{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "JRN002", "name": "Browser storage is used for session token material", "shortDescription": {"text": "Browser storage is used for session token material"}, "fullDescription": {"text": "localStorage and sessionStorage are readable by injected JavaScript. For sensitive sessions, this turns XSS into account compromise."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "GHSA-48c2-rrv3-qjmp", "name": "yaml: GHSA-48c2-rrv3-qjmp", "shortDescription": {"text": "yaml: GHSA-48c2-rrv3-qjmp"}, "fullDescription": {"text": "yaml is vulnerable to Stack Overflow via deeply nested YAML collections"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-58qx-3vcg-4xpx", "name": "ws: GHSA-58qx-3vcg-4xpx", "shortDescription": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "fullDescription": {"text": "ws: Uninitialized memory disclosure"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4w7w-66w2-5vf9", "name": "vite: GHSA-4w7w-66w2-5vf9", "shortDescription": {"text": "vite: GHSA-4w7w-66w2-5vf9"}, "fullDescription": {"text": "Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qj8w-gfj5-8c6v", "name": "serialize-javascript: GHSA-qj8w-gfj5-8c6v", "shortDescription": {"text": "serialize-javascript: GHSA-qj8w-gfj5-8c6v"}, "fullDescription": {"text": "Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-j452-xhg8-qg39", "name": "protocol-buffers-schema: GHSA-j452-xhg8-qg39", "shortDescription": {"text": "protocol-buffers-schema: GHSA-j452-xhg8-qg39"}, "fullDescription": {"text": "Mafintosh's protocol-buffers-schema is vulnerable to prototype pollution"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qx2v-qp2m-jg93", "name": "postcss: GHSA-qx2v-qp2m-jg93", "shortDescription": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "fullDescription": {"text": "PostCSS has XSS via Unescaped </style> in its CSS Stringify Output"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3v7f-55p6-f55p", "name": "picomatch: GHSA-3v7f-55p6-f55p", "shortDescription": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "fullDescription": {"text": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xxjr-mmjv-4gpg", "name": "lodash: GHSA-xxjr-mmjv-4gpg", "shortDescription": {"text": "lodash: GHSA-xxjr-mmjv-4gpg"}, "fullDescription": {"text": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f23m-r3pf-42rh", "name": "lodash: GHSA-f23m-r3pf-42rh", "shortDescription": {"text": "lodash: GHSA-f23m-r3pf-42rh"}, "fullDescription": {"text": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-x2rg-q646-7m2v", "name": "koa: GHSA-x2rg-q646-7m2v", "shortDescription": {"text": "koa: GHSA-x2rg-q646-7m2v"}, "fullDescription": {"text": "Koajs vulnerable to Cross-Site Scripting (XSS) at ctx.redirect() function"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-33vc-wfww-vjfv", "name": "jsondiffpatch: GHSA-33vc-wfww-vjfv", "shortDescription": {"text": "jsondiffpatch: GHSA-33vc-wfww-vjfv"}, "fullDescription": {"text": "jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jxxr-4gwj-5jf2", "name": "brace-expansion: GHSA-jxxr-4gwj-5jf2", "shortDescription": {"text": "brace-expansion: GHSA-jxxr-4gwj-5jf2"}, "fullDescription": {"text": "brace-expansion: Large numeric range defeats documented `max` DoS protection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f886-m6hf-6m8v", "name": "brace-expansion: GHSA-f886-m6hf-6m8v", "shortDescription": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "fullDescription": {"text": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-968p-4wvh-cqc8", "name": "@babel/helpers: GHSA-968p-4wvh-cqc8", "shortDescription": {"text": "@babel/helpers: GHSA-968p-4wvh-cqc8"}, "fullDescription": {"text": "Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image has no explicit tag", "shortDescription": {"text": "Dockerfile base image has no explicit tag"}, "fullDescription": {"text": "Images without explicit tags resolve to a mutable default tag, which weakens reproducibility and review."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Dockerfile base image uses the latest tag", "shortDescription": {"text": "Dockerfile base image uses the latest tag"}, "fullDescription": {"text": "The latest tag is mutable and can change without a code review, producing different images from the same source."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC046", "name": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supp", "shortDescription": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromis"}, "fullDescription": {"text": "Validate the URL is same-origin or on an explicit allowlist before assignment:\n  const u = new URL(serverUrl, location.href);\n  if (u.origin !== location.origin && !ALLOWED.includes(u.host)) return;\n  location.assign(u);\nEven better: have the server return a path (/checkout/done) instead of a full URL, and only allow same-origin navigation."}, "properties": {"scanner": "repobility-threat-engine", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-GHA", "name": "GitHub Action `actions/setup-node@v4` is 2 major version(s) behind (latest v6.4.0)", "shortDescription": {"text": "GitHub Action `actions/setup-node@v4` is 2 major version(s) behind (latest v6.4.0)"}, "fullDescription": {"text": "`uses: actions/setup-node@v4` is 2 major version(s) behind the latest published release v6.4.0. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises \u2014 and which Repobility had no coverage for."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `rimraf` is 3 major version(s) behind (3.0.2 -> 6.1.3)", "shortDescription": {"text": "npm package `rimraf` is 3 major version(s) behind (3.0.2 -> 6.1.3)"}, "fullDescription": {"text": "`rimraf` is pinned/resolved at 3.0.2 but the latest stable release on the npm registry is 6.1.3 (3 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. Without one, important docs and product pages are easy to miss."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Public websites should publish a robots.txt file so crawlers and AI agents can discover crawl rules and sitemap locations without guessing."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "GHSA-jgmv-j7ww-jx2x", "name": "koa: GHSA-jgmv-j7ww-jx2x", "shortDescription": {"text": "koa: GHSA-jgmv-j7ww-jx2x"}, "fullDescription": {"text": "Koa Open Redirect via Referrer Header (User-Controlled)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v6h2-p8h4-qcjw", "name": "brace-expansion: GHSA-v6h2-p8h4-qcjw", "shortDescription": {"text": "brace-expansion: GHSA-v6h2-p8h4-qcjw"}, "fullDescription": {"text": "brace-expansion Regular Expression Denial of Service vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED047", "name": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested.", "shortDescription": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 18 more): Same pattern found in 18 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 16 more): Same pattern found in 16 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Settings screens sometimes render API keys, tokens, or passwords back into HTML/JSX password fields. That still exposes the secret to page source, browser extensions, screenshots, and DOM scraping."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "GHSA-v2wj-q39q-566r", "name": "vite: GHSA-v2wj-q39q-566r", "shortDescription": {"text": "vite: GHSA-v2wj-q39q-566r"}, "fullDescription": {"text": "Vite: `server.fs.deny` bypassed with queries"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-p9ff-h696-f583", "name": "vite: GHSA-p9ff-h696-f583", "shortDescription": {"text": "vite: GHSA-p9ff-h696-f583"}, "fullDescription": {"text": "Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5c6j-r48x-rmvq", "name": "serialize-javascript: GHSA-5c6j-r48x-rmvq", "shortDescription": {"text": "serialize-javascript: GHSA-5c6j-r48x-rmvq"}, "fullDescription": {"text": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c2c7-rcm5-vvqj", "name": "picomatch: GHSA-c2c7-rcm5-vvqj", "shortDescription": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "fullDescription": {"text": "Picomatch has a ReDoS vulnerability via extglob quantifiers"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r5fr-rjxr-66jc", "name": "lodash: GHSA-r5fr-rjxr-66jc", "shortDescription": {"text": "lodash: GHSA-r5fr-rjxr-66jc"}, "fullDescription": {"text": "lodash vulnerable to Code Injection via `_.template` imports key names"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7gcc-r8m5-44qm", "name": "koa: GHSA-7gcc-r8m5-44qm", "shortDescription": {"text": "koa: GHSA-7gcc-r8m5-44qm"}, "fullDescription": {"text": "Koa has Host Header Injection via ctx.hostname"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w4gp-fjgq-3q4g", "name": "happy-dom: GHSA-w4gp-fjgq-3q4g", "shortDescription": {"text": "happy-dom: GHSA-w4gp-fjgq-3q4g"}, "fullDescription": {"text": "Happy DOM's fetch credentials include uses page-origin cookies instead of target-origin cookies"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-6q6h-j7hj-3r64", "name": "happy-dom: GHSA-6q6h-j7hj-3r64", "shortDescription": {"text": "happy-dom: GHSA-6q6h-j7hj-3r64"}, "fullDescription": {"text": "Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rf6f-7fwh-wjgh", "name": "flatted: GHSA-rf6f-7fwh-wjgh", "shortDescription": {"text": "flatted: GHSA-rf6f-7fwh-wjgh"}, "fullDescription": {"text": "Prototype Pollution via parse() in NodeJS flatted"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-25h7-pfq9-p65f", "name": "flatted: GHSA-25h7-pfq9-p65f", "shortDescription": {"text": "flatted: GHSA-25h7-pfq9-p65f"}, "fullDescription": {"text": "flatted vulnerable to unbounded recursion DoS in parse() revive phase"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v39h-62p7-jpjc", "name": "fast-uri: GHSA-v39h-62p7-jpjc", "shortDescription": {"text": "fast-uri: GHSA-v39h-62p7-jpjc"}, "fullDescription": {"text": "fast-uri vulnerable to host confusion via percent-encoded authority delimiters"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q3j6-qgpj-74h6", "name": "fast-uri: GHSA-q3j6-qgpj-74h6", "shortDescription": {"text": "fast-uri: GHSA-q3j6-qgpj-74h6"}, "fullDescription": {"text": "fast-uri vulnerable to path traversal via percent-encoded dot segments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-fv7c-fp4j-7gwp", "name": "@babel/plugin-transform-modules-systemjs: GHSA-fv7c-fp4j-7gwp", "shortDescription": {"text": "@babel/plugin-transform-modules-systemjs: GHSA-fv7c-fp4j-7gwp"}, "fullDescription": {"text": "@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/setup-node` pinned to mutable ref `@v4`", "shortDescription": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "fullDescription": {"text": "`uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `mcr.microsoft.com/devcontainers/javascript-node:22` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `mcr.microsoft.com/devcontainers/javascript-node:22` not pinned by digest"}, "fullDescription": {"text": "`FROM mcr.microsoft.com/devcontainers/javascript-node:22` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "GHSA-5xrq-8626-4rwp", "name": "vitest: GHSA-5xrq-8626-4rwp", "shortDescription": {"text": "vitest: GHSA-5xrq-8626-4rwp"}, "fullDescription": {"text": "When Vitest UI server is listening, arbitrary file can be read and executed"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-593f-38f6-jp5m", "name": "koa: GHSA-593f-38f6-jp5m", "shortDescription": {"text": "koa: GHSA-593f-38f6-jp5m"}, "fullDescription": {"text": "Inefficient Regular Expression Complexity in koa"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/990"}, "properties": {"repository": "gramps-project/gramps-web", "repoUrl": "https://github.com/gramps-project/gramps-web", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 93240, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 93239, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 93233, "scanner": "repobility-journey-contract", "fingerprint": "ba04a55b8f5a4ffefa88de4d96088df90bfd1ebba1f78ea58c80cfde6e4d1de0", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|src/api.js|687|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api.js"}, "region": {"startLine": 687}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 93232, "scanner": "repobility-journey-contract", "fingerprint": "6f3206a68e0d89dba0bd39c8541ef5d10a0ae1fffed5c7709ffdfa03693066ad", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|src/api.js|668|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api.js"}, "region": {"startLine": 668}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 93231, "scanner": "repobility-journey-contract", "fingerprint": "6484460ad72b3a50d533ed0d556352791617ae9667061e10accb06fe22c649ef", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|src/api.js|655|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api.js"}, "region": {"startLine": 655}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 93230, "scanner": "repobility-journey-contract", "fingerprint": "ffb671400fa8cf227a85edfd2404d64c41915a11f5aa2714f7fac99d0f5e5665", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|src/api.js|622|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api.js"}, "region": {"startLine": 622}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 93229, "scanner": "repobility-journey-contract", "fingerprint": "8fce5692b1863761a985b4fb40d9434b7b1573cc0144ed8806c958469a08b08e", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|src/api.js|613|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api.js"}, "region": {"startLine": 613}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 93228, "scanner": "repobility-journey-contract", "fingerprint": "0a078a71d36dc330b1c9594864a0f05968be5e45e6341da5811759a3afa211d4", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|src/api.js|608|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api.js"}, "region": {"startLine": 608}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 93227, "scanner": "repobility-journey-contract", "fingerprint": "e77ace73a13fb90559d37481c844bd3bcaa65d10869e05f2c8e80ec95830f7f5", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|src/api.js|602|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api.js"}, "region": {"startLine": 602}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 93226, "scanner": "repobility-journey-contract", "fingerprint": "6ba4ab13712b8a4be02bd84a580a562024ebc7052fc2fc2267643219249a918b", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|src/api.js|47|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api.js"}, "region": {"startLine": 47}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 93225, "scanner": "repobility-journey-contract", "fingerprint": "86f3247c35f0c71c5df4b1b8e1cc182e76810108bb732c59fabd60ec7abfae94", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|src/api.js|31|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api.js"}, "region": {"startLine": 31}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 93224, "scanner": "repobility-journey-contract", "fingerprint": "d8e0aca1476fdace64137e24479adf99f779392e4e1f9857c2fe618c8f72f481", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|src/api.js|27|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api.js"}, "region": {"startLine": 27}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 93223, "scanner": "repobility-journey-contract", "fingerprint": "498644744a93b0a17dfd92c63246fda7c052a95381de02e585c4c9e904ae7e36", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|src/api.js|23|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api.js"}, "region": {"startLine": 23}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 93222, "scanner": "repobility-journey-contract", "fingerprint": "51a084626f027de49caecc595bd6229756fe2456a0d75309ae56e33385d4ea38", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|src/api.js|22|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api.js"}, "region": {"startLine": 22}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 93221, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Express"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "GHSA-48c2-rrv3-qjmp", "level": "warning", "message": {"text": "yaml: GHSA-48c2-rrv3-qjmp"}, "properties": {"repobilityId": 93220, "scanner": "osv-scanner", "fingerprint": "f23c81ca1bf7793083d58c8b09cd6bf208ab392998a2d9a3bb3322561a728d6b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33532"], "package": "yaml", "rule_id": "GHSA-48c2-rrv3-qjmp", "scanner": "osv-scanner", "correlation_key": "vuln|yaml|CVE-2026-33532|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-58qx-3vcg-4xpx", "level": "warning", "message": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "properties": {"repobilityId": 93219, "scanner": "osv-scanner", "fingerprint": "1b788fa8525382946c739270c1849aaa868327cf2c4216daf211eef3de5db45b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45736"], "package": "ws", "rule_id": "GHSA-58qx-3vcg-4xpx", "scanner": "osv-scanner", "correlation_key": "vuln|ws|CVE-2026-45736|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4w7w-66w2-5vf9", "level": "warning", "message": {"text": "vite: GHSA-4w7w-66w2-5vf9"}, "properties": {"repobilityId": 93215, "scanner": "osv-scanner", "fingerprint": "b9493abcfc150bfe6cb302cb6e27e4bbb1e650942ccb7c4de386ac3ae1c5f54d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39365"], "package": "vite", "rule_id": "GHSA-4w7w-66w2-5vf9", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2026-39365|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qj8w-gfj5-8c6v", "level": "warning", "message": {"text": "serialize-javascript: GHSA-qj8w-gfj5-8c6v"}, "properties": {"repobilityId": 93214, "scanner": "osv-scanner", "fingerprint": "861c9140d2458e85a1dd789a1de43fb0746f37a04647da29356e9e95fb4647ef", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34043"], "package": "serialize-javascript", "rule_id": "GHSA-qj8w-gfj5-8c6v", "scanner": "osv-scanner", "correlation_key": "vuln|serialize-javascript|CVE-2026-34043|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-j452-xhg8-qg39", "level": "warning", "message": {"text": "protocol-buffers-schema: GHSA-j452-xhg8-qg39"}, "properties": {"repobilityId": 93212, "scanner": "osv-scanner", "fingerprint": "64c7e75787c215c3284bb0f48a463eedd9c746137b9f1ac3c31cc4b54ede3f7c", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-5758"], "package": "protocol-buffers-schema", "rule_id": "GHSA-j452-xhg8-qg39", "scanner": "osv-scanner", "correlation_key": "vuln|protocol-buffers-schema|CVE-2026-5758|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qx2v-qp2m-jg93", "level": "warning", "message": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "properties": {"repobilityId": 93211, "scanner": "osv-scanner", "fingerprint": "33aa829b4458c5ef73d832c9e568cf3032217bd31f4b18cc6a572d90111a50bb", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41305"], "package": "postcss", "rule_id": "GHSA-qx2v-qp2m-jg93", "scanner": "osv-scanner", "correlation_key": "vuln|postcss|CVE-2026-41305|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3v7f-55p6-f55p", "level": "warning", "message": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "properties": {"repobilityId": 93209, "scanner": "osv-scanner", "fingerprint": "d01f2097e7b318fed09051dc9486d1856dda99f71ea520983bca2d575128e70d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33672"], "package": "picomatch", "rule_id": "GHSA-3v7f-55p6-f55p", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33672|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xxjr-mmjv-4gpg", "level": "warning", "message": {"text": "lodash: GHSA-xxjr-mmjv-4gpg"}, "properties": {"repobilityId": 93208, "scanner": "osv-scanner", "fingerprint": "f047ccc7d9c1109aced3a5c21f0b53a27d6582174ed7660bc0f4dfe83bf08a1a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-13465"], "package": "lodash", "rule_id": "GHSA-xxjr-mmjv-4gpg", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2025-13465|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f23m-r3pf-42rh", "level": "warning", "message": {"text": "lodash: GHSA-f23m-r3pf-42rh"}, "properties": {"repobilityId": 93206, "scanner": "osv-scanner", "fingerprint": "de986ead824c9cd2225230d6fcc7a484a3f62fc4668bd948eb33bf3de3e73e26", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2950"], "package": "lodash", "rule_id": "GHSA-f23m-r3pf-42rh", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2026-2950|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-x2rg-q646-7m2v", "level": "warning", "message": {"text": "koa: GHSA-x2rg-q646-7m2v"}, "properties": {"repobilityId": 93205, "scanner": "osv-scanner", "fingerprint": "7418dc8f6f2331d652aa9b3af8c75a6f019af77ee4e4f85c749a754aa7124d22", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-32379"], "package": "koa", "rule_id": "GHSA-x2rg-q646-7m2v", "scanner": "osv-scanner", "correlation_key": "vuln|koa|CVE-2025-32379|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-33vc-wfww-vjfv", "level": "warning", "message": {"text": "jsondiffpatch: GHSA-33vc-wfww-vjfv"}, "properties": {"repobilityId": 93201, "scanner": "osv-scanner", "fingerprint": "80425ba4ea45a9f205d3891d987546418fbefd170494c2944f530531adb1c5c4", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-9910"], "package": "jsondiffpatch", "rule_id": "GHSA-33vc-wfww-vjfv", "scanner": "osv-scanner", "correlation_key": "vuln|jsondiffpatch|CVE-2025-9910|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jxxr-4gwj-5jf2", "level": "warning", "message": {"text": "brace-expansion: GHSA-jxxr-4gwj-5jf2"}, "properties": {"repobilityId": 93194, "scanner": "osv-scanner", "fingerprint": "424de426cd602f1c8b6679b49b7bfe47ca14575769f019abfeaa4836511a1e32", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45149"], "package": "brace-expansion", "rule_id": "GHSA-jxxr-4gwj-5jf2", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-45149|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f886-m6hf-6m8v", "level": "warning", "message": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "properties": {"repobilityId": 93192, "scanner": "osv-scanner", "fingerprint": "e8eb0ab1ffbb15b3b127c7436af364aa04d69dbc42fb22d21fcb4f304d428269", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33750"], "package": "brace-expansion", "rule_id": "GHSA-f886-m6hf-6m8v", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-33750|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-968p-4wvh-cqc8", "level": "warning", "message": {"text": "@babel/helpers: GHSA-968p-4wvh-cqc8"}, "properties": {"repobilityId": 93190, "scanner": "osv-scanner", "fingerprint": "a2744c3dc4514686546d37b3766fd7426464a5ddd60df990e0fd10cd70ff8afb", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-27789"], "package": "@babel/helpers", "rule_id": "GHSA-968p-4wvh-cqc8", "scanner": "osv-scanner", "correlation_key": "vuln|babel/helpers|CVE-2025-27789|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 93189, "scanner": "repobility-docker", "fingerprint": "45502d763efdee92d14e9fdfb178797f17cf7acc4e6b81c4af9d3444f2610633", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "nginx", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|45502d763efdee92d14e9fdfb178797f17cf7acc4e6b81c4af9d3444f2610633"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.nginx"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 93188, "scanner": "repobility-docker", "fingerprint": "ad17548ed3151648e94694e9a1dd07e7e02310344f0315f3b788e32308882f91", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "nginx", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|ad17548ed3151648e94694e9a1dd07e7e02310344f0315f3b788e32308882f91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.nginx"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 93187, "scanner": "repobility-docker", "fingerprint": "d3ddc0bf867c77aac4086346bc19d85cbbcfc16a4b0d52e7e8fbfcc69ab16011", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "dmstraub/gramps-webapi:latest-devel", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d3ddc0bf867c77aac4086346bc19d85cbbcfc16a4b0d52e7e8fbfcc69ab16011"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.devel"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 93186, "scanner": "repobility-docker", "fingerprint": "bbddb30f89178c7f394f661014c4463818fa0d7143e3346dcf37c2b53e571e10", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "dmstraub/gramps-webapi:latest", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|bbddb30f89178c7f394f661014c4463818fa0d7143e3346dcf37c2b53e571e10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 93185, "scanner": "repobility-docker", "fingerprint": "01c9327c17496a30f170e52ec8d43d068e0fb066b668275237ec915aaa0fabd2", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "dmstraub/gramps-webapi:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|01c9327c17496a30f170e52ec8d43d068e0fb066b668275237ec915aaa0fabd2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 93183, "scanner": "repobility-docker", "fingerprint": "2d2208484c91d91d396bb391119712bf46319d44b21645394b977aa95113373d", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "mcr.microsoft.com/devcontainers/javascript-node:22", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2d2208484c91d91d396bb391119712bf46319d44b21645394b977aa95113373d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 93182, "scanner": "repobility-threat-engine", "fingerprint": "4c115e9de8ecca14541d12254bab0c5646fa8f6026d99eee054ff31243e9c748", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a\n                  href=\"https://yfull.com/tree/${this._leafCladeName}\"\n                  target=\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|64|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/views/GrampsjsViewYDna.js"}, "region": {"startLine": 64}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 93181, "scanner": "repobility-threat-engine", "fingerprint": "0ef4a8b4fad73db832b6e29bc594ae30ac609f1693e8a052c77a089ac0c778c0", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a download href=\"${this._queryUrl}\" id=\"submitanchor\" target=\"_blank\"\n        >", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|81|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/views/GrampsjsViewReport.js"}, "region": {"startLine": 81}}}]}, {"ruleId": "SEC046", "level": "warning", "message": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). Complement to server-side SEC030."}, "properties": {"repobilityId": 93180, "scanner": "repobility-threat-engine", "fingerprint": "ea976fa0766c3c7655e8b5c6cb38a3ba5b5fea1ba8b50d295f9eabccbbc27121", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.location.href = data.", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC046", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ea976fa0766c3c7655e8b5c6cb38a3ba5b5fea1ba8b50d295f9eabccbbc27121"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/oidc.js"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 93167, "scanner": "repobility-threat-engine", "fingerprint": "f9a93c04c2203f84713a02032f471686522650857bc1e3c9c0a7db2210a93c58", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|src/color.js|7|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/color.js"}, "region": {"startLine": 7}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 93158, "scanner": "repobility-agent-runtime", "fingerprint": "f99c6ab9fe073e42227b27c77c984ac9371f8d4c694e92a8aa463afa411a12d9", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|f99c6ab9fe073e42227b27c77c984ac9371f8d4c694e92a8aa463afa411a12d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api.js"}, "region": {"startLine": 22}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/setup-node@v4` is 2 major version(s) behind (latest v6.4.0)"}, "properties": {"repobilityId": 93157, "scanner": "repobility-dependency-currency", "fingerprint": "c1494b919f44409194a1a7471232262ffe657204fd82c298d95020e29fecfd3d", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/setup-node", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.4.0", "correlation_key": "fp|c1494b919f44409194a1a7471232262ffe657204fd82c298d95020e29fecfd3d", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/image-devel.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 93156, "scanner": "repobility-dependency-currency", "fingerprint": "a026bd2737e09efce04c25022b66100e82b50db57e009d1b39f17da780714c96", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|a026bd2737e09efce04c25022b66100e82b50db57e009d1b39f17da780714c96", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/image-devel.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `softprops/action-gh-release@v1` is 2 major version(s) behind (latest v3.0.0)"}, "properties": {"repobilityId": 93155, "scanner": "repobility-dependency-currency", "fingerprint": "3779fb36af5f45915dcd2703db605685bdda4e2bac03c99d079989caa7fc9546", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "softprops/action-gh-release", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v3.0.0", "correlation_key": "fp|3779fb36af5f45915dcd2703db605685bdda4e2bac03c99d079989caa7fc9546", "current_version": "v1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/setup-node@v4` is 2 major version(s) behind (latest v6.4.0)"}, "properties": {"repobilityId": 93154, "scanner": "repobility-dependency-currency", "fingerprint": "e014a88b63ccd939c17822f37fa9863cdfb93f4b8bd31b08d0c74ca88e4ed8e5", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/setup-node", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.4.0", "correlation_key": "fp|e014a88b63ccd939c17822f37fa9863cdfb93f4b8bd31b08d0c74ca88e4ed8e5", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 93153, "scanner": "repobility-dependency-currency", "fingerprint": "214f80f379c62fc8f7af1a6ba201117708fbba60521f0a531a8295a59ea8fbec", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|214f80f379c62fc8f7af1a6ba201117708fbba60521f0a531a8295a59ea8fbec", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/setup-node@v4` is 2 major version(s) behind (latest v6.4.0)"}, "properties": {"repobilityId": 93152, "scanner": "repobility-dependency-currency", "fingerprint": "5325f0f9e09cbcbe24fa239b02149f4b8f913c3e9b1ea89d18a37afc625e6a2a", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/setup-node", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.4.0", "correlation_key": "fp|5325f0f9e09cbcbe24fa239b02149f4b8f913c3e9b1ea89d18a37afc625e6a2a", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 93151, "scanner": "repobility-dependency-currency", "fingerprint": "3766999cc63e5e1f7416cabd1370fb72c08d153c5c6db2495df9a71bd742329d", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|3766999cc63e5e1f7416cabd1370fb72c08d153c5c6db2495df9a71bd742329d", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/setup-node@v4` is 2 major version(s) behind (latest v6.4.0)"}, "properties": {"repobilityId": 93150, "scanner": "repobility-dependency-currency", "fingerprint": "41b942d104443d5366cf3c257fbe819f1cab9ce354d0ab902fae66a9a36b42d0", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/setup-node", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.4.0", "correlation_key": "fp|41b942d104443d5366cf3c257fbe819f1cab9ce354d0ab902fae66a9a36b42d0", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/image-release.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 93149, "scanner": "repobility-dependency-currency", "fingerprint": "d6f7e6ee6e5a4f72144bc2d4d1bd6b5dc31544b37b23174bdd4b144833b3bdaa", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|d6f7e6ee6e5a4f72144bc2d4d1bd6b5dc31544b37b23174bdd4b144833b3bdaa", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/image-release.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `rimraf` is 3 major version(s) behind (3.0.2 -> 6.1.3)"}, "properties": {"repobilityId": 93148, "scanner": "repobility-dependency-currency", "fingerprint": "3ef66d805b0fdeb17163e22ea1e7ae3ec22dfecfa8ba6f4a9398a649fe294ecd", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "rimraf", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.1.3", "correlation_key": "fp|3ef66d805b0fdeb17163e22ea1e7ae3ec22dfecfa8ba6f4a9398a649fe294ecd", "current_version": "3.0.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `prettier` is 1 major version(s) behind (2.8.8 -> 3.8.3)"}, "properties": {"repobilityId": 93147, "scanner": "repobility-dependency-currency", "fingerprint": "c7a03c4c3c1259b851c2854e09ff71bbb6ba36e0d77c052dc94052f423ea7683", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "prettier", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.8.3", "correlation_key": "fp|c7a03c4c3c1259b851c2854e09ff71bbb6ba36e0d77c052dc94052f423ea7683", "current_version": "2.8.8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `lint-staged` is 7 major version(s) behind (10.5.4 -> 17.0.7)"}, "properties": {"repobilityId": 93146, "scanner": "repobility-dependency-currency", "fingerprint": "a19d135dbeeb00caa72135ac6f389717f4a0d857702bb48d574814e2e4c58654", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "7 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "lint-staged", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "17.0.7", "correlation_key": "fp|a19d135dbeeb00caa72135ac6f389717f4a0d857702bb48d574814e2e4c58654", "current_version": "10.5.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `husky` is 5 major version(s) behind (4.3.8 -> 9.1.7)"}, "properties": {"repobilityId": 93145, "scanner": "repobility-dependency-currency", "fingerprint": "514c16ad7a0308507f3807b6d098416be536e68617de426b71e8b123a5f6c8f9", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "5 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "husky", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "9.1.7", "correlation_key": "fp|514c16ad7a0308507f3807b6d098416be536e68617de426b71e8b123a5f6c8f9", "current_version": "4.3.8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `eslint-plugin-promise` is 1 major version(s) behind (6.6.0 -> 7.3.0)"}, "properties": {"repobilityId": 93144, "scanner": "repobility-dependency-currency", "fingerprint": "ce8f35b4520991fb6d82ceb7c4a7a372e32af091c854defbcd6704bd1f4581d7", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "eslint-plugin-promise", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.3.0", "correlation_key": "fp|ce8f35b4520991fb6d82ceb7c4a7a372e32af091c854defbcd6704bd1f4581d7", "current_version": "6.6.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `eslint-plugin-n` is 2 major version(s) behind (16.6.2 -> 18.0.1)"}, "properties": {"repobilityId": 93142, "scanner": "repobility-dependency-currency", "fingerprint": "d6a6c87012a0fa4562395d3facd2291e6b5d07f21a8a7d1d5b002825cac1f76a", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "eslint-plugin-n", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "18.0.1", "correlation_key": "fp|d6a6c87012a0fa4562395d3facd2291e6b5d07f21a8a7d1d5b002825cac1f76a", "current_version": "16.6.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `eslint-plugin-lit-a11y` is 1 major version(s) behind (4.1.4 -> 5.1.1)"}, "properties": {"repobilityId": 93141, "scanner": "repobility-dependency-currency", "fingerprint": "e843f1f3bdf72a3f35b681bdb98041ee9475daa8bb279494aba725fe20ca8eee", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "eslint-plugin-lit-a11y", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.1.1", "correlation_key": "fp|e843f1f3bdf72a3f35b681bdb98041ee9475daa8bb279494aba725fe20ca8eee", "current_version": "4.1.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `eslint-config-prettier` is 3 major version(s) behind (7.2.0 -> 10.1.8)"}, "properties": {"repobilityId": 93138, "scanner": "repobility-dependency-currency", "fingerprint": "54d816a01142e363c686765ef1841854d758a4946cb3e9b009435353da2dade1", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "eslint-config-prettier", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.1.8", "correlation_key": "fp|54d816a01142e363c686765ef1841854d758a4946cb3e9b009435353da2dade1", "current_version": "7.2.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@rollup/plugin-replace` is 1 major version(s) behind (5.0.7 -> 6.0.3)"}, "properties": {"repobilityId": 93136, "scanner": "repobility-dependency-currency", "fingerprint": "2a058f63cea7f780a364216c54f6e833eb3a47c6ff839987a5d165a669536b7c", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@rollup/plugin-replace", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.0.3", "correlation_key": "fp|2a058f63cea7f780a364216c54f6e833eb3a47c6ff839987a5d165a669536b7c", "current_version": "5.0.7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `lit` is 1 major version(s) behind (2.8.0 -> 3.3.3)"}, "properties": {"repobilityId": 93133, "scanner": "repobility-dependency-currency", "fingerprint": "6d6ad9f57b71a1dfe085ba0b3a169087e9275d19fce4ce1e7aeda44d555376dc", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "lit", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.3.3", "correlation_key": "fp|6d6ad9f57b71a1dfe085ba0b3a169087e9275d19fce4ce1e7aeda44d555376dc", "current_version": "2.8.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `jwt-decode` is 1 major version(s) behind (3.1.2 -> 4.0.0)"}, "properties": {"repobilityId": 93132, "scanner": "repobility-dependency-currency", "fingerprint": "70670999c6b3b6aaa5d4c9062528b4794fa4bc56cb32c23bceb35bf2c242bd66", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "jwt-decode", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.0.0", "correlation_key": "fp|70670999c6b3b6aaa5d4c9062528b4794fa4bc56cb32c23bceb35bf2c242bd66", "current_version": "3.1.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `d3-selection` is 1 major version(s) behind (2.0.0 -> 3.0.0)"}, "properties": {"repobilityId": 93128, "scanner": "repobility-dependency-currency", "fingerprint": "3564f6a754868e45a2296ee01bd824e195a606f316850a925f7578d00f009403", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "d3-selection", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.0.0", "correlation_key": "fp|3564f6a754868e45a2296ee01bd824e195a606f316850a925f7578d00f009403", "current_version": "2.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 93238, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 93237, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 93236, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 93235, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jgmv-j7ww-jx2x", "level": "note", "message": {"text": "koa: GHSA-jgmv-j7ww-jx2x"}, "properties": {"repobilityId": 93204, "scanner": "osv-scanner", "fingerprint": "d24fc14f59740e64a34dd3d2e5255e7193e64f714034ec6d767ca9fa5eac41ec", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-8129"], "package": "koa", "rule_id": "GHSA-jgmv-j7ww-jx2x", "scanner": "osv-scanner", "correlation_key": "vuln|koa|CVE-2025-8129|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v6h2-p8h4-qcjw", "level": "note", "message": {"text": "brace-expansion: GHSA-v6h2-p8h4-qcjw"}, "properties": {"repobilityId": 93193, "scanner": "osv-scanner", "fingerprint": "3b771ed61f472eab02b4c9eb792b38e138cfec35c8ab51f877acaaca0e374b2d", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-5889"], "package": "brace-expansion", "rule_id": "GHSA-v6h2-p8h4-qcjw", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2025-5889|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 93184, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 93176, "scanner": "repobility-threat-engine", "fingerprint": "e81309a79a5f5c3ceac25606ea451a25b1012b0b175c38748ceaa89346577174", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = h", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|91|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/styledTextPaste.js"}, "region": {"startLine": 91}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 93174, "scanner": "repobility-threat-engine", "fingerprint": "251e69fba32e72714827d4998d722e00ffa226d11d8f1fe2240f3bbdf1a25b57", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = `", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|51|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/GrampsjsMapMarker.js"}, "region": {"startLine": 51}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `eslint-plugin-no-only-tests` is minor version(s) behind (3.3.0 -> 3.4.0)"}, "properties": {"repobilityId": 93143, "scanner": "repobility-dependency-currency", "fingerprint": "06b82295b61735203fc28fe36ef8a79ea3364338c157d83311a4660236096ae2", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "eslint-plugin-no-only-tests", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.4.0", "correlation_key": "fp|06b82295b61735203fc28fe36ef8a79ea3364338c157d83311a4660236096ae2", "current_version": "3.3.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `eslint-plugin-lit` is minor version(s) behind (2.2.1 -> 2.3.1)"}, "properties": {"repobilityId": 93140, "scanner": "repobility-dependency-currency", "fingerprint": "974a9fdd88f05dd4f292e8ba2524c70812c4e31a851fa66bb3f81b2eee6e5e1f", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "eslint-plugin-lit", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.3.1", "correlation_key": "fp|974a9fdd88f05dd4f292e8ba2524c70812c4e31a851fa66bb3f81b2eee6e5e1f", "current_version": "2.2.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `eslint-plugin-import` is minor version(s) behind (2.31.0 -> 2.32.0)"}, "properties": {"repobilityId": 93139, "scanner": "repobility-dependency-currency", "fingerprint": "38c90ad3650ce185ad1f238cbc21484e2a6c13e76182ef420e5dfeafc0c5adf9", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "eslint-plugin-import", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.32.0", "correlation_key": "fp|38c90ad3650ce185ad1f238cbc21484e2a6c13e76182ef420e5dfeafc0c5adf9", "current_version": "2.31.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@vitest/coverage-v8` is minor version(s) behind (4.0.18 -> 4.1.8)"}, "properties": {"repobilityId": 93137, "scanner": "repobility-dependency-currency", "fingerprint": "060df14b9a03a42775df24c836436c3cbafa5d6de2a131f2d6fd329abb74ba67", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vitest/coverage-v8", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.1.8", "correlation_key": "fp|060df14b9a03a42775df24c836436c3cbafa5d6de2a131f2d6fd329abb74ba67", "current_version": "4.0.18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `maplibre-gl` is minor version(s) behind (5.6.0 -> 5.24.0)"}, "properties": {"repobilityId": 93134, "scanner": "repobility-dependency-currency", "fingerprint": "be1c6c6ba56eaa5b044df970248723715f0452a8b454b40ae0ddb359fa56698d", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "maplibre-gl", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.24.0", "correlation_key": "fp|be1c6c6ba56eaa5b044df970248723715f0452a8b454b40ae0ddb359fa56698d", "current_version": "5.6.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `jsondiffpatch` is minor version(s) behind (0.6.0 -> 0.7.6)"}, "properties": {"repobilityId": 93131, "scanner": "repobility-dependency-currency", "fingerprint": "8bcad56b85bd8327502647561590b98c76f8aefb387c43fdf06021b301105138", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "jsondiffpatch", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.7.6", "correlation_key": "fp|8bcad56b85bd8327502647561590b98c76f8aefb387c43fdf06021b301105138", "current_version": "0.6.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@material/web` is minor version(s) behind (2.2.0 -> 2.4.1)"}, "properties": {"repobilityId": 93127, "scanner": "repobility-dependency-currency", "fingerprint": "002329ba2c6ea728852b4550fcdbc8dbe193f96d6c7cb255043c5f7d3699b8e2", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@material/web", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.4.1", "correlation_key": "fp|002329ba2c6ea728852b4550fcdbc8dbe193f96d6c7cb255043c5f7d3699b8e2", "current_version": "2.2.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@hpcc-js/wasm` is minor version(s) behind (2.22.4 -> 2.34.0)"}, "properties": {"repobilityId": 93126, "scanner": "repobility-dependency-currency", "fingerprint": "52af748275f6e2960fe23d2c0d5c2528a641d4c5ea2bae02e617d3c0334b2a2c", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@hpcc-js/wasm", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.34.0", "correlation_key": "fp|52af748275f6e2960fe23d2c0d5c2528a641d4c5ea2bae02e617d3c0334b2a2c", "current_version": "2.22.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@awesome.me/webawesome` is minor version(s) behind (3.4.0 -> 3.7.0)"}, "properties": {"repobilityId": 93125, "scanner": "repobility-dependency-currency", "fingerprint": "67f19773ed25b7a585412759222a4c1ea9beb65a30ada09a3505ba56792acacd", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@awesome.me/webawesome", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.7.0", "correlation_key": "fp|67f19773ed25b7a585412759222a4c1ea9beb65a30ada09a3505ba56792acacd", "current_version": "3.4.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93112, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a7d1b050b159ba59ef999634075f180ae5c29c319121bd780f34ddf24a231c33", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/GrampsjsFilterType.js", "duplicate_line": 61, "correlation_key": "fp|a7d1b050b159ba59ef999634075f180ae5c29c319121bd780f34ddf24a231c33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/GrampsjsObjectForm.js"}, "region": {"startLine": 158}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93111, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e5e7c5bc2e0eb5876a181c6d3823d30c03f1a1d524270f9650d5a4f255dbc7a4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/GrampsjsAddresses.js", "duplicate_line": 23, "correlation_key": "fp|e5e7c5bc2e0eb5876a181c6d3823d30c03f1a1d524270f9650d5a4f255dbc7a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/GrampsjsName.js"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93110, "scanner": "repobility-ai-code-hygiene", "fingerprint": "052f85177c741c7e8ff778678df633d6b20c2de9182358ad8830dd205a766c01", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/GrampsjsFormRegister.js", "duplicate_line": 25, "correlation_key": "fp|052f85177c741c7e8ff778678df633d6b20c2de9182358ad8830dd205a766c01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/GrampsjsLogin.js"}, "region": {"startLine": 87}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93109, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8fd94ee720d1cb2965c3e76a99a375ec206df925dd29fadb754ee8da9cec3847", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/GrampsjsImport.js", "duplicate_line": 14, "correlation_key": "fp|8fd94ee720d1cb2965c3e76a99a375ec206df925dd29fadb754ee8da9cec3847"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/GrampsjsImportMedia.js"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93108, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4bf493e9df5bcaa90a6dfff8e2d7cacf37473be7382f78756e0a41276a4360e2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/GrampsjsFormName.js", "duplicate_line": 23, "correlation_key": "fp|4bf493e9df5bcaa90a6dfff8e2d7cacf37473be7382f78756e0a41276a4360e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/GrampsjsFormUser.js"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93107, "scanner": "repobility-ai-code-hygiene", "fingerprint": "316d14396c30984b0cbddeba543257f6839be3bab7265518407b64ab5825b8e7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/GrampsjsFormSurname.js", "duplicate_line": 12, "correlation_key": "fp|316d14396c30984b0cbddeba543257f6839be3bab7265518407b64ab5825b8e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/GrampsjsFormUser.js"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93106, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e39ccc43804fce25243bccc53931bf5dd8208397fae4f7b2ab525f8c3d7ac565", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/GrampsjsFormName.js", "duplicate_line": 23, "correlation_key": "fp|e39ccc43804fce25243bccc53931bf5dd8208397fae4f7b2ab525f8c3d7ac565"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/GrampsjsFormSurname.js"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93105, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7c26f7948d311a0a5d0a18c2adf51e3a210595d1b4cf00f7e6ed57859b87210f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/GrampsjsFormNewPartnerFamily.js", "duplicate_line": 67, "correlation_key": "fp|7c26f7948d311a0a5d0a18c2adf51e3a210595d1b4cf00f7e6ed57859b87210f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/GrampsjsFormSpouseRef.js"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93104, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fe9e8e52a72ad6cc049ef5f05beb694e2cbe0d2bf8838fa2969d77851723cf43", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/GrampsjsFormNewSpouse.js", "duplicate_line": 12, "correlation_key": "fp|fe9e8e52a72ad6cc049ef5f05beb694e2cbe0d2bf8838fa2969d77851723cf43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/GrampsjsFormSpouseRef.js"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93103, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ceb56f0e218fb1e0d8d5fa881b5abf38b77d3a6d9431ff79939121545ea44d26", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/GrampsjsFormNewMatch.js", "duplicate_line": 23, "correlation_key": "fp|ceb56f0e218fb1e0d8d5fa881b5abf38b77d3a6d9431ff79939121545ea44d26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/GrampsjsFormNewYDna.js"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93102, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1307684404b4ddde41c59718092af57d9ea9afc672533d30e94dd086dbb7ac77", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/GrampsjsFormNewPartnerFamily.js", "duplicate_line": 67, "correlation_key": "fp|1307684404b4ddde41c59718092af57d9ea9afc672533d30e94dd086dbb7ac77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/GrampsjsFormNewSpouse.js"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93101, "scanner": "repobility-ai-code-hygiene", "fingerprint": "04090427225b2b9686e74aae20f435fe2523d6140d63a4038df20e8136225cdf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/GrampsjsFormAddPersonToFamily.js", "duplicate_line": 38, "correlation_key": "fp|04090427225b2b9686e74aae20f435fe2523d6140d63a4038df20e8136225cdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/GrampsjsFormNewParentFamily.js"}, "region": {"startLine": 65}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93100, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fff9d40f9eb81acb57f7fb60059c0397e38d6647a14675767e6ab66da3ed9d06", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/GrampsjsFormEditCitationDetails.js", "duplicate_line": 52, "correlation_key": "fp|fff9d40f9eb81acb57f7fb60059c0397e38d6647a14675767e6ab66da3ed9d06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/GrampsjsFormNewCitation.js"}, "region": {"startLine": 40}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93099, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0ccd36d9f4b4bdc0b489e9790b27b8d87ef0d8c103cf92e753f4d49c827e7346", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/GrampsjsFormChildRef.js", "duplicate_line": 23, "correlation_key": "fp|0ccd36d9f4b4bdc0b489e9790b27b8d87ef0d8c103cf92e753f4d49c827e7346"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/GrampsjsFormNewChild.js"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93098, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5c3cb05f71c5ff8a41d3f12ad4b4857041aca9f701b02d30d06878208e145582", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/GrampsjsFormAddPersonToFamily.js", "duplicate_line": 35, "correlation_key": "fp|5c3cb05f71c5ff8a41d3f12ad4b4857041aca9f701b02d30d06878208e145582"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/GrampsjsFormChildRef.js"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93097, "scanner": "repobility-ai-code-hygiene", "fingerprint": "88cbee6c046915fa0135f9310c79a8479f5e4cd08353d03d0410462db227fa87", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/GrampsjsFilterType.js", "duplicate_line": 8, "correlation_key": "fp|88cbee6c046915fa0135f9310c79a8479f5e4cd08353d03d0410462db227fa87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/GrampsjsFilterYears.js"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93096, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4f71ee394ffd7ef28d3c3d3cb6f46f06dbb70924cc396624b3f8b43402d400f0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/GrampsjsFilterMime.js", "duplicate_line": 7, "correlation_key": "fp|4f71ee394ffd7ef28d3c3d3cb6f46f06dbb70924cc396624b3f8b43402d400f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/GrampsjsFilterYears.js"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93095, "scanner": "repobility-ai-code-hygiene", "fingerprint": "69ebe7ac8be403496b64b0baa85b0658f6cfe58ff2ee07c25462b5e8540bdc43", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/GrampsjsFilterMime.js", "duplicate_line": 7, "correlation_key": "fp|69ebe7ac8be403496b64b0baa85b0658f6cfe58ff2ee07c25462b5e8540bdc43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/GrampsjsFilterType.js"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93094, "scanner": "repobility-ai-code-hygiene", "fingerprint": "93db198aca410677d82aee07be2a7c1e40372f0ed5933bf34823bf4adb4cd396", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/GrampsjsFilterMime.js", "duplicate_line": 7, "correlation_key": "fp|93db198aca410677d82aee07be2a7c1e40372f0ed5933bf34823bf4adb4cd396"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/GrampsjsFilterText.js"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93093, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7f935db506e002925be0df0e789015fa7f931d71c3f44e2a755d39ce0eeb5db6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/GrampsjsFilterMime.js", "duplicate_line": 7, "correlation_key": "fp|7f935db506e002925be0df0e789015fa7f931d71c3f44e2a755d39ce0eeb5db6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/GrampsjsFilterTags.js"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93092, "scanner": "repobility-ai-code-hygiene", "fingerprint": "315f938516d749393c0c93342ce700b3046767b3aa646878560dee0cad5fc61b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/GrampsjsFilterMime.js", "duplicate_line": 7, "correlation_key": "fp|315f938516d749393c0c93342ce700b3046767b3aa646878560dee0cad5fc61b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/GrampsjsFilterProperties.js"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93091, "scanner": "repobility-ai-code-hygiene", "fingerprint": "93229c66b0a5a8ee2143d4fafe9d20d08dd937e20849c1f11e78a8eebd315d31", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/GrampsjsFilterObjectType.js", "duplicate_line": 17, "correlation_key": "fp|93229c66b0a5a8ee2143d4fafe9d20d08dd937e20849c1f11e78a8eebd315d31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/GrampsjsFilterProperties.js"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93090, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2826145dda66f8d7339eb496393bb8c2dbd5c7dc534c7741a81190b51900dc1b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/GrampsjsFilterMime.js", "duplicate_line": 7, "correlation_key": "fp|2826145dda66f8d7339eb496393bb8c2dbd5c7dc534c7741a81190b51900dc1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/GrampsjsFilterPrivate.js"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93089, "scanner": "repobility-ai-code-hygiene", "fingerprint": "552e4c4e514cd14dab2728e7671d1934b8bc27b060f150aa49793910a9660120", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/GrampsjsFilterMime.js", "duplicate_line": 7, "correlation_key": "fp|552e4c4e514cd14dab2728e7671d1934b8bc27b060f150aa49793910a9660120"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/GrampsjsFilterObjectType.js"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93088, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fde81a3f6cd1f78d0730e893130afe4bd20338ce02256ba0c9fccb889dabf975", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/GrampsjsCitations.js", "duplicate_line": 11, "correlation_key": "fp|fde81a3f6cd1f78d0730e893130afe4bd20338ce02256ba0c9fccb889dabf975"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/GrampsjsEvents.js"}, "region": {"startLine": 55}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93087, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ec997de31ff6b374bf770fe9b03c68e50e8a3593afc6ecc1d7f50dd19ccc4691", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/GrampsjsBlogPostPreview.js", "duplicate_line": 52, "correlation_key": "fp|ec997de31ff6b374bf770fe9b03c68e50e8a3593afc6ecc1d7f50dd19ccc4691"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/GrampsjsBlogPreview.js"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93086, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8df57091f96ccb47abce47ce57f5503574e64a121647868fcc0ec4d63e10916c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/GrampsjsAddresses.js", "duplicate_line": 26, "correlation_key": "fp|8df57091f96ccb47abce47ce57f5503574e64a121647868fcc0ec4d63e10916c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/GrampsjsBlogPreview.js"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93085, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5de7bdad8cf69d0f4d0b9238a58e6c00d2c59e6c44d7bbd642bb7d4b916bf2ac", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/GrampsjsAddresses.js", "duplicate_line": 23, "correlation_key": "fp|5de7bdad8cf69d0f4d0b9238a58e6c00d2c59e6c44d7bbd642bb7d4b916bf2ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/GrampsjsBlogPostPreview.js"}, "region": {"startLine": 48}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93084, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e61f8c5bd2a5377fb97bf82c10d26f3aaa62c6556e6c1f86c9f1a7f4bfc99fbd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/charts/RelationshipChart.js", "duplicate_line": 267, "correlation_key": "fp|e61f8c5bd2a5377fb97bf82c10d26f3aaa62c6556e6c1f86c9f1a7f4bfc99fbd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/charts/YtreeLineageChart.js"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93083, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3a4679a5f450746698bee1d04c288ea454f542e28932595705cdb784510f18ad", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/charts/RelationshipChart.js", "duplicate_line": 267, "correlation_key": "fp|3a4679a5f450746698bee1d04c288ea454f542e28932595705cdb784510f18ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/charts/TreeChart.js"}, "region": {"startLine": 188}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 93179, "scanner": "repobility-threat-engine", "fingerprint": "119c1f1989b3225c44efd41e7e1a260afbe320eb78120236222df3dda6329265", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|119c1f1989b3225c44efd41e7e1a260afbe320eb78120236222df3dda6329265"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/icons.js"}, "region": {"startLine": 103}}}]}, {"ruleId": "MINED047", "level": "none", "message": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "properties": {"repobilityId": 93178, "scanner": "repobility-threat-engine", "fingerprint": "3cc92a99279a0194f6252687d804ed3e38af926afcc0767b6d5f61abb4262f07", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "emoji-in-source", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348010+00:00", "triaged_in_corpus": 9, "observations_count": 1468364, "ai_coder_pattern_id": 29}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3cc92a99279a0194f6252687d804ed3e38af926afcc0767b6d5f61abb4262f07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/GrampsjsTextRecognition.js"}, "region": {"startLine": 98}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "properties": {"repobilityId": 93172, "scanner": "repobility-threat-engine", "fingerprint": "b98826a496e2c244206dacb96a98f930d8c279872e9506ee2677167c314ee386", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 18 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 18 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b98826a496e2c244206dacb96a98f930d8c279872e9506ee2677167c314ee386"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "properties": {"repobilityId": 93166, "scanner": "repobility-threat-engine", "fingerprint": "87a374dc589dd420ec377c72db2b292cf3fbbfe6642b8efe3d05d9fe2427b14e", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 16 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 16 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|87a374dc589dd420ec377c72db2b292cf3fbbfe6642b8efe3d05d9fe2427b14e"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 93162, "scanner": "repobility-threat-engine", "fingerprint": "f5f0ee0407b51d0ac20b895b10fb0fb2d25d496c71c3de2200e03e778c4fe3f2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f5f0ee0407b51d0ac20b895b10fb0fb2d25d496c71c3de2200e03e778c4fe3f2", "aggregated_count": 2}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 93161, "scanner": "repobility-threat-engine", "fingerprint": "a49016d05bf9cb50986f44dce74f3c836ff60521bf78e21253131bf1463bc643", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a49016d05bf9cb50986f44dce74f3c836ff60521bf78e21253131bf1463bc643"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/GrampsjsUpdateAvailable.js"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 93160, "scanner": "repobility-threat-engine", "fingerprint": "1842c105bae169c648d7cb4680000167b1dc3af46fbdcd941b3e2a279d266261", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1842c105bae169c648d7cb4680000167b1dc3af46fbdcd941b3e2a279d266261"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/GrampsjsFormEditMatch.js"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 93159, "scanner": "repobility-threat-engine", "fingerprint": "f40ac69b833816beec2f1ea6df61ba2be3f19decf2d3b70aa8937db5683a9a89", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f40ac69b833816beec2f1ea6df61ba2be3f19decf2d3b70aa8937db5683a9a89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rollup.config.js"}, "region": {"startLine": 23}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `marked` is patch version(s) behind (18.0.4 -> 18.0.5)"}, "properties": {"repobilityId": 93135, "scanner": "repobility-dependency-currency", "fingerprint": "62f5307e2021bfd67abb0a70cdc5bf91f3fe469196e7f0cb7e69cd9ae79b009c", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "marked", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "18.0.5", "correlation_key": "fp|62f5307e2021bfd67abb0a70cdc5bf91f3fe469196e7f0cb7e69cd9ae79b009c", "current_version": "18.0.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `dompurify` is patch version(s) behind (3.4.5 -> 3.4.8)"}, "properties": {"repobilityId": 93130, "scanner": "repobility-dependency-currency", "fingerprint": "1b98fa00582e89dc88a58c00bbf7709e686d4c5e90b225483602b3024e560c31", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "dompurify", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.4.8", "correlation_key": "fp|1b98fa00582e89dc88a58c00bbf7709e686d4c5e90b225483602b3024e560c31", "current_version": "3.4.5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `dayjs` is patch version(s) behind (1.11.13 -> 1.11.21)"}, "properties": {"repobilityId": 93129, "scanner": "repobility-dependency-currency", "fingerprint": "fbce527250063095fad4ff16745c4f34bea81530338950ef704f2e0458fa319d", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "dayjs", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.11.21", "correlation_key": "fp|fbce527250063095fad4ff16745c4f34bea81530338950ef704f2e0458fa319d", "current_version": "1.11.13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 93234, "scanner": "repobility-journey-contract", "fingerprint": "6477f20fdd27225eea1f2e4740506683a904fbdaeaf2d022d3fe4c4a27e9f6c6", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|63|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/GrampsjsPasswordManagerPolyfill.js"}, "region": {"startLine": 63}}}]}, {"ruleId": "GHSA-v2wj-q39q-566r", "level": "error", "message": {"text": "vite: GHSA-v2wj-q39q-566r"}, "properties": {"repobilityId": 93217, "scanner": "osv-scanner", "fingerprint": "4d1151323f71b70c621edc6f700d44f16068314444bd1fc3270100f25f19ed0d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39364"], "package": "vite", "rule_id": "GHSA-v2wj-q39q-566r", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2026-39364|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-p9ff-h696-f583", "level": "error", "message": {"text": "vite: GHSA-p9ff-h696-f583"}, "properties": {"repobilityId": 93216, "scanner": "osv-scanner", "fingerprint": "66562fb659e185983f496772280ec8c8e98e3fead9fa45a04949fe6f4b15bc82", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39363"], "package": "vite", "rule_id": "GHSA-p9ff-h696-f583", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2026-39363|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5c6j-r48x-rmvq", "level": "error", "message": {"text": "serialize-javascript: GHSA-5c6j-r48x-rmvq"}, "properties": {"repobilityId": 93213, "scanner": "osv-scanner", "fingerprint": "7f2d30dd9b8a0eda6d87deac04527ff692eca0ea143a54f9b4184ad2b283ffa3", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "serialize-javascript", "rule_id": "GHSA-5c6j-r48x-rmvq", "scanner": "osv-scanner", "correlation_key": "vuln|serialize-javascript|GHSA-5C6J-R48X-RMVQ|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c2c7-rcm5-vvqj", "level": "error", "message": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "properties": {"repobilityId": 93210, "scanner": "osv-scanner", "fingerprint": "3cd93794643bff3fd4328203c06c842a2d7c54c53b7a77b0e6bc61b44cf4e561", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33671"], "package": "picomatch", "rule_id": "GHSA-c2c7-rcm5-vvqj", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33671|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r5fr-rjxr-66jc", "level": "error", "message": {"text": "lodash: GHSA-r5fr-rjxr-66jc"}, "properties": {"repobilityId": 93207, "scanner": "osv-scanner", "fingerprint": "069f9bb4f0a38c36ca2992b2ffe11f999b2e5befc1dec86319fea7bbf65a679b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4800"], "package": "lodash", "rule_id": "GHSA-r5fr-rjxr-66jc", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2026-4800|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7gcc-r8m5-44qm", "level": "error", "message": {"text": "koa: GHSA-7gcc-r8m5-44qm"}, "properties": {"repobilityId": 93203, "scanner": "osv-scanner", "fingerprint": "9a701f3d2af7b9bee326faf0ec7e4021cfc522f293b29fd859311093fa282f9f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27959"], "package": "koa", "rule_id": "GHSA-7gcc-r8m5-44qm", "scanner": "osv-scanner", "correlation_key": "vuln|koa|CVE-2026-27959|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w4gp-fjgq-3q4g", "level": "error", "message": {"text": "happy-dom: GHSA-w4gp-fjgq-3q4g"}, "properties": {"repobilityId": 93200, "scanner": "osv-scanner", "fingerprint": "93932d6ee84d18c4004f415eabff4cc987737aef1f31ace3fba1da1fbf2e22e7", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34226"], "package": "happy-dom", "rule_id": "GHSA-w4gp-fjgq-3q4g", "scanner": "osv-scanner", "correlation_key": "vuln|happy-dom|CVE-2026-34226|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6q6h-j7hj-3r64", "level": "error", "message": {"text": "happy-dom: GHSA-6q6h-j7hj-3r64"}, "properties": {"repobilityId": 93199, "scanner": "osv-scanner", "fingerprint": "47836bda1f4d8a9fe3745ffd51187175182c4ab4c8bfd94fffa517c36b12c40c", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33943"], "package": "happy-dom", "rule_id": "GHSA-6q6h-j7hj-3r64", "scanner": "osv-scanner", "correlation_key": "vuln|happy-dom|CVE-2026-33943|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rf6f-7fwh-wjgh", "level": "error", "message": {"text": "flatted: GHSA-rf6f-7fwh-wjgh"}, "properties": {"repobilityId": 93198, "scanner": "osv-scanner", "fingerprint": "12f8c13a1500c4e201cd19c15c7415ed765defb1c8c79e0887745cf5d0c7caba", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33228"], "package": "flatted", "rule_id": "GHSA-rf6f-7fwh-wjgh", "scanner": "osv-scanner", "correlation_key": "vuln|flatted|CVE-2026-33228|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-25h7-pfq9-p65f", "level": "error", "message": {"text": "flatted: GHSA-25h7-pfq9-p65f"}, "properties": {"repobilityId": 93197, "scanner": "osv-scanner", "fingerprint": "b797beca07deb64b07234792c672e8b741104617529fbd9314dd615ac2f0d51d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-32141"], "package": "flatted", "rule_id": "GHSA-25h7-pfq9-p65f", "scanner": "osv-scanner", "correlation_key": "vuln|flatted|CVE-2026-32141|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v39h-62p7-jpjc", "level": "error", "message": {"text": "fast-uri: GHSA-v39h-62p7-jpjc"}, "properties": {"repobilityId": 93196, "scanner": "osv-scanner", "fingerprint": "d9e8ef847898100d4370c43984678fe5fed930d5324ab88248c2d2156d522d84", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-6322"], "package": "fast-uri", "rule_id": "GHSA-v39h-62p7-jpjc", "scanner": "osv-scanner", "correlation_key": "vuln|fast-uri|CVE-2026-6322|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q3j6-qgpj-74h6", "level": "error", "message": {"text": "fast-uri: GHSA-q3j6-qgpj-74h6"}, "properties": {"repobilityId": 93195, "scanner": "osv-scanner", "fingerprint": "bbadb454e2f0de5491c967e3dd8f97119c293cd0aafbefed77d3b3e72652865f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-6321"], "package": "fast-uri", "rule_id": "GHSA-q3j6-qgpj-74h6", "scanner": "osv-scanner", "correlation_key": "vuln|fast-uri|CVE-2026-6321|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-fv7c-fp4j-7gwp", "level": "error", "message": {"text": "@babel/plugin-transform-modules-systemjs: GHSA-fv7c-fp4j-7gwp"}, "properties": {"repobilityId": 93191, "scanner": "osv-scanner", "fingerprint": "ad52739427efbb114a916176e346643bbd15d1155c76f28185e965208050ec44", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44728"], "package": "@babel/plugin-transform-modules-systemjs", "rule_id": "GHSA-fv7c-fp4j-7gwp", "scanner": "osv-scanner", "correlation_key": "vuln|token|CVE-2026-44728|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 93177, "scanner": "repobility-threat-engine", "fingerprint": "66f7a4d1b29404073ae58cd3966b2b827ba98d26829411ea4a2b786d25c66364", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = `\n      <svg width=\"${this.size}\" height=\"${this.size}\" viewBox=\"0 0 24 24\" fill=\"none\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|66f7a4d1b29404073ae58cd3966b2b827ba98d26829411ea4a2b786d25c66364"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/GrampsjsMapMarker.js"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC006", "level": "error", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 93175, "scanner": "repobility-threat-engine", "fingerprint": "fd34e9b162f549f53fef16aeb1f7897a8f6e1b43b41a8acdcc91fa1b3e2433e7", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = l", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|81|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/GrampsjsNoteContent.js"}, "region": {"startLine": 81}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 93173, "scanner": "repobility-threat-engine", "fingerprint": "79641f7f568ec2b2e9b233521321df95fd9eaa7fd10d4258e3918032f9d94df0", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(query", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|106|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/GrampsjsFormSelectObject.js"}, "region": {"startLine": 106}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 93171, "scanner": "repobility-threat-engine", "fingerprint": "f1dfc8786e413412bf9b7479ce0e55a3410febebc3be6cf654d5824ac6977f1c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "super.update(changed)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f1dfc8786e413412bf9b7479ce0e55a3410febebc3be6cf654d5824ac6977f1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/GrampsjsConnectedGallery.js"}, "region": {"startLine": 75}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 93170, "scanner": "repobility-threat-engine", "fingerprint": "40c5c2eb35c3bb97ce162ed6bee7060ccbf2d1821eb29d15b502f8959343a054", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "super.update(changed)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|40c5c2eb35c3bb97ce162ed6bee7060ccbf2d1821eb29d15b502f8959343a054"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/GrampsjsConnectedComponent.js"}, "region": {"startLine": 90}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 93169, "scanner": "repobility-threat-engine", "fingerprint": "9fe1b3e76aa500d39eb34bb62774a536ac6c23ea1665095938694599b72c11c9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "super.update(changed)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9fe1b3e76aa500d39eb34bb62774a536ac6c23ea1665095938694599b72c11c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/GrampsjsBookmarkButton.js"}, "region": {"startLine": 69}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 93168, "scanner": "repobility-threat-engine", "fingerprint": "a3d324f892e4f3ed302106e5676908f66bf6dffd4ccb18fe558f8970990b1d03", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(hex", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a3d324f892e4f3ed302106e5676908f66bf6dffd4ccb18fe558f8970990b1d03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/color.js"}, "region": {"startLine": 7}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 93165, "scanner": "repobility-threat-engine", "fingerprint": "096ddca7e1475885b321be951a4d63fbca9bedca151cbb90f0524c7837687d6f", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(m", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|096ddca7e1475885b321be951a4d63fbca9bedca151cbb90f0524c7837687d6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/charts/util.js"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 93164, "scanner": "repobility-threat-engine", "fingerprint": "8f0bcdcb32d4fef17b71979a03879ac1f9fa41239739f5aa7e3019630337ef51", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(i", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8f0bcdcb32d4fef17b71979a03879ac1f9fa41239739f5aa7e3019630337ef51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/charts/YtreeLineageChart.js"}, "region": {"startLine": 84}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 93163, "scanner": "repobility-threat-engine", "fingerprint": "3b035a6ea44a9b89e55ab85754a19cd856e646cd7b114b3abbbf5316a38172d7", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(d", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3b035a6ea44a9b89e55ab85754a19cd856e646cd7b114b3abbbf5316a38172d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/charts/TreeChart.js"}, "region": {"startLine": 216}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 93124, "scanner": "repobility-supply-chain", "fingerprint": "2748a2755f4657971088eff39acc66c16a65840c16c8da5d633fde81f1ac6fff", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2748a2755f4657971088eff39acc66c16a65840c16c8da5d633fde81f1ac6fff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/image-devel.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 93123, "scanner": "repobility-supply-chain", "fingerprint": "352aea539648eee0948e94fedadc340ed5d44847c661b00b73c812abfd1c94f6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|352aea539648eee0948e94fedadc340ed5d44847c661b00b73c812abfd1c94f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/image-devel.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `softprops/action-gh-release` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 93122, "scanner": "repobility-supply-chain", "fingerprint": "384cc89fe9dfa885a4522d18c5b3bf8386ffce4b871eeade5592ca8d10860d1d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|384cc89fe9dfa885a4522d18c5b3bf8386ffce4b871eeade5592ca8d10860d1d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 93121, "scanner": "repobility-supply-chain", "fingerprint": "05d284d05379d899cec4a253dc6cecc135bb957987c6817a21e93018c31d95b7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|05d284d05379d899cec4a253dc6cecc135bb957987c6817a21e93018c31d95b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 93120, "scanner": "repobility-supply-chain", "fingerprint": "9a553efb99b3f636c01a5c9d33f1d617081b75623a713e66077d5698b0c4419a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9a553efb99b3f636c01a5c9d33f1d617081b75623a713e66077d5698b0c4419a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 93119, "scanner": "repobility-supply-chain", "fingerprint": "8172f8aa1bb3e77abafe752a4023877c959c9f80504d7400429785e322c36068", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8172f8aa1bb3e77abafe752a4023877c959c9f80504d7400429785e322c36068"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 93118, "scanner": "repobility-supply-chain", "fingerprint": "07a49891afe1132a5df24b79807db5b73a15d6b1f7fe2e86eec218e351454cc6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|07a49891afe1132a5df24b79807db5b73a15d6b1f7fe2e86eec218e351454cc6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 93117, "scanner": "repobility-supply-chain", "fingerprint": "5aad5ca1b4c58a97052d636c77da9fce0243892bc72b8b99ffb96ef9551bf4f8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5aad5ca1b4c58a97052d636c77da9fce0243892bc72b8b99ffb96ef9551bf4f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/image-release.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 93116, "scanner": "repobility-supply-chain", "fingerprint": "4910fdfd9f8eced552062874a399df5c6468c4108ee735c99c4a2aeed5266857", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4910fdfd9f8eced552062874a399df5c6468c4108ee735c99c4a2aeed5266857"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/image-release.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `mcr.microsoft.com/devcontainers/javascript-node:22` not pinned by digest"}, "properties": {"repobilityId": 93115, "scanner": "repobility-supply-chain", "fingerprint": "25d4bf5c4ec902d4b57a6f983398fa6d7ef5edc3506b1dcee297323fa25ac6ac", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|25d4bf5c4ec902d4b57a6f983398fa6d7ef5edc3506b1dcee297323fa25ac6ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `dmstraub/gramps-webapi:latest-devel` not pinned by digest"}, "properties": {"repobilityId": 93114, "scanner": "repobility-supply-chain", "fingerprint": "9eb1d0730ffc0d5b17df15436cab69f6c1ccaa3c768b8a1a7d11729998724a8c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9eb1d0730ffc0d5b17df15436cab69f6c1ccaa3c768b8a1a7d11729998724a8c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.devel"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `dmstraub/gramps-webapi:latest` not pinned by digest"}, "properties": {"repobilityId": 93113, "scanner": "repobility-supply-chain", "fingerprint": "14f692ca2f50c0178f4d096d19d0e68a5fc15d5a84c4a07212553e4f6810bae6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|14f692ca2f50c0178f4d096d19d0e68a5fc15d5a84c4a07212553e4f6810bae6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5xrq-8626-4rwp", "level": "error", "message": {"text": "vitest: GHSA-5xrq-8626-4rwp"}, "properties": {"repobilityId": 93218, "scanner": "osv-scanner", "fingerprint": "368ce7fd403535058d00f45426a4cac4271814ffd591ff0553a0891221ef9c8e", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47429"], "package": "vitest", "rule_id": "GHSA-5xrq-8626-4rwp", "scanner": "osv-scanner", "correlation_key": "vuln|vitest|CVE-2026-47429|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-593f-38f6-jp5m", "level": "error", "message": {"text": "koa: GHSA-593f-38f6-jp5m"}, "properties": {"repobilityId": 93202, "scanner": "osv-scanner", "fingerprint": "c71ee0f1683e222d2662e401b807f41699172fc90512de530ec0381689c29b5b", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-25200"], "package": "koa", "rule_id": "GHSA-593f-38f6-jp5m", "scanner": "osv-scanner", "correlation_key": "vuln|koa|CVE-2025-25200|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}]}]}