{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. Without one, important docs and product pages are easy to miss."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "MINED089", "name": "[MINED089] Js Always False If: if (false) \u2014 branch never taken. Dead code / disabled feature.", "shortDescription": {"text": "[MINED089] Js Always False If: if (false) \u2014 branch never taken. Dead code / disabled feature."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-561 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 4 more): Same pattern found in 4 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED065", "name": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public re", "shortDescription": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-942,CWE-346 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 8 more): Same pattern found in 8 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 31 more): Same pattern found in 31 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 31 more): Same pattern found in 31 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 106 more): Same pattern found in 106 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 106 more): Same pattern found in 106 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 28 more): Same pattern found in 28 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 28 more): Same pattern found in 28 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 11 more): Same pattern found in 11 additional f", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 13 more): Same pattern found in 13 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 15 more): Same pattern found in 15 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.25, "cwe": "", "owasp": ""}}, {"id": "MINED122", "name": "package.json dep `@vitejs/test-dep-not-js` pulled from URL/Git", "shortDescription": {"text": "package.json dep `@vitejs/test-dep-not-js` pulled from URL/Git"}, "fullDescription": {"text": "`dependencies.@vitejs/test-dep-not-js` = `file:./dep-not-js` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED035", "name": "[MINED035] Js New Function: new Function(...) compiles strings to functions.", "shortDescription": {"text": "[MINED035] Js New Function: new Function(...) compiles strings to functions."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/197"}, "properties": {"repository": "vitejs/vite", "repoUrl": "https://github.com/vitejs/vite", "branch": "main"}, "results": [{"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 50406, "scanner": "repobility-threat-engine", "fingerprint": "44e15ffcb397c151760400cad8be88a0e0fc7d2f0373d766b08aff7898eb3675", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|44e15ffcb397c151760400cad8be88a0e0fc7d2f0373d766b08aff7898eb3675"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vite/src/node/server/environment.ts"}, "region": {"startLine": 375}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 50390, "scanner": "repobility-threat-engine", "fingerprint": "aed7e33a256f1bebfbc3c183b1a241dd7267ad3c4622fbd9195af60e7f91ad80", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|117|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vite/src/module-runner/evaluatedModules.ts"}, "region": {"startLine": 117}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 50389, "scanner": "repobility-threat-engine", "fingerprint": "d6a5fb836d803a19b69054751b5cc945f8793cbdf23906e1c233017bb3e0e1f2", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|272|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vite/src/client/overlay.ts"}, "region": {"startLine": 272}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 50388, "scanner": "repobility-threat-engine", "fingerprint": "b8b41fa90c50cb01b40189d12b1e0ca0788bf362ed4f4060b3d36c8bd0f395b2", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|252|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vite/rolldown.config.ts"}, "region": {"startLine": 252}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 50366, "scanner": "repobility-threat-engine", "fingerprint": "73a720fba52829f999e00344f07f03618a71bdeaa413df3222f4f998c1fc8295", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a href=\"https://vite.dev/\" target=\"_blank\">", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|44|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/create-vite/template-preact-ts/src/app.tsx"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 50365, "scanner": "repobility-threat-engine", "fingerprint": "f6a80fb1959f31ec1d8f3d277f065ee4bc9742b2a1571e21a51e5c64159e5440", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a href=\"https://vite.dev/\" target=\"_blank\">", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|63|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/create-vite/template-lit/src/my-element.js"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 50364, "scanner": "repobility-threat-engine", "fingerprint": "c48506439421d4635ecc40c29628a958955a57247312828a4732f01070d7e400", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a href=\"https://vite.dev/\" target=\"_blank\">", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|57|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/create-vite/template-lit-ts/src/my-element.ts"}, "region": {"startLine": 57}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 6001, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 6000, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 5991, "scanner": "repobility-threat-engine", "fingerprint": "bde8d997f586503f977da66e82799c31a2019006fe09ceb2b2e4811a19b7470d", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (_e) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bde8d997f586503f977da66e82799c31a2019006fe09ceb2b2e4811a19b7470d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/test-utils.ts"}, "region": {"startLine": 142}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 5990, "scanner": "repobility-agent-runtime", "fingerprint": "5b0b99a121c1a1913aab13073ee219f11d109c4f7742a1952ef7a02477e09758", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|5b0b99a121c1a1913aab13073ee219f11d109c4f7742a1952ef7a02477e09758"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vite/src/node/utils.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 5989, "scanner": "repobility-agent-runtime", "fingerprint": "7957fa54ba0de18bf19054d072a8da8b94a4facb22dff2fe0b66838e3f927eef", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|7957fa54ba0de18bf19054d072a8da8b94a4facb22dff2fe0b66838e3f927eef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vite/src/node/server/index.ts"}, "region": {"startLine": 78}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50345, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4aa81c7800cddaac8f24eedf1f9199ebf8288756f7cfb1e3273843238f7a2931", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "playground/multiple-entrypoints/entrypoints/a0.js", "duplicate_line": 39, "correlation_key": "fp|4aa81c7800cddaac8f24eedf1f9199ebf8288756f7cfb1e3273843238f7a2931"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/multiple-entrypoints/entrypoints/a12.js"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50344, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7a12b997e9545af146a3959c43254581d2786c35e43af0a8fcee3f31a04ef855", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "playground/multiple-entrypoints/entrypoints/a0.js", "duplicate_line": 38, "correlation_key": "fp|7a12b997e9545af146a3959c43254581d2786c35e43af0a8fcee3f31a04ef855"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/multiple-entrypoints/entrypoints/a11.js"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50343, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f1b6286211d27962f33ab1540c48f30b2bc646cb2ad3b82e9ef219bd0a184799", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "playground/multiple-entrypoints/entrypoints/a0.js", "duplicate_line": 37, "correlation_key": "fp|f1b6286211d27962f33ab1540c48f30b2bc646cb2ad3b82e9ef219bd0a184799"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/multiple-entrypoints/entrypoints/a10.js"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50342, "scanner": "repobility-ai-code-hygiene", "fingerprint": "49abd102d6507c7f4b4676419edc9cfc4f56ff1d1474ecd120c6fd0b38781303", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "playground/multiple-entrypoints/entrypoints/a0.js", "duplicate_line": 28, "correlation_key": "fp|49abd102d6507c7f4b4676419edc9cfc4f56ff1d1474ecd120c6fd0b38781303"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/multiple-entrypoints/entrypoints/a1.js"}, "region": {"startLine": 27}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50341, "scanner": "repobility-ai-code-hygiene", "fingerprint": "af524857ff673a04348b3da261e313ba91036ef9fcdd165485ac6a8f5dc91a02", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "playground/hmr-ssr/vite.config.ts", "duplicate_line": 79, "correlation_key": "fp|af524857ff673a04348b3da261e313ba91036ef9fcdd165485ac6a8f5dc91a02"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/hmr/vite.config.ts"}, "region": {"startLine": 88}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50340, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b04d7a13bf4331e10de53ea128548a763d6409bd82a30d866485a9c6f3f02e04", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "playground/fs-serve/root/vite.config-base.js", "duplicate_line": 15, "correlation_key": "fp|b04d7a13bf4331e10de53ea128548a763d6409bd82a30d866485a9c6f3f02e04"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/fs-serve/root/vite.config.js"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50339, "scanner": "repobility-ai-code-hygiene", "fingerprint": "be9c6d17af3d0387c9d36c50cf39d48b010c7b450b12de90418341e5cf28128a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "playground/assets/vite.config-relative-base.js", "duplicate_line": 1, "correlation_key": "fp|be9c6d17af3d0387c9d36c50cf39d48b010c7b450b12de90418341e5cf28128a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/css/vite.config-relative-base.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50338, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0ce0ecd76b744c2a6f19e7f4330aba339933c999a9c5186d41bcc91770bc22c1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "playground/assets/vite.config-encoded-base.js", "duplicate_line": 14, "correlation_key": "fp|0ce0ecd76b744c2a6f19e7f4330aba339933c999a9c5186d41bcc91770bc22c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/assets/vite.config-url-base.js"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50337, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b1872cc95f747e3797a4ffe438c6efcafef79bd618be95d7aa2f228cc976fba9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/create-vite/template-lit-ts/src/my-element.ts", "duplicate_line": 32, "correlation_key": "fp|b1872cc95f747e3797a4ffe438c6efcafef79bd618be95d7aa2f228cc976fba9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/create-vite/template-vue/src/components/HelloWorld.vue"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50336, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5d3bb831c6b710ed3d703d31f2e19ccd07ec7c98af160037e86016514b4c9e41", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/create-vite/template-vue-ts/src/components/HelloWorld.vue", "duplicate_line": 2, "correlation_key": "fp|5d3bb831c6b710ed3d703d31f2e19ccd07ec7c98af160037e86016514b4c9e41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/create-vite/template-vue/src/components/HelloWorld.vue"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50335, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e3c84f0f3de751d8a4d14384f7d2f0e18d21ca584a7eed9702be6d9f7b785938", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/create-vite/template-lit-ts/src/my-element.ts", "duplicate_line": 32, "correlation_key": "fp|e3c84f0f3de751d8a4d14384f7d2f0e18d21ca584a7eed9702be6d9f7b785938"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/create-vite/template-vue-ts/src/components/HelloWorld.vue"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50334, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7e1b1aef4b6ba510a0ec21efb756f2d1f2a2a8477211a7e56efbeeb60050d7ef", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/create-vite/template-vanilla-ts/src/main.ts", "duplicate_line": 16, "correlation_key": "fp|7e1b1aef4b6ba510a0ec21efb756f2d1f2a2a8477211a7e56efbeeb60050d7ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/create-vite/template-vanilla/src/main.js"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50333, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f3570ebde0b2f0ca2e10a51a6584f7afed0d738e680202f55ee5b616f7e7a586", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/create-vite/template-lit-ts/src/my-element.ts", "duplicate_line": 52, "correlation_key": "fp|f3570ebde0b2f0ca2e10a51a6584f7afed0d738e680202f55ee5b616f7e7a586"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/create-vite/template-svelte/src/App.svelte"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50332, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9f1f49735d856cd283e9f16788f7f5d33dc964231263145fd25b54f0dffc2d78", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/create-vite/template-svelte-ts/src/App.svelte", "duplicate_line": 1, "correlation_key": "fp|9f1f49735d856cd283e9f16788f7f5d33dc964231263145fd25b54f0dffc2d78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/create-vite/template-svelte/src/App.svelte"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50331, "scanner": "repobility-ai-code-hygiene", "fingerprint": "963dd31c325fd3eb4b5540795ebc32f3900b05743cb34bb8fe20da93f2ff340b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/create-vite/template-lit-ts/src/my-element.ts", "duplicate_line": 52, "correlation_key": "fp|963dd31c325fd3eb4b5540795ebc32f3900b05743cb34bb8fe20da93f2ff340b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/create-vite/template-svelte-ts/src/App.svelte"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50330, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e7c3b5f6df4f0d117ad4a0a10598e0c69473631537a29e09a655b05dfb081066", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/create-vite/template-preact-ts/src/app.tsx", "duplicate_line": 30, "correlation_key": "fp|e7c3b5f6df4f0d117ad4a0a10598e0c69473631537a29e09a655b05dfb081066"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/create-vite/template-solid/src/App.jsx"}, "region": {"startLine": 30}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50329, "scanner": "repobility-ai-code-hygiene", "fingerprint": "497ebc28bb8eecacc5c856e2067227e1a53ab8cbff38630af1615be10887b8b0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/create-vite/template-lit-ts/src/my-element.ts", "duplicate_line": 32, "correlation_key": "fp|497ebc28bb8eecacc5c856e2067227e1a53ab8cbff38630af1615be10887b8b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/create-vite/template-solid/src/App.jsx"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50328, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ba2c9a09335389e8e4f584c1e5d23a998261451d7ca6a0487241a59df5c29eb7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/create-vite/template-solid-ts/src/App.tsx", "duplicate_line": 1, "correlation_key": "fp|ba2c9a09335389e8e4f584c1e5d23a998261451d7ca6a0487241a59df5c29eb7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/create-vite/template-solid/src/App.jsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 5999, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 5998, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 5997, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 5994, "scanner": "repobility-threat-engine", "fingerprint": "395e04eaadfe7bc09b0cf3455736cf4b9e2ac5a7933e7979a838ebe75d87fbac", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = t", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|4|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/optimize-deps/long-file-name.js"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5988, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cf13d726fb2625e4def940a87c4a92a7a478ab5bcdcf7f187e2eddd43b633d67", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/create-vite/template-preact-ts/src/app.tsx", "duplicate_line": 30, "correlation_key": "fp|cf13d726fb2625e4def940a87c4a92a7a478ab5bcdcf7f187e2eddd43b633d67"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/create-vite/template-solid-ts/src/App.tsx"}, "region": {"startLine": 30}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5987, "scanner": "repobility-ai-code-hygiene", "fingerprint": "79a54fd40d926c66eff54c0b3b38de854560635285d2d306c2a9715447dc4e62", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/create-vite/template-lit-ts/src/my-element.ts", "duplicate_line": 32, "correlation_key": "fp|79a54fd40d926c66eff54c0b3b38de854560635285d2d306c2a9715447dc4e62"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/create-vite/template-solid-ts/src/App.tsx"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5986, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1895d2dc68acea1359e46c9c9e51774d8aa420b12568a3c9324827acfe9e2a4f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/create-vite/template-react-ts/src/App.tsx", "duplicate_line": 1, "correlation_key": "fp|1895d2dc68acea1359e46c9c9e51774d8aa420b12568a3c9324827acfe9e2a4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/create-vite/template-react/src/App.jsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5985, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3a52057286e37d7869d0d476f5dffe9fea4d36cfe2f97e5c7bd413163cc44ead", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/create-vite/template-preact-ts/src/app.tsx", "duplicate_line": 30, "correlation_key": "fp|3a52057286e37d7869d0d476f5dffe9fea4d36cfe2f97e5c7bd413163cc44ead"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/create-vite/template-qwik/src/app.jsx"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5984, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e110610371fb54672cb9d0df90b115fe35a81421d88d59720b2d598bdc50c0ba", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/create-vite/template-lit-ts/src/my-element.ts", "duplicate_line": 32, "correlation_key": "fp|e110610371fb54672cb9d0df90b115fe35a81421d88d59720b2d598bdc50c0ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/create-vite/template-qwik/src/app.jsx"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5983, "scanner": "repobility-ai-code-hygiene", "fingerprint": "eec58806431deb0c09a5d992eef23a5249562938df37908acee759286d8d9ea3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/create-vite/template-qwik-ts/src/app.tsx", "duplicate_line": 1, "correlation_key": "fp|eec58806431deb0c09a5d992eef23a5249562938df37908acee759286d8d9ea3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/create-vite/template-qwik/src/app.jsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5982, "scanner": "repobility-ai-code-hygiene", "fingerprint": "66a09cf1ed148c2ab4aa2e300f1369745479ea12dfa54b474e14378480ef5569", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/create-vite/template-preact-ts/src/app.tsx", "duplicate_line": 30, "correlation_key": "fp|66a09cf1ed148c2ab4aa2e300f1369745479ea12dfa54b474e14378480ef5569"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/create-vite/template-qwik-ts/src/app.tsx"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5981, "scanner": "repobility-ai-code-hygiene", "fingerprint": "08e5241f9db5e1180e435183f58cb5470424a466a3353dcd0016c2cbe0211974", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/create-vite/template-lit-ts/src/my-element.ts", "duplicate_line": 32, "correlation_key": "fp|08e5241f9db5e1180e435183f58cb5470424a466a3353dcd0016c2cbe0211974"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/create-vite/template-qwik-ts/src/app.tsx"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5980, "scanner": "repobility-ai-code-hygiene", "fingerprint": "81f275ba78a446195f73c8187a4a796cb34f4ceea0c03e82c074340bbbcec624", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/create-vite/template-lit-ts/src/my-element.ts", "duplicate_line": 32, "correlation_key": "fp|81f275ba78a446195f73c8187a4a796cb34f4ceea0c03e82c074340bbbcec624"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/create-vite/template-preact/src/app.jsx"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5979, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b17d6623fb6b52ad8744f152e55df6f08daeb0dd4a250e02b74ebe6d27d9225e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/create-vite/template-preact-ts/src/app.tsx", "duplicate_line": 1, "correlation_key": "fp|b17d6623fb6b52ad8744f152e55df6f08daeb0dd4a250e02b74ebe6d27d9225e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/create-vite/template-preact/src/app.jsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5978, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e39c989122de2b97a48279d64925d21a3c70a1d4ab2f1a7dd33f48111c3ea276", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/create-vite/template-lit-ts/src/my-element.ts", "duplicate_line": 32, "correlation_key": "fp|e39c989122de2b97a48279d64925d21a3c70a1d4ab2f1a7dd33f48111c3ea276"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/create-vite/template-preact-ts/src/app.tsx"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5977, "scanner": "repobility-ai-code-hygiene", "fingerprint": "687c5284655aeb34bf8fd4c03a9e8796b914fbd8664972657458f98635955539", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/create-vite/template-lit-ts/src/my-element.ts", "duplicate_line": 22, "correlation_key": "fp|687c5284655aeb34bf8fd4c03a9e8796b914fbd8664972657458f98635955539"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/create-vite/template-lit/src/my-element.js"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED089", "level": "none", "message": {"text": "[MINED089] Js Always False If: if (false) \u2014 branch never taken. Dead code / disabled feature."}, "properties": {"repobilityId": 50408, "scanner": "repobility-threat-engine", "fingerprint": "2cf871a9d66a3f34613595c1af560bde21aff346fc7fa02143257264b00ccb72", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-always-false-if", "owasp": null, "cwe_ids": ["CWE-561"], "languages": ["javascript", "typescript", "tsx", "jsx", "python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348146+00:00", "triaged_in_corpus": 12, "observations_count": 536, "ai_coder_pattern_id": 141}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2cf871a9d66a3f34613595c1af560bde21aff346fc7fa02143257264b00ccb72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/optimize-deps/dep-linked-include/index.mjs"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 50405, "scanner": "repobility-threat-engine", "fingerprint": "384b13d01eca021cad8caa867cbe69ee4fc1353f389030e2ca3b6fe8412f11af", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|384b13d01eca021cad8caa867cbe69ee4fc1353f389030e2ca3b6fe8412f11af"}}}, {"ruleId": "SEC083", "level": "none", "message": {"text": "[SEC083] JS: new RegExp() with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 50401, "scanner": "repobility-threat-engine", "fingerprint": "bc622422aece995c7e07e0c16de081f3178587059cc7d4258a61a173910ef549", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|bc622422aece995c7e07e0c16de081f3178587059cc7d4258a61a173910ef549"}}}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 50397, "scanner": "repobility-threat-engine", "fingerprint": "4cf52743d432412e331cd27c03ede742e380046b298e2c4d7964a95535666ab8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4cf52743d432412e331cd27c03ede742e380046b298e2c4d7964a95535666ab8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vite/src/node/index.ts"}, "region": {"startLine": 138}}}]}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 50396, "scanner": "repobility-threat-engine", "fingerprint": "d4ee66d308fa05dd2c5191e0e3acb9784c5a0354dd2503be4c604150836c3569", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d4ee66d308fa05dd2c5191e0e3acb9784c5a0354dd2503be4c604150836c3569"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vite/src/node/http.ts"}, "region": {"startLine": 103}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 50395, "scanner": "repobility-threat-engine", "fingerprint": "b25ca6c2b6e8056e9e2c805b4ff75b5230249c907e2c0475c7bb8fc214cf24b0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b25ca6c2b6e8056e9e2c805b4ff75b5230249c907e2c0475c7bb8fc214cf24b0"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 50391, "scanner": "repobility-threat-engine", "fingerprint": "59f8fe45fc5615482b4e48d4864d7b6d9fcdf063056f99acf47e7fe5acde521f", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|59f8fe45fc5615482b4e48d4864d7b6d9fcdf063056f99acf47e7fe5acde521f"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 31 more): Same pattern found in 31 additional files. Review if needed."}, "properties": {"repobilityId": 50387, "scanner": "repobility-threat-engine", "fingerprint": "03477f3c225ccbb23c6eb223307bb8f56aa610a43b72f18b0967de2c27d05c02", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 31 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 31 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|03477f3c225ccbb23c6eb223307bb8f56aa610a43b72f18b0967de2c27d05c02"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 106 more): Same pattern found in 106 additional files. Review if needed."}, "properties": {"repobilityId": 50383, "scanner": "repobility-threat-engine", "fingerprint": "f887863ce5b59cf2bb83e964e4035dcbda826df129277db79cf5e7a42377c9bf", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 106 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f887863ce5b59cf2bb83e964e4035dcbda826df129277db79cf5e7a42377c9bf", "aggregated_count": 106}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 50382, "scanner": "repobility-threat-engine", "fingerprint": "75fd7844cbaea4de52bbf6d389d4daad98b0cf90218754f4f1c0501db957e0c7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|75fd7844cbaea4de52bbf6d389d4daad98b0cf90218754f4f1c0501db957e0c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vite/rollupLicensePlugin.ts"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 50381, "scanner": "repobility-threat-engine", "fingerprint": "2a956e464b63620d13083a42b0f4884c0fe44189fb33c113769dce6491f00cc6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2a956e464b63620d13083a42b0f4884c0fe44189fb33c113769dce6491f00cc6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vite/rolldown.config.ts"}, "region": {"startLine": 272}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 50380, "scanner": "repobility-threat-engine", "fingerprint": "90f84fc80c223c96b67c67b0ccc0b02fa484b1f52d3ba9a4e908f909d1e90a5f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|90f84fc80c223c96b67c67b0ccc0b02fa484b1f52d3ba9a4e908f909d1e90a5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/plugin-legacy/src/snippets.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 50379, "scanner": "repobility-threat-engine", "fingerprint": "7abafc33e9a5c048ce7e972b4f0b3fdb43b764a21e8e5db287832cbfa2d08dd6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7abafc33e9a5c048ce7e972b4f0b3fdb43b764a21e8e5db287832cbfa2d08dd6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/proxy-bypass/vite.config.js"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 50378, "scanner": "repobility-threat-engine", "fingerprint": "79a679d948fa87c1cdd21e2926a4610073db7f9f174fb6e3fde0ca4d4ef0fc70", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|79a679d948fa87c1cdd21e2926a4610073db7f9f174fb6e3fde0ca4d4ef0fc70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/create-vite/tsdown.config.ts"}, "region": {"startLine": 143}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 28 more): Same pattern found in 28 additional files. Review if needed."}, "properties": {"repobilityId": 50377, "scanner": "repobility-threat-engine", "fingerprint": "7b4c5218b2d38c0a53509042ebbf677f6bfd7658469150cb60092d13bf4eaf0f", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 28 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|7b4c5218b2d38c0a53509042ebbf677f6bfd7658469150cb60092d13bf4eaf0f", "aggregated_count": 28}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 50376, "scanner": "repobility-threat-engine", "fingerprint": "55fb5e812ce751110edcafa31f501782399979779fcd235949fbc508c9b76dc9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|55fb5e812ce751110edcafa31f501782399979779fcd235949fbc508c9b76dc9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vite/scripts/benchCircularImport.ts"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 50375, "scanner": "repobility-threat-engine", "fingerprint": "b8768c729e18e45f1e6a7e27bf022e7bb94f267fb6ea19526fee21fbb7d7e385", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b8768c729e18e45f1e6a7e27bf022e7bb94f267fb6ea19526fee21fbb7d7e385"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/plugin-legacy/src/snippets.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 50374, "scanner": "repobility-threat-engine", "fingerprint": "431fa2db807748701f6a699a0c08db74e78aad085e4f08db1b36a5552c504318", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|431fa2db807748701f6a699a0c08db74e78aad085e4f08db1b36a5552c504318"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/create-vite/template-vanilla-ts/src/main.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "properties": {"repobilityId": 50373, "scanner": "repobility-threat-engine", "fingerprint": "cea9866355a038634f49a33fe3675dd05bdfab113315ba4a5fc6f621944b5f4e", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|cea9866355a038634f49a33fe3675dd05bdfab113315ba4a5fc6f621944b5f4e"}}}, {"ruleId": "SEC006", "level": "none", "message": {"text": "[SEC006] XSS Risk (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 50369, "scanner": "repobility-threat-engine", "fingerprint": "a4e5727347d2f51d3ec54527bb80130dc4a9ab8ce3677d115af687b549585435", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a4e5727347d2f51d3ec54527bb80130dc4a9ab8ce3677d115af687b549585435"}}}, {"ruleId": "SEC041", "level": "none", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\" (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 50367, "scanner": "repobility-threat-engine", "fingerprint": "3cce005a1fd9b4a54d37ac5ac76fa8151cf96bcfc36f79c6a32e365bbf15aaba", "category": "security", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|3cce005a1fd9b4a54d37ac5ac76fa8151cf96bcfc36f79c6a32e365bbf15aaba"}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "properties": {"repobilityId": 50363, "scanner": "repobility-threat-engine", "fingerprint": "4c8764b5b26e37415a284cc3a005af3288cf252e855ab51befa2ed42c04aeec8", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|4c8764b5b26e37415a284cc3a005af3288cf252e855ab51befa2ed42c04aeec8", "aggregated_count": 13}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 50362, "scanner": "repobility-threat-engine", "fingerprint": "820f351f5168b75b2c3fb8bba62615aa6bbe1ff98c101d53674b1bd0f2e8e058", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|820f351f5168b75b2c3fb8bba62615aa6bbe1ff98c101d53674b1bd0f2e8e058"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vite/src/module-runner/sourcemap/decoder.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 50361, "scanner": "repobility-threat-engine", "fingerprint": "f5461cbbc57212935d982199acc5e452bb14d2bbab7ca235432df9c683ff6e1f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f5461cbbc57212935d982199acc5e452bb14d2bbab7ca235432df9c683ff6e1f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vite/src/module-runner/createImportMeta.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 50360, "scanner": "repobility-threat-engine", "fingerprint": "58cfd9f6e1998ddedd41bd024ce04dd81ad677df027e25be9e5e22d7a62e607a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|58cfd9f6e1998ddedd41bd024ce04dd81ad677df027e25be9e5e22d7a62e607a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/.vitepress/theme/index.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 50359, "scanner": "repobility-threat-engine", "fingerprint": "a74730ca76ec1f3cc7d4811f43e6f4180763b36a8cc26422ad93989f65bdc129", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a74730ca76ec1f3cc7d4811f43e6f4180763b36a8cc26422ad93989f65bdc129", "aggregated_count": 15}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 50358, "scanner": "repobility-threat-engine", "fingerprint": "b997997f43d5874afd6a6eb3d3093b3e2ec5dda9d31768338e91a773506dcd06", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b997997f43d5874afd6a6eb3d3093b3e2ec5dda9d31768338e91a773506dcd06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vite/src/module-runner/evaluatedModules.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 50357, "scanner": "repobility-threat-engine", "fingerprint": "11faf80b6c5706ca973b908215c2f36bb6bbd746c61dba3424ff8504d72e9657", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|11faf80b6c5706ca973b908215c2f36bb6bbd746c61dba3424ff8504d72e9657"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/_data/blog.data.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 50356, "scanner": "repobility-threat-engine", "fingerprint": "f3c7c9fcd4381fbb6a203071996c7f60ebefe8f30e551a1be641fd0041898309", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f3c7c9fcd4381fbb6a203071996c7f60ebefe8f30e551a1be641fd0041898309"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/.vitepress/theme/index.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 5996, "scanner": "repobility-threat-engine", "fingerprint": "09a8cd1ea6065c02f53c1abe755440e0ab3fadb109f7d906e83780abbd7aa6a9", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|264|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/html/vite.config.js"}, "region": {"startLine": 264}}}]}, {"ruleId": "SEC006", "level": "none", "message": {"text": "[SEC006] XSS Risk (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 5995, "scanner": "repobility-threat-engine", "fingerprint": "0b64731a0bb5e20f30de0a1dfe2e49fd944d3f8dfdb7ade4b5ab034f93f3f633", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|0b64731a0bb5e20f30de0a1dfe2e49fd944d3f8dfdb7ade4b5ab034f93f3f633"}}}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 50404, "scanner": "repobility-threat-engine", "fingerprint": "ff64df9d7470aa48ebf662359c182bc9a81a50c83aa401191c5f2a6a68fe685c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "s.update(\n                    match.index,\n                    match.index + full", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ff64df9d7470aa48ebf662359c182bc9a81a50c83aa401191c5f2a6a68fe685c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vite/src/node/plugins/wasm.ts"}, "region": {"startLine": 134}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 50403, "scanner": "repobility-threat-engine", "fingerprint": "8edcb77eb5d1ba01d24c7209839a292045aa1a623f5a670195eefefd7277873f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "rendered.delete(this.environment)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8edcb77eb5d1ba01d24c7209839a292045aa1a623f5a670195eefefd7277873f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vite/src/node/plugins/prepareOutDir.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 50402, "scanner": "repobility-threat-engine", "fingerprint": "7db1aab596e1d08094fb7d50ccc9e579445067fe36a24119af1d4d260f59b9a1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "packageCache.delete(cacheKey)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7db1aab596e1d08094fb7d50ccc9e579445067fe36a24119af1d4d260f59b9a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vite/src/node/packages.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 50400, "scanner": "repobility-threat-engine", "fingerprint": "6b15205b6eabaa9ce9525bac83006b4e09956765c8bb053e556165ad1362a453", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(\n          patternKeys", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6b15205b6eabaa9ce9525bac83006b4e09956765c8bb053e556165ad1362a453"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vite/src/node/plugins/define.ts"}, "region": {"startLine": 92}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 50399, "scanner": "repobility-threat-engine", "fingerprint": "6d11cf8aa2640add65465cb7c0f0a42f4c037416b47fbbc08e71e12d48cd707c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(assetImportMetaUrlRE", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6d11cf8aa2640add65465cb7c0f0a42f4c037416b47fbbc08e71e12d48cd707c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vite/src/node/plugins/assetImportMetaUrl.ts"}, "region": {"startLine": 66}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 50398, "scanner": "repobility-threat-engine", "fingerprint": "f593201e1efa5e5a4a58dbc7fd5e5b66d118ae61560a21bb9fe1f1e1a0e8389a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(\n            exportsValue", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f593201e1efa5e5a4a58dbc7fd5e5b66d118ae61560a21bb9fe1f1e1a0e8389a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vite/src/node/optimizer/resolve.ts"}, "region": {"startLine": 87}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 50394, "scanner": "repobility-threat-engine", "fingerprint": "5d63da77c14405d66d5686289916b2f5def7c9298503435b8cdcb543bfd215bb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(\n      mod", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5d63da77c14405d66d5686289916b2f5def7c9298503435b8cdcb543bfd215bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vite/src/module-runner/evaluatedModules.ts"}, "region": {"startLine": 117}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 50393, "scanner": "repobility-threat-engine", "fingerprint": "58f84726c6f367b27c5eb185c8f0158d590d9d191d62049d6df1bd9f7c1e4b66", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(text", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|58f84726c6f367b27c5eb185c8f0158d590d9d191d62049d6df1bd9f7c1e4b66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vite/src/client/overlay.ts"}, "region": {"startLine": 272}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 50392, "scanner": "repobility-threat-engine", "fingerprint": "62f98eb12e8f067d96b2cad9c08ff0220af28de6ca10617f0e0bf8d3e5cfba6a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(code", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|62f98eb12e8f067d96b2cad9c08ff0220af28de6ca10617f0e0bf8d3e5cfba6a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vite/rolldown.config.ts"}, "region": {"startLine": 252}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 50386, "scanner": "repobility-threat-engine", "fingerprint": "b8a56238efd0f7fc87c7c4a381e49e8cc6c14d9eca1a4ca58b674ede046bb348", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(i", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b8a56238efd0f7fc87c7c4a381e49e8cc6c14d9eca1a4ca58b674ede046bb348"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vite/src/module-runner/evaluatedModules.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 50385, "scanner": "repobility-threat-engine", "fingerprint": "2120b57931aa933dab903e26c4cdbd3e819cdd85f02918f3c93da894cb412686", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(\n      t", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2120b57931aa933dab903e26c4cdbd3e819cdd85f02918f3c93da894cb412686"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vite/rollupLicensePlugin.ts"}, "region": {"startLine": 177}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 50384, "scanner": "repobility-threat-engine", "fingerprint": "2afee99ee71686efab13b7c5cb305a4fdc276ac7c64181e8efd3ebebc5bf55e5", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(_", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2afee99ee71686efab13b7c5cb305a4fdc276ac7c64181e8efd3ebebc5bf55e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vite/rolldown.config.ts"}, "region": {"startLine": 365}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 50372, "scanner": "repobility-threat-engine", "fingerprint": "23bd946d3cdf6d8da2c5b65341c08d6be11db01e09a80f6d945eaaf5fe917bf2", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = `Count is ${counter}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|23bd946d3cdf6d8da2c5b65341c08d6be11db01e09a80f6d945eaaf5fe917bf2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/create-vite/template-vanilla/src/counter.js"}, "region": {"startLine": 5}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 50371, "scanner": "repobility-threat-engine", "fingerprint": "757a3355eda89756a20382072051e4c6d522dd496dd2b37ce5068cb5bd7ebdf5", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = `\n<section id=\"center\">\n  <div class=\"hero\">\n    <img src=\"${heroImg}\" class=\"base\" wid", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|757a3355eda89756a20382072051e4c6d522dd496dd2b37ce5068cb5bd7ebdf5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/create-vite/template-vanilla-ts/src/main.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 50370, "scanner": "repobility-threat-engine", "fingerprint": "7e285bdab82cbfd8aec516153d0df30feeb4b0f3dd13af8a5b0d4ec758afeaf8", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = `Count is ${counter}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7e285bdab82cbfd8aec516153d0df30feeb4b0f3dd13af8a5b0d4ec758afeaf8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/create-vite/template-vanilla-ts/src/counter.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "SEC006", "level": "error", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 50368, "scanner": "repobility-threat-engine", "fingerprint": "0ef50d6c213e04b0c9f6d9795aa9a3971184375c9eebd2c78a6a9c813aebc077", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": ".innerHTML = `", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|7|sec006", "duplicate_count": 1, "duplicate_rule_ids": ["SEC006"], "duplicate_scanners": ["repobility-threat-engine"], "duplicate_fingerprints": ["0ef50d6c213e04b0c9f6d9795aa9a3971184375c9eebd2c78a6a9c813aebc077", "24ed0a6c4b68fb0f23c9354ef4c781c18e385239caf075bc70382f6008b8d324"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/create-vite/template-vanilla-ts/src/main.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "package.json dep `@vitejs/test-dep-not-js` pulled from URL/Git"}, "properties": {"repobilityId": 50355, "scanner": "repobility-supply-chain", "fingerprint": "3d9777f8e0380db0e8ca8aebed7a75201420d44e284ed0ee5f138c64dae67c33", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3d9777f8e0380db0e8ca8aebed7a75201420d44e284ed0ee5f138c64dae67c33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/optimize-deps/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "package.json dep `@vitejs/test-dep-node-env` pulled from URL/Git"}, "properties": {"repobilityId": 50354, "scanner": "repobility-supply-chain", "fingerprint": "11a2d9d0088dc28ba705aef8b3e1f1a5a70a68e766fd56c84a925b09b711286c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|11a2d9d0088dc28ba705aef8b3e1f1a5a70a68e766fd56c84a925b09b711286c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/optimize-deps/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "package.json dep `@vitejs/test-dep-linked-include` pulled from URL/Git"}, "properties": {"repobilityId": 50353, "scanner": "repobility-supply-chain", "fingerprint": "6006d63339ee615937540d4946aefa396c6d2bac4800ba63bc2d7e8673996719", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6006d63339ee615937540d4946aefa396c6d2bac4800ba63bc2d7e8673996719"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/optimize-deps/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "package.json dep `@vitejs/test-dep-linked` pulled from URL/Git"}, "properties": {"repobilityId": 50352, "scanner": "repobility-supply-chain", "fingerprint": "6e82015ca81389734cccd31f2f5e128b80f18058cd5acbc28cc0dab2a1254d46", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6e82015ca81389734cccd31f2f5e128b80f18058cd5acbc28cc0dab2a1254d46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/optimize-deps/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "package.json dep `@vitejs/test-dep-incompatible` pulled from URL/Git"}, "properties": {"repobilityId": 50351, "scanner": "repobility-supply-chain", "fingerprint": "1c3905a376130da9268dccec9961616b8a29a460f802f478ba4e114a68a8bd52", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1c3905a376130da9268dccec9961616b8a29a460f802f478ba4e114a68a8bd52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/optimize-deps/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "package.json dep `@vitejs/test-dep-css-require` pulled from URL/Git"}, "properties": {"repobilityId": 50350, "scanner": "repobility-supply-chain", "fingerprint": "deb2c0aafeda666190a569997d2c1de47593e836526a44f83e539bf1d0e05bf6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|deb2c0aafeda666190a569997d2c1de47593e836526a44f83e539bf1d0e05bf6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/optimize-deps/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "package.json dep `@vitejs/longfilename-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa` pulled from URL/Git"}, "properties": {"repobilityId": 50349, "scanner": "repobility-supply-chain", "fingerprint": "05e155a07456b5032496f3c4bbd1ded7a17034a106bba3f54499e8d870545f33", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|05e155a07456b5032496f3c4bbd1ded7a17034a106bba3f54499e8d870545f33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/optimize-deps/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "package.json dep `@vitejs/test-dep-source-map-no-sources` pulled from URL/Git"}, "properties": {"repobilityId": 50348, "scanner": "repobility-supply-chain", "fingerprint": "57a1fbbc9bde6d0ddb512148ac2eaad275dc486e2d504ad2186e8979dd7f272a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|57a1fbbc9bde6d0ddb512148ac2eaad275dc486e2d504ad2186e8979dd7f272a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/optimize-deps/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "package.json dep `@vitejs/test-dep-no-discovery` pulled from URL/Git"}, "properties": {"repobilityId": 50347, "scanner": "repobility-supply-chain", "fingerprint": "076910e628c064f60c3fe8ec891926416467f375a1563adfe5f43286b2ebc908", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|076910e628c064f60c3fe8ec891926416467f375a1563adfe5f43286b2ebc908"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/optimize-deps-no-discovery/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "package.json dep `aliased-module` pulled from URL/Git"}, "properties": {"repobilityId": 50346, "scanner": "repobility-supply-chain", "fingerprint": "f52d45b7c9dfda17dd1a4ea0074d7e1be67414fc50eb71805817ca88f92407bc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f52d45b7c9dfda17dd1a4ea0074d7e1be67414fc50eb71805817ca88f92407bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/alias/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC006", "level": "error", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 5993, "scanner": "repobility-threat-engine", "fingerprint": "f0b92c425ee79f4466a036c5d35edc95651cd0c6fdde3e55a16b58ab4b6bd851", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = `", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|playground/data-uri/main.js|6|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/data-uri/main.js"}, "region": {"startLine": 6}}}]}, {"ruleId": "SEC006", "level": "error", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 5992, "scanner": "repobility-threat-engine", "fingerprint": "329b840c4fc052daeee9d3d8230edc64e258fa3a87c9f5c87170e1dcad45dbc4", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = `", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|2|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/css-codesplit/shared-css-main.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 50409, "scanner": "repobility-threat-engine", "fingerprint": "c72df71a85c77df885205e2705a4edec50c41dfb24798a4852bce0d087c9b1b8", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(path", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c72df71a85c77df885205e2705a4edec50c41dfb24798a4852bce0d087c9b1b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/ssr-deps/require-absolute/index.js"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED035", "level": "error", "message": {"text": "[MINED035] Js New Function: new Function(...) compiles strings to functions."}, "properties": {"repobilityId": 50407, "scanner": "repobility-threat-engine", "fingerprint": "6797376895f9ee93421576041d52a258d6edece5f5f9c854804353f4549f9f8b", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-new-function", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347980+00:00", "triaged_in_corpus": 20, "observations_count": 2547, "ai_coder_pattern_id": 104}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6797376895f9ee93421576041d52a258d6edece5f5f9c854804353f4549f9f8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vite/src/node/ssr/ssrStacktrace.ts"}, "region": {"startLine": 13}}}]}]}]}