{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "GHSA-58qx-3vcg-4xpx", "name": "ws: GHSA-58qx-3vcg-4xpx", "shortDescription": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "fullDescription": {"text": "ws: Uninitialized memory disclosure"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w5hq-g745-h8pq", "name": "uuid: GHSA-w5hq-g745-h8pq", "shortDescription": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "fullDescription": {"text": "uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q8mj-m7cp-5q26", "name": "qs: GHSA-q8mj-m7cp-5q26", "shortDescription": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "fullDescription": {"text": "qs has a 
remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qx2v-qp2m-jg93", "name": "postcss: GHSA-qx2v-qp2m-jg93", "shortDescription": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "fullDescription": {"text": "PostCSS has XSS via Unescaped </style> in its CSS Stringify Output"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v2v4-37r5-5v8g", "name": "ip-address: GHSA-v2v4-37r5-5v8g", "shortDescription": {"text": "ip-address: GHSA-v2v4-37r5-5v8g"}, "fullDescription": {"text": "ip-address has XSS in Address6 HTML-emitting methods"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-gh4j-gqv2-49f6", "name": "fast-xml-parser: GHSA-gh4j-gqv2-49f6", "shortDescription": {"text": "fast-xml-parser: GHSA-gh4j-gqv2-49f6"}, "fullDescription": {"text": "fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jxxr-4gwj-5jf2", "name": "brace-expansion: GHSA-jxxr-4gwj-5jf2", "shortDescription": {"text": "brace-expansion: GHSA-jxxr-4gwj-5jf2"}, "fullDescription": {"text": "brace-expansion: Large numeric range defeats documented `max` DoS protection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": 
{"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `jest` is 1 major version(s) behind (^29.2.1 -> 30.4.2)", "shortDescription": {"text": "npm package `jest` is 1 major version(s) behind (^29.2.1 -> 30.4.2)"}, "fullDescription": {"text": "`jest` is pinned/resolved at ^29.2.1 but the latest stable release on the npm registry is 30.4.2 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. 
This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. 
Without one, important docs and product pages are easy to miss."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Public websites should publish a robots.txt file so crawlers and AI agents can discover crawl rules and sitemap locations without guessing."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "GHSA-vpq2-c234-7xj6", "name": "@tootallnate/once: GHSA-vpq2-c234-7xj6", "shortDescription": {"text": "@tootallnate/once: GHSA-vpq2-c234-7xj6"}, "fullDescription": {"text": "@tootallnate/once vulnerable to Incorrect Control Flow Scoping"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC100", "name": "[SEC100] CORS permissive Access-Control-Allow-Origin: * (and 1 more): Same pattern found in 1 additional files. Review i", "shortDescription": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: * (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Allowlist specific origins. 
For dynamic per-request validation, validate against a known list and echo the origin back. Never combine wildcard origin with credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 10 more): Same pattern found in 10 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 2 more): Same pattern found in 2 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "GHSA-5wm8-gmm8-39j9", "name": "fast-xml-builder: GHSA-5wm8-gmm8-39j9", "shortDescription": {"text": "fast-xml-builder: GHSA-5wm8-gmm8-39j9"}, "fullDescription": {"text": "fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-x6wf-f3px-wcqx", "name": "@xmldom/xmldom: GHSA-x6wf-f3px-wcqx", "shortDescription": {"text": "@xmldom/xmldom: GHSA-x6wf-f3px-wcqx"}, "fullDescription": {"text": "xmldom has XML node injection through unvalidated processing instruction serialization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-j759-j44w-7fr8", "name": "@xmldom/xmldom: GHSA-j759-j44w-7fr8", "shortDescription": {"text": "@xmldom/xmldom: GHSA-j759-j44w-7fr8"}, "fullDescription": {"text": "xmldom has XML node injection through unvalidated comment serialization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f6ww-3ggp-fr8h", "name": "@xmldom/xmldom: GHSA-f6ww-3ggp-fr8h", "shortDescription": {"text": "@xmldom/xmldom: GHSA-f6ww-3ggp-fr8h"}, "fullDescription": {"text": "xmldom has XML injection through unvalidated DocumentType serialization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": 
"GHSA-2v35-w6hq-6mfw", "name": "@xmldom/xmldom: GHSA-2v35-w6hq-6mfw", "shortDescription": {"text": "@xmldom/xmldom: GHSA-2v35-w6hq-6mfw"}, "fullDescription": {"text": "xmldom: Uncontrolled recursion in XML serialization leads to DoS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. 
Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16. Apply the block to the resolved IP address rather than the hostname string, include loopback (127/8) and the IPv6 equivalents, and re-check on every redirect."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "Binary file `android/gradle/wrapper/gradle-wrapper.jar` committed in source repo", "shortDescription": {"text": "Binary file `android/gradle/wrapper/gradle-wrapper.jar` committed in source repo"}, "fullDescription": {"text": "`android/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (45,457 bytes) committed to a repo that otherwise has 124 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts. Gradle projects normally commit this wrapper JAR, so verify its checksum against the one Gradle publishes for the wrapper version before treating it as suspicious."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/setup-node` pinned to mutable ref `@v4`", "shortDescription": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "fullDescription": {"text": "`uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-character commit SHA and keep the pin current with Dependabot or Renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern. If the match is a live credential, revoke and rotate it; deleting it from the working tree leaves it in git history."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1329"}, "properties": {"repository": "ginoleeswan/hero", "repoUrl": "https://github.com/ginoleeswan/hero", "branch": "master"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 135936, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 135935, "scanner": "repobility-web-presence", "fingerprint": 
"7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-58qx-3vcg-4xpx", "level": "warning", "message": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "properties": {"repobilityId": 135930, "scanner": "osv-scanner", "fingerprint": "de906a0edbb25093a2e18157d27e7650c5d59dfb14b06382f6f170c04d020630", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45736"], "package": "ws", "rule_id": "GHSA-58qx-3vcg-4xpx", "scanner": "osv-scanner", "correlation_key": "vuln|ws|CVE-2026-45736|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w5hq-g745-h8pq", "level": "warning", "message": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "properties": {"repobilityId": 135929, "scanner": "osv-scanner", "fingerprint": "43ffcb0a2ce37f02f11229414b326bf3461eff0a2313382f704b9797828a6315", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41907"], "package": "uuid", "rule_id": "GHSA-w5hq-g745-h8pq", "scanner": "osv-scanner", "correlation_key": 
"vuln|uuid|CVE-2026-41907|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q8mj-m7cp-5q26", "level": "warning", "message": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "properties": {"repobilityId": 135928, "scanner": "osv-scanner", "fingerprint": "3e5751f1c47beefde8f6b075407b1b7186b45e90c496fc0f432b18afb75421eb", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-8723"], "package": "qs", "rule_id": "GHSA-q8mj-m7cp-5q26", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2026-8723|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qx2v-qp2m-jg93", "level": "warning", "message": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "properties": {"repobilityId": 135927, "scanner": "osv-scanner", "fingerprint": "88e6b1a808a46d1254fb003a71496f6f03cc18938cf18c56646c44245e0d824a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41305"], "package": "postcss", "rule_id": "GHSA-qx2v-qp2m-jg93", "scanner": "osv-scanner", "correlation_key": "vuln|postcss|CVE-2026-41305|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v2v4-37r5-5v8g", "level": "warning", "message": {"text": "ip-address: GHSA-v2v4-37r5-5v8g"}, "properties": {"repobilityId": 135926, "scanner": "osv-scanner", "fingerprint": "110e8c35b05f03766a369ef404439b4c80745df475a104793df87be7cc339d9f", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": 
["CVE-2026-42338"], "package": "ip-address", "rule_id": "GHSA-v2v4-37r5-5v8g", "scanner": "osv-scanner", "correlation_key": "vuln|ip-address|CVE-2026-42338|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-gh4j-gqv2-49f6", "level": "warning", "message": {"text": "fast-xml-parser: GHSA-gh4j-gqv2-49f6"}, "properties": {"repobilityId": 135925, "scanner": "osv-scanner", "fingerprint": "7321b4d37396ab26e4830937edaff5acdfdff0ae46d7d2bcb9d01c4637e8eff3", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41650"], "package": "fast-xml-parser", "rule_id": "GHSA-gh4j-gqv2-49f6", "scanner": "osv-scanner", "correlation_key": "vuln|fast-xml-parser|CVE-2026-41650|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jxxr-4gwj-5jf2", "level": "warning", "message": {"text": "brace-expansion: GHSA-jxxr-4gwj-5jf2"}, "properties": {"repobilityId": 135923, "scanner": "osv-scanner", "fingerprint": "5c96833c46f7678ad21518dc140979d6fcaac1d576fe54d4c5d84a9e7a3e8ace", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45149"], "package": "brace-expansion", "rule_id": "GHSA-jxxr-4gwj-5jf2", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-45149|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 135897, "scanner": "repobility-threat-engine", "fingerprint": 
"4a8c3ae5c6d21b311ad9f51df01abe86dea4e5056b5493a14dd125d30c7bab7e", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4a8c3ae5c6d21b311ad9f51df01abe86dea4e5056b5493a14dd125d30c7bab7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/biography/[id].tsx"}, "region": {"startLine": 70}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 135896, "scanner": "repobility-threat-engine", "fingerprint": "04e4534728d758090296469f27bebb37c30facff810fec205987f47f0291de20", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|04e4534728d758090296469f27bebb37c30facff810fec205987f47f0291de20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/(tabs)/search.tsx"}, "region": {"startLine": 74}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 135895, "scanner": "repobility-threat-engine", "fingerprint": "adf29da17aab096178db7bcaac99f44ff5988624f74942d54ec7c72a8899a225", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern 
matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|adf29da17aab096178db7bcaac99f44ff5988624f74942d54ec7c72a8899a225"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/(tabs)/explore.tsx"}, "region": {"startLine": 72}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 135894, "scanner": "repobility-agent-runtime", "fingerprint": "7b76d7e2c41ec443bbc48a47692b9a20110c9d938f380fbe67da628f1c7d5b70", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|7b76d7e2c41ec443bbc48a47692b9a20110c9d938f380fbe67da628f1c7d5b70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/hooks/useSearchHistory.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `jest` is 1 major version(s) behind (^29.2.1 -> 30.4.2)"}, "properties": {"repobilityId": 135893, "scanner": "repobility-dependency-currency", "fingerprint": "c28324e9026923cb70608960186346630b5beeecdcdca6130e1d04383dff9a02", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "jest", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], 
"latest_version": "30.4.2", "correlation_key": "fp|c28324e9026923cb70608960186346630b5beeecdcdca6130e1d04383dff9a02", "current_version": "^29.2.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@types/jest` is 1 major version(s) behind (29.5.14 -> 30.0.0)"}, "properties": {"repobilityId": 135892, "scanner": "repobility-dependency-currency", "fingerprint": "19bd5e4a319c5966d527188dab2f038e179a655b111a552afd72b45517aac2ee", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/jest", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "30.0.0", "correlation_key": "fp|19bd5e4a319c5966d527188dab2f038e179a655b111a552afd72b45517aac2ee", "current_version": "29.5.14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@testing-library/react-native` is 1 major version(s) behind (^13.3.3 -> 14.0.0)"}, "properties": {"repobilityId": 135891, "scanner": "repobility-dependency-currency", "fingerprint": "81d8704ba2d8e428cc8a7c3518ea080509c56dd5927c9bf1a103282836a40e93", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@testing-library/react-native", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "14.0.0", "correlation_key": "fp|81d8704ba2d8e428cc8a7c3518ea080509c56dd5927c9bf1a103282836a40e93", 
"current_version": "^13.3.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `react-native-gesture-handler` is 1 major version(s) behind (~2.30.0 -> 3.0.0)"}, "properties": {"repobilityId": 135886, "scanner": "repobility-dependency-currency", "fingerprint": "1531a410eca2488a1575c44f21ac6e3aa09cfa0aa213dd7210c9fd63c3545e1d", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "react-native-gesture-handler", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.0.0", "correlation_key": "fp|1531a410eca2488a1575c44f21ac6e3aa09cfa0aa213dd7210c9fd63c3545e1d", "current_version": "~2.30.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `expo-web-browser` is 1 major version(s) behind (~55.0.14 -> 56.0.5)"}, "properties": {"repobilityId": 135885, "scanner": "repobility-dependency-currency", "fingerprint": "4c1f248be86940541cb9dd373a721dc3980a074c573b03b1502d7b6472a54cdb", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "expo-web-browser", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "56.0.5", "correlation_key": "fp|4c1f248be86940541cb9dd373a721dc3980a074c573b03b1502d7b6472a54cdb", "current_version": "~55.0.14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, 
"region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `expo-updates` is 1 major version(s) behind (~55.0.19 -> 56.0.18)"}, "properties": {"repobilityId": 135884, "scanner": "repobility-dependency-currency", "fingerprint": "7278782ea05a925ef0262d9e39db1d159eacd7212ece3b231cfeb0c14f0c6924", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "expo-updates", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "56.0.18", "correlation_key": "fp|7278782ea05a925ef0262d9e39db1d159eacd7212ece3b231cfeb0c14f0c6924", "current_version": "~55.0.19"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `expo-system-ui` is 1 major version(s) behind (~55.0.14 -> 56.0.5)"}, "properties": {"repobilityId": 135883, "scanner": "repobility-dependency-currency", "fingerprint": "b4b99092e8534987baea66fc05456ca7238d9cb128fb14f1a109432e3d925a52", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "expo-system-ui", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "56.0.5", "correlation_key": "fp|b4b99092e8534987baea66fc05456ca7238d9cb128fb14f1a109432e3d925a52", "current_version": "~55.0.14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `expo-status-bar` is 1 major 
version(s) behind (~55.0.5 -> 56.0.4)"}, "properties": {"repobilityId": 135882, "scanner": "repobility-dependency-currency", "fingerprint": "bbdda222299ec766fedbe92c7ab25318643c17c8e268ac1634e683992b3d7f17", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "expo-status-bar", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "56.0.4", "correlation_key": "fp|bbdda222299ec766fedbe92c7ab25318643c17c8e268ac1634e683992b3d7f17", "current_version": "~55.0.5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `expo-splash-screen` is 1 major version(s) behind (~55.0.16 -> 56.0.10)"}, "properties": {"repobilityId": 135881, "scanner": "repobility-dependency-currency", "fingerprint": "67ca8ade59dae05ee2b96c92790a973ea6b35694f320ed54c5a2d2109f1d8f46", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "expo-splash-screen", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "56.0.10", "correlation_key": "fp|67ca8ade59dae05ee2b96c92790a973ea6b35694f320ed54c5a2d2109f1d8f46", "current_version": "~55.0.16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `expo-router` is 1 major version(s) behind (~55.0.11 -> 56.2.9)"}, "properties": {"repobilityId": 135880, "scanner": "repobility-dependency-currency", 
"fingerprint": "a403b33963bd4539841755f7bc21ec8274151a9a2f3e9f1d72544c4e31bc5222", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "expo-router", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "56.2.9", "correlation_key": "fp|a403b33963bd4539841755f7bc21ec8274151a9a2f3e9f1d72544c4e31bc5222", "current_version": "~55.0.11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `expo-linking` is 1 major version(s) behind (~55.0.11 -> 56.0.13)"}, "properties": {"repobilityId": 135879, "scanner": "repobility-dependency-currency", "fingerprint": "8259cbb0cc03f71521162c838a60be2361527ea0fa22cca291fce3193161e050", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "expo-linking", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "56.0.13", "correlation_key": "fp|8259cbb0cc03f71521162c838a60be2361527ea0fa22cca291fce3193161e050", "current_version": "~55.0.11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `expo-linear-gradient` is 1 major version(s) behind (~55.0.12 -> 56.0.4)"}, "properties": {"repobilityId": 135878, "scanner": "repobility-dependency-currency", "fingerprint": "898c44ef3aa80694f2201e830c4c97fe107e3b4280d9b9ed57eedf1d3f46f3c0", "category": "dependency", "severity": "medium", 
"confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "expo-linear-gradient", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "56.0.4", "correlation_key": "fp|898c44ef3aa80694f2201e830c4c97fe107e3b4280d9b9ed57eedf1d3f46f3c0", "current_version": "~55.0.12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `expo-image-picker` is 1 major version(s) behind (~55.0.18 -> 56.0.16)"}, "properties": {"repobilityId": 135877, "scanner": "repobility-dependency-currency", "fingerprint": "0f71e2cd39390de11fa54d93832613208cd3e1248cd182d745f83e04a827766f", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "expo-image-picker", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "56.0.16", "correlation_key": "fp|0f71e2cd39390de11fa54d93832613208cd3e1248cd182d745f83e04a827766f", "current_version": "~55.0.18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `expo-image` is 1 major version(s) behind (~55.0.8 -> 56.0.10)"}, "properties": {"repobilityId": 135876, "scanner": "repobility-dependency-currency", "fingerprint": "d348190c1b1a72d4c6c63a6625990e61395b9e79ab2a1d1907e71b9885bc69f7", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) 
behind", "signal": "currency", "cwe_ids": [], "package": "expo-image", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "56.0.10", "correlation_key": "fp|d348190c1b1a72d4c6c63a6625990e61395b9e79ab2a1d1907e71b9885bc69f7", "current_version": "~55.0.8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `expo-haptics` is 1 major version(s) behind (~55.0.13 -> 56.0.3)"}, "properties": {"repobilityId": 135875, "scanner": "repobility-dependency-currency", "fingerprint": "d9fda18433ad265842043fdbabcb6604a92490517204bf8d44c788babd9af1e3", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "expo-haptics", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "56.0.3", "correlation_key": "fp|d9fda18433ad265842043fdbabcb6604a92490517204bf8d44c788babd9af1e3", "current_version": "~55.0.13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `expo-font` is 1 major version(s) behind (~55.0.6 -> 56.0.5)"}, "properties": {"repobilityId": 135874, "scanner": "repobility-dependency-currency", "fingerprint": "d9546d2f9c57a0eb3ec04bb02df3e328d43e2c1a0635a7b0d338ef27ff6d622e", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "expo-font", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": 
["javascript"], "latest_version": "56.0.5", "correlation_key": "fp|d9546d2f9c57a0eb3ec04bb02df3e328d43e2c1a0635a7b0d338ef27ff6d622e", "current_version": "~55.0.6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `expo-dev-menu` is 1 major version(s) behind (^55.0.20 -> 56.0.16)"}, "properties": {"repobilityId": 135873, "scanner": "repobility-dependency-currency", "fingerprint": "db1bf85f84e435c751eb4621bde4b1fa6a86ca9b75917b819c50030dc0fc630f", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "expo-dev-menu", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "56.0.16", "correlation_key": "fp|db1bf85f84e435c751eb4621bde4b1fa6a86ca9b75917b819c50030dc0fc630f", "current_version": "^55.0.20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `expo-dev-client` is 1 major version(s) behind (^55.0.23 -> 56.0.19)"}, "properties": {"repobilityId": 135872, "scanner": "repobility-dependency-currency", "fingerprint": "6aea0a8ac2697d74ccc5136e007fab59fc7b58750d4df23759bc2ce8f62cd469", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "expo-dev-client", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "56.0.19", "correlation_key": "fp|6aea0a8ac2697d74ccc5136e007fab59fc7b58750d4df23759bc2ce8f62cd469", 
"current_version": "^55.0.23"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `expo-constants` is 1 major version(s) behind (~55.0.12 -> 56.0.17)"}, "properties": {"repobilityId": 135871, "scanner": "repobility-dependency-currency", "fingerprint": "0a1af4631ed6d660f4b76060d62d533385a8793135813f8a1243994cda34d0e1", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "expo-constants", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "56.0.17", "correlation_key": "fp|0a1af4631ed6d660f4b76060d62d533385a8793135813f8a1243994cda34d0e1", "current_version": "~55.0.12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@react-native-async-storage/async-storage` is 1 major version(s) behind (2.2.0 -> 3.1.1)"}, "properties": {"repobilityId": 135869, "scanner": "repobility-dependency-currency", "fingerprint": "1ce1dd242a04aa7e92ceaa9bed009562486224641c48731b91ba1bb30fa610f2", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@react-native-async-storage/async-storage", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.1.1", "correlation_key": "fp|1ce1dd242a04aa7e92ceaa9bed009562486224641c48731b91ba1bb30fa610f2", "current_version": "2.2.0"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 135934, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 135933, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 135932, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, 
"triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 135931, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vpq2-c234-7xj6", "level": "note", "message": {"text": "@tootallnate/once: GHSA-vpq2-c234-7xj6"}, "properties": {"repobilityId": 135918, "scanner": "osv-scanner", "fingerprint": "0ef18dda7b85626926b854aa196699c8b8d982a1d5f3be718d15521643f4f62c", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-3449"], "package": "@tootallnate/once", "rule_id": "GHSA-vpq2-c234-7xj6", "scanner": "osv-scanner", "correlation_key": 
"vuln|tootallnate/once|CVE-2026-3449|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `react-native-safe-area-context` is minor version(s) behind (~5.6.2 -> 5.8.0)"}, "properties": {"repobilityId": 135887, "scanner": "repobility-dependency-currency", "fingerprint": "678116c2f8ab4f340e5b3ab778e9b64c74f2a2fc4e1ee294c7bdbe1ca3a2e1ea", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "react-native-safe-area-context", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.8.0", "correlation_key": "fp|678116c2f8ab4f340e5b3ab778e9b64c74f2a2fc4e1ee294c7bdbe1ca3a2e1ea", "current_version": "~5.6.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135858, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9d3345a5d54d7e6c7cfc74d7f94876bc78d13bbdc4684d409712197b8d95ece0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "supabase/functions/get-comicvine-hero/index.ts", "duplicate_line": 1, "correlation_key": "fp|9d3345a5d54d7e6c7cfc74d7f94876bc78d13bbdc4684d409712197b8d95ece0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"supabase/functions/seed-comicvine-characters/index.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135857, "scanner": "repobility-ai-code-hygiene", "fingerprint": "693c71e72af85188c0b21af7335dac4dbb5a39b284f3529b0db8696ac76a3087", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/api.ts", "duplicate_line": 105, "correlation_key": "fp|693c71e72af85188c0b21af7335dac4dbb5a39b284f3529b0db8696ac76a3087"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "supabase/functions/get-comicvine-hero/index.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135856, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1ae0b74afb9f1fcec74282292294d02a85aacc37859465e547044ce3b9246406", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/api.ts", "duplicate_line": 87, "correlation_key": "fp|1ae0b74afb9f1fcec74282292294d02a85aacc37859465e547044ce3b9246406"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/types/index.ts"}, "region": {"startLine": 59}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across 
source files"}, "properties": {"repobilityId": 135855, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cef3ab3c5c19bbcd6a482ec72ede43b08d187a4e3de8dbd1e74224cc599cf930", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/enrich-heroes.ts", "duplicate_line": 19, "correlation_key": "fp|cef3ab3c5c19bbcd6a482ec72ede43b08d187a4e3de8dbd1e74224cc599cf930"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/api.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135854, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2221442fcd7fbff57adf8a619e4fb5fe707a21599580d9fc8bdf7faee48ae95c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/ui/ChangePasswordModal.tsx", "duplicate_line": 1, "correlation_key": "fp|2221442fcd7fbff57adf8a619e4fb5fe707a21599580d9fc8bdf7faee48ae95c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/ui/EditDisplayNameModal.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135853, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"99c83a80ea3cb7d9b781d700a10311ae898cd13a1dd60026bdd6c1d6736b79ba", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/compare/[hero]/pick.tsx", "duplicate_line": 69, "correlation_key": "fp|99c83a80ea3cb7d9b781d700a10311ae898cd13a1dd60026bdd6c1d6736b79ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/compare/[hero]/pick.web.tsx"}, "region": {"startLine": 87}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135852, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1b684d8c398bb4d89118f8ceda0e82df3f06f142ef2afb591a861732344b799f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/(tabs)/search.web.tsx", "duplicate_line": 49, "correlation_key": "fp|1b684d8c398bb4d89118f8ceda0e82df3f06f142ef2afb591a861732344b799f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/category/[slug].web.tsx"}, "region": {"startLine": 64}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135851, "scanner": "repobility-ai-code-hygiene", "fingerprint": "250d4473844f557c980776c59eb9f7d6585c1d4be488f8063cbd64c4552a33ba", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/(tabs)/explore.tsx", "duplicate_line": 102, "correlation_key": "fp|250d4473844f557c980776c59eb9f7d6585c1d4be488f8063cbd64c4552a33ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/(tabs)/search.tsx"}, "region": {"startLine": 107}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135850, "scanner": "repobility-ai-code-hygiene", "fingerprint": "44d7ab7da37a0a86a6e5146fbce5d209c56ecfc79a4e1dd7e32b7a85a2f96187", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/(auth)/signup.tsx", "duplicate_line": 275, "correlation_key": "fp|44d7ab7da37a0a86a6e5146fbce5d209c56ecfc79a4e1dd7e32b7a85a2f96187"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/(auth)/signup.web.tsx"}, "region": {"startLine": 448}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135849, "scanner": "repobility-ai-code-hygiene", "fingerprint": "756f20853f056e864098422ebfdca2fa7c649e035bfe6c5f3f65166af92ccb6e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/(auth)/login.tsx", "duplicate_line": 339, "correlation_key": "fp|756f20853f056e864098422ebfdca2fa7c649e035bfe6c5f3f65166af92ccb6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/(auth)/signup.web.tsx"}, "region": {"startLine": 421}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135848, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3a40d3337e9272c5ee310f83d83d931d01321b36854b2e13ef603dfad6d49ee9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/(auth)/forgot-password.web.tsx", "duplicate_line": 119, "correlation_key": "fp|3a40d3337e9272c5ee310f83d83d931d01321b36854b2e13ef603dfad6d49ee9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/(auth)/signup.web.tsx"}, "region": {"startLine": 94}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135847, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c89e147e75312d1ae2fd421a802bbfa49a7c9bfd990b9424fb8da408c6671cc7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/(auth)/login.web.tsx", "duplicate_line": 1, "correlation_key": 
"fp|c89e147e75312d1ae2fd421a802bbfa49a7c9bfd990b9424fb8da408c6671cc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/(auth)/signup.web.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135846, "scanner": "repobility-ai-code-hygiene", "fingerprint": "142313b4a2b5a47ddbcd44060d46b97f071ed47b0d3c23000b870d2924015833", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/(auth)/forgot-password.web.tsx", "duplicate_line": 383, "correlation_key": "fp|142313b4a2b5a47ddbcd44060d46b97f071ed47b0d3c23000b870d2924015833"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/(auth)/signup.tsx"}, "region": {"startLine": 343}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135845, "scanner": "repobility-ai-code-hygiene", "fingerprint": "72184bed1f181a930bfa456e5239de8113f0e1733dc2ca8da4305bcc006fa11a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/(auth)/forgot-password.tsx", "duplicate_line": 165, "correlation_key": "fp|72184bed1f181a930bfa456e5239de8113f0e1733dc2ca8da4305bcc006fa11a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/(auth)/signup.tsx"}, "region": 
{"startLine": 220}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135844, "scanner": "repobility-ai-code-hygiene", "fingerprint": "97f12c97d4f980a0a3585a6b81e1994f3610ecc7d34995cd0e55aa9d8eed70d7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/(auth)/login.tsx", "duplicate_line": 1, "correlation_key": "fp|97f12c97d4f980a0a3585a6b81e1994f3610ecc7d34995cd0e55aa9d8eed70d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/(auth)/signup.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135843, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6113457b732a31e300e3a5ce965a0e3ce98686f92e38d7e77087a75e655726df", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/(auth)/login.tsx", "duplicate_line": 339, "correlation_key": "fp|6113457b732a31e300e3a5ce965a0e3ce98686f92e38d7e77087a75e655726df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/(auth)/login.web.tsx"}, "region": {"startLine": 414}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135842, "scanner": 
"repobility-ai-code-hygiene", "fingerprint": "60f87661707b9421713662f0f735437aa59867a8a78b2b4f5de428f4b966e33d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/(auth)/forgot-password.web.tsx", "duplicate_line": 119, "correlation_key": "fp|60f87661707b9421713662f0f735437aa59867a8a78b2b4f5de428f4b966e33d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/(auth)/login.web.tsx"}, "region": {"startLine": 65}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135841, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5ccfe0edab009508740e943be5c67915363dd01773195e0d4bfd3ca2736a60d4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/(auth)/forgot-password.web.tsx", "duplicate_line": 396, "correlation_key": "fp|5ccfe0edab009508740e943be5c67915363dd01773195e0d4bfd3ca2736a60d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/(auth)/login.tsx"}, "region": {"startLine": 265}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135840, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2bd62c096b380c9d52a2d82249c499a89b7af792c73490aa14b95ff1e7b606fe", "category": "quality", "severity": "low", "confidence": 
0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/(auth)/forgot-password.tsx", "duplicate_line": 22, "correlation_key": "fp|2bd62c096b380c9d52a2d82249c499a89b7af792c73490aa14b95ff1e7b606fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/(auth)/forgot-password.web.tsx"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC100", "level": "none", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: * (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 135916, "scanner": "repobility-threat-engine", "fingerprint": "3888f3c97e91453967cfccb92eafef6441d6b43a8e3292bee1c79ed7ba8271b8", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|3888f3c97e91453967cfccb92eafef6441d6b43a8e3292bee1c79ed7ba8271b8"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 135911, "scanner": "repobility-threat-engine", "fingerprint": "c4d86489ad7a7b25aae7b702ba4cfe2eb34c3240c5d840717341874c78b4d393", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c4d86489ad7a7b25aae7b702ba4cfe2eb34c3240c5d840717341874c78b4d393"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/hooks/useAuth.ts"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 135908, "scanner": "repobility-threat-engine", "fingerprint": "377e9ed5b80ffb9d61ead7cdc96c8d32214c1075bbdc490f011ecc80671f46d1", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|377e9ed5b80ffb9d61ead7cdc96c8d32214c1075bbdc490f011ecc80671f46d1", "aggregated_count": 10}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 135907, "scanner": "repobility-threat-engine", "fingerprint": "582e80f37db16fd174d61f75724b52ddaf28c553b8f4ff5cfa173384bf4fbfb3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|582e80f37db16fd174d61f75724b52ddaf28c553b8f4ff5cfa173384bf4fbfb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/HeartButton.tsx"}, "region": {"startLine": 168}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 135906, "scanner": "repobility-threat-engine", "fingerprint": "5e8911fa8162f2a0d95cddb15f5419e2b40764a8a61a4dcbe59b166efba5ac76", "category": 
"quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5e8911fa8162f2a0d95cddb15f5419e2b40764a8a61a4dcbe59b166efba5ac76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/FirstIssueModal.tsx"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 135905, "scanner": "repobility-threat-engine", "fingerprint": "c53b698214dcb23c5510b9a28a356b53dcc6c903447741ad234baf69ae84a976", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c53b698214dcb23c5510b9a28a356b53dcc6c903447741ad234baf69ae84a976"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/AbilitiesSection.tsx"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking 
entirely."}, "properties": {"repobilityId": 135904, "scanner": "repobility-threat-engine", "fingerprint": "58180fb6b0d5fbf67040f3dba731b470e34c15baa87cb8fe1efee41ada23e012", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|58180fb6b0d5fbf67040f3dba731b470e34c15baa87cb8fe1efee41ada23e012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/web/category/FilterControls.tsx"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 135903, "scanner": "repobility-threat-engine", "fingerprint": "df149673f085e28d75f8c2375e7a1c2b94b7a9e17a7175d3d3d21bf1104ddc7a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|df149673f085e28d75f8c2375e7a1c2b94b7a9e17a7175d3d3d21bf1104ddc7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/AbilitiesSection.tsx"}, "region": {"startLine": 20}}}]}, {"ruleId": 
"MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 135902, "scanner": "repobility-threat-engine", "fingerprint": "f5f0ee0407b51d0ac20b895b10fb0fb2d25d496c71c3de2200e03e778c4fe3f2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f5f0ee0407b51d0ac20b895b10fb0fb2d25d496c71c3de2200e03e778c4fe3f2", "aggregated_count": 2}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 135901, "scanner": "repobility-threat-engine", "fingerprint": "03dd518ed8b0e8ede577820f62b64d248d259336720c3e9e477035bf65517e0c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|03dd518ed8b0e8ede577820f62b64d248d259336720c3e9e477035bf65517e0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/enrich-heroes.ts"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 135900, "scanner": "repobility-threat-engine", "fingerprint": "e856d4fd06e0954878aecd6b7976c8a4d6ab79ae839fd38055826f6d4cbac596", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e856d4fd06e0954878aecd6b7976c8a4d6ab79ae839fd38055826f6d4cbac596"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/enrich-comicvine.ts"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 135899, "scanner": "repobility-threat-engine", "fingerprint": "4bfd63a90bb14bead0ec5ea31b826f0e587b1d81aa7f8081ca8ee5cdf65fa293", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4bfd63a90bb14bead0ec5ea31b826f0e587b1d81aa7f8081ca8ee5cdf65fa293"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/compare/[hero]/pick.tsx"}, "region": {"startLine": 115}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 135898, "scanner": "repobility-threat-engine", "fingerprint": "55853ef45b03bf09cbc44c6f24922b8041151d72d31f01248b6f89c0cb3102d5", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|55853ef45b03bf09cbc44c6f24922b8041151d72d31f01248b6f89c0cb3102d5"}}}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@expo/ngrok` is patch version(s) behind (^4.1.0 -> 4.1.3)"}, "properties": {"repobilityId": 135890, "scanner": "repobility-dependency-currency", "fingerprint": "7643f25cc707d2b833b908449656f872329e35685dba106a97cb6b9d1e823347", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@expo/ngrok", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.1.3", "correlation_key": "fp|7643f25cc707d2b833b908449656f872329e35685dba106a97cb6b9d1e823347", "current_version": "^4.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `react-native-web` is patch version(s) behind (~0.21.0 -> 0.21.2)"}, "properties": {"repobilityId": 135889, "scanner": "repobility-dependency-currency", "fingerprint": "0fccfffdac9573bcde712053a6caef3073f0e6c0a70397d22c7164fdd5f8342e", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "react-native-web", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.21.2", "correlation_key": "fp|0fccfffdac9573bcde712053a6caef3073f0e6c0a70397d22c7164fdd5f8342e", "current_version": "~0.21.0"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `react-native-svg` is patch version(s) behind (15.15.3 -> 15.15.5)"}, "properties": {"repobilityId": 135888, "scanner": "repobility-dependency-currency", "fingerprint": "318e07a94f1c7ec3a120111bf73527459883d6ac2e33651610370293705879c1", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "react-native-svg", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "15.15.5", "correlation_key": "fp|318e07a94f1c7ec3a120111bf73527459883d6ac2e33651610370293705879c1", "current_version": "15.15.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `dotenv` is patch version(s) behind (^17.4.1 -> 17.4.2)"}, "properties": {"repobilityId": 135870, "scanner": "repobility-dependency-currency", "fingerprint": "07983a348eaff645f77794d9fc58b5ca2c30ba264784150f8c9ac532b652b8ea", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "dotenv", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "17.4.2", "correlation_key": "fp|07983a348eaff645f77794d9fc58b5ca2c30ba264784150f8c9ac532b652b8ea", "current_version": "^17.4.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5wm8-gmm8-39j9", "level": "error", "message": {"text": "fast-xml-builder: 
GHSA-5wm8-gmm8-39j9"}, "properties": {"repobilityId": 135924, "scanner": "osv-scanner", "fingerprint": "28339aa3d80b2762f71dce55829a1c80d4a91f807412be69638134e353b1d814", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44665"], "package": "fast-xml-builder", "rule_id": "GHSA-5wm8-gmm8-39j9", "scanner": "osv-scanner", "correlation_key": "vuln|fast-xml-builder|CVE-2026-44665|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-x6wf-f3px-wcqx", "level": "error", "message": {"text": "@xmldom/xmldom: GHSA-x6wf-f3px-wcqx"}, "properties": {"repobilityId": 135922, "scanner": "osv-scanner", "fingerprint": "d27bd28c7a94e76a0aafdaafb899a358826d5119f53eb646523a73e3137bb5c5", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41675"], "package": "@xmldom/xmldom", "rule_id": "GHSA-x6wf-f3px-wcqx", "scanner": "osv-scanner", "correlation_key": "vuln|xmldom/xmldom|CVE-2026-41675|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-j759-j44w-7fr8", "level": "error", "message": {"text": "@xmldom/xmldom: GHSA-j759-j44w-7fr8"}, "properties": {"repobilityId": 135921, "scanner": "osv-scanner", "fingerprint": "f4424ca776479d77af8faa5867303413c4cc0643ff8a2318037ea50ad34f98c3", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41672"], "package": "@xmldom/xmldom", "rule_id": "GHSA-j759-j44w-7fr8", "scanner": "osv-scanner", "correlation_key": "vuln|xmldom/xmldom|CVE-2026-41672|yarn.lock"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f6ww-3ggp-fr8h", "level": "error", "message": {"text": "@xmldom/xmldom: GHSA-f6ww-3ggp-fr8h"}, "properties": {"repobilityId": 135920, "scanner": "osv-scanner", "fingerprint": "f9aa97f08982925325cb2751f8af75d23bf42d886970668a7197966743ece00e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41674"], "package": "@xmldom/xmldom", "rule_id": "GHSA-f6ww-3ggp-fr8h", "scanner": "osv-scanner", "correlation_key": "vuln|xmldom/xmldom|CVE-2026-41674|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2v35-w6hq-6mfw", "level": "error", "message": {"text": "@xmldom/xmldom: GHSA-2v35-w6hq-6mfw"}, "properties": {"repobilityId": 135919, "scanner": "osv-scanner", "fingerprint": "0fb57e63759d59af34b2397e08d6491b0af432eead15878b2a4c31a12f7764eb", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41673"], "package": "@xmldom/xmldom", "rule_id": "GHSA-2v35-w6hq-6mfw", "scanner": "osv-scanner", "correlation_key": "vuln|xmldom/xmldom|CVE-2026-41673|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. 
Especially dangerous when combined with `Access-Control-Allow-Credentials: true`. Browsers block credentialed requests when the allowed origin is the literal `*`, so triage by what the endpoint exposes without cookies and prefer an explicit origin allowlist."}, "properties": {"repobilityId": 135915, "scanner": "repobility-threat-engine", "fingerprint": "9a80869632dd7482f0b39dd470fb0880d723a21ca280fa432a13692205044b70", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Access-Control-Allow-Origin': '*'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9a80869632dd7482f0b39dd470fb0880d723a21ca280fa432a13692205044b70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "supabase/functions/generate-verdict/index.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. 
Especially dangerous when combined with `Access-Control-Allow-Credentials: true`. Browsers block credentialed requests when the allowed origin is the literal `*`, so triage by what the endpoint exposes without cookies and prefer an explicit origin allowlist."}, "properties": {"repobilityId": 135914, "scanner": "repobility-threat-engine", "fingerprint": "f0f46d186d5e64252224d8fdf93fd81157ee612fcc617ffdddd18da79634cdbd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Access-Control-Allow-Origin': '*'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f0f46d186d5e64252224d8fdf93fd81157ee612fcc617ffdddd18da79634cdbd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "supabase/functions/generate-hero-stats/index.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. 
Especially dangerous when combined with `Access-Control-Allow-Credentials: true`. Browsers block credentialed requests when the allowed origin is the literal `*`, so triage by what the endpoint exposes without cookies and prefer an explicit origin allowlist."}, "properties": {"repobilityId": 135913, "scanner": "repobility-threat-engine", "fingerprint": "17351d6e9254597b160193d69bfb274ace132158fd3c1de455d605be3277d778", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Access-Control-Allow-Origin': '*'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|17351d6e9254597b160193d69bfb274ace132158fd3c1de455d605be3277d778"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "supabase/functions/delete-user/index.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 135912, "scanner": "repobility-threat-engine", "fingerprint": "54ab6e9324359864e76efb17993b87e3a838865d1fc43d9c7b79c01002c34f11", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Promise.all(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|54ab6e9324359864e76efb17993b87e3a838865d1fc43d9c7b79c01002c34f11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/hooks/useCompareMatchup.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 135910, "scanner": "repobility-threat-engine", "fingerprint": "a87966f4645049a0d7522ea1905d73429c485490b346b191158f1246f96ec22d", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(n", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a87966f4645049a0d7522ea1905d73429c485490b346b191158f1246f96ec22d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/hooks/useCategoryFilters.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 135909, "scanner": "repobility-threat-engine", "fingerprint": "b34d67b8bfa6859093b74803aa23f38b278735d398f44832e8befed873125aa5", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b34d67b8bfa6859093b74803aa23f38b278735d398f44832e8befed873125aa5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/MovieDetailSheet.tsx"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "Binary file `android/gradle/wrapper/gradle-wrapper.jar` committed in source repo"}, "properties": {"repobilityId": 135868, "scanner": "repobility-supply-chain", "fingerprint": "973d6751197bc87da8f1155b54a947166a5758ca066b4c40092148ef4e6e77f1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|973d6751197bc87da8f1155b54a947166a5758ca066b4c40092148ef4e6e77f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "android/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 135867, "scanner": "repobility-supply-chain", "fingerprint": "1e20c46e43fb44679e90ca547fc75c3ce4077f7725ee2341ed4c629ff9d8d846", "category": 
"dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1e20c46e43fb44679e90ca547fc75c3ce4077f7725ee2341ed4c629ff9d8d846"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 135866, "scanner": "repobility-supply-chain", "fingerprint": "6f32702d287f7f111d0923feb3020967c4186622fcb62e163fc311ba289e7dcb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6f32702d287f7f111d0923feb3020967c4186622fcb62e163fc311ba289e7dcb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 135865, "scanner": "repobility-supply-chain", "fingerprint": "ac7bc8e688f1684069cbdfbaf120c7bbd5b9882698a73195cda37b66673781b5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", 
"correlation_key": "fp|ac7bc8e688f1684069cbdfbaf120c7bbd5b9882698a73195cda37b66673781b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 135864, "scanner": "repobility-supply-chain", "fingerprint": "8e9c2e9891a278449d3016279859d1bdc9e20e759ecedea9b8c95cb2741c698d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8e9c2e9891a278449d3016279859d1bdc9e20e759ecedea9b8c95cb2741c698d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 135863, "scanner": "repobility-supply-chain", "fingerprint": "8071a75671d61a887b83cb351ebef4dbee0312d71f407f36125113e563055ebf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8071a75671d61a887b83cb351ebef4dbee0312d71f407f36125113e563055ebf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref 
`@v4`"}, "properties": {"repobilityId": 135862, "scanner": "repobility-supply-chain", "fingerprint": "634675b936a57eeb302bcae8c2381f0e781d480bfe5aa082e06e1d5bbd5da39b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|634675b936a57eeb302bcae8c2381f0e781d480bfe5aa082e06e1d5bbd5da39b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `github/codeql-action/analyze` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 135861, "scanner": "repobility-supply-chain", "fingerprint": "4f7cb1419ce511fd17364c183a95f779dfe7cb31c97d063a6a07a3188d404324", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4f7cb1419ce511fd17364c183a95f779dfe7cb31c97d063a6a07a3188d404324"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql-analysis.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `github/codeql-action/init` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 135860, "scanner": "repobility-supply-chain", "fingerprint": "aca19dfe17980ada4e12bfadcce0a8aa13120255cc627e19c94ae1a632e543fb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, 
"reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|aca19dfe17980ada4e12bfadcce0a8aa13120255cc627e19c94ae1a632e543fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql-analysis.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 135859, "scanner": "repobility-supply-chain", "fingerprint": "152e5e282b6e4d2f301ca0ceef741cb4701547749ec347357005fa1cb27141ff", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|152e5e282b6e4d2f301ca0ceef741cb4701547749ec347357005fa1cb27141ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql-analysis.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a generic API key, potentially exposing access to the services and sensitive operations it authorizes. If the value is live, rotate it; removing the line alone leaves it in Git history."}, "properties": {"repobilityId": 135917, "scanner": "gitleaks", "fingerprint": "4cf25a469cd967e6c58c7c878a53f6948b24078221dc92b6cd7fdcd0f09523da", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "COMICVINE_API_KEY=<redacted>", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|26|comicvine_api_key redacted"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "docs/superpowers/plans/2026-04-04-expo55-upgrade.md"}, "region": {"startLine": 266}}}]}]}]}