{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "GHSA-67mh-4wv8-2f99", "name": "esbuild: GHSA-67mh-4wv8-2f99", "shortDescription": {"text": "esbuild: GHSA-67mh-4wv8-2f99"}, "fullDescription": {"text": "esbuild enables any website to send any requests to the development server and read the response"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-898c-q2cr-xwhg", "name": "axios: GHSA-898c-q2cr-xwhg", "shortDescription": {"text": "axios: GHSA-898c-q2cr-xwhg"}, "fullDescription": {"text": "axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. 
Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `socks-proxy-agent` is 2 major version(s) behind (8.0.5 -> 10.0.0)", "shortDescription": {"text": "npm package `socks-proxy-agent` is 2 major version(s) behind (8.0.5 -> 10.0.0)"}, "fullDescription": {"text": "`socks-proxy-agent` is pinned/resolved at 8.0.5 but the latest stable release on the npm registry is 10.0.0 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "AUC005", "name": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or sup", "shortDescription": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "fullDescription": {"text": "No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "low", "confidence": 0.76, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "GHSA-654m-c8p4-x5fp", "name": "axios: GHSA-654m-c8p4-x5fp", "shortDescription": {"text": "axios: GHSA-654m-c8p4-x5fp"}, "fullDescription": {"text": "Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution \u2014 Incomplete Null-Prototype Fix"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "GHSA-pjwm-pj3p-43mv", "name": "axios: GHSA-pjwm-pj3p-43mv", "shortDescription": {"text": "axios: GHSA-pjwm-pj3p-43mv"}, "fullDescription": {"text": "axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-p92q-9vqr-4j8v", "name": "axios: GHSA-p92q-9vqr-4j8v", "shortDescription": {"text": "axios: GHSA-p92q-9vqr-4j8v"}, "fullDescription": {"text": "Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-j5f8-grm9-p9fc", "name": "axios: GHSA-j5f8-grm9-p9fc", "shortDescription": {"text": "axios: GHSA-j5f8-grm9-p9fc"}, "fullDescription": {"text": "Axios: Proxy-Authorization header leaks to 
redirect target when proxy is re-evaluated to direct connection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-hfxv-24rg-xrqf", "name": "axios: GHSA-hfxv-24rg-xrqf", "shortDescription": {"text": "axios: GHSA-hfxv-24rg-xrqf"}, "fullDescription": {"text": "Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-777c-7fjr-54vf", "name": "axios: GHSA-777c-7fjr-54vf", "shortDescription": {"text": "axios: GHSA-777c-7fjr-54vf"}, "fullDescription": {"text": "Allocation of Resources Without Limits or Throttling in Axios"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-35jp-ww65-95wh", "name": "axios: GHSA-35jp-ww65-95wh", "shortDescription": {"text": "axios: GHSA-35jp-ww65-95wh"}, "fullDescription": {"text": "axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC114", "name": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker", "shortDescription": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "fullDescription": {"text": "After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. 
In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. 
The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC035", "name": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based o", "shortDescription": {"text": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. 
Attackers send `size=10000000` to exhaust memory, or trigger expensive computation."}, "fullDescription": {"text": "Cap user-controlled sizes BEFORE allocation:\n  size = min(int(request.args.get('n', 100)), MAX_SIZE)\nSet framework-level limits:\n  Flask:    app.config['MAX_CONTENT_LENGTH'] = 10 * 1024 * 1024\n  FastAPI:  use middleware to enforce request size\n  Django:   DATA_UPLOAD_MAX_MEMORY_SIZE in settings.py\nNever raise `sys.setrecursionlimit` past 10K without a deeper review."}, "properties": {"scanner": "repobility-threat-engine", "category": "resource_exhaustion", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/setup-node` pinned to mutable ref `@v6`", "shortDescription": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "fullDescription": {"text": "`uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "jwt", "name": "Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data.", "shortDescription": {"text": "Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/744"}, "properties": {"repository": "iptv-org/iptv", "repoUrl": "https://github.com/iptv-org/iptv", "branch": "master"}, "results": [{"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 61158, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require 
project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["GraphQL"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "GHSA-67mh-4wv8-2f99", "level": "warning", "message": {"text": "esbuild: GHSA-67mh-4wv8-2f99"}, "properties": {"repobilityId": 61157, "scanner": "osv-scanner", "fingerprint": "a5366f8592ea792611dbd54230e9a360d84cfa4deab68e1cdb4eca522a676bc6", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "esbuild", "rule_id": "GHSA-67mh-4wv8-2f99", "scanner": "osv-scanner", "correlation_key": "vuln|esbuild|GHSA-67MH-4WV8-2F99|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-898c-q2cr-xwhg", "level": "warning", "message": {"text": "axios: GHSA-898c-q2cr-xwhg"}, "properties": {"repobilityId": 61152, "scanner": "osv-scanner", "fingerprint": "e0f789ea8b2d8f62959bbaf20e3ba5535e687b8c3be953373597bdc70b626254", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44490"], "package": "axios", "rule_id": "GHSA-898c-q2cr-xwhg", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44490|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 61131, "scanner": "repobility-threat-engine", "fingerprint": 
"6a4178b4403d081a2964c8458f37a393ff7f17a445e8fe72979357d1d1cbf119", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6a4178b4403d081a2964c8458f37a393ff7f17a445e8fe72979357d1d1cbf119"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/commands/playlist/test.ts"}, "region": {"startLine": 200}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `socks-proxy-agent` is 2 major version(s) behind (8.0.5 -> 10.0.0)"}, "properties": {"repobilityId": 61122, "scanner": "repobility-dependency-currency", "fingerprint": "9c8a067c26a0e43d2567b5681dbb14dcd676ee7a195c8889894b80f874c9bf08", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "socks-proxy-agent", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.0.0", "correlation_key": "fp|9c8a067c26a0e43d2567b5681dbb14dcd676ee7a195c8889894b80f874c9bf08", "current_version": "8.0.5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `normalize-url` is 1 major version(s) behind (8.1.0 -> 9.0.1)"}, "properties": {"repobilityId": 61121, "scanner": "repobility-dependency-currency", "fingerprint": "fb3725c4b49ad41386a9a9f2114c722d63e0af072d59ccf7eb6b2919f091cb6a", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": 
"open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "normalize-url", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "9.0.1", "correlation_key": "fp|fb3725c4b49ad41386a9a9f2114c722d63e0af072d59ccf7eb6b2919f091cb6a", "current_version": "8.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `globals` is 3 major version(s) behind (14.0.0 -> 17.6.0)"}, "properties": {"repobilityId": 61116, "scanner": "repobility-dependency-currency", "fingerprint": "598c68d1f54ad8f540c697ed6457e280c969a02b3194a7b90ec5e84fffb1f0e1", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "globals", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "17.6.0", "correlation_key": "fp|598c68d1f54ad8f540c697ed6457e280c969a02b3194a7b90ec5e84fffb1f0e1", "current_version": "14.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `glob` is 3 major version(s) behind (10.5.0 -> 13.0.6)"}, "properties": {"repobilityId": 61115, "scanner": "repobility-dependency-currency", "fingerprint": "12b6a29be8566249630d5ecb6a7205e473e6d00b81fdf2f942adb72e3adeeb09", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "glob", "scanner": 
"repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "13.0.6", "correlation_key": "fp|12b6a29be8566249630d5ecb6a7205e473e6d00b81fdf2f942adb72e3adeeb09", "current_version": "10.5.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `commander` is 1 major version(s) behind (14.0.0 -> 15.0.0)"}, "properties": {"repobilityId": 61112, "scanner": "repobility-dependency-currency", "fingerprint": "10c99e9287745da4aa8b5dddd9deef06eca5fb8927d45ffb1cf2ff692feaf088", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "commander", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "15.0.0", "correlation_key": "fp|10c99e9287745da4aa8b5dddd9deef06eca5fb8927d45ffb1cf2ff692feaf088", "current_version": "14.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `chalk` is 1 major version(s) behind (4.1.2 -> 5.6.2)"}, "properties": {"repobilityId": 61111, "scanner": "repobility-dependency-currency", "fingerprint": "1f2de174311f2b9fd36990e5a0c4909aa0af3fa8f10a35d17edaf3c8a687573b", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "chalk", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.6.2", "correlation_key": 
"fp|1f2de174311f2b9fd36990e5a0c4909aa0af3fa8f10a35d17edaf3c8a687573b", "current_version": "4.1.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@octokit/types` is 2 major version(s) behind (14.1.0 -> 16.0.0)"}, "properties": {"repobilityId": 61108, "scanner": "repobility-dependency-currency", "fingerprint": "a30e7dcdde994457de8699edd2b0cfdac03089e63c600e30ffd208d5874c5143", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@octokit/types", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "16.0.0", "correlation_key": "fp|a30e7dcdde994457de8699edd2b0cfdac03089e63c600e30ffd208d5874c5143", "current_version": "14.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@octokit/plugin-rest-endpoint-methods` is 1 major version(s) behind (16.0.0 -> 17.0.0)"}, "properties": {"repobilityId": 61107, "scanner": "repobility-dependency-currency", "fingerprint": "c42a91ca2ad39641163b4587bbbddaa289f060d3c84219f3e7718a3eed48eeb0", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@octokit/plugin-rest-endpoint-methods", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "17.0.0", "correlation_key": "fp|c42a91ca2ad39641163b4587bbbddaa289f060d3c84219f3e7718a3eed48eeb0", "current_version": "16.0.0"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@octokit/plugin-paginate-rest` is 1 major version(s) behind (13.1.1 -> 14.0.0)"}, "properties": {"repobilityId": 61106, "scanner": "repobility-dependency-currency", "fingerprint": "ea5810e088e891851ff7439c9a60a3f1230b69e8911aa44dbacbb158af1ba7e8", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@octokit/plugin-paginate-rest", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "14.0.0", "correlation_key": "fp|ea5810e088e891851ff7439c9a60a3f1230b69e8911aa44dbacbb158af1ba7e8", "current_version": "13.1.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@inquirer/prompts` is 1 major version(s) behind (7.8.0 -> 8.5.2)"}, "properties": {"repobilityId": 61104, "scanner": "repobility-dependency-currency", "fingerprint": "c89603a528510a91446d883ac3c5f6efdbc0683cea04f588736a45a9cd0f180a", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@inquirer/prompts", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "8.5.2", "correlation_key": "fp|c89603a528510a91446d883ac3c5f6efdbc0683cea04f588736a45a9cd0f180a", "current_version": "7.8.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, 
{"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@eslint/js` is 1 major version(s) behind (9.32.0 -> 10.0.1)"}, "properties": {"repobilityId": 61101, "scanner": "repobility-dependency-currency", "fingerprint": "e28f372c17a993d6181a4569893cf10f61b612036244b49cdcf2960c0ee935e6", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@eslint/js", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.0.1", "correlation_key": "fp|e28f372c17a993d6181a4569893cf10f61b612036244b49cdcf2960c0ee935e6", "current_version": "9.32.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC005", "level": "note", "message": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"repobilityId": 61159, "scanner": "repobility-access-control", "fingerprint": "c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e", "category": "auth", "severity": "low", "confidence": 0.76, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["GraphQL"], "correlation_key": "fp|c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e"}}}, {"ruleId": "GHSA-654m-c8p4-x5fp", "level": "note", "message": {"text": "axios: GHSA-654m-c8p4-x5fp"}, "properties": {"repobilityId": 61150, "scanner": "osv-scanner", "fingerprint": "c341d6229d59fb77d0bea8f33fdb1f70f42177a60607a5c5688e7154da87b577", "category": "dependency", "severity": "low", "confidence": 0.88, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44489"], "package": "axios", "rule_id": "GHSA-654m-c8p4-x5fp", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44489|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `jest` is minor version(s) behind (30.3.0 -> 30.4.2)"}, "properties": {"repobilityId": 61119, "scanner": "repobility-dependency-currency", "fingerprint": "f609b638d03b3c4315ba526b3e8574c52ebd8f7c327e33416e1afbc27cbba247", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "jest", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "30.4.2", "correlation_key": "fp|f609b638d03b3c4315ba526b3e8574c52ebd8f7c327e33416e1afbc27cbba247", "current_version": "30.3.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `cross-env` is minor version(s) behind (10.0.0 -> 10.1.0)"}, "properties": {"repobilityId": 61114, "scanner": "repobility-dependency-currency", "fingerprint": "b0899a3e97a4839f869cdf9324436c3d1fb19588ef54a33618dd244414c9c5a6", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "cross-env", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.1.0", "correlation_key": 
"fp|b0899a3e97a4839f869cdf9324436c3d1fb19588ef54a33618dd244414c9c5a6", "current_version": "10.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `console-table-printer` is minor version(s) behind (2.14.6 -> 2.16.0)"}, "properties": {"repobilityId": 61113, "scanner": "repobility-dependency-currency", "fingerprint": "b9637023579dceb332b76aec6d79852b1b6fdca9ab9dfc1c39dc06bde84b9ff9", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "console-table-printer", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.16.0", "correlation_key": "fp|b9637023579dceb332b76aec6d79852b1b6fdca9ab9dfc1c39dc06bde84b9ff9", "current_version": "2.14.6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `axios` is minor version(s) behind (1.15.2 -> 1.17.0)"}, "properties": {"repobilityId": 61110, "scanner": "repobility-dependency-currency", "fingerprint": "a41c97a5b01dd56eb082987d0974f42945e77e67a681e62e0a81923b09072d32", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "axios", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.17.0", "correlation_key": "fp|a41c97a5b01dd56eb082987d0974f42945e77e67a681e62e0a81923b09072d32", "current_version": "1.15.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@stylistic/eslint-plugin` is minor version(s) behind (5.2.2 -> 5.10.0)"}, "properties": {"repobilityId": 61109, "scanner": "repobility-dependency-currency", "fingerprint": "468f82bb839915854d751134bc9145d8c52af303dd79e53ea9efaf1ca5334542", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@stylistic/eslint-plugin", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.10.0", "correlation_key": "fp|468f82bb839915854d751134bc9145d8c52af303dd79e53ea9efaf1ca5334542", "current_version": "5.2.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@freearhey/storage-js` is minor version(s) behind (0.1.0 -> 0.2.0)"}, "properties": {"repobilityId": 61103, "scanner": "repobility-dependency-currency", "fingerprint": "802f89424db047d185b503bbc5b15ef41d0ade0fcd336360665f47e8e74d8572", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@freearhey/storage-js", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.2.0", "correlation_key": "fp|802f89424db047d185b503bbc5b15ef41d0ade0fcd336360665f47e8e74d8572", "current_version": "0.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@freearhey/core` is 
minor version(s) behind (0.14.3 -> 0.16.1)"}, "properties": {"repobilityId": 61102, "scanner": "repobility-dependency-currency", "fingerprint": "68ca8562d8602cbd93e7038ea7898e14a1b3886bb7c763f930a3f8f9586cb72b", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@freearhey/core", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.16.1", "correlation_key": "fp|68ca8562d8602cbd93e7038ea7898e14a1b3886bb7c763f930a3f8f9586cb72b", "current_version": "0.14.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 61130, "scanner": "repobility-threat-engine", "fingerprint": "3635d088609be049f958fb27b4f8023477c200cbc3533170322bb613c8c2fed1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3635d088609be049f958fb27b4f8023477c200cbc3533170322bb613c8c2fed1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/commands/playlist/edit.ts"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 2 
more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 61129, "scanner": "repobility-threat-engine", "fingerprint": "f5f0ee0407b51d0ac20b895b10fb0fb2d25d496c71c3de2200e03e778c4fe3f2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f5f0ee0407b51d0ac20b895b10fb0fb2d25d496c71c3de2200e03e778c4fe3f2", "aggregated_count": 2}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 61128, "scanner": "repobility-threat-engine", "fingerprint": "c2e369d6ce59d81a9422743480f9986baebbedf342333a011cf3083a86228113", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c2e369d6ce59d81a9422743480f9986baebbedf342333a011cf3083a86228113"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/commands/playlist/validate.ts"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 61127, "scanner": "repobility-threat-engine", "fingerprint": "c55570a6fe0c859c29d823ff4185e612ae2078110b129a74f3fbeb15e025ba78", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c55570a6fe0c859c29d823ff4185e612ae2078110b129a74f3fbeb15e025ba78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/commands/playlist/test.ts"}, "region": {"startLine": 171}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 61126, "scanner": "repobility-threat-engine", "fingerprint": "39721f8cd8a82a701cdac6c14b741f9cb4e5fe64fa5428e9a120925b5f790b5d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|39721f8cd8a82a701cdac6c14b741f9cb4e5fe64fa5428e9a120925b5f790b5d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/commands/playlist/edit.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `tsx` is patch version(s) behind (4.22.3 -> 4.22.4)"}, "properties": {"repobilityId": 61123, "scanner": "repobility-dependency-currency", "fingerprint": "12a6189888451c002d020d24139798c0eea7d72eb8e0b5dd249ba420e8413566", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "tsx", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.22.4", "correlation_key": "fp|12a6189888451c002d020d24139798c0eea7d72eb8e0b5dd249ba420e8413566", "current_version": "4.22.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `mediainfo.js` is patch version(s) behind (0.3.6 
-> 0.3.7)"}, "properties": {"repobilityId": 61120, "scanner": "repobility-dependency-currency", "fingerprint": "fa42cd70f59b954dcfa701ed5dd7807286550ec3415ec5825940331b6f18140d", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "mediainfo.js", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.3.7", "correlation_key": "fp|fa42cd70f59b954dcfa701ed5dd7807286550ec3415ec5825940331b6f18140d", "current_version": "0.3.6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `iptv-playlist-parser` is patch version(s) behind (0.15.1 -> 0.15.2)"}, "properties": {"repobilityId": 61118, "scanner": "repobility-dependency-currency", "fingerprint": "461c10191f2f00e9c46f64fd63ad63bdf9e4b01ce6db6ed55465c2112db9a9db", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "iptv-playlist-parser", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.15.2", "correlation_key": "fp|461c10191f2f00e9c46f64fd63ad63bdf9e4b01ce6db6ed55465c2112db9a9db", "current_version": "0.15.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `hls-parser` is patch version(s) behind (0.16.0 -> 0.16.1)"}, "properties": {"repobilityId": 61117, "scanner": "repobility-dependency-currency", "fingerprint": 
"735a41561c8be12b92f79716fc88855e4333aec6ab17d972c28f94973f4a24b7", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "hls-parser", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.16.1", "correlation_key": "fp|735a41561c8be12b92f79716fc88855e4333aec6ab17d972c28f94973f4a24b7", "current_version": "0.16.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@octokit/core` is patch version(s) behind (7.0.3 -> 7.0.6)"}, "properties": {"repobilityId": 61105, "scanner": "repobility-dependency-currency", "fingerprint": "e3147a92e9ed4ae7187c2473ecc2fb2c02fb20d77cb01c5d9f58b0f27fb3aa52", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@octokit/core", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.0.6", "correlation_key": "fp|e3147a92e9ed4ae7187c2473ecc2fb2c02fb20d77cb01c5d9f58b0f27fb3aa52", "current_version": "7.0.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@eslint/eslintrc` is patch version(s) behind (3.3.1 -> 3.3.5)"}, "properties": {"repobilityId": 61100, "scanner": "repobility-dependency-currency", "fingerprint": "0b6db5711a177510e3727fcb2d28a1de8ca7c638afb33c51d4d5d0c1a1ec496b", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", 
"isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@eslint/eslintrc", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.3.5", "correlation_key": "fp|0b6db5711a177510e3727fcb2d28a1de8ca7c638afb33c51d4d5d0c1a1ec496b", "current_version": "3.3.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-pjwm-pj3p-43mv", "level": "error", "message": {"text": "axios: GHSA-pjwm-pj3p-43mv"}, "properties": {"repobilityId": 61156, "scanner": "osv-scanner", "fingerprint": "a687f86314a62c9c73eab486dfb458616263bea26dbbefe9cae8473e8efb3071", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44492"], "package": "axios", "rule_id": "GHSA-pjwm-pj3p-43mv", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2025-62718|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-p92q-9vqr-4j8v", "level": "error", "message": {"text": "axios: GHSA-p92q-9vqr-4j8v"}, "properties": {"repobilityId": 61155, "scanner": "osv-scanner", "fingerprint": "db661ef3efd6ae15f09e8cb75e1d440d922b39de4793cfc737ed0754eca534ab", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44487"], "package": "axios", "rule_id": "GHSA-p92q-9vqr-4j8v", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44487|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-j5f8-grm9-p9fc", "level": "error", "message": {"text": 
"axios: GHSA-j5f8-grm9-p9fc"}, "properties": {"repobilityId": 61154, "scanner": "osv-scanner", "fingerprint": "ed7033fc0c9299b56ea00c92631f81ed72ec873142f864f792ab8b0cede67c2f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44486"], "package": "axios", "rule_id": "GHSA-j5f8-grm9-p9fc", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44486|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-hfxv-24rg-xrqf", "level": "error", "message": {"text": "axios: GHSA-hfxv-24rg-xrqf"}, "properties": {"repobilityId": 61153, "scanner": "osv-scanner", "fingerprint": "3a1a1d65de131fd423fbc959231b59156b65c45d65668fe2f857f475aba62a80", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44496"], "package": "axios", "rule_id": "GHSA-hfxv-24rg-xrqf", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44496|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-777c-7fjr-54vf", "level": "error", "message": {"text": "axios: GHSA-777c-7fjr-54vf"}, "properties": {"repobilityId": 61151, "scanner": "osv-scanner", "fingerprint": "59a250c97b1e71652419bc7d1715d1574255c84ea0b98401688c8d00b7cdd35b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44488"], "package": "axios", "rule_id": "GHSA-777c-7fjr-54vf", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44488|package-lock.json"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-35jp-ww65-95wh", "level": "error", "message": {"text": "axios: GHSA-35jp-ww65-95wh"}, "properties": {"repobilityId": 61149, "scanner": "osv-scanner", "fingerprint": "3588119f3e3a3569888076b3b7dda23c8c3a97e0038f21a03c294eba6757dbf6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44494"], "package": "axios", "rule_id": "GHSA-35jp-ww65-95wh", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44494|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. 
`../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 61135, "scanner": "repobility-threat-engine", "fingerprint": "e7935f34ba0f4e57aadb2669087275c4079453e7f8f7dd656af8157bf3fd32eb", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found. Review note: the matched expression resolves a fixed literal path relative to __dirname ('../tests/__data__/input'); no user-controlled segment is visible in the evidence, so this looks like a false positive of the containment-check rule. Confirm at scripts/utils.ts:60 before accepting the confirmed verdict; if a caller does feed user input into this path, resolve the result and verify it still starts with the intended base directory plus path separator.", "evidence": {"match": "path.resolve(__dirname, '../tests/__data__/input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|scripts/utils.ts|60|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/utils.ts"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 61134, "scanner": "repobility-threat-engine", "fingerprint": "16cee36b55f3c04c20c9b962a0a7c297234b884fac666324cf1c56f5c0c57f1a", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|16cee36b55f3c04c20c9b962a0a7c297234b884fac666324cf1c56f5c0c57f1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/utils.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 61133, "scanner": "repobility-threat-engine", "fingerprint": "a9b3fe4ad68972b0141b8e2c5f80934b414a8a0f4c93ff935284f8d09e1963da", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(_", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a9b3fe4ad68972b0141b8e2c5f80934b414a8a0f4c93ff935284f8d09e1963da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/core/proxyParser.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 61132, "scanner": "repobility-threat-engine", "fingerprint": "3c3db6127349d33ee80c5d25717e5faf4b6a4cb4ec6d2ad551aa2c59da356142", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found. Review note: the evidence shows only a template literal that builds '#' plus an issue number in a CLI script under scripts/; no .innerHTML assignment or other DOM sink is visible in the match, so the XSS classification (CWE-79) is unconfirmed and likely a false positive. Check where the resulting string is written at scripts/commands/playlist/update.ts:46 before accepting the confirmed verdict.", "evidence": {"match": "map((issue: Issue) => `#${issue.number}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3c3db6127349d33ee80c5d25717e5faf4b6a4cb4ec6d2ad551aa2c59da356142"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/commands/playlist/update.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 61125, "scanner": "repobility-threat-engine", "fingerprint": "c82b758fc3fd78348e59ad690701102ebd66d2c2730985527fcfc2686eebbb9f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "progressBar.update(loaded, { speed: rate })", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c82b758fc3fd78348e59ad690701102ebd66d2c2730985527fcfc2686eebbb9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/api.ts"}, "region": {"startLine": 130}}}]}, {"ruleId": "SEC035", "level": "error", "message": {"text": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation. CWE-770/400. 
Examples: CVE-2023-44487 (HTTP/2 Rapid Reset), countless YAML/XML billion-laughs variants."}, "properties": {"repobilityId": 61124, "scanner": "repobility-threat-engine", "fingerprint": "a95212aa6881fc8ee462d8876def1b4141497bb19023cf3f682aa3dc3ab4f184", "category": "resource_exhaustion", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Bytes(params.", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC035", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a95212aa6881fc8ee462d8876def1b4141497bb19023cf3f682aa3dc3ab4f184"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/api.ts"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 61099, "scanner": "repobility-supply-chain", "fingerprint": "916c4e40f1c280ce13921ffe7e4b6db1872eb91ea4dfafc99eb1dc8ce1a335e6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|916c4e40f1c280ce13921ffe7e4b6db1872eb91ea4dfafc99eb1dc8ce1a335e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/format.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 61098, "scanner": "repobility-supply-chain", "fingerprint": "48abb7bc5b1b01c097823f5b78cf690de1c62bab9567d80649444b499b174ae4", "category": "dependency", 
"severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|48abb7bc5b1b01c097823f5b78cf690de1c62bab9567d80649444b499b174ae4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/format.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `tibdex/github-app-token` pinned to mutable ref `@v1.8.2`"}, "properties": {"repobilityId": 61097, "scanner": "repobility-supply-chain", "fingerprint": "5c62c910d870d8ed01034e211230e434f5ac159b6801521a5dd39cf80d836737", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5c62c910d870d8ed01034e211230e434f5ac159b6801521a5dd39cf80d836737"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/format.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 61096, "scanner": "repobility-supply-chain", "fingerprint": "5b1c24c25e6f7037f1459361ad367a0428c4ef3195e0b707d8056fd8c2f34eda", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", 
"correlation_key": "fp|5b1c24c25e6f7037f1459361ad367a0428c4ef3195e0b707d8056fd8c2f34eda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/format.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `JamesIves/github-pages-deploy-action` pinned to mutable ref `@4.1.1`"}, "properties": {"repobilityId": 61095, "scanner": "repobility-supply-chain", "fingerprint": "a5b7f1d0ef50772b8faa995d2094b62e1f8e8e0dad5a61fb04610125d17b25de", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a5b7f1d0ef50772b8faa995d2094b62e1f8e8e0dad5a61fb04610125d17b25de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update.yml"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `JamesIves/github-pages-deploy-action` pinned to mutable ref `@4.1.1`"}, "properties": {"repobilityId": 61094, "scanner": "repobility-supply-chain", "fingerprint": "258b66ba580bdbc76b8b858bb5fd33c49df766a0eaa2a13fca53af3358231d7f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|258b66ba580bdbc76b8b858bb5fd33c49df766a0eaa2a13fca53af3358231d7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update.yml"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED115", "level": "error", "message": 
{"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 61093, "scanner": "repobility-supply-chain", "fingerprint": "0a6c133f5293dc556d5a9950b6300bb76dc5b662f07e802464db1c77bf22f259", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0a6c133f5293dc556d5a9950b6300bb76dc5b662f07e802464db1c77bf22f259"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 61092, "scanner": "repobility-supply-chain", "fingerprint": "2013bd54ba3b5829ae95e5abd8c40958af9974dcc6f7da15981fd91756d51062", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2013bd54ba3b5829ae95e5abd8c40958af9974dcc6f7da15981fd91756d51062"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `tibdex/github-app-token` pinned to mutable ref `@v1.8.2`"}, "properties": {"repobilityId": 61091, "scanner": "repobility-supply-chain", "fingerprint": "653c541fb9defa16faba9085f6f1b9eb2851be59ece507d3c5b26a077730c60a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", 
"verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|653c541fb9defa16faba9085f6f1b9eb2851be59ece507d3c5b26a077730c60a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 61090, "scanner": "repobility-supply-chain", "fingerprint": "dd2cdcaea92368ae6c2becaf253678ba71708ff3f89479b56d077ae3f11787eb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dd2cdcaea92368ae6c2becaf253678ba71708ff3f89479b56d077ae3f11787eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 61089, "scanner": "repobility-supply-chain", "fingerprint": "3903b42f861fcbe49db80d9c0c40a2b607c91895a602d2fd52a511a3f3594d38", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|3903b42f861fcbe49db80d9c0c40a2b607c91895a602d2fd52a511a3f3594d38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 61088, "scanner": "repobility-supply-chain", "fingerprint": "f7222d0cfab9a605fb778dc486408c00d82bf3f5cec1ba3612b18cc8e21c5d6d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f7222d0cfab9a605fb778dc486408c00d82bf3f5cec1ba3612b18cc8e21c5d6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "jwt", "level": "error", "message": {"text": "Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data."}, "properties": {"repobilityId": 61148, "scanner": "gitleaks", "fingerprint": "e4ab0835c5b1dc12eade0b879bfbdfcade6f8735d12cdcc9ec5f1cf3c7c4e64f", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED", "rule_id": "jwt", "scanner": "gitleaks", "detector": "jwt", "correlation_key": "secret|streams/in.m3u|82|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "streams/in.m3u"}, "region": {"startLine": 823}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 61147, "scanner": 
"gitleaks", "fingerprint": "76f0486e5f5ebf19470b79c9b3d88a57e90d903beaa7b25616ae18ad4b4109ef", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "token=<redacted>", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|streams/my.m3u|5|token redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "streams/my.m3u"}, "region": {"startLine": 52}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 61146, "scanner": "gitleaks", "fingerprint": "b7577433ae9263bc95e41029790348d1455597ecc04994b679eaa67b9d9de669", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "token=<redacted>", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|streams/my.m3u|4|token redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "streams/my.m3u"}, "region": {"startLine": 42}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 61145, "scanner": "gitleaks", "fingerprint": "f7c893699e5708e5e1ebeccd1c0b9473e0695e9ec3c45f7151ff2d5e5df9b61d", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "token=<redacted>", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", 
"correlation_key": "secret|streams/my.m3u|3|token redacted", "duplicate_count": 1, "duplicate_rule_ids": ["generic-api-key"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["5197877766731c93b3c2eaca533cc444b7d282a7db0d9678e55d6aaaa365fc05", "f7c893699e5708e5e1ebeccd1c0b9473e0695e9ec3c45f7151ff2d5e5df9b61d"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "streams/my.m3u"}, "region": {"startLine": 31}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 61144, "scanner": "gitleaks", "fingerprint": "2e45bdf7ad546df2965817e0b81d757858d7217d75c537809126fb036c7b26bf", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "token=<redacted>", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|streams/my.m3u|2|token redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "streams/my.m3u"}, "region": {"startLine": 27}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 61143, "scanner": "gitleaks", "fingerprint": "0ead585def4e1d07399cfe0a4946fa1babb6e1ff065ef6611bb02b6bc4dc99bc", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "token=<redacted>", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|streams/br.m3u|41|token redacted", "duplicate_count": 1, "duplicate_rule_ids": 
["generic-api-key"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["0ead585def4e1d07399cfe0a4946fa1babb6e1ff065ef6611bb02b6bc4dc99bc", "7d4a0b1e2dfee32695f8b5d8c5b537a5bec870164954c4f1079a24e74d0b5581"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "streams/br.m3u"}, "region": {"startLine": 411}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 61142, "scanner": "gitleaks", "fingerprint": "285bf256b574aef4495cf997b35e437fd01ea6f1ee3108588415a94bf58bb44a", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 4 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "token=<redacted>", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|streams/br.m3u|40|token redacted", "duplicate_count": 4, "duplicate_rule_ids": ["generic-api-key"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["10385ddbc4019407f62a27124d94a7deb6fe6e7f045b6dcc6ecd2b421f6a8b27", "285bf256b574aef4495cf997b35e437fd01ea6f1ee3108588415a94bf58bb44a", "7174834358c5c8f10623b7768984b1d49004002ccc956cdf9850519a85dbd500", "7fd49430def2b1dbe189e2ab6e9360fabd1a95e8f2057ab6753a285c9f981151", "a620ead0e05bc671977407445b7f29450ed3eeec6a245d72c453f33e88176678"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "streams/br.m3u"}, "region": {"startLine": 401}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 61141, "scanner": "gitleaks", "fingerprint": "1275d74880d39694971ffdc1cdf716fdee3c4f48400527143bf2eb23ea1a3fdf", "category": 
"credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 3 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "token=<redacted>", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|streams/br.m3u|39|token redacted", "duplicate_count": 3, "duplicate_rule_ids": ["generic-api-key"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["1275d74880d39694971ffdc1cdf716fdee3c4f48400527143bf2eb23ea1a3fdf", "63e7f516ce7cc6005ef6dfb28e91c43e2a64555cdbe7b521db61691400df0150", "7879f96e7ded8b979c275ee7646a96a10e3397ce690992d9c9488fd5fd9a8e0a", "bc023a699f8410859ef01dc603bac8dfde13694724410c4805523361a179b15a"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "streams/br.m3u"}, "region": {"startLine": 393}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 61140, "scanner": "gitleaks", "fingerprint": "3e84c26f97c619c93d0612f9eb54a0bdf84bba81c87ebaa414c273a2f6658fae", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 3 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "token=<redacted>", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|1|token redacted", "duplicate_count": 3, "duplicate_rule_ids": ["generic-api-key"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["13af60b15de74975f23f677704864fceebb3181b1f0f589b9763d52102581d7a", "3e84c26f97c619c93d0612f9eb54a0bdf84bba81c87ebaa414c273a2f6658fae", "a23fc9cfada535abb32fccbc01eab3b4d8cfd07cb23434607cf39336ef165573", 
"dad5ba1a70daa1ce7bc96e17b3df5d4f71008190e7c9cb575cef964ed28b266d"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/__data__/input/playlist_test/streams/ag.m3u"}, "region": {"startLine": 3}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 61139, "scanner": "gitleaks", "fingerprint": "f101185b8f37f76cad4b9f49ee50ac5a741bbff600e87527bab53374f291f8d8", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "token=<redacted>", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|streams/th.m3u|6|token redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "streams/th.m3u"}, "region": {"startLine": 69}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 61138, "scanner": "gitleaks", "fingerprint": "f6f45677bb83093a7547d29ea1b09e0b4b9ebc896fd94773d1187411163b1d28", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "token=<redacted>", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|streams/cy.m3u|4|token redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "streams/cy.m3u"}, "region": {"startLine": 41}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 61137, "scanner": 
"gitleaks", "fingerprint": "97d67274edc5a53054a9e036810dc93947f2b62749091d6d31ab1be2fc37289a", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "token=<redacted>", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|streams/cy.m3u|1|token redacted", "duplicate_count": 1, "duplicate_rule_ids": ["generic-api-key"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["97d67274edc5a53054a9e036810dc93947f2b62749091d6d31ab1be2fc37289a", "9c1f15cbb79f196e5136170ef1eae3ac69b8354f08bf4ddc69b5d75642eedc76"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "streams/cy.m3u"}, "region": {"startLine": 3}}}]}, {"ruleId": "jwt", "level": "error", "message": {"text": "Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data."}, "properties": {"repobilityId": 61136, "scanner": "gitleaks", "fingerprint": "d3baf4bd70ec519a3ceedf3d3e7c7bb0946f20cf767845c57bf30eba993e5150", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED", "rule_id": "jwt", "scanner": "gitleaks", "detector": "jwt", "correlation_key": "secret|streams/lt.m3u|2|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "streams/lt.m3u"}, "region": {"startLine": 21}}}]}]}]}