{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "GHSA-jxxr-4gwj-5jf2", "name": "brace-expansion: GHSA-jxxr-4gwj-5jf2", "shortDescription": {"text": "brace-expansion: GHSA-jxxr-4gwj-5jf2"}, "fullDescription": {"text": "brace-expansion: Large numeric range defeats documented `max` DoS protection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-GHA", "name": "GitHub Action `actions/setup-node@v4` is 2 major version(s) behind (latest v6.4.0)", "shortDescription": {"text": "GitHub Action `actions/setup-node@v4` is 2 major version(s) behind (latest v6.4.0)"}, "fullDescription": {"text": "`uses: actions/setup-node@v4` is 2 major version(s) behind the latest published release v6.4.0. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises \u2014 and which Repobility had no coverage for."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `dpdm` is minor version(s) behind (4.0.1 -> 4.2.0)", "shortDescription": {"text": "npm package `dpdm` is minor version(s) behind (4.0.1 -> 4.2.0)"}, "fullDescription": {"text": "`dpdm` is pinned/resolved at 4.0.1 but the latest stable release on the npm registry is 4.2.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "low", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 6 more): Same pattern found in 6 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC027", "name": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not config", "shortDescription": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "fullDescription": {"text": "Pass `noent: false` to libxmljs. Avoid xml2js or pass explicit secure config. Prefer parsers that don't expand external entities at all."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/setup-node` pinned to mutable ref `@v4`", "shortDescription": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "fullDescription": {"text": "`uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1091"}, "properties": {"repository": "dmonad/lib0", "repoUrl": "https://github.com/dmonad/lib0", "branch": "main"}, "results": [{"ruleId": "GHSA-jxxr-4gwj-5jf2", "level": "warning", "message": {"text": "brace-expansion: GHSA-jxxr-4gwj-5jf2"}, "properties": {"repobilityId": 106861, "scanner": "osv-scanner", "fingerprint": "424de426cd602f1c8b6679b49b7bfe47ca14575769f019abfeaa4836511a1e32", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45149"], "package": "brace-expansion", "rule_id": "GHSA-jxxr-4gwj-5jf2", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-45149|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 106860, "scanner": "repobility-threat-engine", "fingerprint": "285e39fdd60369b6d3f9a6840e630a6eb460e5ce873ac5e1172146ea4ab09cd4", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (e) { }", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|285e39fdd60369b6d3f9a6840e630a6eb460e5ce873ac5e1172146ea4ab09cd4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/storage.js"}, "region": {"startLine": 47}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/setup-node@v4` is 2 major version(s) behind (latest v6.4.0)"}, "properties": {"repobilityId": 106848, "scanner": "repobility-dependency-currency", "fingerprint": "2023daedb54fe9bf9a3e15847f04aeb4edfaca3101ce92d5dc44c079d8518345", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/setup-node", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.4.0", "correlation_key": "fp|2023daedb54fe9bf9a3e15847f04aeb4edfaca3101ce92d5dc44c079d8518345", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 106847, "scanner": "repobility-dependency-currency", "fingerprint": "6c13faca83142885f687154dadaa169f9ed1c8ae6672ec9fb054d5ea20137b6e", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|6c13faca83142885f687154dadaa169f9ed1c8ae6672ec9fb054d5ea20137b6e", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/setup-node@v4` is 2 major version(s) behind (latest v6.4.0)"}, "properties": {"repobilityId": 106845, "scanner": "repobility-dependency-currency", "fingerprint": "8ba4a5536d0deb2e51503ce001ed7a1ba3958f400db5436ddb19e0ff1672166f", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/setup-node", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.4.0", "correlation_key": "fp|8ba4a5536d0deb2e51503ce001ed7a1ba3958f400db5436ddb19e0ff1672166f", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/node.js.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 106844, "scanner": "repobility-dependency-currency", "fingerprint": "272869458d10ae53a494c7336ef698b14bd9e5241315cb4925604da14fd48da3", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|272869458d10ae53a494c7336ef698b14bd9e5241315cb4925604da14fd48da3", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/node.js.yml"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 106859, "scanner": "repobility-threat-engine", "fingerprint": "726dafaf669ce6b7aae33e78a3fc14dbc7b833f108e37860b4da8b5938d3818b", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML ==", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|src/logging.js|218|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/logging.js"}, "region": {"startLine": 218}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `dpdm` is minor version(s) behind (4.0.1 -> 4.2.0)"}, "properties": {"repobilityId": 106843, "scanner": "repobility-dependency-currency", "fingerprint": "beb27a9db2e2a677e305155376a9fa9365d90234ecd50dc9de67aaea7567b33b", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "dpdm", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.2.0", "correlation_key": "fp|beb27a9db2e2a677e305155376a9fa9365d90234ecd50dc9de67aaea7567b33b", "current_version": "4.0.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 106855, "scanner": "repobility-threat-engine", "fingerprint": "12b13d459be47215f9e94a2b72ecd3f833e6ba7b1bbe17d20a53497e6c2acce7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|12b13d459be47215f9e94a2b72ecd3f833e6ba7b1bbe17d20a53497e6c2acce7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/logging.node.js"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 106854, "scanner": "repobility-threat-engine", "fingerprint": "2c9646b0cda4577091d05f0f60a7ae9d62e56067c728d771a956cc28b176ac63", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2c9646b0cda4577091d05f0f60a7ae9d62e56067c728d771a956cc28b176ac63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/logging.js"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 106853, "scanner": "repobility-threat-engine", "fingerprint": "d61d480c1ae70a903f844daaaab6ec3d62f7ddb260c07f9ca73f8dbbea1749c4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d61d480c1ae70a903f844daaaab6ec3d62f7ddb260c07f9ca73f8dbbea1749c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/broadcastchannel.js"}, "region": {"startLine": 88}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 106852, "scanner": "repobility-threat-engine", "fingerprint": "719f16a1467677730b367baa2144dabfe702dd229dc13e6f3e8747ec0afa970d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|719f16a1467677730b367baa2144dabfe702dd229dc13e6f3e8747ec0afa970d"}}}, {"ruleId": "DEPCUR-GHA", "level": "none", "message": {"text": "GitHub Action `denoland/setup-deno@v2` is patch version(s) behind (latest v2.0.4)"}, "properties": {"repobilityId": 106846, "scanner": "repobility-dependency-currency", "fingerprint": "77ac5144222dd995851405620be9d4d87f1f24b537dfb14892d512ad47f0ca2f", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "denoland/setup-deno", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v2.0.4", "correlation_key": "fp|77ac5144222dd995851405620be9d4d87f1f24b537dfb14892d512ad47f0ca2f", "current_version": "v2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/node.js.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC027", "level": "error", "message": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "properties": {"repobilityId": 106858, "scanner": "repobility-threat-engine", "fingerprint": "d54a687f079b31bbc123e875bd6788c2c5511d90ef2b8afc693008ac3ab0f41e", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new DOMParser()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC027", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d54a687f079b31bbc123e875bd6788c2c5511d90ef2b8afc693008ac3ab0f41e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/dom.js"}, "region": {"startLine": 41}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 106857, "scanner": "repobility-threat-engine", "fingerprint": "527b31b78afe9db1654ecbb83a1ca4873a63ecf32adbec435866a78bdc8dc895", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(debugRegexVar", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|527b31b78afe9db1654ecbb83a1ca4873a63ecf32adbec435866a78bdc8dc895"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/logging.common.js"}, "region": {"startLine": 70}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 106856, "scanner": "repobility-threat-engine", "fingerprint": "362ce3139a01e70d414074a16db85b8f4985391284551f62c3fed2ffad875774", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(regexp", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|362ce3139a01e70d414074a16db85b8f4985391284551f62c3fed2ffad875774"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/diff/patience.js"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 106851, "scanner": "repobility-threat-engine", "fingerprint": "7e27dd3ce3b492e9462d8e5ffdc83fc1018ae559b99e7277cda4f41ab58b8ec9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "a.update(tres.a)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7e27dd3ce3b492e9462d8e5ffdc83fc1018ae559b99e7277cda4f41ab58b8ec9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/delta/binding.js"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 106850, "scanner": "repobility-threat-engine", "fingerprint": "4f4204d5fc6afb4769beb972d09e777842b1272d326db6c943e431af2e00c9af", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "cache._map.delete(q.start.key)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4f4204d5fc6afb4769beb972d09e777842b1272d326db6c943e431af2e00c9af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cache.js"}, "region": {"startLine": 68}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 106849, "scanner": "repobility-threat-engine", "fingerprint": "5b4e1ad59fd1f1af2c08a72e8a0ee0e0d15e5fbb4a8f04273c04ef1cfff76499", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "channels.delete(room)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5b4e1ad59fd1f1af2c08a72e8a0ee0e0d15e5fbb4a8f04273c04ef1cfff76499"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/broadcastchannel.js"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106842, "scanner": "repobility-supply-chain", "fingerprint": "22e50884af2abbe1d6bda4d84782c8cdd160fc5ba5fc734ae5fa7d84fa3dca35", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|22e50884af2abbe1d6bda4d84782c8cdd160fc5ba5fc734ae5fa7d84fa3dca35"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106841, "scanner": "repobility-supply-chain", "fingerprint": "dc778367e9ac06a7f07c6fb6437e45da9e5ed35ae8f096733f29955a0dbbc579", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dc778367e9ac06a7f07c6fb6437e45da9e5ed35ae8f096733f29955a0dbbc579"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106840, "scanner": "repobility-supply-chain", "fingerprint": "21e7b3ac12a0b9fa63087baf83dbcfdb1533a61709ca9c811169884bc04ca4ff", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|21e7b3ac12a0b9fa63087baf83dbcfdb1533a61709ca9c811169884bc04ca4ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106839, "scanner": "repobility-supply-chain", "fingerprint": "1ae7e83919cb49bc1c2729a4ad901886586f9a23d5a8384bca666f98e910b7ad", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1ae7e83919cb49bc1c2729a4ad901886586f9a23d5a8384bca666f98e910b7ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106838, "scanner": "repobility-supply-chain", "fingerprint": "21f28da80955931adb8cf737f10ae50e76cec22c9f3fe63a8c260f8b8d266041", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|21f28da80955931adb8cf737f10ae50e76cec22c9f3fe63a8c260f8b8d266041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106837, "scanner": "repobility-supply-chain", "fingerprint": "26ee8c9befb084224560f0c739d8bb0092ce658045747b6659fde939f18655d2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|26ee8c9befb084224560f0c739d8bb0092ce658045747b6659fde939f18655d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `denoland/setup-deno` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 106836, "scanner": "repobility-supply-chain", "fingerprint": "90b3c18ad4d701518074bbb1afcd9053922e8badb7b685df1ca339cdae6317f0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|90b3c18ad4d701518074bbb1afcd9053922e8badb7b685df1ca339cdae6317f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/node.js.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106835, "scanner": "repobility-supply-chain", "fingerprint": "c34a7c6e9ea57ed2b0822fac8555b2bac2df7111c9acda0d6a25bf61ba5bf7d2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c34a7c6e9ea57ed2b0822fac8555b2bac2df7111c9acda0d6a25bf61ba5bf7d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/node.js.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106834, "scanner": "repobility-supply-chain", "fingerprint": "1cf5206da4c929623ba9f1f1fc2f839808e43161715abb36abaf0acd2dfc0e6f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1cf5206da4c929623ba9f1f1fc2f839808e43161715abb36abaf0acd2dfc0e6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/node.js.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106833, "scanner": "repobility-supply-chain", "fingerprint": "7963e47bbc69865727275ee52d3f651b4869565a69a9210150cb21a52ff7e729", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7963e47bbc69865727275ee52d3f651b4869565a69a9210150cb21a52ff7e729"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/node.js.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106832, "scanner": "repobility-supply-chain", "fingerprint": "6471efce6ae2e39b8aa8aacfa02f9e64e208a73a6c4a04cd713319ed5fe4fd6c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6471efce6ae2e39b8aa8aacfa02f9e64e208a73a6c4a04cd713319ed5fe4fd6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/node.js.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106831, "scanner": "repobility-supply-chain", "fingerprint": "d3168e086acbc81af60008f7b9f1ff3a4bf40ed1d9e7d808f373e17730e6e705", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d3168e086acbc81af60008f7b9f1ff3a4bf40ed1d9e7d808f373e17730e6e705"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/node.js.yml"}, "region": {"startLine": 11}}}]}]}]}