GHSA-3ppc-4f35-3m26", "shortDescription": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "fullDescription": {"text": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-23c5-xmqv-rm74", "name": "minimatch: GHSA-23c5-xmqv-rm74", "shortDescription": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "fullDescription": {"text": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r5fr-rjxr-66jc", "name": "lodash: GHSA-r5fr-rjxr-66jc", "shortDescription": {"text": "lodash: GHSA-r5fr-rjxr-66jc"}, "fullDescription": {"text": "lodash vulnerable to Code Injection via `_.template` imports key names"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5j98-mcp5-4vw2", "name": "glob: GHSA-5j98-mcp5-4vw2", "shortDescription": {"text": "glob: GHSA-5j98-mcp5-4vw2"}, "fullDescription": {"text": "glob CLI: Command injection via -c/--cmd executes matches with shell:true"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v39h-62p7-jpjc", "name": "fast-uri: GHSA-v39h-62p7-jpjc", "shortDescription": {"text": "fast-uri: GHSA-v39h-62p7-jpjc"}, "fullDescription": {"text": "fast-uri vulnerable to host confusion via percent-encoded authority delimiters"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q3j6-qgpj-74h6", "name": "fast-uri: GHSA-q3j6-qgpj-74h6", "shortDescription": {"text": "fast-uri: GHSA-q3j6-qgpj-74h6"}, "fullDescription": {"text": "fast-uri vulnerable to path traversal via percent-encoded dot segments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-grv7-fg5c-xmjg", "name": "braces: GHSA-grv7-fg5c-xmjg", "shortDescription": {"text": "braces: GHSA-grv7-fg5c-xmjg"}, "fullDescription": {"text": "Uncontrolled resource consumption in braces"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rpmf-866q-6p89", "name": "basic-ftp: GHSA-rpmf-866q-6p89", "shortDescription": {"text": "basic-ftp: GHSA-rpmf-866q-6p89"}, "fullDescription": {"text": "basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rp42-5vxx-qpwr", "name": "basic-ftp: GHSA-rp42-5vxx-qpwr", "shortDescription": {"text": "basic-ftp: GHSA-rp42-5vxx-qpwr"}, "fullDescription": {"text": "basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list()"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-6v7q-wjvx-w8wg", "name": "basic-ftp: GHSA-6v7q-wjvx-w8wg", "shortDescription": {"text": "basic-ftp: GHSA-6v7q-wjvx-w8wg"}, "fullDescription": {"text": "basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q8qp-cvcw-x6jj", "name": "axios: GHSA-q8qp-cvcw-x6jj", "shortDescription": {"text": "axios: GHSA-q8qp-cvcw-x6jj"}, "fullDescription": {"text": "Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-pf86-5x62-jrwf", "name": "axios: GHSA-pf86-5x62-jrwf", "shortDescription": {"text": "axios: GHSA-pf86-5x62-jrwf"}, "fullDescription": {"text": "Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-p92q-9vqr-4j8v", "name": "axios: GHSA-p92q-9vqr-4j8v", "shortDescription": {"text": "axios: GHSA-p92q-9vqr-4j8v"}, "fullDescription": {"text": "Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jr5f-v2jv-69x6", "name": "axios: GHSA-jr5f-v2jv-69x6", "shortDescription": {"text": "axios: GHSA-jr5f-v2jv-69x6"}, "fullDescription": {"text": "axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-j5f8-grm9-p9fc", "name": "axios: GHSA-j5f8-grm9-p9fc", "shortDescription": {"text": "axios: GHSA-j5f8-grm9-p9fc"}, "fullDescription": {"text": "Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-hfxv-24rg-xrqf", "name": "axios: GHSA-hfxv-24rg-xrqf", "shortDescription": {"text": "axios: GHSA-hfxv-24rg-xrqf"}, "fullDescription": {"text": "Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8hc4-vh64-cxmj", "name": "axios: GHSA-8hc4-vh64-cxmj", "shortDescription": {"text": "axios: GHSA-8hc4-vh64-cxmj"}, "fullDescription": {"text": "Server-Side Request Forgery in axios"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-6chq-wfr3-2hj9", "name": "axios: GHSA-6chq-wfr3-2hj9", "shortDescription": {"text": "axios: GHSA-6chq-wfr3-2hj9"}, "fullDescription": {"text": "Axios: Header Injection via Prototype Pollution"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4hjh-wcwx-xvwj", "name": "axios: GHSA-4hjh-wcwx-xvwj", "shortDescription": {"text": "axios: GHSA-4hjh-wcwx-xvwj"}, "fullDescription": {"text": "Axios is vulnerable to DoS attack through lack of data size check"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-43fc-jf86-j433", "name": "axios: GHSA-43fc-jf86-j433", "shortDescription": {"text": "axios: GHSA-43fc-jf86-j433"}, "fullDescription": {"text": "Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-pjwm-pj3p-43mv", "name": "axios: GHSA-pjwm-pj3p-43mv", "shortDescription": {"text": "axios: GHSA-pjwm-pj3p-43mv"}, "fullDescription": {"text": "axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3g43-6gmg-66jw", "name": "axios: GHSA-3g43-6gmg-66jw", "shortDescription": {"text": "axios: GHSA-3g43-6gmg-66jw"}, "fullDescription": {"text": "axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-35jp-ww65-95wh", "name": "axios: GHSA-35jp-ww65-95wh", "shortDescription": {"text": "axios: GHSA-35jp-ww65-95wh"}, "fullDescription": {"text": "axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w94c-4vhp-22gx", "name": "@vitejs/plugin-rsc: GHSA-w94c-4vhp-22gx", "shortDescription": {"text": "@vitejs/plugin-rsc: GHSA-w94c-4vhp-22gx"}, "fullDescription": {"text": "@vitejs/plugin-rsc has a Denial of Service Vulnerability in React Server Components"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v457-wxvj-p9w9", "name": "@vitejs/plugin-rsc: GHSA-v457-wxvj-p9w9", "shortDescription": {"text": "@vitejs/plugin-rsc: GHSA-v457-wxvj-p9w9"}, "fullDescription": {"text": "@vitejs/plugin-rsc has a Denial of Service with React Server Components"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-fv7c-fp4j-7gwp", "name": "@babel/plugin-transform-modules-systemjs: GHSA-fv7c-fp4j-7gwp", "shortDescription": {"text": "@babel/plugin-transform-modules-systemjs: GHSA-fv7c-fp4j-7gwp"}, "fullDescription": {"text": "@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/checkout` pinned to mutable ref `@v6`", "shortDescription": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "fullDescription": {"text": "`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "GHSA-fjxv-7rqg-78g4", "name": "form-data: GHSA-fjxv-7rqg-78g4", "shortDescription": {"text": "form-data: GHSA-fjxv-7rqg-78g4"}, "fullDescription": {"text": "form-data uses unsafe random function in form-data for choosing boundary"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5rq4-664w-9x2c", "name": "basic-ftp: GHSA-5rq4-664w-9x2c", "shortDescription": {"text": "basic-ftp: GHSA-5rq4-664w-9x2c"}, "fullDescription": {"text": "Basic FTP has Path Traversal Vulnerability in its downloadToDir()\u00a0method"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "Workflow uses `secrets.FORMAT_PAT` on a `pull_request` trigger", "shortDescription": {"text": "Workflow uses `secrets.FORMAT_PAT` on a `pull_request` trigger"}, "fullDescription": {"text": "This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.FORMAT_PAT }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/911"}, "properties": {"repository": "remix-run/react-router", "repoUrl": "https://github.com/remix-run/react-router", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 85513, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 85512, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 85508, "scanner": "repobility-journey-contract", "fingerprint": "7a40581eef7304c85c67e4a628e89ba8ffc643d1c4f7660aa605e56d790294e9", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/data", "correlation_key": "fp|7a40581eef7304c85c67e4a628e89ba8ffc643d1c4f7660aa605e56d790294e9", "backend_endpoint_count": 9}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-router-dev/vite/plugins/prerender.ts"}, "region": {"startLine": 101}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 85507, "scanner": "repobility-journey-contract", "fingerprint": "e07ba3b8c1c633562534dfb0aae01a9f5bd984a8392de7e30dc2449a15512120", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/book", "correlation_key": "fp|e07ba3b8c1c633562534dfb0aae01a9f5bd984a8392de7e30dc2449a15512120", "backend_endpoint_count": 9}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-router/lib/components.tsx"}, "region": {"startLine": 1614}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 85505, "scanner": "repobility-access-control", "fingerprint": "b2b220ffd00544f11577c95c6ebba1d9777fd8f8945f26d82bcf37e8c3177020", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 9, "correlation_key": "fp|b2b220ffd00544f11577c95c6ebba1d9777fd8f8945f26d82bcf37e8c3177020", "auth_visible_percent": 0.0}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 85504, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Express", "Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "GHSA-48c2-rrv3-qjmp", "level": "warning", "message": {"text": "yaml: GHSA-48c2-rrv3-qjmp"}, "properties": {"repobilityId": 85503, "scanner": "osv-scanner", "fingerprint": "50bb42596af5c9f077010621340b47a31a4c2078f9d0e01ee2b787647b74301a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33532"], "package": "yaml", "rule_id": "GHSA-48c2-rrv3-qjmp", "scanner": "osv-scanner", "correlation_key": "vuln|yaml|CVE-2026-33532|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-58qx-3vcg-4xpx", "level": "warning", "message": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "properties": {"repobilityId": 85502, "scanner": "osv-scanner", "fingerprint": "d698c0969dae25e950d4f8b65b021df28bdeb91476dcc255cdcc9ca9ba3ee73e", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45736"], "package": "ws", "rule_id": "GHSA-58qx-3vcg-4xpx", "scanner": "osv-scanner", "correlation_key": "vuln|ws|CVE-2026-45736|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xcj6-pq6g-qj4x", "level": "warning", "message": {"text": "vite: GHSA-xcj6-pq6g-qj4x"}, "properties": {"repobilityId": 85497, "scanner": "osv-scanner", "fingerprint": "a960bd48a03866f08540a7680f27cade2dadcba7b8e9f14be175c8aa9812b9d8", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-31486"], "package": "vite", "rule_id": "GHSA-xcj6-pq6g-qj4x", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2025-31486|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-x574-m823-4x7w", "level": "warning", "message": {"text": "vite: GHSA-x574-m823-4x7w"}, "properties": {"repobilityId": 85496, "scanner": "osv-scanner", "fingerprint": "fdfc30276c41176f164220d01358aa9adececa302592caee5fa6a01a0a0b1b2d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-30208"], "package": "vite", "rule_id": "GHSA-x574-m823-4x7w", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2025-30208|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vg6x-rcgg-rjx6", "level": "warning", "message": {"text": "vite: GHSA-vg6x-rcgg-rjx6"}, "properties": {"repobilityId": 85495, "scanner": "osv-scanner", "fingerprint": "215068d5fc545fd0f2fe182c0c48fff625aa4e6c2f6fc87ae1f71593284d4905", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-24010"], "package": "vite", "rule_id": "GHSA-vg6x-rcgg-rjx6", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2025-24010|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9cwx-2883-4wfx", "level": "warning", "message": {"text": "vite: GHSA-9cwx-2883-4wfx"}, "properties": {"repobilityId": 85491, "scanner": "osv-scanner", "fingerprint": "633d1a6f3170cb24da130310845650f64b1b3ac99c86f96da4c65ad4b38d90e8", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-45811"], "package": "vite", "rule_id": "GHSA-9cwx-2883-4wfx", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2024-45811|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-93m4-6634-74q7", "level": "warning", "message": {"text": "vite: GHSA-93m4-6634-74q7"}, "properties": {"repobilityId": 85490, "scanner": "osv-scanner", "fingerprint": "754b1d6626e72d8691f7883f12f3362d54578372edf4ba20a02fcff80a0e4f2a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-62522"], "package": "vite", "rule_id": "GHSA-93m4-6634-74q7", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2025-62522|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8jhw-289h-jh2g", "level": "warning", "message": {"text": "vite: GHSA-8jhw-289h-jh2g"}, "properties": {"repobilityId": 85489, "scanner": "osv-scanner", "fingerprint": "ac93dd8688546d83fe519ae33c6e3b2dfcf797c579391df17f17efc8d7bab130", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-31207"], "package": "vite", "rule_id": "GHSA-8jhw-289h-jh2g", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2024-31207|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-859w-5945-r5v3", "level": "warning", "message": {"text": "vite: GHSA-859w-5945-r5v3"}, "properties": {"repobilityId": 85488, "scanner": "osv-scanner", "fingerprint": "55a3c810fba969dfe047948f3a24b268ae6ba154fede2b8564da926812ffb31d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-46565"], "package": "vite", "rule_id": "GHSA-859w-5945-r5v3", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2025-46565|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-64vr-g452-qvp3", "level": "warning", "message": {"text": "vite: GHSA-64vr-g452-qvp3"}, "properties": {"repobilityId": 85487, "scanner": "osv-scanner", "fingerprint": "97948f6af73ea6e0625edc73d8a9532cdb28dbbebf7e7cf0595a3053cd4229ab", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-45812"], "package": "vite", "rule_id": "GHSA-64vr-g452-qvp3", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2024-45812|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4w7w-66w2-5vf9", "level": "warning", "message": {"text": "vite: GHSA-4w7w-66w2-5vf9"}, "properties": {"repobilityId": 85486, "scanner": "osv-scanner", "fingerprint": "a2c12e2b28152cf8b2318c26eb42f38e3894a8280e15146de8ce046c997d7d89", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39365"], "package": "vite", "rule_id": "GHSA-4w7w-66w2-5vf9", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2026-39365|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4r4m-qw57-chr8", "level": "warning", "message": {"text": "vite: GHSA-4r4m-qw57-chr8"}, "properties": {"repobilityId": 85485, "scanner": "osv-scanner", "fingerprint": "30bd17df1b32dafa65eb188f52ab15d0abeec482acb0c6c10c0d9da573b7e96c", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-31125"], "package": "vite", "rule_id": "GHSA-4r4m-qw57-chr8", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2025-31125|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-356w-63v5-8wf4", "level": "warning", "message": {"text": "vite: GHSA-356w-63v5-8wf4"}, "properties": {"repobilityId": 85484, "scanner": "osv-scanner", "fingerprint": "0a4aab4113e3bc4a8b1ff9c32c8e904173f1d2982e95129ac32312c71543e24b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-32395"], "package": "vite", "rule_id": "GHSA-356w-63v5-8wf4", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2025-32395|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w5hq-g745-h8pq", "level": "warning", "message": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "properties": {"repobilityId": 85483, "scanner": "osv-scanner", "fingerprint": "fdef028f4a816ff49a3feddc8fea57767b8bd7a5285d824fe826196183701971", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41907"], "package": "uuid", "rule_id": "GHSA-w5hq-g745-h8pq", "scanner": "osv-scanner", "correlation_key": "vuln|uuid|CVE-2026-41907|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-phc3-fgpg-7m6h", "level": "warning", "message": {"text": "undici: GHSA-phc3-fgpg-7m6h"}, "properties": {"repobilityId": 85482, "scanner": "osv-scanner", "fingerprint": "cb583340838efbe9f008841194902f9fe2e1cde7042d1a708e3958872453f56d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2581"], "package": "undici", "rule_id": "GHSA-phc3-fgpg-7m6h", "scanner": "osv-scanner", "correlation_key": "vuln|undici|CVE-2026-2581|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c76h-2ccp-4975", "level": "warning", "message": {"text": "undici: GHSA-c76h-2ccp-4975"}, "properties": {"repobilityId": 85480, "scanner": "osv-scanner", "fingerprint": "631f5ffae457fa89987019c583ceec49a26f2d33619c300560f8175077b4c913", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-22150"], "package": "undici", "rule_id": "GHSA-c76h-2ccp-4975", "scanner": "osv-scanner", "correlation_key": "vuln|undici|CVE-2025-22150|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-g9mf-h72j-4rw9", "level": "warning", "message": {"text": "undici: GHSA-g9mf-h72j-4rw9"}, "properties": {"repobilityId": 85477, "scanner": "osv-scanner", "fingerprint": "783888cf99ccdd193a6bbf5808eb99a946b0897c275ba28a7321371df70feae9", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-22036"], "package": "undici", "rule_id": "GHSA-g9mf-h72j-4rw9", "scanner": "osv-scanner", "correlation_key": "vuln|undici|CVE-2026-22036|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4992-7rv2-5pvq", "level": "warning", "message": {"text": "undici: GHSA-4992-7rv2-5pvq"}, "properties": {"repobilityId": 85475, "scanner": "osv-scanner", "fingerprint": "8115727bfcf9fb5c733f94951b6c76b53101eaf392c34bbf2e4981a84489f899", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-1527"], "package": "undici", "rule_id": "GHSA-4992-7rv2-5pvq", "scanner": "osv-scanner", "correlation_key": "vuln|undici|CVE-2026-1527|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2mjp-6q6p-2qxm", "level": "warning", "message": {"text": "undici: GHSA-2mjp-6q6p-2qxm"}, "properties": {"repobilityId": 85474, "scanner": "osv-scanner", "fingerprint": "27feada98ab5f326c7254750f715731608e011901400f45934a064cef0424d39", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-1525"], "package": "undici", "rule_id": "GHSA-2mjp-6q6p-2qxm", "scanner": "osv-scanner", "correlation_key": "vuln|undici|CVE-2026-1525|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-p36q-q72m-gchr", "level": "warning", "message": {"text": "srvx: GHSA-p36q-q72m-gchr"}, "properties": {"repobilityId": 85472, "scanner": "osv-scanner", "fingerprint": "d3f76db18fb17fd31740d94fc77d26f064ecb515a163cbc8d4ddb20b3ff1e427", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33732"], "package": "srvx", "rule_id": "GHSA-p36q-q72m-gchr", "scanner": "osv-scanner", "correlation_key": "vuln|srvx|CVE-2026-33732|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qj8w-gfj5-8c6v", "level": "warning", "message": {"text": "serialize-javascript: GHSA-qj8w-gfj5-8c6v"}, "properties": {"repobilityId": 85471, "scanner": "osv-scanner", "fingerprint": "e5adc7b8147d0f39d78debfb9b91e31cc337ef1e8ecd400a17dea5cbe1b23197", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34043"], "package": "serialize-javascript", "rule_id": "GHSA-qj8w-gfj5-8c6v", "scanner": "osv-scanner", "correlation_key": "vuln|serialize-javascript|CVE-2026-34043|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q8mj-m7cp-5q26", "level": "warning", "message": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "properties": {"repobilityId": 85464, "scanner": "osv-scanner", "fingerprint": "0727364e57c088dabd2840fd21980edb99b147969b7db2965e7188703dcea5f1", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-8723"], "package": "qs", "rule_id": "GHSA-q8mj-m7cp-5q26", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2026-8723|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6rw7-vpxm-498p", "level": "warning", "message": {"text": "qs: GHSA-6rw7-vpxm-498p"}, "properties": {"repobilityId": 85463, "scanner": "osv-scanner", "fingerprint": "6d22fb6d155cd92273923764c4a42ac64c943a3e96e9afc41e845a7b5d2f24b9", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-15284"], "package": "qs", "rule_id": "GHSA-6rw7-vpxm-498p", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2025-15284|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qx2v-qp2m-jg93", "level": "warning", "message": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "properties": {"repobilityId": 85462, "scanner": "osv-scanner", "fingerprint": "0b1dff5c952a767b7990e67b0d60cc580116a9b63b14cf0d44b920a59028efbf", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41305"], "package": "postcss", "rule_id": "GHSA-qx2v-qp2m-jg93", "scanner": "osv-scanner", "correlation_key": "vuln|postcss|CVE-2026-41305|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3v7f-55p6-f55p", "level": "warning", "message": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "properties": {"repobilityId": 85460, "scanner": "osv-scanner", "fingerprint": "d9d26d972991fffb51a1613b08ac1e8e722be1c10191fb43cced54b770250e8d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33672"], "package": "picomatch", "rule_id": "GHSA-3v7f-55p6-f55p", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33672|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-952p-6rrq-rcjv", "level": "warning", "message": {"text": "micromatch: GHSA-952p-6rrq-rcjv"}, "properties": {"repobilityId": 85455, "scanner": "osv-scanner", "fingerprint": "7f5b885c50f81ed0daa6171ed0eeb8291fc1168ed770191f145325d8b2c16280", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-4067"], "package": "micromatch", "rule_id": "GHSA-952p-6rrq-rcjv", "scanner": "osv-scanner", "correlation_key": "vuln|micromatch|CVE-2024-4067|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4fh9-h7wg-q85m", "level": "warning", "message": {"text": "mdast-util-to-hast: GHSA-4fh9-h7wg-q85m"}, "properties": {"repobilityId": 85454, "scanner": "osv-scanner", "fingerprint": "039e2b36672f18dbf9d417665e7f3212fd1a283e5ef0c85f75995c2c417b7e4e", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-66400"], "package": "mdast-util-to-hast", "rule_id": "GHSA-4fh9-h7wg-q85m", "scanner": "osv-scanner", "correlation_key": "vuln|mdast-util-to-hast|CVE-2025-66400|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-38c4-r59v-3vqw", "level": "warning", "message": {"text": "markdown-it: GHSA-38c4-r59v-3vqw"}, "properties": {"repobilityId": 85453, "scanner": "osv-scanner", "fingerprint": "4469383d894c69f2a72c8a45646cb30356ad3ed678bfa299a189ebfaf3838073", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2327"], "package": "markdown-it", "rule_id": "GHSA-38c4-r59v-3vqw", "scanner": "osv-scanner", "correlation_key": "vuln|markdown-it|CVE-2026-2327|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xxjr-mmjv-4gpg", "level": "warning", "message": {"text": "lodash: GHSA-xxjr-mmjv-4gpg"}, "properties": {"repobilityId": 85452, "scanner": "osv-scanner", "fingerprint": "75f1cf8ff29d8d132d579513aad4027dbb5a93646863d8e7bc0c89343d3402ef", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-13465"], "package": "lodash", "rule_id": "GHSA-xxjr-mmjv-4gpg", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2025-13465|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f23m-r3pf-42rh", "level": "warning", "message": {"text": "lodash: GHSA-f23m-r3pf-42rh"}, "properties": {"repobilityId": 85450, "scanner": "osv-scanner", "fingerprint": "529a8e201067f66e4bcd0d6408bc6eece689220a5a65ec65438a230ab5b7cf66", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2950"], "package": "lodash", "rule_id": "GHSA-f23m-r3pf-42rh", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2026-2950|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mh29-5h37-fv8m", "level": "warning", "message": {"text": "js-yaml: GHSA-mh29-5h37-fv8m"}, "properties": {"repobilityId": 85449, "scanner": "osv-scanner", "fingerprint": "e1f1eee28e3c43746c892494085b271496e4ce012a6f7a57876b5d7ed32ae261", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-64718"], "package": "js-yaml", "rule_id": "GHSA-mh29-5h37-fv8m", "scanner": "osv-scanner", "correlation_key": "vuln|js-yaml|CVE-2025-64718|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v2v4-37r5-5v8g", "level": "warning", "message": {"text": "ip-address: GHSA-v2v4-37r5-5v8g"}, "properties": {"repobilityId": 85448, "scanner": "osv-scanner", "fingerprint": "62020e206e8925629e9ce81503c184fb7740327a8f08e1c3e188f1738ecc7bb4", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42338"], "package": "ip-address", "rule_id": "GHSA-v2v4-37r5-5v8g", "scanner": "osv-scanner", "correlation_key": "vuln|ip-address|CVE-2026-42338|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r4q5-vmmm-2653", "level": "warning", "message": {"text": "follow-redirects: GHSA-r4q5-vmmm-2653"}, "properties": {"repobilityId": 85444, "scanner": "osv-scanner", "fingerprint": "6f390e2ea2dc5e15147a7d495e55d42a4ae00467d7b3f2ca1cebb7aa445a73b9", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "follow-redirects", "rule_id": "GHSA-r4q5-vmmm-2653", "scanner": "osv-scanner", "correlation_key": "vuln|follow-redirects|GHSA-R4Q5-VMMM-2653|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-67mh-4wv8-2f99", "level": "warning", "message": {"text": "esbuild: GHSA-67mh-4wv8-2f99"}, "properties": {"repobilityId": 85441, "scanner": "osv-scanner", "fingerprint": "41f281ca33e7758f3ed49d251cab103d4cb0c6de82ba0c8149194ad02717accb", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "esbuild", "rule_id": "GHSA-67mh-4wv8-2f99", "scanner": "osv-scanner", "correlation_key": "vuln|esbuild|GHSA-67MH-4WV8-2F99|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jxxr-4gwj-5jf2", "level": "warning", "message": {"text": "brace-expansion: GHSA-jxxr-4gwj-5jf2"}, "properties": {"repobilityId": 85437, "scanner": "osv-scanner", "fingerprint": "df9432682f1efa01d242974fb7d6c679d3a112195415b0ccdedda1d7decb9db5", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45149"], "package": "brace-expansion", "rule_id": "GHSA-jxxr-4gwj-5jf2", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-45149|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f886-m6hf-6m8v", "level": "warning", "message": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "properties": {"repobilityId": 85435, "scanner": "osv-scanner", "fingerprint": "6ed3e11856b985dfd38b234bdeafe6eb9fdd6ace1789aa46a716324dba77d441", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33750"], "package": "brace-expansion", "rule_id": "GHSA-f886-m6hf-6m8v", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-33750|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xx6v-rp6x-q39c", "level": "warning", "message": {"text": "axios: GHSA-xx6v-rp6x-q39c"}, "properties": {"repobilityId": 85430, "scanner": "osv-scanner", "fingerprint": "f4d3c3e971d7c32a841a8e9d2274b919d584ebde00c287a5125977e4679b6d2d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42042"], "package": "axios", "rule_id": "GHSA-xx6v-rp6x-q39c", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42042|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w9j2-pvgh-6h63", "level": "warning", "message": {"text": "axios: GHSA-w9j2-pvgh-6h63"}, "properties": {"repobilityId": 85428, "scanner": "osv-scanner", "fingerprint": "aef4ea6bb9fe96970edb89df1c55d9328442cbb2c414e15426581c29b3bedf59", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42041"], "package": "axios", "rule_id": "GHSA-w9j2-pvgh-6h63", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42041|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vf2m-468p-8v99", "level": "warning", "message": {"text": "axios: GHSA-vf2m-468p-8v99"}, "properties": {"repobilityId": 85427, "scanner": "osv-scanner", "fingerprint": "a47bbf1de2621c9873c58bf61cf2c204783a954b09e8d45b85369186c7c69e26", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42036"], "package": "axios", "rule_id": "GHSA-vf2m-468p-8v99", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42036|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-m7pr-hjqh-92cm", "level": "warning", "message": {"text": "axios: GHSA-m7pr-hjqh-92cm"}, "properties": {"repobilityId": 85423, "scanner": "osv-scanner", "fingerprint": "03d4415cb812368e8d2664c4c86ca75a3c61890e88ca76c80f41517bf7669472", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42038"], "package": "axios", "rule_id": "GHSA-m7pr-hjqh-92cm", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42038|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-fvcv-3m26-pcqx", "level": "warning", "message": {"text": "axios: GHSA-fvcv-3m26-pcqx"}, "properties": {"repobilityId": 85419, "scanner": "osv-scanner", "fingerprint": "6fbc23ec83d856d901d25dadcdd98dd5cd74883327b0943a2bf510d4f9fa7c46", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-40175"], "package": "axios", "rule_id": "GHSA-fvcv-3m26-pcqx", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-40175|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-898c-q2cr-xwhg", "level": "warning", "message": {"text": "axios: GHSA-898c-q2cr-xwhg"}, "properties": {"repobilityId": 85417, "scanner": "osv-scanner", "fingerprint": "910d37c8ab0a9f57c51541bccb64556608270912d3985e5a8f2de9867dc80925", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44490"], "package": "axios", "rule_id": "GHSA-898c-q2cr-xwhg", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44490|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-62hf-57xw-28j9", "level": "warning", "message": {"text": "axios: GHSA-62hf-57xw-28j9"}, "properties": {"repobilityId": 85415, "scanner": "osv-scanner", "fingerprint": "e3e69eb61e6bbd8b83d34773a4081c1394d54219655b834f554f2b965eaf1623", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42039"], "package": "axios", "rule_id": "GHSA-62hf-57xw-28j9", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42039|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5c9x-8gcm-mpgx", "level": "warning", "message": {"text": "axios: GHSA-5c9x-8gcm-mpgx"}, "properties": {"repobilityId": 85414, "scanner": "osv-scanner", "fingerprint": "1abdff1fadfd9fcbb6b74f325b7aa939457126fb887d086666c3ebfc8ac20ccc", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42034"], "package": "axios", "rule_id": "GHSA-5c9x-8gcm-mpgx", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42034|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-445q-vr5w-6q77", "level": "warning", "message": {"text": "axios: GHSA-445q-vr5w-6q77"}, "properties": {"repobilityId": 85412, "scanner": "osv-scanner", "fingerprint": "0db634a898113ae16e2bd4144dfd4eb952edb9d68068ddd88f557973b18060db", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42037"], "package": "axios", "rule_id": "GHSA-445q-vr5w-6q77", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42037|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3w6x-2g7m-8v23", "level": "warning", "message": {"text": "axios: GHSA-3w6x-2g7m-8v23"}, "properties": {"repobilityId": 85410, "scanner": "osv-scanner", "fingerprint": "45fd17844151668e161c272e04ff12aa44bfa977c04e919a141551eabff14904", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42044"], "package": "axios", "rule_id": "GHSA-3w6x-2g7m-8v23", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42044|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2g4f-4pwh-qvx6", "level": "warning", "message": {"text": "ajv: GHSA-2g4f-4pwh-qvx6"}, "properties": {"repobilityId": 85406, "scanner": "osv-scanner", "fingerprint": "0b4075edd70eccc9e81ce84656b8a0c1040ecc83769ba1ed4fe7ce3796321c93", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-69873"], "package": "ajv", "rule_id": "GHSA-2g4f-4pwh-qvx6", "scanner": "osv-scanner", "correlation_key": "vuln|ajv|CVE-2025-69873|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-968p-4wvh-cqc8", "level": "warning", "message": {"text": "@babel/runtime: GHSA-968p-4wvh-cqc8"}, "properties": {"repobilityId": 85402, "scanner": "osv-scanner", "fingerprint": "8226570f1a95192aa4fd0dc6689ea75a67b6fd3ba8d5359cbc505423970e95e0", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-27789"], "package": "@babel/runtime", "rule_id": "GHSA-968p-4wvh-cqc8", "scanner": "osv-scanner", "correlation_key": "vuln|babel/runtime|CVE-2025-27789|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 85394, "scanner": "repobility-threat-engine", "fingerprint": "b90ba3ae97464d19f5c988b37151b4428726006a065a6161704143265341049c", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(\n        () => {}\n      )", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b90ba3ae97464d19f5c988b37151b4428726006a065a6161704143265341049c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/performance/scripts/bench.mjs"}, "region": {"startLine": 103}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 85393, "scanner": "repobility-threat-engine", "fingerprint": "4c05b69bb23edb634b6b79e31d9d10721271798277ce4b8bc98829d040a9dce2", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4c05b69bb23edb634b6b79e31d9d10721271798277ce4b8bc98829d040a9dce2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-router-node/stream.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 85392, "scanner": "repobility-threat-engine", "fingerprint": "589dae19ee0169519d59596abab564bcde3082cf8f5db4922806334a68a3a228", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (\n          // eslint-disable-next-line @typescript-eslint/no-unused-vars\n          e", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|589dae19ee0169519d59596abab564bcde3082cf8f5db4922806334a68a3a228"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/create-react-router/prompts-prompt-base.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 85383, "scanner": "repobility-threat-engine", "fingerprint": "1bd41e5528cf46c03ed293e235161789167706c9d7865246e8e805db46dba24f", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|scripts/changes/publish.ts|85|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/changes/publish.ts"}, "region": {"startLine": 85}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 85382, "scanner": "repobility-threat-engine", "fingerprint": "cdd25b9acf1f6e5401a96b197757bed4bf5e26fb6a55e3d182baed85142313d7", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|230|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/helpers/playwright-fixture.ts"}, "region": {"startLine": 230}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@octokit/request` is 1 major version(s) behind (^9.1.3 -> 10.0.10)"}, "properties": {"repobilityId": 85361, "scanner": "repobility-dependency-currency", "fingerprint": "2a49d2f713b054d5546a4e595257cfd108bfcff9519561619cf216b3d0e1dbe6", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@octokit/request", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.0.10", "correlation_key": "fp|2a49d2f713b054d5546a4e595257cfd108bfcff9519561619cf216b3d0e1dbe6", "current_version": "^9.1.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `unist-util-remove` is 1 major version(s) behind (^3.1.0 -> 4.0.0)"}, "properties": {"repobilityId": 85360, "scanner": "repobility-dependency-currency", "fingerprint": "daa811fa9ce8fb3adcb3f61a8bb76a5faedefa9bab6238c7dea1dee9ffcc0200", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "unist-util-remove", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.0.0", "correlation_key": "fp|daa811fa9ce8fb3adcb3f61a8bb76a5faedefa9bab6238c7dea1dee9ffcc0200", "current_version": "^3.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `unified` is 1 major version(s) behind (^10.1.2 -> 11.0.5)"}, "properties": {"repobilityId": 85359, "scanner": "repobility-dependency-currency", "fingerprint": "6aac497727379b509e66dd508fe074b01bf155076a9136576581ba1438659ff7", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "unified", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "11.0.5", "correlation_key": "fp|6aac497727379b509e66dd508fe074b01bf155076a9136576581ba1438659ff7", "current_version": "^10.1.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `remark-stringify` is 1 major version(s) behind (^10.0.2 -> 11.0.0)"}, "properties": {"repobilityId": 85356, "scanner": "repobility-dependency-currency", "fingerprint": "b630fc8f348a34736e0066fe2f9ea67ca79e210797f89f2b5ff0f0b8b55adce3", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "remark-stringify", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "11.0.0", "correlation_key": "fp|b630fc8f348a34736e0066fe2f9ea67ca79e210797f89f2b5ff0f0b8b55adce3", "current_version": "^10.0.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `remark-parse` is 1 major version(s) behind (^10.0.1 -> 11.0.0)"}, "properties": {"repobilityId": 85355, "scanner": "repobility-dependency-currency", "fingerprint": "d18a894859caba55478ab69904802b946998155fd5d45304c6107033d644227a", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "remark-parse", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "11.0.0", "correlation_key": "fp|d18a894859caba55478ab69904802b946998155fd5d45304c6107033d644227a", "current_version": "^10.0.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `remark-gfm` is 1 major version(s) behind (^3.0.1 -> 4.0.1)"}, "properties": {"repobilityId": 85354, "scanner": "repobility-dependency-currency", "fingerprint": "ad11b2c608a5e47410ce6fb8d777b974b7b922f89798057e2bbb46d6e61dc672", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "remark-gfm", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.0.1", "correlation_key": "fp|ad11b2c608a5e47410ce6fb8d777b974b7b922f89798057e2bbb46d6e61dc672", "current_version": "^3.0.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `jest` is 1 major version(s) behind (^29.6.4 -> 30.4.2)"}, "properties": {"repobilityId": 85351, "scanner": "repobility-dependency-currency", "fingerprint": "8796edf49c615d869eb1dab852ae0ee22ad4eff940938e839d9fd3ac00328301", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "jest", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "30.4.2", "correlation_key": "fp|8796edf49c615d869eb1dab852ae0ee22ad4eff940938e839d9fd3ac00328301", "current_version": "^29.6.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `babel-jest` is 1 major version(s) behind (^29.7.0 -> 30.4.1)"}, "properties": {"repobilityId": 85347, "scanner": "repobility-dependency-currency", "fingerprint": "c05ec476048c4a4abefe1e4b7e4fbddeea1d807f8add829b34739ffdf57293ae", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "babel-jest", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "30.4.1", "correlation_key": "fp|c05ec476048c4a4abefe1e4b7e4fbddeea1d807f8add829b34739ffdf57293ae", "current_version": "^29.7.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@types/jsdom` is 7 major version(s) behind (^21.1.1 -> 28.0.3)"}, "properties": {"repobilityId": 85345, "scanner": "repobility-dependency-currency", "fingerprint": "aa0bd61c86215de416897ccb4980b114628c16aa23796a6eddd59df0fa113d62", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "7 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/jsdom", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "28.0.3", "correlation_key": "fp|aa0bd61c86215de416897ccb4980b114628c16aa23796a6eddd59df0fa113d62", "current_version": "^21.1.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@types/jest` is 1 major version(s) behind (^29.5.4 -> 30.0.0)"}, "properties": {"repobilityId": 85344, "scanner": "repobility-dependency-currency", "fingerprint": "379fc3854f95b58d81f8824b34c316983755ac1631d01341fcb5b0a0b5712cf4", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/jest", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "30.0.0", "correlation_key": "fp|379fc3854f95b58d81f8824b34c316983755ac1631d01341fcb5b0a0b5712cf4", "current_version": "^29.5.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@manypkg/get-packages` is 2 major version(s) behind (^1.1.3 -> 3.1.0)"}, "properties": {"repobilityId": 85342, "scanner": "repobility-dependency-currency", "fingerprint": "8d385e3b8e66feb4bb7d49fad6df65424fa00583b00ce111cb1010781cca460e", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@manypkg/get-packages", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.1.0", "correlation_key": "fp|8d385e3b8e66feb4bb7d49fad6df65424fa00583b00ce111cb1010781cca460e", "current_version": "^1.1.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 85511, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 85510, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 85509, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC005", "level": "note", "message": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"repobilityId": 85506, "scanner": "repobility-access-control", "fingerprint": "c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e", "category": "auth", "severity": "low", "confidence": 0.76, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Express", "Next.js"], "correlation_key": "fp|c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e"}}}, {"ruleId": "GHSA-8fgc-7cc6-rx7x", "level": "note", "message": {"text": "webpack: GHSA-8fgc-7cc6-rx7x"}, "properties": {"repobilityId": 85501, "scanner": "osv-scanner", "fingerprint": "1993c610a1e199945bd3223101121d865411366cc66303a7a26ce1368fa7ffb3", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-68458"], "package": "webpack", "rule_id": "GHSA-8fgc-7cc6-rx7x", "scanner": "osv-scanner", "correlation_key": "vuln|webpack|CVE-2025-68458|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-38r7-794h-5758", "level": "note", "message": {"text": "webpack: GHSA-38r7-794h-5758"}, "properties": {"repobilityId": 85500, "scanner": "osv-scanner", "fingerprint": "f17ee9fc81b3ebbf6275da2f4ff0c137ea8a2828a01f73eb453ed488df735491", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-68157"], "package": "webpack", "rule_id": "GHSA-38r7-794h-5758", "scanner": "osv-scanner", "correlation_key": "vuln|webpack|CVE-2025-68157|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jqfw-vq24-v9c3", "level": "note", "message": {"text": "vite: GHSA-jqfw-vq24-v9c3"}, "properties": {"repobilityId": 85494, "scanner": "osv-scanner", "fingerprint": "55b9c0c6074ff7e7bec72fec900b81ea097d13104e4591600c6c0df033ee54db", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-58752"], "package": "vite", "rule_id": "GHSA-jqfw-vq24-v9c3", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2025-58752|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-g4jq-h2w9-997c", "level": "note", "message": {"text": "vite: GHSA-g4jq-h2w9-997c"}, "properties": {"repobilityId": 85493, "scanner": "osv-scanner", "fingerprint": "ac702b3b19cafd97c1badc3a9596db8423888573e1f6e897415dba8562cf16fc", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-58751"], "package": "vite", "rule_id": "GHSA-g4jq-h2w9-997c", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2025-58751|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-cxrh-j4jr-qwg3", "level": "note", "message": {"text": "undici: GHSA-cxrh-j4jr-qwg3"}, "properties": {"repobilityId": 85476, "scanner": "osv-scanner", "fingerprint": "3cc07ade7eeffb287116e9b998809a062232a99bbf2fc80d37151f4e9e9b2b07", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-47279"], "package": "undici", "rule_id": "GHSA-cxrh-j4jr-qwg3", "scanner": "osv-scanner", "correlation_key": "vuln|undici|CVE-2025-47279|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w7fw-mjwx-w883", "level": "note", "message": {"text": "qs: GHSA-w7fw-mjwx-w883"}, "properties": {"repobilityId": 85465, "scanner": "osv-scanner", "fingerprint": "a8ebfae1708877f4dd9d37cacb9e0f82aeb99b56d968b81a86d1302c6d3af0c2", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2391"], "package": "qs", "rule_id": "GHSA-w7fw-mjwx-w883", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2026-2391|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-75v8-2h7p-7m2m", "level": "note", "message": {"text": "formidable: GHSA-75v8-2h7p-7m2m"}, "properties": {"repobilityId": 85446, "scanner": "osv-scanner", "fingerprint": "c154d147a1d16521cc8f7ebe07fd6889842c03f230440b7b9c3df100fb77ebe1", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-46653"], "package": "formidable", "rule_id": "GHSA-75v8-2h7p-7m2m", "scanner": "osv-scanner", "correlation_key": "vuln|formidable|CVE-2025-46653|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-73rr-hh4g-fpgx", "level": "note", "message": {"text": "diff: GHSA-73rr-hh4g-fpgx"}, "properties": {"repobilityId": 85440, "scanner": "osv-scanner", "fingerprint": "8c668fba000790b63076d59a9979b7c2de72c5f84d365e64fc242ae039652734", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-24001"], "package": "diff", "rule_id": "GHSA-73rr-hh4g-fpgx", "scanner": "osv-scanner", "correlation_key": "vuln|diff|CVE-2026-24001|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-pxg6-pf52-xh8x", "level": "note", "message": {"text": "cookie: GHSA-pxg6-pf52-xh8x"}, "properties": {"repobilityId": 85439, "scanner": "osv-scanner", "fingerprint": "353decb9f04d1c421e622b52000e1e4d5e7fb4b271c2145ccbdb51a43491ec5e", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-47764"], "package": "cookie", "rule_id": "GHSA-pxg6-pf52-xh8x", "scanner": "osv-scanner", "correlation_key": "vuln|cookie|CVE-2024-47764|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v6h2-p8h4-qcjw", "level": "note", "message": {"text": "brace-expansion: GHSA-v6h2-p8h4-qcjw"}, "properties": {"repobilityId": 85436, "scanner": "osv-scanner", "fingerprint": "3e70f19011b58b157f75487899fec2e42cb88c0a653227b585f67c95414d291b", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-5889"], "package": "brace-expansion", "rule_id": "GHSA-v6h2-p8h4-qcjw", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2025-5889|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xhjh-pmcv-23jw", "level": "note", "message": {"text": "axios: GHSA-xhjh-pmcv-23jw"}, "properties": {"repobilityId": 85429, "scanner": "osv-scanner", "fingerprint": "6be00ad157bbc9b2b225b717d3ed5af2e9526a52710e94c6b7b717df98e680ae", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42040"], "package": "axios", "rule_id": "GHSA-xhjh-pmcv-23jw", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42040|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vpq2-c234-7xj6", "level": "note", "message": {"text": "@tootallnate/once: GHSA-vpq2-c234-7xj6"}, "properties": {"repobilityId": 85403, "scanner": "osv-scanner", "fingerprint": "573ec4a58862875e8ce61f54e2504d06b2ca4d339b9ec7540be71ab58ff09e02", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-3449"], "package": "@tootallnate/once", "rule_id": "GHSA-vpq2-c234-7xj6", "scanner": "osv-scanner", "correlation_key": "vuln|tootallnate/once|CVE-2026-3449|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 85370, "scanner": "repobility-threat-engine", "fingerprint": "b65d384dc97d935b891e1d7f102f5c3ee7a98dece2eff0e016443503052e08ad", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = d", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|65|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/defer-loader-test.ts"}, "region": {"startLine": 65}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `semver` is minor version(s) behind (^7.5.4 -> 7.8.2)"}, "properties": {"repobilityId": 85357, "scanner": "repobility-dependency-currency", "fingerprint": "853f13c3cc8bde166c25d3665f2b54fb43dacd4b05c0c418ee710b0c3f469887", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "semver", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.8.2", "correlation_key": "fp|853f13c3cc8bde166c25d3665f2b54fb43dacd4b05c0c418ee710b0c3f469887", "current_version": "^7.5.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `prettier` is minor version(s) behind (^3.6.2 -> 3.8.3)"}, "properties": {"repobilityId": 85353, "scanner": "repobility-dependency-currency", "fingerprint": "b2ea690645deb928407004357dceb7b0cca8cc34ea8ab4917abcfc5398b2ab0f", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "prettier", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.8.3", "correlation_key": "fp|b2ea690645deb928407004357dceb7b0cca8cc34ea8ab4917abcfc5398b2ab0f", "current_version": "^3.6.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `jsonfile` is minor version(s) behind (^6.1.0 -> 6.2.1)"}, "properties": {"repobilityId": 85352, "scanner": "repobility-dependency-currency", "fingerprint": "603c23e40fec90e3dd69b1cd547cc8640b6496d92317f2d456702c93e4221c81", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "jsonfile", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.2.1", "correlation_key": "fp|603c23e40fec90e3dd69b1cd547cc8640b6496d92317f2d456702c93e4221c81", "current_version": "^6.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `fast-glob` is minor version(s) behind (3.2.11 -> 3.3.3)"}, "properties": {"repobilityId": 85349, "scanner": "repobility-dependency-currency", "fingerprint": "a8219771fb64bf2e277f37e1986bc2873924830975fa7f2f37f51f5498ae8bcc", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "fast-glob", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.3.3", "correlation_key": "fp|a8219771fb64bf2e277f37e1986bc2873924830975fa7f2f37f51f5498ae8bcc", "current_version": "3.2.11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@types/react-test-renderer` is minor version(s) behind (^19.0.0 -> 19.1.0)"}, "properties": {"repobilityId": 85346, "scanner": "repobility-dependency-currency", "fingerprint": "3aeac408df8721a6f6eace5ab5943bded9326ef03dc0e43267bc7236d0d85ecd", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/react-test-renderer", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "19.1.0", "correlation_key": "fp|3aeac408df8721a6f6eace5ab5943bded9326ef03dc0e43267bc7236d0d85ecd", "current_version": "^19.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@eslint/compat` is minor version(s) behind (^2.0.3 -> 2.1.0)"}, "properties": {"repobilityId": 85341, "scanner": "repobility-dependency-currency", "fingerprint": "ffdec04325e211efc0237be1f6ea9f5af8e76857bf6167d8200e62960b534deb", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@eslint/compat", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.1.0", "correlation_key": "fp|ffdec04325e211efc0237be1f6ea9f5af8e76857bf6167d8200e62960b534deb", "current_version": "^2.0.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@babel/preset-typescript` is minor version(s) behind (^7.27.1 -> 7.29.7)"}, "properties": {"repobilityId": 85340, "scanner": "repobility-dependency-currency", "fingerprint": "28f3354054075a8aaf77cc8905ad6c350048b6f4e4a7ba4c40678fcb97f73e13", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@babel/preset-typescript", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.29.7", "correlation_key": "fp|28f3354054075a8aaf77cc8905ad6c350048b6f4e4a7ba4c40678fcb97f73e13", "current_version": "^7.27.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@babel/preset-react` is minor version(s) behind (^7.27.1 -> 7.29.7)"}, "properties": {"repobilityId": 85339, "scanner": "repobility-dependency-currency", "fingerprint": "0f37c0b55e175a9daa2024d15c6b0e9ecaf05c0eb83f0ae60b05a308260c8ddc", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@babel/preset-react", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.29.7", "correlation_key": "fp|0f37c0b55e175a9daa2024d15c6b0e9ecaf05c0eb83f0ae60b05a308260c8ddc", "current_version": "^7.27.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@babel/preset-env` is minor version(s) behind (^7.27.2 -> 7.29.7)"}, "properties": {"repobilityId": 85338, "scanner": "repobility-dependency-currency", "fingerprint": "ebe6a9789403b89a9bb4f3477bed9176018a7ddc15608a566dd9758caaf3a484", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@babel/preset-env", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.29.7", "correlation_key": "fp|ebe6a9789403b89a9bb4f3477bed9176018a7ddc15608a566dd9758caaf3a484", "current_version": "^7.27.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@babel/core` is minor version(s) behind (^7.27.7 -> 7.29.7)"}, "properties": {"repobilityId": 85337, "scanner": "repobility-dependency-currency", "fingerprint": "2bb9053dbad553465162341bfbb5db39d1fd0c3eb6a2ab3768c1f049756b7960", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@babel/core", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.29.7", "correlation_key": "fp|2bb9053dbad553465162341bfbb5db39d1fd0c3eb6a2ab3768c1f049756b7960", "current_version": "^7.27.7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85309, "scanner": "repobility-ai-code-hygiene", "fingerprint": "423c60177aed6a386bc4ec9b906fc7d1d95d88f0fc6b586ed976b19e93d44b35", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "integration/error-boundary-test.ts", "duplicate_line": 817, "correlation_key": "fp|423c60177aed6a386bc4ec9b906fc7d1d95d88f0fc6b586ed976b19e93d44b35"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/link-test.ts"}, "region": {"startLine": 101}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85308, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f1db337991f3c7f7d0eb02b76c2492076521548ea42767062c2303b6cc2f75eb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "integration/headers-test.ts", "duplicate_line": 23, "correlation_key": "fp|f1db337991f3c7f7d0eb02b76c2492076521548ea42767062c2303b6cc2f75eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/http-test.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85307, "scanner": "repobility-ai-code-hygiene", "fingerprint": "31ac42f5a15aac8c02cb965d98bb0d8e35407424c17086841c55e3c54452a82e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "integration/catch-boundary-test.ts", "duplicate_line": 33, "correlation_key": "fp|31ac42f5a15aac8c02cb965d98bb0d8e35407424c17086841c55e3c54452a82e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/http-test.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85306, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5fba8d53a2d9bce07dd03d383222589b9d8d623d027b7ae88cbc1b9e1ed7ed37", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "integration/error-boundary-test.ts", "duplicate_line": 437, "correlation_key": "fp|5fba8d53a2d9bce07dd03d383222589b9d8d623d027b7ae88cbc1b9e1ed7ed37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/http-test.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85305, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2139b871fb86e452a633ba8a36a4c679796ae7057c7109fdf544f5cd319f7688", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "integration/helpers/rsc-vite-framework/app/routes/_index.tsx", "duplicate_line": 1, "correlation_key": "fp|2139b871fb86e452a633ba8a36a4c679796ae7057c7109fdf544f5cd319f7688"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/helpers/vite-plugin-cloudflare-template/app/routes/_index.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85304, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ef80c167d1e0f04f0f53821e75c08177eb235aa549afba9c1bbf732ae6a59305", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "integration/helpers/rsc-vite-framework/app/root.tsx", "duplicate_line": 2, "correlation_key": "fp|ef80c167d1e0f04f0f53821e75c08177eb235aa549afba9c1bbf732ae6a59305"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/helpers/vite-plugin-cloudflare-template/app/root.tsx"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85303, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a40d1424c93a222765e75f25d760482f69c633f8f41a515a9293a5ca714171ae", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "integration/helpers/vite-5-template/app/root.tsx", "duplicate_line": 1, "correlation_key": "fp|a40d1424c93a222765e75f25d760482f69c633f8f41a515a9293a5ca714171ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/helpers/vite-plugin-cloudflare-template/app/root.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85302, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7f202245f6817c66e5fc1768ea30d0f95bf5441484a40ff2701a600f7fd9d7ae", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "integration/helpers/rsc-vite-framework/app/routes/_index.tsx", "duplicate_line": 1, "correlation_key": "fp|7f202245f6817c66e5fc1768ea30d0f95bf5441484a40ff2701a600f7fd9d7ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/helpers/vite-8-template/app/routes/_index.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85301, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d197e8c0cf2e57202ab84341dc5b9015c022b3816a0efab84eadd2dfaaff64e0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "integration/helpers/rsc-vite-framework/app/root.tsx", "duplicate_line": 2, "correlation_key": "fp|d197e8c0cf2e57202ab84341dc5b9015c022b3816a0efab84eadd2dfaaff64e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/helpers/vite-8-template/app/root.tsx"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85300, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c0311496dbe6aa19ce8b762bb7e86c973f2506fa9befecbc8f221f5b34bda7ea", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "integration/helpers/vite-5-template/app/root.tsx", "duplicate_line": 1, "correlation_key": "fp|c0311496dbe6aa19ce8b762bb7e86c973f2506fa9befecbc8f221f5b34bda7ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/helpers/vite-8-template/app/root.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85299, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ff93d14c1a68d5ba8903ce1ea638cd69d7e68c066da7d15c20f0037425559448", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "integration/helpers/rsc-vite-framework/app/routes/_index.tsx", "duplicate_line": 1, "correlation_key": "fp|ff93d14c1a68d5ba8903ce1ea638cd69d7e68c066da7d15c20f0037425559448"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/helpers/vite-7-beta-template/app/routes/_index.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85298, "scanner": "repobility-ai-code-hygiene", "fingerprint": "845a8f3e165d41fdf2115d867b71c47aa3d420aa674a66dd9d2996e9b3a439c4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "integration/helpers/rsc-vite-framework/app/root.tsx", "duplicate_line": 2, "correlation_key": "fp|845a8f3e165d41fdf2115d867b71c47aa3d420aa674a66dd9d2996e9b3a439c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/helpers/vite-7-beta-template/app/root.tsx"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85297, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4fde8b9f765027a3174509fa024f36b0b628f15ce8870f11e4f02ded4620d3a2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "integration/helpers/vite-5-template/app/root.tsx", "duplicate_line": 1, "correlation_key": "fp|4fde8b9f765027a3174509fa024f36b0b628f15ce8870f11e4f02ded4620d3a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/helpers/vite-7-beta-template/app/root.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85296, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3545fca2e05979d4e479ef49414cc056298c86bf4a4ddd8cd7f7bccdbc2f166c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "integration/helpers/rsc-vite-framework/app/routes/_index.tsx", "duplicate_line": 1, "correlation_key": "fp|3545fca2e05979d4e479ef49414cc056298c86bf4a4ddd8cd7f7bccdbc2f166c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/helpers/vite-6-template/app/routes/_index.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85295, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d9a860ddb8c4f41bb29987fd1671a009e42c3a0abfd3946a66e0169e029b7bda", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "integration/helpers/rsc-vite-framework/app/root.tsx", "duplicate_line": 2, "correlation_key": "fp|d9a860ddb8c4f41bb29987fd1671a009e42c3a0abfd3946a66e0169e029b7bda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/helpers/vite-6-template/app/root.tsx"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85294, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ac6baf55c35cae753edf41467c77a6a619e111e7daa742017e4787d7c5f1c451", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "integration/helpers/vite-5-template/app/root.tsx", "duplicate_line": 1, "correlation_key": "fp|ac6baf55c35cae753edf41467c77a6a619e111e7daa742017e4787d7c5f1c451"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/helpers/vite-6-template/app/root.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85293, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b46931e2e96cd52160fa0cef74722a875731b3fcaaf9de59e1fff79571b4e872", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "integration/helpers/rsc-vite-framework/app/routes/_index.tsx", "duplicate_line": 1, "correlation_key": "fp|b46931e2e96cd52160fa0cef74722a875731b3fcaaf9de59e1fff79571b4e872"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/helpers/vite-5-template/app/routes/_index.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85292, "scanner": "repobility-ai-code-hygiene", "fingerprint": "76ea372e9248ae6379ca7e320e7c897959ca928a5bcbfc17020997c8b6ff1f0e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "integration/helpers/rsc-vite-framework/app/root.tsx", "duplicate_line": 2, "correlation_key": "fp|76ea372e9248ae6379ca7e320e7c897959ca928a5bcbfc17020997c8b6ff1f0e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/helpers/vite-5-template/app/root.tsx"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85291, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5d2bdf9f690f6cc5be52f8f821fb0f541cdb64dce0d52e764e4038e390e5c9ae", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "integration/error-boundary-test.ts", "duplicate_line": 443, "correlation_key": "fp|5d2bdf9f690f6cc5be52f8f821fb0f541cdb64dce0d52e764e4038e390e5c9ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/headers-test.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85290, "scanner": "repobility-ai-code-hygiene", "fingerprint": "abb790a9ca8a92dea1df254b0ea6cc57b33d9a3bf17a05eaffab5d9b8e76e57a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "integration/catch-boundary-test.ts", "duplicate_line": 33, "correlation_key": "fp|abb790a9ca8a92dea1df254b0ea6cc57b33d9a3bf17a05eaffab5d9b8e76e57a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/headers-test.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85289, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9222bf7e1a4eb8c784c930a32eee9dc64139b1cd901c302757bd1c32210cbec8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "integration/catch-boundary-test.ts", "duplicate_line": 188, "correlation_key": "fp|9222bf7e1a4eb8c784c930a32eee9dc64139b1cd901c302757bd1c32210cbec8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/fs-routes-test.ts"}, "region": {"startLine": 109}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85288, "scanner": "repobility-ai-code-hygiene", "fingerprint": "270a94b3553d449c76637bcf76c458ec9394e5efffdee65479f7261214aec0b6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "integration/abort-signal-test.ts", "duplicate_line": 3, "correlation_key": "fp|270a94b3553d449c76637bcf76c458ec9394e5efffdee65479f7261214aec0b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/fetch-globals-test.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85287, "scanner": "repobility-ai-code-hygiene", "fingerprint": "78fd5c21dd515b1c19ecc408b44e1991413b5970d2458859cf90b20fd7f82c36", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "integration/error-boundary-v2-test.ts", "duplicate_line": 25, "correlation_key": "fp|78fd5c21dd515b1c19ecc408b44e1991413b5970d2458859cf90b20fd7f82c36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/error-sanitization-test.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85286, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7b8ecae56e3dd3974b160e2e3e22a1a3badfc915879240074a994d889db7e893", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "integration/error-boundary-test.ts", "duplicate_line": 41, "correlation_key": "fp|7b8ecae56e3dd3974b160e2e3e22a1a3badfc915879240074a994d889db7e893"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/error-sanitization-test.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85285, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d13aa6efba04d2449abcb016fec3d529bea7673745a2a034a161aec9431a8f3b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "integration/catch-boundary-test.ts", "duplicate_line": 33, "correlation_key": "fp|d13aa6efba04d2449abcb016fec3d529bea7673745a2a034a161aec9431a8f3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/error-data-request-test.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85284, "scanner": "repobility-ai-code-hygiene", "fingerprint": "312ae0427203b3c8347757dbccb38bd4775d88c618ef4c16c27cc36904adecad", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "integration/error-boundary-test.ts", "duplicate_line": 436, "correlation_key": "fp|312ae0427203b3c8347757dbccb38bd4775d88c618ef4c16c27cc36904adecad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/error-data-request-test.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85283, "scanner": "repobility-ai-code-hygiene", "fingerprint": "92452c276918da6871c2fc196111d511f626e7cdfc7ab94d8aed97e1bb68f6ab", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "integration/error-boundary-test.ts", "duplicate_line": 1, "correlation_key": "fp|92452c276918da6871c2fc196111d511f626e7cdfc7ab94d8aed97e1bb68f6ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/error-boundary-v2-test.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85282, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3fe915d14247a8a760da981e5da3a6454f2ecdbab8c3c384b27216755fbaf10d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "integration/catch-boundary-test.ts", "duplicate_line": 93, "correlation_key": "fp|3fe915d14247a8a760da981e5da3a6454f2ecdbab8c3c384b27216755fbaf10d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/error-boundary-test.ts"}, "region": {"startLine": 118}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85281, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dfe90849dbcb1e64f1284d6d4456ddf60cc2ac0985beb222283ef1efbcb0eba8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "integration/action-test.ts", "duplicate_line": 100, "correlation_key": "fp|dfe90849dbcb1e64f1284d6d4456ddf60cc2ac0985beb222283ef1efbcb0eba8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/deduped-route-modules-test.ts"}, "region": {"startLine": 160}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85280, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3dbcd60b2921920c39572b49703184f0732f1495948dbe80be0052974813b074", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "integration/abort-signal-test.ts", "duplicate_line": 2, "correlation_key": "fp|3dbcd60b2921920c39572b49703184f0732f1495948dbe80be0052974813b074"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/custom-entry-server-test.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 85399, "scanner": "repobility-threat-engine", "fingerprint": "67dce942c2a7c3d77ef3e00474be728a4481d6aa47f4e49b54d0f299c73090ea", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Environment variable or config lookup (credentials loaded safely)", "evidence": {"match": "console.error(\"GITHUB_TOKEN environment variable is required\")", "reason": "Environment variable or config lookup (credentials loaded safely)", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|scripts/changes/pr.ts|9|console.error github_token environment variable is required"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/changes/pr.ts"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 85398, "scanner": "repobility-threat-engine", "fingerprint": "2e91b21baa98f8ac6244eafb062bc78b03b960276c5f88349cc9f974b159f659", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2e91b21baa98f8ac6244eafb062bc78b03b960276c5f88349cc9f974b159f659"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-router-serve/cli.ts"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 85397, "scanner": "repobility-threat-engine", "fingerprint": "ec127925ed4be0ace016ebee2ba3c450ece26e34d8787bba0d301e8483aa3c22", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ec127925ed4be0ace016ebee2ba3c450ece26e34d8787bba0d301e8483aa3c22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-router-dev/vite/static/rsc-refresh-utils.mjs"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 85396, "scanner": "repobility-threat-engine", "fingerprint": "11068240a49550766206149965ac5dd1ced9b8a29503bce9c2a3c760bd3fc865", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|11068240a49550766206149965ac5dd1ced9b8a29503bce9c2a3c760bd3fc865"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-router-dev/vite/static/refresh-utils.mjs"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 85391, "scanner": "repobility-threat-engine", "fingerprint": "0b1e93b4ecb8a2e74beb9ff42515c4595420c89ad859f2e7bff198d61f3c3772", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0b1e93b4ecb8a2e74beb9ff42515c4595420c89ad859f2e7bff198d61f3c3772"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-router-dev/config/routes.ts"}, "region": {"startLine": 330}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 85390, "scanner": "repobility-threat-engine", "fingerprint": "b017d86c505a7ac9f66f6e90c7856f2c7c0d5ca835003414507c6cd4d3466c9c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b017d86c505a7ac9f66f6e90c7856f2c7c0d5ca835003414507c6cd4d3466c9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-router-dev/cli/run.ts"}, "region": {"startLine": 152}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 85389, "scanner": "repobility-threat-engine", "fingerprint": "90cbcb67c061881e89a844925f94c692d9e65745448d3ee2ed705ba9cfc1fce2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|90cbcb67c061881e89a844925f94c692d9e65745448d3ee2ed705ba9cfc1fce2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/create-react-router/prompt.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 85388, "scanner": "repobility-threat-engine", "fingerprint": "08fcef63e2adf4be02d2015714c1535b0e7edb9977c367f9bbcdf28d36188fa9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|08fcef63e2adf4be02d2015714c1535b0e7edb9977c367f9bbcdf28d36188fa9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/vite-preview-test.ts"}, "region": {"startLine": 197}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 85387, "scanner": "repobility-threat-engine", "fingerprint": "8a77ffb0a8fcdda223aabe32cdaf0e5bdc6cae13db4c9684d2f2d4932a1285a8", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8a77ffb0a8fcdda223aabe32cdaf0e5bdc6cae13db4c9684d2f2d4932a1285a8"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 85381, "scanner": "repobility-threat-engine", "fingerprint": "cd6259dea271f22c4a92cec5e1f348d2448cee14ffb575003568ca86cf3cd1df", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|cd6259dea271f22c4a92cec5e1f348d2448cee14ffb575003568ca86cf3cd1df", "aggregated_count": 9}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 85380, "scanner": "repobility-threat-engine", "fingerprint": "697b2c8127f03a80e74dc48b98446c0a927d42c9b58942ef77e430ddbcd410ca", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|697b2c8127f03a80e74dc48b98446c0a927d42c9b58942ef77e430ddbcd410ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/create-react-router/prompt.ts"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 85379, "scanner": "repobility-threat-engine", "fingerprint": "3e47f20bcab1e1607cfe66d849b3f51aa823fa621ba95c221b0f444fdf08b29d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3e47f20bcab1e1607cfe66d849b3f51aa823fa621ba95c221b0f444fdf08b29d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/helpers/playwright-fixture.ts"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 85378, "scanner": "repobility-threat-engine", "fingerprint": "1bf701cacac222bcc1498fef5e791672a5d0299a5391e6892278d44f840fa650", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1bf701cacac222bcc1498fef5e791672a5d0299a5391e6892278d44f840fa650"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/helpers/fixtures.ts"}, "region": {"startLine": 108}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "properties": {"repobilityId": 85374, "scanner": "repobility-threat-engine", "fingerprint": "99679f8a19e1cf6e4d7b0df33fcfd9753550cbcead7e998d91515db6f54a6ad0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 16 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|99679f8a19e1cf6e4d7b0df33fcfd9753550cbcead7e998d91515db6f54a6ad0", "aggregated_count": 16}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 85373, "scanner": "repobility-threat-engine", "fingerprint": "6777ceeb7f4c9ab44f69500f6f027d99c95d473b282cd277ac684ecc9805d2df", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6777ceeb7f4c9ab44f69500f6f027d99c95d473b282cd277ac684ecc9805d2df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/route-config-test.ts"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 85372, "scanner": "repobility-threat-engine", "fingerprint": "26216d43e64ae6e75c683c4977136b0db161e2a45fb22ecccb3b18d944541fde", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|26216d43e64ae6e75c683c4977136b0db161e2a45fb22ecccb3b18d944541fde"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/helpers/playwright-fixture.ts"}, "region": {"startLine": 290}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 85371, "scanner": "repobility-threat-engine", "fingerprint": "da564573f023ad33f7690490b6b251d4efd21d8959269031d61dd40578acf2d8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|da564573f023ad33f7690490b6b251d4efd21d8959269031d61dd40578acf2d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/error-data-request-test.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 62 more): Same pattern found in 62 additional files. Review if needed."}, "properties": {"repobilityId": 85369, "scanner": "repobility-threat-engine", "fingerprint": "a30ea3834947d7fc691d6a8bc573c67bea100ae1670936155c8084c5dcbf2aea", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 62 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a30ea3834947d7fc691d6a8bc573c67bea100ae1670936155c8084c5dcbf2aea", "aggregated_count": 62}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 85368, "scanner": "repobility-threat-engine", "fingerprint": "5f3c82c430704db26d1351eb8aa2a4b27e162012f9e543f68f1a7402929052b2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5f3c82c430704db26d1351eb8aa2a4b27e162012f9e543f68f1a7402929052b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/helpers/cloudflare-dev-proxy-template/app/entry.server.tsx"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 85367, "scanner": "repobility-threat-engine", "fingerprint": "674b3e6813c5ded0a851937babcff3e65c6bcaae291c73bd141af2028274b6b7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|674b3e6813c5ded0a851937babcff3e65c6bcaae291c73bd141af2028274b6b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/helpers/cleanup.mjs"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 85366, "scanner": "repobility-threat-engine", "fingerprint": "e4fa16fe4c666586bb75e4918fcff3a44c257392822ed50392af9c4c1ad394c1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e4fa16fe4c666586bb75e4918fcff3a44c257392822ed50392af9c4c1ad394c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/browser-entry-test.ts"}, "region": {"startLine": 151}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "properties": {"repobilityId": 85365, "scanner": "repobility-threat-engine", "fingerprint": "67207f5a6f091578506eace9ca6ffadd0a3f381d921b44ecf0b5e41c235e25c5", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|67207f5a6f091578506eace9ca6ffadd0a3f381d921b44ecf0b5e41c235e25c5"}}}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `typedoc` is patch version(s) behind (^0.28.7 -> 0.28.19)"}, "properties": {"repobilityId": 85358, "scanner": "repobility-dependency-currency", "fingerprint": "8f4e9063803007218daeeccebf943ca80bd92810d48578b933a740931e6163d1", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "typedoc", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.28.19", "correlation_key": "fp|8f4e9063803007218daeeccebf943ca80bd92810d48578b933a740931e6163d1", "current_version": "^0.28.7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `isbot` is patch version(s) behind (^5.1.11 -> 5.1.40)"}, "properties": {"repobilityId": 85350, "scanner": "repobility-dependency-currency", "fingerprint": "7b23d3036a80387d9f1e4aa08fcaaa9163ca8f5c28ab7a88442f6faa9b646208", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "isbot", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.1.40", "correlation_key": "fp|7b23d3036a80387d9f1e4aa08fcaaa9163ca8f5c28ab7a88442f6faa9b646208", "current_version": "^5.1.11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `eslint-plugin-jest` is patch version(s) behind (^29.15.0 -> 29.15.2)"}, "properties": {"repobilityId": 85348, "scanner": "repobility-dependency-currency", "fingerprint": "29d913d3bf7ae4bf0029fe5ea92df8985c68bfca8c3ad00c7e11c4a74bb29c6f", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "eslint-plugin-jest", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "29.15.2", "correlation_key": "fp|29d913d3bf7ae4bf0029fe5ea92df8985c68bfca8c3ad00c7e11c4a74bb29c6f", "current_version": "^29.15.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@mdx-js/rollup` is patch version(s) behind (^3.1.0 -> 3.1.1)"}, "properties": {"repobilityId": 85343, "scanner": "repobility-dependency-currency", "fingerprint": "369ce6cd6db666d4ddffc98f218d4ba811f88b11d880080e3a173136dd5cdd18", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@mdx-js/rollup", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.1.1", "correlation_key": "fp|369ce6cd6db666d4ddffc98f218d4ba811f88b11d880080e3a173136dd5cdd18", "current_version": "^3.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v2wj-q39q-566r", "level": "error", "message": {"text": "vite: GHSA-v2wj-q39q-566r"}, "properties": {"repobilityId": 85499, "scanner": "osv-scanner", "fingerprint": "68a0844d20f136d615ab0960bcb9f017c7f8e1b97ee41d092d4cde292e2641fe", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39364"], "package": "vite", "rule_id": "GHSA-v2wj-q39q-566r", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2026-39364|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-p9ff-h696-f583", "level": "error", "message": {"text": "vite: GHSA-p9ff-h696-f583"}, "properties": {"repobilityId": 85498, "scanner": "osv-scanner", "fingerprint": "e4e3f54a4dc9146916e0304c9d50318b9ef24b5c1473da2baafc759d95054cac", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39363"], "package": "vite", "rule_id": "GHSA-p9ff-h696-f583", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2026-39363|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c27g-q93r-2cwf", "level": "error", "message": {"text": "vite: GHSA-c27g-q93r-2cwf"}, "properties": {"repobilityId": 85492, "scanner": "osv-scanner", "fingerprint": "19ed0c1284c57072e58b5aab1edaebfeae8ee310a08b4906d100355101d1e056", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-52011"], "package": "vite", "rule_id": "GHSA-c27g-q93r-2cwf", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2024-52011|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f269-vfmq-vjvj", "level": "error", "message": {"text": "undici: GHSA-f269-vfmq-vjvj"}, "properties": {"repobilityId": 85481, "scanner": "osv-scanner", "fingerprint": "943a2365e88418ce5122e30724dd08e18033bf6ef4e016cb3bc7e05e998b46bf", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-1528"], "package": "undici", "rule_id": "GHSA-f269-vfmq-vjvj", "scanner": "osv-scanner", "correlation_key": "vuln|undici|CVE-2026-1528|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vrm6-8vpv-qv8q", "level": "error", "message": {"text": "undici: GHSA-vrm6-8vpv-qv8q"}, "properties": {"repobilityId": 85479, "scanner": "osv-scanner", "fingerprint": "c37ac9a11b75eab8367403efcb9dec6a75ce8df6e9fdc49ad7043ccc2438ed6d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-1526"], "package": "undici", "rule_id": "GHSA-vrm6-8vpv-qv8q", "scanner": "osv-scanner", "correlation_key": "vuln|undici|CVE-2026-1526|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v9p9-hfj2-hcw8", "level": "error", "message": {"text": "undici: GHSA-v9p9-hfj2-hcw8"}, "properties": {"repobilityId": 85478, "scanner": "osv-scanner", "fingerprint": "5fc7025df7e18a64b471bcd54c54cc98548e3ccc90563b6c7730d159bcc47e26", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2229"], "package": "undici", "rule_id": "GHSA-v9p9-hfj2-hcw8", "scanner": "osv-scanner", "correlation_key": "vuln|undici|CVE-2026-2229|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vj76-c3g6-qr5v", "level": "error", "message": {"text": "tar-fs: GHSA-vj76-c3g6-qr5v"}, "properties": {"repobilityId": 85473, "scanner": "osv-scanner", "fingerprint": "a908968c3376c9dbf88e9849fc6469b496b10375689119e420833f0feea7a41e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-59343"], "package": "tar-fs", "rule_id": "GHSA-vj76-c3g6-qr5v", "scanner": "osv-scanner", "correlation_key": "vuln|tar-fs|CVE-2025-59343|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5c6j-r48x-rmvq", "level": "error", "message": {"text": "serialize-javascript: GHSA-5c6j-r48x-rmvq"}, "properties": {"repobilityId": 85470, "scanner": "osv-scanner", "fingerprint": "de4935b665c57173b6330e6fb3d06a59e8b21f8a73cc30ee4bd8c133ec29eb0f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "serialize-javascript", "rule_id": "GHSA-5c6j-r48x-rmvq", "scanner": "osv-scanner", "correlation_key": "vuln|serialize-javascript|GHSA-5C6J-R48X-RMVQ|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mw96-cpmx-2vgc", "level": "error", "message": {"text": "rollup: GHSA-mw96-cpmx-2vgc"}, "properties": {"repobilityId": 85469, "scanner": "osv-scanner", "fingerprint": "0425e8b734fe5759a8789ed8ef46f76963f44ca5145876702e82443bdd19a5ab", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27606"], "package": "rollup", "rule_id": "GHSA-mw96-cpmx-2vgc", "scanner": "osv-scanner", "correlation_key": "vuln|rollup|CVE-2026-27606|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rv78-f8rc-xrxh", "level": "error", "message": {"text": "react-server-dom-webpack: GHSA-rv78-f8rc-xrxh"}, "properties": {"repobilityId": 85468, "scanner": "osv-scanner", "fingerprint": "d82818f3255ba598a357f000945268b15f751ec602228112627fb5eb442f77be", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-23870"], "package": "react-server-dom-webpack", "rule_id": "GHSA-rv78-f8rc-xrxh", "scanner": "osv-scanner", "correlation_key": "vuln|react-server-dom-webpack|CVE-2026-23870|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-83fc-fqcc-2hmg", "level": "error", "message": {"text": "react-server-dom-webpack: GHSA-83fc-fqcc-2hmg"}, "properties": {"repobilityId": 85467, "scanner": "osv-scanner", "fingerprint": "d12c4f04042d9237917bd00fa165ceae04fa85e9d6f15fa8e4574bb47c73ceb6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-23864"], "package": "react-server-dom-webpack", "rule_id": "GHSA-83fc-fqcc-2hmg", "scanner": "osv-scanner", "correlation_key": "vuln|react-server-dom-webpack|CVE-2026-23864|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-479c-33wc-g2pg", "level": "error", "message": {"text": "react-server-dom-webpack: GHSA-479c-33wc-g2pg"}, "properties": {"repobilityId": 85466, "scanner": "osv-scanner", "fingerprint": "d3c0956869fc8c216e0d86d6beb6d05dd83f7b16b3379e26dde8d9b6c7e4b121", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-23869"], "package": "react-server-dom-webpack", "rule_id": "GHSA-479c-33wc-g2pg", "scanner": "osv-scanner", "correlation_key": "vuln|react-server-dom-webpack|CVE-2026-23869|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c2c7-rcm5-vvqj", "level": "error", "message": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "properties": {"repobilityId": 85461, "scanner": "osv-scanner", "fingerprint": "a3dd2390244022d96de63689cdd673fb906d1165f495d6a42a0980e956db632d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33671"], "package": "picomatch", "rule_id": "GHSA-c2c7-rcm5-vvqj", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33671|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-37ch-88jc-xwx2", "level": "error", "message": {"text": "path-to-regexp: GHSA-37ch-88jc-xwx2"}, "properties": {"repobilityId": 85459, "scanner": "osv-scanner", "fingerprint": "5f84f52bbcd46db66c79dfd59714ac90c668d089fbb31ecd1c685bce826e6c9c", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4867"], "package": "path-to-regexp", "rule_id": "GHSA-37ch-88jc-xwx2", "scanner": "osv-scanner", "correlation_key": "vuln|path-to-regexp|CVE-2026-4867|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7r86-cg39-jmmj", "level": "error", "message": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "properties": {"repobilityId": 85458, "scanner": "osv-scanner", "fingerprint": "c3482c8b051b710219b686b962c8edfcc83babb0e1e54a2b470ae7782dd0b574", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27903"], "package": "minimatch", "rule_id": "GHSA-7r86-cg39-jmmj", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27903|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3ppc-4f35-3m26", "level": "error", "message": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "properties": {"repobilityId": 85457, "scanner": "osv-scanner", "fingerprint": "2fd5e24a94dfd2116cfc5d9aeb4e4f584669c9b76d1795010331a7b69b3682a6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-26996"], "package": "minimatch", "rule_id": "GHSA-3ppc-4f35-3m26", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-26996|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-23c5-xmqv-rm74", "level": "error", "message": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "properties": {"repobilityId": 85456, "scanner": "osv-scanner", "fingerprint": "af7663e4c51288986bfb4927d06e33aa650fed364bb14d31804c3d4da5638193", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27904"], "package": "minimatch", "rule_id": "GHSA-23c5-xmqv-rm74", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27904|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r5fr-rjxr-66jc", "level": "error", "message": {"text": "lodash: GHSA-r5fr-rjxr-66jc"}, "properties": {"repobilityId": 85451, "scanner": "osv-scanner", "fingerprint": "853deeac541f0dc49600a5a4216f851e15bffd93ce8be267a82d13637ceb9e7d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4800"], "package": "lodash", "rule_id": "GHSA-r5fr-rjxr-66jc", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2026-4800|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5j98-mcp5-4vw2", "level": "error", "message": {"text": "glob: GHSA-5j98-mcp5-4vw2"}, "properties": {"repobilityId": 85447, "scanner": "osv-scanner", "fingerprint": "eb4e2489dccfcd558471ee06a12a3834967a0dcf3de2afa6a148d01c6659b4de", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-64756"], "package": "glob", "rule_id": "GHSA-5j98-mcp5-4vw2", "scanner": "osv-scanner", "correlation_key": "vuln|glob|CVE-2025-64756|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v39h-62p7-jpjc", "level": "error", "message": {"text": "fast-uri: GHSA-v39h-62p7-jpjc"}, "properties": {"repobilityId": 85443, "scanner": "osv-scanner", "fingerprint": "757ca37fe4ebddf5cdaa5c162265d6a31d93aef1fb513c46093294c58d5112ab", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-6322"], "package": "fast-uri", "rule_id": "GHSA-v39h-62p7-jpjc", "scanner": "osv-scanner", "correlation_key": "vuln|fast-uri|CVE-2026-6322|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q3j6-qgpj-74h6", "level": "error", "message": {"text": "fast-uri: GHSA-q3j6-qgpj-74h6"}, "properties": {"repobilityId": 85442, "scanner": "osv-scanner", "fingerprint": "25bb35258c39d7fb16dad079b84e7a9b4b5253e8dee49c1760d88494d1e449a6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-6321"], "package": "fast-uri", "rule_id": "GHSA-q3j6-qgpj-74h6", "scanner": "osv-scanner", "correlation_key": "vuln|fast-uri|CVE-2026-6321|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-grv7-fg5c-xmjg", "level": "error", "message": {"text": "braces: GHSA-grv7-fg5c-xmjg"}, "properties": {"repobilityId": 85438, "scanner": "osv-scanner", "fingerprint": "abfdfa570af43e4c9f171497321ff580a36bf3a48736f26d797091e842851248", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-4068"], "package": "braces", "rule_id": "GHSA-grv7-fg5c-xmjg", "scanner": "osv-scanner", "correlation_key": "vuln|braces|CVE-2024-4068|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rpmf-866q-6p89", "level": "error", "message": {"text": "basic-ftp: GHSA-rpmf-866q-6p89"}, "properties": {"repobilityId": 85434, "scanner": "osv-scanner", "fingerprint": "00d54780ae1aadca9668e0b09ab830929b7233a8631253574acc8966ea91ba6c", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44240"], "package": "basic-ftp", "rule_id": "GHSA-rpmf-866q-6p89", "scanner": "osv-scanner", "correlation_key": "vuln|basic-ftp|CVE-2026-44240|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rp42-5vxx-qpwr", "level": "error", "message": {"text": "basic-ftp: GHSA-rp42-5vxx-qpwr"}, "properties": {"repobilityId": 85433, "scanner": "osv-scanner", "fingerprint": "8c15d25540a56104043e4c51e051c88465b6075807dc6df7f189ece6d69e1c69", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41324"], "package": "basic-ftp", "rule_id": "GHSA-rp42-5vxx-qpwr", "scanner": "osv-scanner", "correlation_key": "vuln|basic-ftp|CVE-2026-41324|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6v7q-wjvx-w8wg", "level": "error", "message": {"text": "basic-ftp: GHSA-6v7q-wjvx-w8wg"}, "properties": {"repobilityId": 85432, "scanner": "osv-scanner", "fingerprint": "b4b18580b828a1b31a17e15abdc4bb1d8ebbe6472a753cbf11c8bf3416888589", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "basic-ftp", "rule_id": "GHSA-6v7q-wjvx-w8wg", "scanner": "osv-scanner", "correlation_key": "vuln|basic-ftp|GHSA-6V7Q-WJVX-W8WG|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q8qp-cvcw-x6jj", "level": "error", "message": {"text": "axios: GHSA-q8qp-cvcw-x6jj"}, "properties": {"repobilityId": 85426, "scanner": "osv-scanner", "fingerprint": "e05a9e20e8e6eac42a55f04c532fd02a6164709526de53afe458a59b40df2c90", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42264"], "package": "axios", "rule_id": "GHSA-q8qp-cvcw-x6jj", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42264|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-pf86-5x62-jrwf", "level": "error", "message": {"text": "axios: GHSA-pf86-5x62-jrwf"}, "properties": {"repobilityId": 85425, "scanner": "osv-scanner", "fingerprint": "80cc3a6505b01b10a7b20169a3af0abed41a5dbf0b37fd0788b1584ea84ece88", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42033"], "package": "axios", "rule_id": "GHSA-pf86-5x62-jrwf", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42033|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-p92q-9vqr-4j8v", "level": "error", "message": {"text": "axios: GHSA-p92q-9vqr-4j8v"}, "properties": {"repobilityId": 85424, "scanner": "osv-scanner", "fingerprint": "58a2c93366db904dce2b18529ec6438c7b6662276cc08ba366c9dbb8da75998b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44487"], "package": "axios", "rule_id": "GHSA-p92q-9vqr-4j8v", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44487|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jr5f-v2jv-69x6", "level": "error", "message": {"text": "axios: GHSA-jr5f-v2jv-69x6"}, "properties": {"repobilityId": 85422, "scanner": "osv-scanner", "fingerprint": "6129c4a95db8486cc6fc2b2582090d3af3a48aede50abdf40e38aaf1557159bd", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-27152"], "package": "axios", "rule_id": "GHSA-jr5f-v2jv-69x6", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2025-27152|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-j5f8-grm9-p9fc", "level": "error", "message": {"text": "axios: GHSA-j5f8-grm9-p9fc"}, "properties": {"repobilityId": 85421, "scanner": "osv-scanner", "fingerprint": "76ef31d5e50af68a7b227abfb2969b95e29d545c8843b19cec014bc5f21366cb", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44486"], "package": "axios", "rule_id": "GHSA-j5f8-grm9-p9fc", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44486|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-hfxv-24rg-xrqf", "level": "error", "message": {"text": "axios: GHSA-hfxv-24rg-xrqf"}, "properties": {"repobilityId": 85420, "scanner": "osv-scanner", "fingerprint": "6b85258045487c1d7389ae9ef1e56cf0f588da1a6ae1c36173921999af94f33a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44496"], "package": "axios", "rule_id": "GHSA-hfxv-24rg-xrqf", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44496|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8hc4-vh64-cxmj", "level": "error", "message": {"text": "axios: GHSA-8hc4-vh64-cxmj"}, "properties": {"repobilityId": 85418, "scanner": "osv-scanner", "fingerprint": "d32f5e9e09fb778012085083f181f3f22cfa815743f99224054a760f6e9c05af", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-39338"], "package": "axios", "rule_id": "GHSA-8hc4-vh64-cxmj", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2024-39338|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6chq-wfr3-2hj9", "level": "error", "message": {"text": "axios: GHSA-6chq-wfr3-2hj9"}, "properties": {"repobilityId": 85416, "scanner": "osv-scanner", "fingerprint": "a2ff534710c7748202e16ff4c644afa1a0780f71b6984c137866443fb777192d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42035"], "package": "axios", "rule_id": "GHSA-6chq-wfr3-2hj9", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42035|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4hjh-wcwx-xvwj", "level": "error", "message": {"text": "axios: GHSA-4hjh-wcwx-xvwj"}, "properties": {"repobilityId": 85413, "scanner": "osv-scanner", "fingerprint": "b848eb4420f70c84abfe846c726824680d9c2cc077d65cfff22188b1b3f2c3d2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-58754"], "package": "axios", "rule_id": "GHSA-4hjh-wcwx-xvwj", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2025-58754|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-43fc-jf86-j433", "level": "error", "message": {"text": "axios: GHSA-43fc-jf86-j433"}, "properties": {"repobilityId": 85411, "scanner": "osv-scanner", "fingerprint": "67eab8d8cf44a381841f25497ae4dba00460ae58a64f57d011c8ddfe5574943f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-25639"], "package": "axios", "rule_id": "GHSA-43fc-jf86-j433", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-25639|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-pjwm-pj3p-43mv", "level": "error", "message": {"text": "axios: GHSA-pjwm-pj3p-43mv"}, "properties": {"repobilityId": 85409, "scanner": "osv-scanner", "fingerprint": "b0f13c06fcb4459b7e3bff6ca566d21e96a17387f899e7c35ee73a66e3445940", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-44492"], "package": "axios", "rule_id": "GHSA-pjwm-pj3p-43mv", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2025-62718|pnpm-lock.yaml", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-3p68-rc4w-qgx5", "GHSA-pjwm-pj3p-43mv", "GHSA-pmwg-cvhr-8vh7"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["4c465cf2235c9a91f67655de1f6a3cdcfe016f171dc192cb23e28bba41849dff", "a93c1a48543b96add25e86d18736baffb14dcb99b4f5fce4aa23d272e3996c64", "b0f13c06fcb4459b7e3bff6ca566d21e96a17387f899e7c35ee73a66e3445940"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3g43-6gmg-66jw", "level": "error", "message": {"text": "axios: GHSA-3g43-6gmg-66jw"}, "properties": {"repobilityId": 85408, "scanner": "osv-scanner", "fingerprint": "8e5f0874d25fffdec28985b4279fea4684b3d0ca634170ac15c603b6d73f0b9e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44495"], "package": "axios", "rule_id": "GHSA-3g43-6gmg-66jw", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44495|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-35jp-ww65-95wh", "level": "error", "message": {"text": "axios: GHSA-35jp-ww65-95wh"}, "properties": {"repobilityId": 85407, "scanner": "osv-scanner", "fingerprint": "519904d3f3573867e4ae00885ba2aa2c8be1c2653e958ef884dbbca2450d6316", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44494"], "package": "axios", "rule_id": "GHSA-35jp-ww65-95wh", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44494|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w94c-4vhp-22gx", "level": "error", "message": {"text": "@vitejs/plugin-rsc: GHSA-w94c-4vhp-22gx"}, "properties": {"repobilityId": 85405, "scanner": "osv-scanner", "fingerprint": "06bfbf5063cd221404cb501d0f6661ab9c8eb5f056373ec8ab652eeb04d7b6e2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "@vitejs/plugin-rsc", "rule_id": "GHSA-w94c-4vhp-22gx", "scanner": "osv-scanner", "correlation_key": "vuln|vitejs/plugin-rsc|GHSA-W94C-4VHP-22GX|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v457-wxvj-p9w9", "level": "error", "message": {"text": "@vitejs/plugin-rsc: GHSA-v457-wxvj-p9w9"}, "properties": {"repobilityId": 85404, "scanner": "osv-scanner", "fingerprint": "506dc0d89ddbff2510d7ed567f0365621657e0a3bb9268a89d4895694350c9b6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "@vitejs/plugin-rsc", "rule_id": "GHSA-v457-wxvj-p9w9", "scanner": "osv-scanner", "correlation_key": "vuln|vitejs/plugin-rsc|GHSA-V457-WXVJ-P9W9|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-fv7c-fp4j-7gwp", "level": "error", "message": {"text": "@babel/plugin-transform-modules-systemjs: GHSA-fv7c-fp4j-7gwp"}, "properties": {"repobilityId": 85401, "scanner": "osv-scanner", "fingerprint": "3d3773bb1af5a0c0e60d23b512f02a6252315be1cd87814fbe02b27ce5eea5ee", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44728"], "package": "@babel/plugin-transform-modules-systemjs", "rule_id": "GHSA-fv7c-fp4j-7gwp", "scanner": "osv-scanner", "correlation_key": "vuln|token|CVE-2026-44728|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 85400, "scanner": "repobility-threat-engine", "fingerprint": "bd451961b645b3a50352a52dbcd94f835c1932a1fc659e238475edd80eb2c376", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "execSync(command", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bd451961b645b3a50352a52dbcd94f835c1932a1fc659e238475edd80eb2c376"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/utils/process.ts"}, "region": {"startLine": 41}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 85395, "scanner": "repobility-threat-engine", "fingerprint": "7c11aafa5b8a5b474b8d6e34e2015cf743abfbb8cc2da9989d985b48db399783", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(pattern", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7c11aafa5b8a5b474b8d6e34e2015cf743abfbb8cc2da9989d985b48db399783"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/create-react-router/utils.ts"}, "region": {"startLine": 184}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 85386, "scanner": "repobility-threat-engine", "fingerprint": "9585afa1bd517a6fa435f19ffcc47055a47fd30a4120d83369532ae79d1b7349", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "writable.destroy(error as Error);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9585afa1bd517a6fa435f19ffcc47055a47fd30a4120d83369532ae79d1b7349"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-router-node/stream.ts"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 85385, "scanner": "repobility-threat-engine", "fingerprint": "f48d2bfb4e5764bd9051c78cd7ae5111486b36b5efab2a9408066fd668cb157e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "nodeResponse.headers.delete(\"Set-Cookie\");", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f48d2bfb4e5764bd9051c78cd7ae5111486b36b5efab2a9408066fd668cb157e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-router-architect/server.ts"}, "region": {"startLine": 119}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 85384, "scanner": "repobility-threat-engine", "fingerprint": "81b8967db60eb0f01c6032bc7d5ed819eeb193f1418d18324cea7720f4e37559", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "pending.delete(request);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|81b8967db60eb0f01c6032bc7d5ed819eeb193f1418d18324cea7720f4e37559"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/helpers/playwright-fixture.ts"}, "region": {"startLine": 324}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 85377, "scanner": "repobility-threat-engine", "fingerprint": "1f4c4f2e8d72798496cba360df7983595874cfbbfded3dddcd2c7a0bca4281b3", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((line) => `    ${line}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1f4c4f2e8d72798496cba360df7983595874cfbbfded3dddcd2c7a0bca4281b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/changes/version.ts"}, "region": {"startLine": 161}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 85376, "scanner": "repobility-threat-engine", "fingerprint": "1bec0806736b861d106ec6eef9a8155a3b31f251011f089ae8c812681ab06a03", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(\n              ([path, message]) => `Path: routes.${path}\\n${message}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1bec0806736b861d106ec6eef9a8155a3b31f251011f089ae8c812681ab06a03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-router-dev/config/routes.ts"}, "region": {"startLine": 170}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 85375, "scanner": "repobility-threat-engine", "fingerprint": "f728765d808b7394dbd987be5b5f8469773bfe9df97d2a030680ee672137bafc", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((e, i) => `${i + 1}. ${e.message}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f728765d808b7394dbd987be5b5f8469773bfe9df97d2a030680ee672137bafc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/helpers/fixtures.ts"}, "region": {"startLine": 131}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 85364, "scanner": "repobility-threat-engine", "fingerprint": "ec9b11a18d82f034eb9f291861d1747b96774080313573cf3369e1699975c6ee", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ec9b11a18d82f034eb9f291861d1747b96774080313573cf3369e1699975c6ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/error-boundary-v2-test.ts"}, "region": {"startLine": 92}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 85363, "scanner": "repobility-threat-engine", "fingerprint": "1197d132635baa12e7514fdb34b6a5ad12a56761a6515c84f6502b56c4af45d4", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(i", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1197d132635baa12e7514fdb34b6a5ad12a56761a6515c84f6502b56c4af45d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/browser-entry-test.ts"}, "region": {"startLine": 234}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 85362, "scanner": "repobility-threat-engine", "fingerprint": "e01f8e7acceefd5daa006c9652aef8bfc198c2fb1eca432b765ae16236550929", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e01f8e7acceefd5daa006c9652aef8bfc198c2fb1eca432b765ae16236550929"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/action-test.ts"}, "region": {"startLine": 227}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 85334, "scanner": "repobility-supply-chain", "fingerprint": "742efdbac366db1cdd7194a4cf40b276ff9a5c6331d6ab95660a4d8afd47effc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|742efdbac366db1cdd7194a4cf40b276ff9a5c6331d6ab95660a4d8afd47effc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/preview.yml"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 85333, "scanner": "repobility-supply-chain", "fingerprint": "8b13b6ccdcc1dce756957f456d707ce50a1b0818ef315b02acb9ea7b9b689588", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8b13b6ccdcc1dce756957f456d707ce50a1b0818ef315b02acb9ea7b9b689588"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/preview.yml"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 85332, "scanner": "repobility-supply-chain", "fingerprint": "924435eceafe3981dda34df01221ada351ed3dc98b45ba3de67c826bd87ace6f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|924435eceafe3981dda34df01221ada351ed3dc98b45ba3de67c826bd87ace6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/preview.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 85331, "scanner": "repobility-supply-chain", "fingerprint": "a19e81c1952e75b100911ec86b912b53a3b390a1f0d0ae0d802819f080caa18b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a19e81c1952e75b100911ec86b912b53a3b390a1f0d0ae0d802819f080caa18b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docs.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 85330, "scanner": "repobility-supply-chain", "fingerprint": "2d9a71ed12a2672cb0a8a89d9a661f046ae0541998b159edb5c8d973c7b9ad1a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2d9a71ed12a2672cb0a8a89d9a661f046ae0541998b159edb5c8d973c7b9ad1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docs.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 85329, "scanner": "repobility-supply-chain", "fingerprint": "5bb49369ca1603c6b0b492dd8d711ba99e7d1fbe4fd50bfa367f0eabdb1d187f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5bb49369ca1603c6b0b492dd8d711ba99e7d1fbe4fd50bfa367f0eabdb1d187f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docs.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 85328, "scanner": "repobility-supply-chain", "fingerprint": "8f75dc0075889ea2b7fd00d45ca7f1d42097c7b85895471197c7a16b6dc89019", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8f75dc0075889ea2b7fd00d45ca7f1d42097c7b85895471197c7a16b6dc89019"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/shared-integration.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 85327, "scanner": "repobility-supply-chain", "fingerprint": "b3ae2f8243d65d455fe3db0855959895f3b6c31582c304b09193046bba2fdd5b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b3ae2f8243d65d455fe3db0855959895f3b6c31582c304b09193046bba2fdd5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/shared-integration.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 85326, "scanner": "repobility-supply-chain", "fingerprint": "194af0e679b0e3c42137b5a6695dcddea102620f950d929a61cdb081b90ba8f8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|194af0e679b0e3c42137b5a6695dcddea102620f950d929a61cdb081b90ba8f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/shared-integration.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 85325, "scanner": "repobility-supply-chain", "fingerprint": "2d817d8de29a0fd704d376ff0291f8e61b84a9399135319db59c21d3981267c1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2d817d8de29a0fd704d376ff0291f8e61b84a9399135319db59c21d3981267c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-comments.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 85324, "scanner": "repobility-supply-chain", "fingerprint": "72bb9b93680d118e6a60e67f9e234140bfe1fb6cf7937ad29d1eb1f04ec4ac21", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|72bb9b93680d118e6a60e67f9e234140bfe1fb6cf7937ad29d1eb1f04ec4ac21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-comments.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 85323, "scanner": "repobility-supply-chain", "fingerprint": "1f52e98e32fbc22a859fee808e98cfa6d849f14cd8b7c95f939c026ab48619cf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1f52e98e32fbc22a859fee808e98cfa6d849f14cd8b7c95f939c026ab48619cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-comments.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 85322, "scanner": "repobility-supply-chain", "fingerprint": "1e134a4b91d5d29eeb3553901d9c8f91ff12d35abda7b3ada3df9ed3ae5530ad", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1e134a4b91d5d29eeb3553901d9c8f91ff12d35abda7b3ada3df9ed3ae5530ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/shared-build.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 85321, "scanner": "repobility-supply-chain", "fingerprint": "d0591807695569a01f3a73f3eef41107ea78a3d6b531bd942eed019ed8a355a5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d0591807695569a01f3a73f3eef41107ea78a3d6b531bd942eed019ed8a355a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/shared-build.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 85320, "scanner": "repobility-supply-chain", "fingerprint": "805f3c0859faadcfffa264be8e1351cffdf9ac12f4bd537dd60867bb1cb08240", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|805f3c0859faadcfffa264be8e1351cffdf9ac12f4bd537dd60867bb1cb08240"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/shared-build.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 85319, "scanner": "repobility-supply-chain", "fingerprint": "710cf564e4c031c42608816cdedd3458b6c87d2b59e8283050f69e547b2569b5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|710cf564e4c031c42608816cdedd3458b6c87d2b59e8283050f69e547b2569b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-checks.yml"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 85318, "scanner": "repobility-supply-chain", "fingerprint": "bf7d4e8c8f4c9ff4ee6e60d5da481a7033832c955873b227602efb910fce6227", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bf7d4e8c8f4c9ff4ee6e60d5da481a7033832c955873b227602efb910fce6227"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-checks.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 85317, "scanner": "repobility-supply-chain", "fingerprint": "b25249588895645945e348f29b99cfe80154c08c16c4e366026767258fffea1c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b25249588895645945e348f29b99cfe80154c08c16c4e366026767258fffea1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-checks.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 85316, "scanner": "repobility-supply-chain", "fingerprint": "b77fa438e83885f614023ca446e258c6a5c135c75fc2e9e139d562d32d9f4fc9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b77fa438e83885f614023ca446e258c6a5c135c75fc2e9e139d562d32d9f4fc9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-checks.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 85315, "scanner": "repobility-supply-chain", "fingerprint": "89292b05cab40242eac50abe86e8bd8ce02c97a6ab25c4457fd4a0c0c2f7155c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|89292b05cab40242eac50abe86e8bd8ce02c97a6ab25c4457fd4a0c0c2f7155c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 85314, "scanner": "repobility-supply-chain", "fingerprint": "7822627096cbe2b69b01c5a5276d3a5ae2bf47021153c01aa137a34f5f13b30f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7822627096cbe2b69b01c5a5276d3a5ae2bf47021153c01aa137a34f5f13b30f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 85313, "scanner": "repobility-supply-chain", "fingerprint": "f249a83338f8f5b87be2d24c80a5c2b0392846dc8ea426f6317ba79b7f6dbe70", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f249a83338f8f5b87be2d24c80a5c2b0392846dc8ea426f6317ba79b7f6dbe70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 85312, "scanner": "repobility-supply-chain", "fingerprint": "ae060e5835ca9d0eb5e04845f8f049f40fbd3760c605756b38e39ba23116e1b7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ae060e5835ca9d0eb5e04845f8f049f40fbd3760c605756b38e39ba23116e1b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deduplicate-lock-file.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 85311, "scanner": "repobility-supply-chain", "fingerprint": "07620a1286b80085ce85a3bed42e1888644da44005fe51067d20144c0f83413d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|07620a1286b80085ce85a3bed42e1888644da44005fe51067d20144c0f83413d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deduplicate-lock-file.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 85310, "scanner": "repobility-supply-chain", "fingerprint": "68765d2a204fcb5a453dbabbe3192e1b0c37cc3880f865e3843e9a98e83d831e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|68765d2a204fcb5a453dbabbe3192e1b0c37cc3880f865e3843e9a98e83d831e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deduplicate-lock-file.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "GHSA-fjxv-7rqg-78g4", "level": "error", "message": {"text": "form-data: GHSA-fjxv-7rqg-78g4"}, "properties": {"repobilityId": 85445, "scanner": "osv-scanner", "fingerprint": "ad1e1709200782fa3c6aaeacbf4c7bcdd76505e9d347c9d816391098f08d8693", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-7783"], "package": "form-data", "rule_id": "GHSA-fjxv-7rqg-78g4", "scanner": "osv-scanner", "correlation_key": "vuln|form-data|CVE-2025-7783|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5rq4-664w-9x2c", "level": "error", "message": {"text": "basic-ftp: GHSA-5rq4-664w-9x2c"}, "properties": {"repobilityId": 85431, "scanner": "osv-scanner", "fingerprint": "0ce27f311e9c8d7f38437158830a4b2d5475cf16c7b612e37988eff8f0386b45", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27699"], "package": "basic-ftp", "rule_id": "GHSA-5rq4-664w-9x2c", "scanner": "osv-scanner", "correlation_key": "vuln|basic-ftp|CVE-2026-27699|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.FORMAT_PAT` on a `pull_request` trigger"}, "properties": {"repobilityId": 85336, "scanner": "repobility-supply-chain", "fingerprint": "882484dc17d3f455e5ae79e06b77f76b437a9f7fe0ea94dd3e7f2d8a42f31d5e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|882484dc17d3f455e5ae79e06b77f76b437a9f7fe0ea94dd3e7f2d8a42f31d5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.FORMAT_PAT` on a `pull_request` trigger"}, "properties": {"repobilityId": 85335, "scanner": "repobility-supply-chain", "fingerprint": "4b1ff48142c7bae7ba5dd6d4c750f80ee657131d21d35b923bac6294e6f8ef27", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4b1ff48142c7bae7ba5dd6d4c750f80ee657131d21d35b923bac6294e6f8ef27"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 82}}}]}]}]}