{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "GHSA-xcj6-pq6g-qj4x", "name": "vite: GHSA-xcj6-pq6g-qj4x", "shortDescription": {"text": "vite: GHSA-xcj6-pq6g-qj4x"}, "fullDescription": {"text": "Vite allows server.fs.deny to be bypassed with .svg or relative paths"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-x574-m823-4x7w", "name": "vite: GHSA-x574-m823-4x7w", "shortDescription": {"text": "vite: GHSA-x574-m823-4x7w"}, "fullDescription": {"text": "Vite bypasses server.fs.deny when using ?raw??"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-vg6x-rcgg-rjx6", "name": "vite: GHSA-vg6x-rcgg-rjx6", "shortDescription": {"text": "vite: GHSA-vg6x-rcgg-rjx6"}, "fullDescription": {"text": "Websites were able to send any requests to the development server and read the response in vite"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-93m4-6634-74q7", "name": "vite: GHSA-93m4-6634-74q7", "shortDescription": {"text": "vite: GHSA-93m4-6634-74q7"}, "fullDescription": {"text": "vite allows server.fs.deny bypass via backslash on Windows"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-859w-5945-r5v3", "name": "vite: GHSA-859w-5945-r5v3", "shortDescription": {"text": "vite: GHSA-859w-5945-r5v3"}, "fullDescription": {"text": "Vite's server.fs.deny bypassed with /. for files under project root"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4w7w-66w2-5vf9", "name": "vite: GHSA-4w7w-66w2-5vf9", "shortDescription": {"text": "vite: GHSA-4w7w-66w2-5vf9"}, "fullDescription": {"text": "Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4r4m-qw57-chr8", "name": "vite: GHSA-4r4m-qw57-chr8", "shortDescription": {"text": "vite: GHSA-4r4m-qw57-chr8"}, "fullDescription": {"text": "Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-356w-63v5-8wf4", "name": "vite: GHSA-356w-63v5-8wf4", "shortDescription": {"text": "vite: GHSA-356w-63v5-8wf4"}, "fullDescription": {"text": "Vite has an `server.fs.deny` bypass with an invalid `request-target`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qj8w-gfj5-8c6v", "name": "serialize-javascript: GHSA-qj8w-gfj5-8c6v", "shortDescription": {"text": "serialize-javascript: GHSA-qj8w-gfj5-8c6v"}, "fullDescription": {"text": "Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-76p7-773f-r4q5", "name": "serialize-javascript: GHSA-76p7-773f-r4q5", "shortDescription": {"text": "serialize-javascript: GHSA-76p7-773f-r4q5"}, "fullDescription": {"text": "Cross-site Scripting (XSS) in serialize-javascript"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qx2v-qp2m-jg93", "name": "postcss: GHSA-qx2v-qp2m-jg93", "shortDescription": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "fullDescription": {"text": "PostCSS has XSS via Unescaped </style> in its CSS Stringify Output"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3v7f-55p6-f55p", "name": "picomatch: GHSA-3v7f-55p6-f55p", "shortDescription": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "fullDescription": {"text": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mwcw-c2x4-8c55", "name": "nanoid: GHSA-mwcw-c2x4-8c55", "shortDescription": {"text": "nanoid: GHSA-mwcw-c2x4-8c55"}, "fullDescription": {"text": "Predictable results in nanoid generation when given non-integer values"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4fh9-h7wg-q85m", "name": "mdast-util-to-hast: GHSA-4fh9-h7wg-q85m", "shortDescription": {"text": "mdast-util-to-hast: GHSA-4fh9-h7wg-q85m"}, "fullDescription": {"text": "mdast-util-to-hast has unsanitized class attribute"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mh29-5h37-fv8m", "name": "js-yaml: GHSA-mh29-5h37-fv8m", "shortDescription": {"text": "js-yaml: GHSA-mh29-5h37-fv8m"}, "fullDescription": {"text": "js-yaml has prototype pollution in merge (<<)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-67mh-4wv8-2f99", "name": "esbuild: GHSA-67mh-4wv8-2f99", "shortDescription": {"text": "esbuild: GHSA-67mh-4wv8-2f99"}, "fullDescription": {"text": "esbuild enables any website to send any requests to the development server and read the response"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f886-m6hf-6m8v", "name": "brace-expansion: GHSA-f886-m6hf-6m8v", "shortDescription": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "fullDescription": {"text": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2g4f-4pwh-qvx6", "name": "ajv: GHSA-2g4f-4pwh-qvx6", "shortDescription": {"text": "ajv: GHSA-2g4f-4pwh-qvx6"}, "fullDescription": {"text": "ajv has ReDoS when using `$data` option"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `@rollup/plugin-terser` is 1 major version(s) behind (^0.4.0 -> 1.0.0)", "shortDescription": {"text": "npm package `@rollup/plugin-terser` is 1 major version(s) behind (^0.4.0 -> 1.0.0)"}, "fullDescription": {"text": "`@rollup/plugin-terser` is pinned/resolved at ^0.4.0 but the latest stable release on the npm registry is 1.0.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "GHSA-jqfw-vq24-v9c3", "name": "vite: GHSA-jqfw-vq24-v9c3", "shortDescription": {"text": "vite: GHSA-jqfw-vq24-v9c3"}, "fullDescription": {"text": "Vite's `server.fs` settings were not applied to HTML files"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-g4jq-h2w9-997c", "name": "vite: GHSA-g4jq-h2w9-997c", "shortDescription": {"text": "vite: GHSA-g4jq-h2w9-997c"}, "fullDescription": {"text": "Vite middleware may serve files starting with the same name with the public directory"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-73rr-hh4g-fpgx", "name": "diff: GHSA-73rr-hh4g-fpgx", "shortDescription": {"text": "diff: GHSA-73rr-hh4g-fpgx"}, "fullDescription": {"text": "jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v6h2-p8h4-qcjw", "name": "brace-expansion: GHSA-v6h2-p8h4-qcjw", "shortDescription": {"text": "brace-expansion: GHSA-v6h2-p8h4-qcjw"}, "fullDescription": {"text": "brace-expansion Regular Expression Denial of Service vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c27g-q93r-2cwf", "name": "vite: GHSA-c27g-q93r-2cwf", "shortDescription": {"text": "vite: GHSA-c27g-q93r-2cwf"}, "fullDescription": {"text": "launch-editor vulnerable to command injection via the crafted request on Windows"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5c6j-r48x-rmvq", "name": "serialize-javascript: GHSA-5c6j-r48x-rmvq", "shortDescription": {"text": "serialize-javascript: GHSA-5c6j-r48x-rmvq"}, "fullDescription": {"text": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mw96-cpmx-2vgc", "name": "rollup: GHSA-mw96-cpmx-2vgc", "shortDescription": {"text": "rollup: GHSA-mw96-cpmx-2vgc"}, "fullDescription": {"text": "Rollup 4 has Arbitrary File Write via Path Traversal"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-gcx4-mw62-g8wm", "name": "rollup: GHSA-gcx4-mw62-g8wm", "shortDescription": {"text": "rollup: GHSA-gcx4-mw62-g8wm"}, "fullDescription": {"text": "DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c2c7-rcm5-vvqj", "name": "picomatch: GHSA-c2c7-rcm5-vvqj", "shortDescription": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "fullDescription": {"text": "Picomatch has a ReDoS vulnerability via extglob quantifiers"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7r86-cg39-jmmj", "name": "minimatch: GHSA-7r86-cg39-jmmj", "shortDescription": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "fullDescription": {"text": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3ppc-4f35-3m26", "name": "minimatch: GHSA-3ppc-4f35-3m26", "shortDescription": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "fullDescription": {"text": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-23c5-xmqv-rm74", "name": "minimatch: GHSA-23c5-xmqv-rm74", "shortDescription": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "fullDescription": {"text": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rf6f-7fwh-wjgh", "name": "flatted: GHSA-rf6f-7fwh-wjgh", "shortDescription": {"text": "flatted: GHSA-rf6f-7fwh-wjgh"}, "fullDescription": {"text": "Prototype Pollution via parse() in NodeJS flatted"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-25h7-pfq9-p65f", "name": "flatted: GHSA-25h7-pfq9-p65f", "shortDescription": {"text": "flatted: GHSA-25h7-pfq9-p65f"}, "fullDescription": {"text": "flatted vulnerable to unbounded recursion DoS in parse() revive phase"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3xgq-45jj-v275", "name": "cross-spawn: GHSA-3xgq-45jj-v275", "shortDescription": {"text": "cross-spawn: GHSA-3xgq-45jj-v275"}, "fullDescription": {"text": "Regular Expression Denial of Service (ReDoS) in cross-spawn"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-grv7-fg5c-xmjg", "name": "braces: GHSA-grv7-fg5c-xmjg", "shortDescription": {"text": "braces: GHSA-grv7-fg5c-xmjg"}, "fullDescription": {"text": "Uncontrolled resource consumption in braces"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/deploy-pages` pinned to mutable ref `@v4`", "shortDescription": {"text": "Action `actions/deploy-pages` pinned to mutable ref `@v4`"}, "fullDescription": {"text": "`uses: actions/deploy-pages@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/750"}, "properties": {"repository": "d3/d3", "repoUrl": "https://github.com/d3/d3", "branch": "main"}, "results": [{"ruleId": "GHSA-xcj6-pq6g-qj4x", "level": "warning", "message": {"text": "vite: GHSA-xcj6-pq6g-qj4x"}, "properties": {"repobilityId": 62627, "scanner": "osv-scanner", "fingerprint": "00c7faa48aa8a704384e7f5603b864be032efa3ed9328093a345f14a932901fd", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-31486"], "package": "vite", "rule_id": "GHSA-xcj6-pq6g-qj4x", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2025-31486|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-x574-m823-4x7w", "level": "warning", "message": {"text": "vite: GHSA-x574-m823-4x7w"}, "properties": {"repobilityId": 62626, "scanner": "osv-scanner", "fingerprint": "48512481d26af77dc071d7e01d29065c4e4927d0d5911d07ed888211d632808e", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-30208"], "package": "vite", "rule_id": "GHSA-x574-m823-4x7w", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2025-30208|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vg6x-rcgg-rjx6", "level": "warning", "message": {"text": "vite: GHSA-vg6x-rcgg-rjx6"}, "properties": {"repobilityId": 62625, "scanner": "osv-scanner", "fingerprint": "98f64093e5ea578abb2940344c76f8ed5efd1a2f8df6b8ea74e6b81824bf6081", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-24010"], "package": "vite", "rule_id": "GHSA-vg6x-rcgg-rjx6", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2025-24010|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-93m4-6634-74q7", "level": "warning", "message": {"text": "vite: GHSA-93m4-6634-74q7"}, "properties": {"repobilityId": 62621, "scanner": "osv-scanner", "fingerprint": "b1e7fb95f71b6efed48c5f8b5d51c64d3be1fc737c80fe1a2dc0e718f90cabe4", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-62522"], "package": "vite", "rule_id": "GHSA-93m4-6634-74q7", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2025-62522|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-859w-5945-r5v3", "level": "warning", "message": {"text": "vite: GHSA-859w-5945-r5v3"}, "properties": {"repobilityId": 62620, "scanner": "osv-scanner", "fingerprint": "2948f34e164025c7975e5b18ac3f4d6a416676edee2159c10f10c78fcb8a0bb6", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-46565"], "package": "vite", "rule_id": "GHSA-859w-5945-r5v3", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2025-46565|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4w7w-66w2-5vf9", "level": "warning", "message": {"text": "vite: GHSA-4w7w-66w2-5vf9"}, "properties": {"repobilityId": 62619, "scanner": "osv-scanner", "fingerprint": "2e719dec0daa5ffe7cf448ba6f4736ac3c98f52c00a20de4eca70fc0b0666860", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39365"], "package": "vite", "rule_id": "GHSA-4w7w-66w2-5vf9", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2026-39365|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4r4m-qw57-chr8", "level": "warning", "message": {"text": "vite: GHSA-4r4m-qw57-chr8"}, "properties": {"repobilityId": 62618, "scanner": "osv-scanner", "fingerprint": "c5d80de951892a04d21b657edcf8a5fae4dd12e2c84891ada11fd8823945a5a2", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-31125"], "package": "vite", "rule_id": "GHSA-4r4m-qw57-chr8", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2025-31125|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-356w-63v5-8wf4", "level": "warning", "message": {"text": "vite: GHSA-356w-63v5-8wf4"}, "properties": {"repobilityId": 62617, "scanner": "osv-scanner", "fingerprint": "806bc61ecc85cec3cce4d20bc635f8d157ca431b4dd619ff23c63903d5802a72", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-32395"], "package": "vite", "rule_id": "GHSA-356w-63v5-8wf4", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2025-32395|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qj8w-gfj5-8c6v", "level": "warning", "message": {"text": "serialize-javascript: GHSA-qj8w-gfj5-8c6v"}, "properties": {"repobilityId": 62616, "scanner": "osv-scanner", "fingerprint": "1c59ef4afe92099f003e3ffa513ad410d787a2b56fa73570cd1239ea05bfa2d4", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34043"], "package": "serialize-javascript", "rule_id": "GHSA-qj8w-gfj5-8c6v", "scanner": "osv-scanner", "correlation_key": "vuln|serialize-javascript|CVE-2026-34043|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-76p7-773f-r4q5", "level": "warning", "message": {"text": "serialize-javascript: GHSA-76p7-773f-r4q5"}, "properties": {"repobilityId": 62615, "scanner": "osv-scanner", "fingerprint": "654b8274e8396c27b09579959931df8c9fbccb0ce111d6aa8dfd8a7197bb1806", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-11831"], "package": "serialize-javascript", "rule_id": "GHSA-76p7-773f-r4q5", "scanner": "osv-scanner", "correlation_key": "vuln|serialize-javascript|CVE-2024-11831|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qx2v-qp2m-jg93", "level": "warning", "message": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "properties": {"repobilityId": 62611, "scanner": "osv-scanner", "fingerprint": "88e6b1a808a46d1254fb003a71496f6f03cc18938cf18c56646c44245e0d824a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41305"], "package": "postcss", "rule_id": "GHSA-qx2v-qp2m-jg93", "scanner": "osv-scanner", "correlation_key": "vuln|postcss|CVE-2026-41305|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3v7f-55p6-f55p", "level": "warning", "message": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "properties": {"repobilityId": 62609, "scanner": "osv-scanner", "fingerprint": "462b6f9a41343b35a2309e55c043ca31f20f04b7f9e15cb869e7180ff7fc1d96", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33672"], "package": "picomatch", "rule_id": "GHSA-3v7f-55p6-f55p", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33672|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mwcw-c2x4-8c55", "level": "warning", "message": {"text": "nanoid: GHSA-mwcw-c2x4-8c55"}, "properties": {"repobilityId": 62608, "scanner": "osv-scanner", "fingerprint": "b46495bb996b07b4016922b4f008333e26310d8940f96a6ae884b6e8bfb6a123", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-55565"], "package": "nanoid", "rule_id": "GHSA-mwcw-c2x4-8c55", "scanner": "osv-scanner", "correlation_key": "vuln|nanoid|CVE-2024-55565|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4fh9-h7wg-q85m", "level": "warning", "message": {"text": "mdast-util-to-hast: GHSA-4fh9-h7wg-q85m"}, "properties": {"repobilityId": 62604, "scanner": "osv-scanner", "fingerprint": "aca06a0673473bfc037bd25642190b3c7b6e2c296a659d6b832323c791c60f46", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-66400"], "package": "mdast-util-to-hast", "rule_id": "GHSA-4fh9-h7wg-q85m", "scanner": "osv-scanner", "correlation_key": "vuln|mdast-util-to-hast|CVE-2025-66400|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mh29-5h37-fv8m", "level": "warning", "message": {"text": "js-yaml: GHSA-mh29-5h37-fv8m"}, "properties": {"repobilityId": 62603, "scanner": "osv-scanner", "fingerprint": "a6fb91e8f613cd9af90c71675d02191330b4012dbca773f6ae2506c416145b90", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-64718"], "package": "js-yaml", "rule_id": "GHSA-mh29-5h37-fv8m", "scanner": "osv-scanner", "correlation_key": "vuln|js-yaml|CVE-2025-64718|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-67mh-4wv8-2f99", "level": "warning", "message": {"text": "esbuild: GHSA-67mh-4wv8-2f99"}, "properties": {"repobilityId": 62600, "scanner": "osv-scanner", "fingerprint": "54c08a518d22f2dcff43496ac5e2baf059a246eae9afe32e408e694d3ea3cbe3", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "esbuild", "rule_id": "GHSA-67mh-4wv8-2f99", "scanner": "osv-scanner", "correlation_key": "vuln|esbuild|GHSA-67MH-4WV8-2F99|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f886-m6hf-6m8v", "level": "warning", "message": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "properties": {"repobilityId": 62595, "scanner": "osv-scanner", "fingerprint": "d4b419a31e0e9347bcfafa58b7ad490de2bf201d666b0f13dc4b2518b663d57c", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33750"], "package": "brace-expansion", "rule_id": "GHSA-f886-m6hf-6m8v", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-33750|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2g4f-4pwh-qvx6", "level": "warning", "message": {"text": "ajv: GHSA-2g4f-4pwh-qvx6"}, "properties": {"repobilityId": 62594, "scanner": "osv-scanner", "fingerprint": "128d26ea5f5b40a60e9c47ea7ffd50a69def1874a9520acb5439503c3ca8a9e7", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-69873"], "package": "ajv", "rule_id": "GHSA-2g4f-4pwh-qvx6", "scanner": "osv-scanner", "correlation_key": "vuln|ajv|CVE-2025-69873|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@rollup/plugin-terser` is 1 major version(s) behind (^0.4.0 -> 1.0.0)"}, "properties": {"repobilityId": 62591, "scanner": "repobility-dependency-currency", "fingerprint": "5a68e635c088ff68795fb314e6b6a2d731ed4ca3dd2097cf1f5492052f670306", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@rollup/plugin-terser", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.0.0", "correlation_key": "fp|5a68e635c088ff68795fb314e6b6a2d731ed4ca3dd2097cf1f5492052f670306", "current_version": "^0.4.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@rollup/plugin-node-resolve` is 1 major version(s) behind (^15.2.3 -> 16.0.3)"}, "properties": {"repobilityId": 62590, "scanner": "repobility-dependency-currency", "fingerprint": "d9aa6bbb26ad2ce299267e8cd0a69f8762bc209c579f83587730a3031fcef192", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@rollup/plugin-node-resolve", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "16.0.3", "correlation_key": "fp|d9aa6bbb26ad2ce299267e8cd0a69f8762bc209c579f83587730a3031fcef192", "current_version": "^15.2.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@observablehq/runtime` is 1 major version(s) behind (^5.7.3 -> 6.0.0)"}, "properties": {"repobilityId": 62589, "scanner": "repobility-dependency-currency", "fingerprint": "9e22af6f13d2fcfbadb9710f4e895181b78d369462cc6ac5e565c55478f43318", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@observablehq/runtime", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.0.0", "correlation_key": "fp|9e22af6f13d2fcfbadb9710f4e895181b78d369462cc6ac5e565c55478f43318", "current_version": "^5.7.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jqfw-vq24-v9c3", "level": "note", "message": {"text": "vite: GHSA-jqfw-vq24-v9c3"}, "properties": {"repobilityId": 62624, "scanner": "osv-scanner", "fingerprint": "d4eae70ec621579dcc808869ff5e08cd5a0428b3c2b780031fb134dd266ff171", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-58752"], "package": "vite", "rule_id": "GHSA-jqfw-vq24-v9c3", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2025-58752|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-g4jq-h2w9-997c", "level": "note", "message": {"text": "vite: GHSA-g4jq-h2w9-997c"}, "properties": {"repobilityId": 62623, "scanner": "osv-scanner", "fingerprint": "1ad812b2318a7ffcf787ce8dfc2652f06e7142177df8dbed1fb1ba1ff1d2005f", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-58751"], "package": "vite", "rule_id": "GHSA-g4jq-h2w9-997c", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2025-58751|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-73rr-hh4g-fpgx", "level": "note", "message": {"text": "diff: GHSA-73rr-hh4g-fpgx"}, "properties": {"repobilityId": 62599, "scanner": "osv-scanner", "fingerprint": "03944092c5442fa60437db4400a4f39b63afd07f2762be40a6626a21c859ad4b", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-24001"], "package": "diff", "rule_id": "GHSA-73rr-hh4g-fpgx", "scanner": "osv-scanner", "correlation_key": "vuln|diff|CVE-2026-24001|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v6h2-p8h4-qcjw", "level": "note", "message": {"text": "brace-expansion: GHSA-v6h2-p8h4-qcjw"}, "properties": {"repobilityId": 62596, "scanner": "osv-scanner", "fingerprint": "1854d9dd5eb370302d7119641e8b8517081a2f7d14cd0cb0730993d4c09eb4d6", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-5889"], "package": "brace-expansion", "rule_id": "GHSA-v6h2-p8h4-qcjw", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2025-5889|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `vitepress` is minor version(s) behind (^1.4.0 -> 1.6.4)"}, "properties": {"repobilityId": 62592, "scanner": "repobility-dependency-currency", "fingerprint": "eb66c6a5a311b1cd2e83e287d1b029cb3dc1924b866c6dce45090bde6e8860cb", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "vitepress", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.6.4", "correlation_key": "fp|eb66c6a5a311b1cd2e83e287d1b029cb3dc1924b866c6dce45090bde6e8860cb", "current_version": "^1.4.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@observablehq/plot` is patch version(s) behind (^0.6.7 -> 0.6.17)"}, "properties": {"repobilityId": 62588, "scanner": "repobility-dependency-currency", "fingerprint": "4ea5d0dfc9ab3bba2a5a984742218ab98f85a47468614d0e874d875231e94391", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@observablehq/plot", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.6.17", "correlation_key": "fp|4ea5d0dfc9ab3bba2a5a984742218ab98f85a47468614d0e874d875231e94391", "current_version": "^0.6.7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `d3-format` is patch version(s) behind (^3.1.0 -> 3.1.2)"}, "properties": {"repobilityId": 62587, "scanner": "repobility-dependency-currency", "fingerprint": "f18e18c56f428f7645c26c024fd6bf7c16c587af0d322a9a9163941c72e363ed", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "d3-format", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.1.2", "correlation_key": "fp|f18e18c56f428f7645c26c024fd6bf7c16c587af0d322a9a9163941c72e363ed", "current_version": "^3.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c27g-q93r-2cwf", "level": "error", "message": {"text": "vite: GHSA-c27g-q93r-2cwf"}, "properties": {"repobilityId": 62622, "scanner": "osv-scanner", "fingerprint": "e04130918ae32b71c31b28bb09781d933cf111c186bcc3798ac32a4cae874a0c", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-52011"], "package": "vite", "rule_id": "GHSA-c27g-q93r-2cwf", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2024-52011|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5c6j-r48x-rmvq", "level": "error", "message": {"text": "serialize-javascript: GHSA-5c6j-r48x-rmvq"}, "properties": {"repobilityId": 62614, "scanner": "osv-scanner", "fingerprint": "1ef775a47df378c856c07b625124fda8dffefc3e2824185640a1944e77134c56", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "serialize-javascript", "rule_id": "GHSA-5c6j-r48x-rmvq", "scanner": "osv-scanner", "correlation_key": "vuln|serialize-javascript|GHSA-5C6J-R48X-RMVQ|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mw96-cpmx-2vgc", "level": "error", "message": {"text": "rollup: GHSA-mw96-cpmx-2vgc"}, "properties": {"repobilityId": 62613, "scanner": "osv-scanner", "fingerprint": "73f564d6a3431a4b0c52ce5f7f721287d73dc9c95a1b664e1059f3ee63a81309", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27606"], "package": "rollup", "rule_id": "GHSA-mw96-cpmx-2vgc", "scanner": "osv-scanner", "correlation_key": "vuln|rollup|CVE-2026-27606|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-gcx4-mw62-g8wm", "level": "error", "message": {"text": "rollup: GHSA-gcx4-mw62-g8wm"}, "properties": {"repobilityId": 62612, "scanner": "osv-scanner", "fingerprint": "bc648eb2b305e88faced732632f4a42066a56117b7bb6035ce920edc25fa0bda", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-47068"], "package": "rollup", "rule_id": "GHSA-gcx4-mw62-g8wm", "scanner": "osv-scanner", "correlation_key": "vuln|rollup|CVE-2024-47068|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c2c7-rcm5-vvqj", "level": "error", "message": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "properties": {"repobilityId": 62610, "scanner": "osv-scanner", "fingerprint": "ecad408982c8a867788b1b169f9773cfa4c952dae95c6913e1d2a58e3f6235b4", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33671"], "package": "picomatch", "rule_id": "GHSA-c2c7-rcm5-vvqj", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33671|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7r86-cg39-jmmj", "level": "error", "message": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "properties": {"repobilityId": 62607, "scanner": "osv-scanner", "fingerprint": "155d5f86682d4cca28cde02dfe1b84c1837cf98c6feba6adf8f141619cbe7278", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27903"], "package": "minimatch", "rule_id": "GHSA-7r86-cg39-jmmj", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27903|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3ppc-4f35-3m26", "level": "error", "message": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "properties": {"repobilityId": 62606, "scanner": "osv-scanner", "fingerprint": "09e3156d77e314926a52fbc6f5aec96b0f979198ea66c485cce13e20587eb10d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-26996"], "package": "minimatch", "rule_id": "GHSA-3ppc-4f35-3m26", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-26996|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-23c5-xmqv-rm74", "level": "error", "message": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "properties": {"repobilityId": 62605, "scanner": "osv-scanner", "fingerprint": "221b16994c1c62dd68d3c52e72deae94054e851fa81062e507d061a803f51227", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27904"], "package": "minimatch", "rule_id": "GHSA-23c5-xmqv-rm74", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27904|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rf6f-7fwh-wjgh", "level": "error", "message": {"text": "flatted: GHSA-rf6f-7fwh-wjgh"}, "properties": {"repobilityId": 62602, "scanner": "osv-scanner", "fingerprint": "d0b9234ec2966d5cd1ae83b092076fc6f5a32dfd776078904598a2fa7f33a0c2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33228"], "package": "flatted", "rule_id": "GHSA-rf6f-7fwh-wjgh", "scanner": "osv-scanner", "correlation_key": "vuln|flatted|CVE-2026-33228|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-25h7-pfq9-p65f", "level": "error", "message": {"text": "flatted: GHSA-25h7-pfq9-p65f"}, "properties": {"repobilityId": 62601, "scanner": "osv-scanner", "fingerprint": "c35df0a8f45b3093e14eb6817663ff04a68616414e8781d73a25447d74f0932f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-32141"], "package": "flatted", "rule_id": "GHSA-25h7-pfq9-p65f", "scanner": "osv-scanner", "correlation_key": "vuln|flatted|CVE-2026-32141|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3xgq-45jj-v275", "level": "error", "message": {"text": "cross-spawn: GHSA-3xgq-45jj-v275"}, "properties": {"repobilityId": 62598, "scanner": "osv-scanner", "fingerprint": "9cc1de1071c2e2f2fdc8c844fe693a4651cd7dd56d5ed46ed510d674489c61ea", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-21538"], "package": "cross-spawn", "rule_id": "GHSA-3xgq-45jj-v275", "scanner": "osv-scanner", "correlation_key": "vuln|cross-spawn|CVE-2024-21538|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-grv7-fg5c-xmjg", "level": "error", "message": {"text": "braces: GHSA-grv7-fg5c-xmjg"}, "properties": {"repobilityId": 62597, "scanner": "osv-scanner", "fingerprint": "de698ba9d47cdaec1afb55cc773057536cee3b0c6ab5ca361872935bfe85dc87", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-4068"], "package": "braces", "rule_id": "GHSA-grv7-fg5c-xmjg", "scanner": "osv-scanner", "correlation_key": "vuln|braces|CVE-2024-4068|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 62593, "scanner": "repobility-threat-engine", "fingerprint": "914f02b945d6862e5933416bd4e07e17cc345ca2302aa4e2513c728f36044a14", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|914f02b945d6862e5933416bd4e07e17cc345ca2302aa4e2513c728f36044a14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/.vitepress/theme/stargazers.data.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/deploy-pages` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 62586, "scanner": "repobility-supply-chain", "fingerprint": "b2db3afffd0def0566a8d30d987c1314c7a5af0dff5379a7148b374e7f14eeb5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b2db3afffd0def0566a8d30d987c1314c7a5af0dff5379a7148b374e7f14eeb5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-pages-artifact` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 62585, "scanner": "repobility-supply-chain", "fingerprint": "37500c812fa1df18c84262c79bd40b2298c617d328cbb7c35edd41135fbb50f2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|37500c812fa1df18c84262c79bd40b2298c617d328cbb7c35edd41135fbb50f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/configure-pages` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 62584, "scanner": "repobility-supply-chain", "fingerprint": "1a07faf2cbca61fd1cea77151a5fc8919c300b12699128bcc9f837f81deee86a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1a07faf2cbca61fd1cea77151a5fc8919c300b12699128bcc9f837f81deee86a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 62583, "scanner": "repobility-supply-chain", "fingerprint": "88fb328879d54264eb3a531a31d92ee4f33ea00626b37f8cbd9f0a92f2d0f63b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|88fb328879d54264eb3a531a31d92ee4f33ea00626b37f8cbd9f0a92f2d0f63b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 62582, "scanner": "repobility-supply-chain", "fingerprint": "6e36efca8f13bbd8c3c2156cdb2d505e29b10f5394a3975cd5ac1d7987e8fb7d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6e36efca8f13bbd8c3c2156cdb2d505e29b10f5394a3975cd5ac1d7987e8fb7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 62581, "scanner": "repobility-supply-chain", "fingerprint": "77790af3cc6fe5203d55f46c8ed183ac39481f7adb6755de8ccad6a104b5e2f4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|77790af3cc6fe5203d55f46c8ed183ac39481f7adb6755de8ccad6a104b5e2f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 62580, "scanner": "repobility-supply-chain", "fingerprint": "f1877dc0419accf350ca1bfb4bb5e947be875ba5de089ee97e8d923c68fa936e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f1877dc0419accf350ca1bfb4bb5e947be875ba5de089ee97e8d923c68fa936e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 62579, "scanner": "repobility-supply-chain", "fingerprint": "0a13a47ea8a382c7dabed26e39f13698f6aa9774004e9f65c5bd8a78253c37b4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0a13a47ea8a382c7dabed26e39f13698f6aa9774004e9f65c5bd8a78253c37b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 13}}}]}]}]}