{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "GHSA-65pc-fj4g-8rjx", "name": "idna: GHSA-65pc-fj4g-8rjx", "shortDescription": {"text": "idna: GHSA-65pc-fj4g-8rjx"}, "fullDescription": {"text": "Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-vjqx-cfc4-9h6v", "name": "mcp-server-git: GHSA-vjqx-cfc4-9h6v", "shortDescription": {"text": "mcp-server-git: GHSA-vjqx-cfc4-9h6v"}, "fullDescription": {"text": "mcp-server-git : Path traversal in git_add allows staging files outside repository boundaries"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-j22h-9j4x-23w5", "name": "mcp-server-git: GHSA-j22h-9j4x-23w5", "shortDescription": {"text": "mcp-server-git: GHSA-j22h-9j4x-23w5"}, "fullDescription": {"text": "mcp-server-git has missing path validation when using --repository flag"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9xwc-hfwc-8w59", "name": "mcp-server-git: GHSA-9xwc-hfwc-8w59", "shortDescription": {"text": "mcp-server-git: GHSA-9xwc-hfwc-8w59"}, "fullDescription": {"text": " mcp-server-git argument injection in git_diff and git_checkout functions allows overwriting local files"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5cgr-j3jf-jw3v", "name": "mcp-server-git: GHSA-5cgr-j3jf-jw3v", "shortDescription": {"text": "mcp-server-git: GHSA-5cgr-j3jf-jw3v"}, "fullDescription": {"text": 
"mcp-server-git's unrestricted git_init tool allows repository creation at arbitrary filesystem locations"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4w7w-66w2-5vf9", "name": "vite: GHSA-4w7w-66w2-5vf9", "shortDescription": {"text": "vite: GHSA-4w7w-66w2-5vf9"}, "fullDescription": {"text": "Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q8mj-m7cp-5q26", "name": "qs: GHSA-q8mj-m7cp-5q26", "shortDescription": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "fullDescription": {"text": "qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xrhx-7g5j-rcj5", "name": "hono: GHSA-xrhx-7g5j-rcj5", "shortDescription": {"text": "hono: GHSA-xrhx-7g5j-rcj5"}, "fullDescription": {"text": "Hono: IP Restriction bypasses static deny rules for non-canonical IPv6 "}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f577-qrjj-4474", "name": "hono: GHSA-f577-qrjj-4474", "shortDescription": {"text": "hono: GHSA-f577-qrjj-4474"}, "fullDescription": {"text": "Hono: JWT middleware accepts any Authorization scheme, not only Bearer"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3hrh-pfw6-9m5x", "name": "hono: GHSA-3hrh-pfw6-9m5x", "shortDescription": {"text": "hono: GHSA-3hrh-pfw6-9m5x"}, "fullDescription": {"text": "Hono: Cookie helper does not sanitize sameSite and priority, allowing 
Set-Cookie injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2gcr-mfcq-wcc3", "name": "hono: GHSA-2gcr-mfcq-wcc3", "shortDescription": {"text": "hono: GHSA-2gcr-mfcq-wcc3"}, "fullDescription": {"text": "Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-67mh-4wv8-2f99", "name": "esbuild: GHSA-67mh-4wv8-2f99", "shortDescription": {"text": "esbuild: GHSA-67mh-4wv8-2f99"}, "fullDescription": {"text": "esbuild enables any website to send any requests to the development server and read the response"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `@vitest/coverage-v8` is 2 major version(s) behind (2.1.9 -> 4.1.8)", "shortDescription": {"text": "npm package `@vitest/coverage-v8` is 2 major version(s) behind 
(2.1.9 -> 4.1.8)"}, "fullDescription": {"text": "`@vitest/coverage-v8` is pinned/resolved at 2.1.9 but the latest stable release on the npm registry is 4.1.8 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Installing recommended packages often pulls in unnecessary runtime surface area."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `call_tool` has cognitive complexity 11 (SonarSource scale). Cognitive com", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `call_tool` has cognitive complexity 11 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. 
SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 11."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.", "shortDescription": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-476 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-532 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO ", "shortDescription": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-161", "name": "starlette: PYSEC-2026-161", "shortDescription": {"text": "starlette: PYSEC-2026-161"}, "fullDescription": {"text": "BadHost: Missing Host header validation poisons request.url.path, bypassing path-based security checks"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-179", "name": "pyjwt: PYSEC-2026-179", "shortDescription": {"text": "pyjwt: PYSEC-2026-179"}, "fullDescription": {"text": "PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the secret key for HMAC algorithm. This vulnerability is fixed in 2.13.0."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-178", "name": "pyjwt: PYSEC-2026-178", "shortDescription": {"text": "pyjwt: PYSEC-2026-178"}, "fullDescription": {"text": "PyJWT is a JSON Web Token implementation in Python. 
From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option (\"b64\": false, RFC 7797), PyJWT performs Base64URL decoding of the compact-serialization payload segment before enforcing the detached-payload rules. For b64=false, PyJWT later discards that decoded payload and replaces it with the caller-provided detached_payload. In practice, this turns the middle segment into an attacker-controlled \u201cwork amplifier\u201d: a remote client can supply an arbitrarily large Base64URL payload segment that forces CPU work + memory allocations even if the signature is invalid. This creates an unauthenticated DoS vector against any endpoint that verifies detached JWS using PyJWT. This vulnerability is fixed in 2.13.0."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-177", "name": "pyjwt: PYSEC-2026-177", "shortDescription": {"text": "pyjwt: PYSEC-2026-177"}, "fullDescription": {"text": "PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.get_signing_key() forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited outbound requests. The vulnerability surfaces only when a JWKS fetch fails; an attacker can attempt to provoke that with sustained unknown-kid traffic, but the outcome depends on upstream JWKS-endpoint behavior (rate limiting, transient errors) which is beyond the attacker's control. This vulnerability is fixed in 2.13.0."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-175", "name": "pyjwt: PYSEC-2026-175", "shortDescription": {"text": "pyjwt: PYSEC-2026-175"}, "fullDescription": {"text": "PyJWT is a JSON Web Token implementation in Python. 
Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen() which uses Python stdlib's default OpenerDirector registering HTTPHandler, HTTPSHandler, FTPHandler, FileHandler, and DataHandler. There is currently no documented option to restrict which schemes PyJWKClient will fetch. If an application's jku URL ingestion path accepts attacker-influenced URLs (e.g., from JWT header, configuration file, OAuth flow parameter), the attacker can cause PyJWKClient to read arbitrary local files via file:// (SSRF on local filesystem), cause PyJWKClient to attempt FTP / data-URI fetches (broader SSRF surface), or forge tokens that PyJWT verifies as valid. The library does not directly return non-HTTP(S) URI contents to the attacker; the chained \"plant a JWKS to forge tokens\" scenario described in the original report requires additional application-layer flaws (attacker write access to a filesystem path, untrusted jku "}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mv93-w799-cj2w", "name": "gitpython: GHSA-mv93-w799-cj2w", "shortDescription": {"text": "gitpython: GHSA-mv93-w799-cj2w"}, "fullDescription": {"text": "GitPython: Newline injection in config_writer() section parameter bypasses CVE-2026-42215 patch, enabling RCE via core.hooksPath"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-142", "name": "urllib3: PYSEC-2026-142", "shortDescription": {"text": "urllib3: PYSEC-2026-142"}, "fullDescription": {"text": "urllib3 is an HTTP client library for Python. 
From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) when HTTPResponse.drain_conn() was called after the response had been read and decompressed partially (compression algorithm did not matter here). These issues could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This could result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data) on the client side. This vulnerability is fixed in 2.7.0."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-141", "name": "urllib3: PYSEC-2026-141", "shortDescription": {"text": "urllib3: PYSEC-2026-141"}, "fullDescription": {"text": "urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. 
This vulnerability is fixed in 2.7.0."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC033", "name": "[SEC033] Prototype Pollution \u2014 unfiltered merge of user object: Merging user-controlled object into a target without fil", "shortDescription": {"text": "[SEC033] Prototype Pollution \u2014 unfiltered merge of user object: Merging user-controlled object into a target without filtering `__proto__`/`constructor`/`prototype` keys lets attackers inject properties onto Object.prototype, affecting ever"}, "fullDescription": {"text": "Sanitize keys BEFORE merge:\n  function sanitize(obj) {\n    delete obj.__proto__;\n    delete obj.constructor;\n    delete obj.prototype;\n    return obj;\n  }\nOr use Object.create(null) for the target. Or use Map() for user-key-indexed data. Upgrade lodash >= 4.17.21 for partial mitigation."}, "properties": {"scanner": "repobility-threat-engine", "category": "prototype_pollution", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI bu"}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). 
For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC100", "name": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make ", "shortDescription": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "fullDescription": {"text": "Allowlist specific origins. For dynamic per-request validation, validate against a known list and echo the origin back. Never combine wildcard origin with credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. 
The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16.\nAlso block loopback (127/8, ::1), and run the address check on the resolved IP and on every redirect hop, not only on the hostname string."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `node:22-alpine` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `node:22-alpine` not pinned by digest"}, "fullDescription": {"text": "`FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/checkout` pinned to mutable ref `@v6`", "shortDescription": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "fullDescription": {"text": "`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "Express DELETE /mcp has no auth", "shortDescription": {"text": "Express DELETE /mcp has no auth"}, "fullDescription": {"text": "Express route DELETE /mcp declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "Phantom test coverage: test_get_local_tz_with_invalid_override", "shortDescription": {"text": "Phantom test coverage: test_get_local_tz_with_invalid_override"}, "fullDescription": {"text": "Test function `test_get_local_tz_with_invalid_override` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "`self.fail` used but never assigned in __init__", "shortDescription": {"text": "`self.fail` used but never assigned in __init__"}, "fullDescription": {"text": "Method `convert` of class `GitHashParamType` reads `self.fail`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "GHSA-5xrq-8626-4rwp", "name": "vitest: GHSA-5xrq-8626-4rwp", "shortDescription": {"text": "vitest: GHSA-5xrq-8626-4rwp"}, "fullDescription": {"text": "When Vitest UI server is listening, arbitrary file can be read and executed"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "Workflow uses `secrets.NPM_TOKEN` on a `pull_request` trigger", "shortDescription": {"text": "Workflow uses `secrets.NPM_TOKEN` on a `pull_request` trigger"}, "fullDescription": {"text": "This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.NPM_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). GitHub does not pass repository secrets to `pull_request` runs from forks by default, so confirm which PR sources actually receive this secret before rating the finding. 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/792"}, "properties": {"repository": "modelcontextprotocol/servers", "repoUrl": "https://github.com/modelcontextprotocol/servers", "branch": "main"}, "results": [{"ruleId": "GHSA-65pc-fj4g-8rjx", "level": "warning", "message": {"text": "idna: GHSA-65pc-fj4g-8rjx"}, "properties": {"repobilityId": 67296, "scanner": "osv-scanner", "fingerprint": "e053dfbefe9f4c1878261a3603705099de2c082f85829d78b87a5814a33b0f8b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45409"], "package": "idna", "rule_id": "GHSA-65pc-fj4g-8rjx", "scanner": "osv-scanner", "correlation_key": "vuln|idna|CVE-2024-3651|src/time/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/time/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vjqx-cfc4-9h6v", "level": "warning", "message": {"text": "mcp-server-git: GHSA-vjqx-cfc4-9h6v"}, "properties": {"repobilityId": 67290, "scanner": "osv-scanner", "fingerprint": "f2bdb2fbf2b35a55c9adb12678173fc47cdf92f3db93a00b5e55bf1efbd2690c", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27735"], "package": "mcp-server-git", "rule_id": "GHSA-vjqx-cfc4-9h6v", "scanner": "osv-scanner", "correlation_key": "vuln|mcp-server-git|CVE-2026-27735|src/git/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/git/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-j22h-9j4x-23w5", "level": "warning", "message": {"text": "mcp-server-git: 
GHSA-j22h-9j4x-23w5"}, "properties": {"repobilityId": 67289, "scanner": "osv-scanner", "fingerprint": "cc93807dfb5aba457ddd339830cf305e8ba8e7c085aee82f33db8a46c4cc3ff9", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-68145"], "package": "mcp-server-git", "rule_id": "GHSA-j22h-9j4x-23w5", "scanner": "osv-scanner", "correlation_key": "vuln|mcp-server-git|CVE-2025-68145|src/git/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/git/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9xwc-hfwc-8w59", "level": "warning", "message": {"text": "mcp-server-git: GHSA-9xwc-hfwc-8w59"}, "properties": {"repobilityId": 67288, "scanner": "osv-scanner", "fingerprint": "1a1a31c463269d2d3ec9e6972bb976bda8ec04d5d86a0a228be4154eda2f4313", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-68144"], "package": "mcp-server-git", "rule_id": "GHSA-9xwc-hfwc-8w59", "scanner": "osv-scanner", "correlation_key": "vuln|mcp-server-git|CVE-2025-68144|src/git/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/git/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5cgr-j3jf-jw3v", "level": "warning", "message": {"text": "mcp-server-git: GHSA-5cgr-j3jf-jw3v"}, "properties": {"repobilityId": 67287, "scanner": "osv-scanner", "fingerprint": "ff3b674342226ba40eb2677859e63232c06dd9530c35dfdc07660f98c5bd0af1", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-68143"], "package": "mcp-server-git", "rule_id": "GHSA-5cgr-j3jf-jw3v", "scanner": "osv-scanner", "correlation_key": 
"vuln|mcp-server-git|CVE-2025-68143|src/git/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/git/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-65pc-fj4g-8rjx", "level": "warning", "message": {"text": "idna: GHSA-65pc-fj4g-8rjx"}, "properties": {"repobilityId": 67286, "scanner": "osv-scanner", "fingerprint": "ff00b688f64a2cd704384f57673fae799196ccecafe9f5d049ff4b29899a7ee3", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45409"], "package": "idna", "rule_id": "GHSA-65pc-fj4g-8rjx", "scanner": "osv-scanner", "correlation_key": "vuln|idna|CVE-2024-3651|src/git/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/git/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-65pc-fj4g-8rjx", "level": "warning", "message": {"text": "idna: GHSA-65pc-fj4g-8rjx"}, "properties": {"repobilityId": 67277, "scanner": "osv-scanner", "fingerprint": "958f817478f093ac4148bfa0648a7aa9ba1489ea5e7aab006395f96ac6033081", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45409"], "package": "idna", "rule_id": "GHSA-65pc-fj4g-8rjx", "scanner": "osv-scanner", "correlation_key": "vuln|idna|CVE-2024-3651|src/fetch/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/fetch/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4w7w-66w2-5vf9", "level": "warning", "message": {"text": "vite: GHSA-4w7w-66w2-5vf9"}, "properties": {"repobilityId": 67275, "scanner": "osv-scanner", "fingerprint": "b9493abcfc150bfe6cb302cb6e27e4bbb1e650942ccb7c4de386ac3ae1c5f54d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": 
{"match": "", "aliases": ["CVE-2026-39365"], "package": "vite", "rule_id": "GHSA-4w7w-66w2-5vf9", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2026-39365|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q8mj-m7cp-5q26", "level": "warning", "message": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "properties": {"repobilityId": 67274, "scanner": "osv-scanner", "fingerprint": "47af66b2941511910bef679f7fdc36232d020247a0f6ed279e094f6f5cfdf3b5", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-8723"], "package": "qs", "rule_id": "GHSA-q8mj-m7cp-5q26", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2026-8723|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xrhx-7g5j-rcj5", "level": "warning", "message": {"text": "hono: GHSA-xrhx-7g5j-rcj5"}, "properties": {"repobilityId": 67273, "scanner": "osv-scanner", "fingerprint": "f8e3114b3f74e8695a460fbf4c7ae43ac53a5f8ec4039006650c458651172ab1", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47674"], "package": "hono", "rule_id": "GHSA-xrhx-7g5j-rcj5", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-47674|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f577-qrjj-4474", "level": "warning", "message": {"text": "hono: GHSA-f577-qrjj-4474"}, "properties": {"repobilityId": 67272, "scanner": "osv-scanner", "fingerprint": "49282a15bbfc9e6e6ea39695b12f6c9658d0e8207bad45ad113b356e942bd130", "category": 
"dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47673"], "package": "hono", "rule_id": "GHSA-f577-qrjj-4474", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-47673|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3hrh-pfw6-9m5x", "level": "warning", "message": {"text": "hono: GHSA-3hrh-pfw6-9m5x"}, "properties": {"repobilityId": 67271, "scanner": "osv-scanner", "fingerprint": "361c021f739f5706f364aeccb9438f92bf87afe76b41db2d0e63dcd5fd65c6ef", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47675"], "package": "hono", "rule_id": "GHSA-3hrh-pfw6-9m5x", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-47675|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2gcr-mfcq-wcc3", "level": "warning", "message": {"text": "hono: GHSA-2gcr-mfcq-wcc3"}, "properties": {"repobilityId": 67270, "scanner": "osv-scanner", "fingerprint": "25e1fe71f60ecac7a62fc842d6f8859077b12d636fc68e35c189c726a481c5e5", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47676"], "package": "hono", "rule_id": "GHSA-2gcr-mfcq-wcc3", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-47676|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-67mh-4wv8-2f99", "level": "warning", "message": {"text": "esbuild: GHSA-67mh-4wv8-2f99"}, "properties": 
{"repobilityId": 67269, "scanner": "osv-scanner", "fingerprint": "a5366f8592ea792611dbd54230e9a360d84cfa4deab68e1cdb4eca522a676bc6", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "esbuild", "rule_id": "GHSA-67mh-4wv8-2f99", "scanner": "osv-scanner", "correlation_key": "vuln|esbuild|GHSA-67MH-4WV8-2F99|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 67268, "scanner": "repobility-docker", "fingerprint": "6c73e14cc85cd5e089d88932ebfc6379a4fa6cbaa69c27ce86977f180b13f43a", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.12-slim-bookworm", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|6c73e14cc85cd5e089d88932ebfc6379a4fa6cbaa69c27ce86977f180b13f43a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/time/Dockerfile"}, "region": {"startLine": 25}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 67267, "scanner": "repobility-docker", "fingerprint": "1b8980e31fd123440589e1f6b75e8153910b7027f34693f393cdb0a514a05d30", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in 
the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:22-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|1b8980e31fd123440589e1f6b75e8153910b7027f34693f393cdb0a514a05d30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/sequentialthinking/Dockerfile"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 67266, "scanner": "repobility-docker", "fingerprint": "d9813cad30ce75d4154075da1059b8c8a82bdfc7cc95df667e6322c87a7b965d", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:22-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d9813cad30ce75d4154075da1059b8c8a82bdfc7cc95df667e6322c87a7b965d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/memory/Dockerfile"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 67265, "scanner": "repobility-docker", "fingerprint": "7fae944850633dfb287d80d1f15d142a920dcfe16d5d0db5f52820f258c339fd", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime 
stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.12-slim-bookworm", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|7fae944850633dfb287d80d1f15d142a920dcfe16d5d0db5f52820f258c339fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/git/Dockerfile"}, "region": {"startLine": 25}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 67263, "scanner": "repobility-docker", "fingerprint": "e555e37fb6df876e6836c7eaea3182ac569c0f6f288d907388fb7cfcf4626c61", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:22-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e555e37fb6df876e6836c7eaea3182ac569c0f6f288d907388fb7cfcf4626c61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/filesystem/Dockerfile"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 67262, "scanner": "repobility-docker", "fingerprint": "fa2499d72cdde89e9c88411f2074e4402cb2b85fec6ea10ff4aef2bb29b236e3", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", 
"evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.12-slim-bookworm", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|fa2499d72cdde89e9c88411f2074e4402cb2b85fec6ea10ff4aef2bb29b236e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/fetch/Dockerfile"}, "region": {"startLine": 25}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 67261, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 67260, "scanner": "repobility-docker", "fingerprint": "de230ab1f1055720e33651fb202bc175e33f26667b61a17d89c4fa6b42362922", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:22-alpine", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|de230ab1f1055720e33651fb202bc175e33f26667b61a17d89c4fa6b42362922"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/everything/Dockerfile"}, "region": {"startLine": 10}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@vitest/coverage-v8` is 2 major version(s) behind (2.1.9 -> 4.1.8)"}, "properties": {"repobilityId": 67234, "scanner": "repobility-dependency-currency", "fingerprint": "66505ba00729678b5503fce8db6a5de975d1f55cf4e0abbe56c639d568b98917", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vitest/coverage-v8", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.1.8", "correlation_key": "fp|66505ba00729678b5503fce8db6a5de975d1f55cf4e0abbe56c639d568b98917", "current_version": "2.1.9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/filesystem/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@types/minimatch` is 1 major version(s) behind (5.1.2 -> 6.0.0)"}, "properties": {"repobilityId": 67233, "scanner": "repobility-dependency-currency", "fingerprint": "e34acc7da4865ec78e0ff3aedf1ff594c0694d2617a2275e6bca10be59e58fba", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/minimatch", "scanner": "repobility-dependency-currency", "ecosystem": "npm", 
"languages": ["javascript"], "latest_version": "6.0.0", "correlation_key": "fp|e34acc7da4865ec78e0ff3aedf1ff594c0694d2617a2275e6bca10be59e58fba", "current_version": "5.1.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/filesystem/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@types/diff` is 3 major version(s) behind (5.2.3 -> 8.0.0)"}, "properties": {"repobilityId": 67232, "scanner": "repobility-dependency-currency", "fingerprint": "7e82670f99d4cb0036fed83470cf99bcbbda13faf5e39e978108692a4a849097", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/diff", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "8.0.0", "correlation_key": "fp|7e82670f99d4cb0036fed83470cf99bcbbda13faf5e39e978108692a4a849097", "current_version": "5.2.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/filesystem/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `minimatch` is 1 major version(s) behind (9.0.9 -> 10.2.5)"}, "properties": {"repobilityId": 67231, "scanner": "repobility-dependency-currency", "fingerprint": "e4f3dd78e437018dab70360855ee8881e39d78738bb1f2b73afb143b71c8ac3a", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "minimatch", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.2.5", "correlation_key": "fp|e4f3dd78e437018dab70360855ee8881e39d78738bb1f2b73afb143b71c8ac3a", 
"current_version": "9.0.9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/filesystem/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `glob` is 3 major version(s) behind (10.5.0 -> 13.0.6)"}, "properties": {"repobilityId": 67230, "scanner": "repobility-dependency-currency", "fingerprint": "d8518874376fb9fe938f795fa52207955fbb5a076700d5c0f3215f2f33014dd5", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "glob", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "13.0.6", "correlation_key": "fp|d8518874376fb9fe938f795fa52207955fbb5a076700d5c0f3215f2f33014dd5", "current_version": "10.5.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/filesystem/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `diff` is 1 major version(s) behind (8.0.3 -> 9.0.0)"}, "properties": {"repobilityId": 67229, "scanner": "repobility-dependency-currency", "fingerprint": "08b2a345c80471d0af1e1a74bd2d8add2e4bab6c53c4e3fd71616a518e6484f0", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "diff", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "9.0.0", "correlation_key": "fp|08b2a345c80471d0af1e1a74bd2d8add2e4bab6c53c4e3fd71616a518e6484f0", "current_version": "8.0.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/filesystem/package.json"}, "region": {"startLine": 1}}}]}, 
{"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `prettier` is 1 major version(s) behind (2.8.8 -> 3.8.3)"}, "properties": {"repobilityId": 67227, "scanner": "repobility-dependency-currency", "fingerprint": "148dda9ba772a841ced5a9a2217c41671a7eb4a00caa169574bda1c9f33a6028", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "prettier", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.8.3", "correlation_key": "fp|148dda9ba772a841ced5a9a2217c41671a7eb4a00caa169574bda1c9f33a6028", "current_version": "2.8.8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/everything/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@vitest/coverage-v8` is 2 major version(s) behind (2.1.9 -> 4.1.8)"}, "properties": {"repobilityId": 67226, "scanner": "repobility-dependency-currency", "fingerprint": "7d6341222d16db46822b0db12e7170b053ef2bcc90d300f4f00faae497dcb445", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vitest/coverage-v8", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.1.8", "correlation_key": "fp|7d6341222d16db46822b0db12e7170b053ef2bcc90d300f4f00faae497dcb445", "current_version": "2.1.9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/everything/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@vitest/coverage-v8` is 2 major version(s) behind 
(2.1.9 -> 4.1.8)"}, "properties": {"repobilityId": 67223, "scanner": "repobility-dependency-currency", "fingerprint": "7cb1359fda15090704180d78a922f1d97250edc882f0be5c3eb5587a016accd3", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vitest/coverage-v8", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.1.8", "correlation_key": "fp|7cb1359fda15090704180d78a922f1d97250edc882f0be5c3eb5587a016accd3", "current_version": "2.1.9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/sequentialthinking/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `yargs` is 1 major version(s) behind (17.7.2 -> 18.0.0)"}, "properties": {"repobilityId": 67221, "scanner": "repobility-dependency-currency", "fingerprint": "41a647a0e073e4212905b8323c52f08f7ee8316575e3ced0db180ca8875af6f6", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "yargs", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "18.0.0", "correlation_key": "fp|41a647a0e073e4212905b8323c52f08f7ee8316575e3ced0db180ca8875af6f6", "current_version": "17.7.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/sequentialthinking/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@vitest/coverage-v8` is 2 major version(s) behind (2.1.9 -> 4.1.8)"}, "properties": {"repobilityId": 67218, "scanner": "repobility-dependency-currency", "fingerprint": 
"7815e999180ce19e0110c28cc7b73abc6b7fd5d06535e617d85d53c8d91ceabb", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vitest/coverage-v8", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.1.8", "correlation_key": "fp|7815e999180ce19e0110c28cc7b73abc6b7fd5d06535e617d85d53c8d91ceabb", "current_version": "2.1.9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/memory/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 67264, "scanner": "repobility-docker", "fingerprint": "d520347d9b7da8b4f9d2ed83b27c09c33d47e745246a339c5e4ef7a41f3cc036", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d520347d9b7da8b4f9d2ed83b27c09c33d47e745246a339c5e4ef7a41f3cc036"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/git/Dockerfile"}, "region": {"startLine": 27}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `call_tool` has cognitive complexity 11 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: case=3, except=1, if=2, match=1, nested_bonus=4."}, "properties": {"repobilityId": 67258, "scanner": "repobility-threat-engine", "fingerprint": "da3378d9520fdb3ffc032fc0b588b76b712fb27ef83c4328a0816b819e6a4eee", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 11 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "call_tool", "breakdown": {"if": 2, "case": 3, "match": 1, "except": 1, "nested_bonus": 4}, "complexity": 11, "correlation_key": "fp|da3378d9520fdb3ffc032fc0b588b76b712fb27ef83c4328a0816b819e6a4eee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/time/src/mcp_server_time/server.py"}, "region": {"startLine": 183}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `call_tool` has cognitive complexity 11 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: else=2, except=1, if=5, nested_bonus=3."}, "properties": {"repobilityId": 67257, "scanner": "repobility-threat-engine", "fingerprint": "5ddb95797f3ca15fc0aad6a729b7c2bff25cf2bf19e80a6abbafd291bf5c1f4f", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 11 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "call_tool", "breakdown": {"if": 5, "else": 2, "except": 1, "nested_bonus": 3}, "complexity": 11, "correlation_key": "fp|5ddb95797f3ca15fc0aad6a729b7c2bff25cf2bf19e80a6abbafd291bf5c1f4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/fetch/src/mcp_server_fetch/server.py"}, "region": {"startLine": 224}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `shx` is minor version(s) behind (0.3.4 -> 0.4.0)"}, "properties": {"repobilityId": 67235, "scanner": "repobility-dependency-currency", "fingerprint": "bf660ebc63eaac861c310dcac26aae86c2c768fe4e00ba15ef1d424eb8075a74", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "shx", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.4.0", "correlation_key": "fp|bf660ebc63eaac861c310dcac26aae86c2c768fe4e00ba15ef1d424eb8075a74", "current_version": "0.3.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/filesystem/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `shx` is minor version(s) behind (0.3.4 -> 0.4.0)"}, "properties": {"repobilityId": 67228, "scanner": "repobility-dependency-currency", "fingerprint": 
"3a74a65b3cb85dd684d364f4c37e7cc1dd9a0b93acae634d2fd65bb3b82a299a", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "shx", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.4.0", "correlation_key": "fp|3a74a65b3cb85dd684d364f4c37e7cc1dd9a0b93acae634d2fd65bb3b82a299a", "current_version": "0.3.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/everything/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `shx` is minor version(s) behind (0.3.4 -> 0.4.0)"}, "properties": {"repobilityId": 67224, "scanner": "repobility-dependency-currency", "fingerprint": "ef0f5fdb8a080ad7d0a4f2fc455efdc302b8c8eaace8d9b5039072b3b19ffed1", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "shx", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.4.0", "correlation_key": "fp|ef0f5fdb8a080ad7d0a4f2fc455efdc302b8c8eaace8d9b5039072b3b19ffed1", "current_version": "0.3.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/sequentialthinking/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `chalk` is minor version(s) behind (5.3.0 -> 5.6.2)"}, "properties": {"repobilityId": 67220, "scanner": "repobility-dependency-currency", "fingerprint": "479900620965e7410ec93156703676bf2c22c335f24bbb7cb3ab1e8fb4d1072d", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": 
false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "chalk", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.6.2", "correlation_key": "fp|479900620965e7410ec93156703676bf2c22c335f24bbb7cb3ab1e8fb4d1072d", "current_version": "5.3.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/sequentialthinking/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `shx` is minor version(s) behind (0.3.4 -> 0.4.0)"}, "properties": {"repobilityId": 67219, "scanner": "repobility-dependency-currency", "fingerprint": "01d3ed45740a446b9090b5828e1b35e64ee25d7511fda9ab7480c3f621392eb2", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "shx", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.4.0", "correlation_key": "fp|01d3ed45740a446b9090b5828e1b35e64ee25d7511fda9ab7480c3f621392eb2", "current_version": "0.3.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/memory/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67146, "scanner": "repobility-ai-code-hygiene", "fingerprint": "429421a6e85faca9ecc4059b987faba0ed80bad24422a978c7ece6900533c8de", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "src/everything/vitest.config.ts", "duplicate_line": 1, "correlation_key": "fp|429421a6e85faca9ecc4059b987faba0ed80bad24422a978c7ece6900533c8de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/sequentialthinking/vitest.config.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67145, "scanner": "repobility-ai-code-hygiene", "fingerprint": "90e9f309c95b1373334b25d4de9aeb63bd9f54a5fc1cbe055d8adeb91fe1f837", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/everything/vitest.config.ts", "duplicate_line": 1, "correlation_key": "fp|90e9f309c95b1373334b25d4de9aeb63bd9f54a5fc1cbe055d8adeb91fe1f837"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/memory/vitest.config.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67144, "scanner": "repobility-ai-code-hygiene", "fingerprint": "923c5e796adad6941b1c285e15ca0d1a9dbb67301aedce588d678703f3121fed", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/everything/vitest.config.ts", "duplicate_line": 1, "correlation_key": 
"fp|923c5e796adad6941b1c285e15ca0d1a9dbb67301aedce588d678703f3121fed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/filesystem/vitest.config.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67143, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8d3c0f70f6d8128f9ec6e83625ff39cfd8a9f86928316d6c44f695f2e6388fda", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/everything/tools/trigger-sampling-request-async.ts", "duplicate_line": 56, "correlation_key": "fp|8d3c0f70f6d8128f9ec6e83625ff39cfd8a9f86928316d6c44f695f2e6388fda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/everything/tools/trigger-sampling-request.ts"}, "region": {"startLine": 41}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67142, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fbc0f37c1b3f4ca173be3d7774cb3b56e5e0fb48c8f491f694360d4c9e876235", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/everything/tools/trigger-elicitation-request-async.ts", "duplicate_line": 108, "correlation_key": "fp|fbc0f37c1b3f4ca173be3d7774cb3b56e5e0fb48c8f491f694360d4c9e876235"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "src/everything/tools/trigger-sampling-request-async.ts"}, "region": {"startLine": 110}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67141, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cee1a5260e342435fdfc32e2b4c68920ffdde871daa95b0cf62187ac6b6bc3ab", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/everything/prompts/resource.ts", "duplicate_line": 34, "correlation_key": "fp|cee1a5260e342435fdfc32e2b4c68920ffdde871daa95b0cf62187ac6b6bc3ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/everything/tools/get-resource-reference.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 67252, "scanner": "repobility-threat-engine", "fingerprint": "721b998daf8e55cc1c8ab32949bc1bcb7d2cc3065041392d65eca258bf546e99", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|721b998daf8e55cc1c8ab32949bc1bcb7d2cc3065041392d65eca258bf546e99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/everything/tools/simulate-research-query.ts"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 67247, "scanner": "repobility-threat-engine", "fingerprint": "0a0d722bc7edc67bb6f5d7bcb1a00d6eea75a7aacb6074ffa2ef15ab5f17015f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0a0d722bc7edc67bb6f5d7bcb1a00d6eea75a7aacb6074ffa2ef15ab5f17015f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/everything/transports/streamableHttp.ts"}, "region": {"startLine": 161}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 67246, "scanner": "repobility-threat-engine", "fingerprint": "2b0ea09742c58cc8b2e48ae46f438225faf3652d10342787a2409b57fccf125a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2b0ea09742c58cc8b2e48ae46f438225faf3652d10342787a2409b57fccf125a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/everything/tools/get-roots-list.ts"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 67245, "scanner": "repobility-threat-engine", "fingerprint": "8b7d416dbf9c86170984069f4612840dbab96c0c7ebce0cc7a6c5c6629530f92", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8b7d416dbf9c86170984069f4612840dbab96c0c7ebce0cc7a6c5c6629530f92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"src/everything/resources/templates.ts"}, "region": {"startLine": 147}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 67244, "scanner": "repobility-threat-engine", "fingerprint": "dfda4170aff520d17dd79e2ba83251ca47508d2ca8ba93d0fcc46ccc46e07c8c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|dfda4170aff520d17dd79e2ba83251ca47508d2ca8ba93d0fcc46ccc46e07c8c"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 67240, "scanner": "repobility-threat-engine", "fingerprint": "ea93f5492ff921e9618c4e30a2631c7b1a2bef829e99f8007e5face821b69969", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|ea93f5492ff921e9618c4e30a2631c7b1a2bef829e99f8007e5face821b69969", "aggregated_count": 6}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 67239, "scanner": "repobility-threat-engine", "fingerprint": "5bee9132467f5640eb5ff972695bbb1149609e2895ebd24103a8de1fb2980fb0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5bee9132467f5640eb5ff972695bbb1149609e2895ebd24103a8de1fb2980fb0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/everything/tools/simulate-research-query.ts"}, "region": {"startLine": 134}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 67238, "scanner": "repobility-threat-engine", "fingerprint": "943bba661bae1b64157f9de131fb2063ea042adf0e4c30fbf0fb72d607ba2f9f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|943bba661bae1b64157f9de131fb2063ea042adf0e4c30fbf0fb72d607ba2f9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/everything/server/roots.ts"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 67237, "scanner": "repobility-threat-engine", "fingerprint": "32f9580635d0a444cb2ae6cea7aa69091e4e7a6cf3c94fb558740e89088f6299", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|32f9580635d0a444cb2ae6cea7aa69091e4e7a6cf3c94fb558740e89088f6299"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/everything/index.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 67236, "scanner": "repobility-threat-engine", "fingerprint": "a2826717c0dc9c875f64e81476acdddb079aefac07b6c7de14e2701e3880d423", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a2826717c0dc9c875f64e81476acdddb079aefac07b6c7de14e2701e3880d423"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"scripts/release.py"}, "region": {"startLine": 139}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `cors` is patch version(s) behind (2.8.5 -> 2.8.6)"}, "properties": {"repobilityId": 67225, "scanner": "repobility-dependency-currency", "fingerprint": "961ef7e12521d6777e186f40ae8e2fecbc210aa32c5a6a5abd525710fe88c50c", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "cors", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.8.6", "correlation_key": "fp|961ef7e12521d6777e186f40ae8e2fecbc210aa32c5a6a5abd525710fe88c50c", "current_version": "2.8.5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/everything/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@types/yargs` is patch version(s) behind (17.0.33 -> 17.0.35)"}, "properties": {"repobilityId": 67222, "scanner": "repobility-dependency-currency", "fingerprint": "44330bd3dde475af6d5dbbdf36d89b35ac8bd9d95451c29d53e49933fa584ecf", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/yargs", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "17.0.35", "correlation_key": "fp|44330bd3dde475af6d5dbbdf36d89b35ac8bd9d95451c29d53e49933fa584ecf", "current_version": "17.0.33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/sequentialthinking/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-161", "level": "error", "message": {"text": "starlette: PYSEC-2026-161"}, 
"properties": {"repobilityId": 67301, "scanner": "osv-scanner", "fingerprint": "2c4b7bef1abbdc7e131bfd27a35b1c41def499d9993aa4b485cbce429b7d7142", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-48710", "GHSA-86qp-5c8j-p5mr", "X41-2026-002"], "package": "starlette", "rule_id": "PYSEC-2026-161", "scanner": "osv-scanner", "correlation_key": "vuln|starlette|CVE-2026-48710|src/time/uv.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-86qp-5c8j-p5mr", "PYSEC-2026-161"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["024c006216945140f37516620a9238ae3deebadead2e338e60491a871449da21", "2c4b7bef1abbdc7e131bfd27a35b1c41def499d9993aa4b485cbce429b7d7142"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/time/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-179", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-179"}, "properties": {"repobilityId": 67300, "scanner": "osv-scanner", "fingerprint": "00868d255f06c7524b9763409a29ce2900b0b6ef10e7fdf05c306370c4969113", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48526", "GHSA-xgmm-8j9v-c9wx"], "package": "pyjwt", "rule_id": "PYSEC-2026-179", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48526|src/time/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/time/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-178", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-178"}, "properties": {"repobilityId": 67299, "scanner": "osv-scanner", "fingerprint": "c7eedebd2897fae15646befd5f8d5b6860ddd265ad5d7cd3d53b0c3f6d649667", "category": "dependency", 
"severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48525", "GHSA-w7vc-732c-9m39"], "package": "pyjwt", "rule_id": "PYSEC-2026-178", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48525|src/time/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/time/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-177", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-177"}, "properties": {"repobilityId": 67298, "scanner": "osv-scanner", "fingerprint": "b50af9c1e4b14fb68366ebd0d0bb0e9b98fe28facd10c37fda6e4c52aded2f78", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48524", "GHSA-fhv5-28vv-h8m8"], "package": "pyjwt", "rule_id": "PYSEC-2026-177", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48524|src/time/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/time/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-175", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-175"}, "properties": {"repobilityId": 67297, "scanner": "osv-scanner", "fingerprint": "758b91612575dadbdb31f083cef1656b150d46d57d6ef43a0ba18f6a5c7aec66", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48522", "GHSA-993g-76c3-p5m4"], "package": "pyjwt", "rule_id": "PYSEC-2026-175", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48522|src/time/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/time/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-161", "level": "error", "message": {"text": "starlette: PYSEC-2026-161"}, "properties": 
{"repobilityId": 67295, "scanner": "osv-scanner", "fingerprint": "038e937c90cdb61c3789276df150b39cd55ce11ffec9612b0153167416ca058a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-48710", "GHSA-86qp-5c8j-p5mr", "X41-2026-002"], "package": "starlette", "rule_id": "PYSEC-2026-161", "scanner": "osv-scanner", "correlation_key": "vuln|starlette|CVE-2026-48710|src/git/uv.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-86qp-5c8j-p5mr", "PYSEC-2026-161"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["038e937c90cdb61c3789276df150b39cd55ce11ffec9612b0153167416ca058a", "6e24e58254aa8d9c61d3018a2586ba6b09a4bcf6337b5d9cda0faf45b4354d35"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/git/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-179", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-179"}, "properties": {"repobilityId": 67294, "scanner": "osv-scanner", "fingerprint": "feeb92efb25c14987750eae287a5fb0e86bc44ef88fcac1c0a9aba7646b3fcae", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48526", "GHSA-xgmm-8j9v-c9wx"], "package": "pyjwt", "rule_id": "PYSEC-2026-179", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48526|src/git/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/git/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-178", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-178"}, "properties": {"repobilityId": 67293, "scanner": "osv-scanner", "fingerprint": "bc5a9f235416f25d90ba905c9c85de306300d1bf63dc6cc184ec613c1ed25a33", "category": "dependency", "severity": "high", 
"confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48525", "GHSA-w7vc-732c-9m39"], "package": "pyjwt", "rule_id": "PYSEC-2026-178", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48525|src/git/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/git/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-177", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-177"}, "properties": {"repobilityId": 67292, "scanner": "osv-scanner", "fingerprint": "9a546975a0bb504a22c1215d741b08fcad99932fd65180d7df42834224cadb2a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48524", "GHSA-fhv5-28vv-h8m8"], "package": "pyjwt", "rule_id": "PYSEC-2026-177", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48524|src/git/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/git/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-175", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-175"}, "properties": {"repobilityId": 67291, "scanner": "osv-scanner", "fingerprint": "5635c69c44ba078a015419fafa2b1c950ecd4d87f39c0ea96dfddba568b691d5", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48522", "GHSA-993g-76c3-p5m4"], "package": "pyjwt", "rule_id": "PYSEC-2026-175", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48522|src/git/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/git/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mv93-w799-cj2w", "level": "error", "message": {"text": "gitpython: GHSA-mv93-w799-cj2w"}, "properties": {"repobilityId": 
67285, "scanner": "osv-scanner", "fingerprint": "3cbe7833b915967f9b053c849a657357e9d67510b55f7320c33812e8ec7f6567", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "gitpython", "rule_id": "GHSA-mv93-w799-cj2w", "scanner": "osv-scanner", "correlation_key": "vuln|gitpython|CVE-2026-42215|src/git/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/git/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-142", "level": "error", "message": {"text": "urllib3: PYSEC-2026-142"}, "properties": {"repobilityId": 67284, "scanner": "osv-scanner", "fingerprint": "a60d8fea91b5f7603d6cb47316745386fc3b137b3dbbcfb4690174b40dde9a8e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-44432", "GHSA-mf9v-mfxr-j63j"], "package": "urllib3", "rule_id": "PYSEC-2026-142", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2026-44432|src/fetch/uv.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-mf9v-mfxr-j63j", "PYSEC-2026-142"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["a60d8fea91b5f7603d6cb47316745386fc3b137b3dbbcfb4690174b40dde9a8e", "d4e6e2c6065b0d497d4231fcbc6aa8aa99bf2deaca4ed7ec7fc8b9f441d12849"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/fetch/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-141", "level": "error", "message": {"text": "urllib3: PYSEC-2026-141"}, "properties": {"repobilityId": 67283, "scanner": "osv-scanner", "fingerprint": "a1eb895a3ecddb84c64dbbef1c34e839c6c7544f0ae4d16e090a8499532c9e06", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": 
false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-44431", "GHSA-qccp-gfcp-xxvc"], "package": "urllib3", "rule_id": "PYSEC-2026-141", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2026-44431|src/fetch/uv.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-qccp-gfcp-xxvc", "PYSEC-2026-141"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["2767c46e255540547a7afca389766a4ee9d3cc08098463690cf7d2f219d7113c", "a1eb895a3ecddb84c64dbbef1c34e839c6c7544f0ae4d16e090a8499532c9e06"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/fetch/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-161", "level": "error", "message": {"text": "starlette: PYSEC-2026-161"}, "properties": {"repobilityId": 67282, "scanner": "osv-scanner", "fingerprint": "fb74cefdbf02fd17e9a053023e3b243ceea8f3b8a887eb9dba0a5c0997f3cf45", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-48710", "GHSA-86qp-5c8j-p5mr", "X41-2026-002"], "package": "starlette", "rule_id": "PYSEC-2026-161", "scanner": "osv-scanner", "correlation_key": "vuln|starlette|CVE-2026-48710|src/fetch/uv.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-86qp-5c8j-p5mr", "PYSEC-2026-161"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["c8e722199908a4b3200dbbd6762631bba9ebfd218424860d289470bf7e49c45f", "fb74cefdbf02fd17e9a053023e3b243ceea8f3b8a887eb9dba0a5c0997f3cf45"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/fetch/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-179", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-179"}, "properties": {"repobilityId": 67281, "scanner": "osv-scanner", 
"fingerprint": "3c1a0155941bf62cb6f1983c3cc7c90decf030ec020d579aaf9bf5ba6b4a05e9", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48526", "GHSA-xgmm-8j9v-c9wx"], "package": "pyjwt", "rule_id": "PYSEC-2026-179", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48526|src/fetch/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/fetch/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-178", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-178"}, "properties": {"repobilityId": 67280, "scanner": "osv-scanner", "fingerprint": "ed57fe505ebaf0c73f65ba57542a69db8818c07cae99387fb72d8b265463235d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48525", "GHSA-w7vc-732c-9m39"], "package": "pyjwt", "rule_id": "PYSEC-2026-178", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48525|src/fetch/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/fetch/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-177", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-177"}, "properties": {"repobilityId": 67279, "scanner": "osv-scanner", "fingerprint": "055bcd572dcccdbe5e94ff9f3f58725e2f3bc008bc2bf85c3a9def2cd62cbc42", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48524", "GHSA-fhv5-28vv-h8m8"], "package": "pyjwt", "rule_id": "PYSEC-2026-177", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48524|src/fetch/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/fetch/uv.lock"}, "region": {"startLine": 
1}}}]}, {"ruleId": "PYSEC-2026-175", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-175"}, "properties": {"repobilityId": 67278, "scanner": "osv-scanner", "fingerprint": "87bcdce080361ef3109102d76ba2068dfd50aebf3b907b05ba81750f27971101", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48522", "GHSA-993g-76c3-p5m4"], "package": "pyjwt", "rule_id": "PYSEC-2026-175", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48522|src/fetch/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/fetch/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC033", "level": "error", "message": {"text": "[SEC033] Prototype Pollution \u2014 unfiltered merge of user object: Merging user-controlled object into a target without filtering `__proto__`/`constructor`/`prototype` keys lets attackers inject properties onto Object.prototype, affecting every object in the process. CWE-1321. 
Real-world: CVE-2019-10744 (lodash), CVE-2021-23337 (lodash.set), CVE-2023-26136 (tough-cookie). Triage: the matched code (`[input.branchId] =`) appears to be a computed-key assignment rather than a merge, so confirm whether `branchId` can be `__proto__`, `constructor` or `prototype`; keeping the entries in a `Map` or an `Object.create(null)` object removes the risk. Note that CVE-2021-23337 is catalogued as command injection in lodash's `template` function, not prototype pollution."}, "properties": {"repobilityId": 67259, "scanner": "repobility-threat-engine", "fingerprint": "3fef6c637d7ea2e7b6e669d71ecb18a91e4817017138e5f187099366ef744a9a", "category": "prototype_pollution", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "[input.branchId] =", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC033", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3fef6c637d7ea2e7b6e669d71ecb18a91e4817017138e5f187099366ef744a9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/sequentialthinking/lib.ts"}, "region": {"startLine": 64}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). 
High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 67256, "scanner": "repobility-threat-engine", "fingerprint": "bb613303508669f1402af555192f749546a60019697f34c6604b41f1c265d8be", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "app.post(\"/mcp\", async (req: Request, res: Response) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bb613303508669f1402af555192f749546a60019697f34c6604b41f1c265d8be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/everything/transports/streamableHttp.ts"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). 
High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 67255, "scanner": "repobility-threat-engine", "fingerprint": "e9f435cea58785e054d38fe850991ea95dab3225ffd22f7c44fdcc2648433c5a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "app.post(\"/message\", async (req, res) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e9f435cea58785e054d38fe850991ea95dab3225ffd22f7c44fdcc2648433c5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/everything/transports/sse.ts"}, "region": {"startLine": 59}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. 
Especially dangerous when combined with `Access-Control-Allow-Credentials: true`. Browsers reject credentialed requests when the allowed origin is the literal `*`, so the credentialed case applies only where the server echoes the caller's origin instead of sending `*`."}, "properties": {"repobilityId": 67254, "scanner": "repobility-threat-engine", "fingerprint": "c60bb9e386940e1980a328842d86f86df1669ff9e4f16cad04ce23242ea2d61c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "cors({\n    origin: \"*", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c60bb9e386940e1980a328842d86f86df1669ff9e4f16cad04ce23242ea2d61c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/everything/transports/streamableHttp.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. 
Especially dangerous when combined with `Access-Control-Allow-Credentials: true`. Browsers reject credentialed requests when the allowed origin is the literal `*`, so the credentialed case applies only where the server echoes the caller's origin instead of sending `*`."}, "properties": {"repobilityId": 67253, "scanner": "repobility-threat-engine", "fingerprint": "8faa83695c39a1fdce094bf786b13ad3286195e43c8ee20d5e6bb988054eb41b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "cors({\n    origin: \"*", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8faa83695c39a1fdce094bf786b13ad3286195e43c8ee20d5e6bb988054eb41b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/everything/transports/sse.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 67251, "scanner": "repobility-threat-engine", "fingerprint": "2dfac12e0e3147c73db17787eba0037653859804d3c2064c723a1c4e473976cf", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((s, i) => `- Stage ${i + 1}: ${s}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2dfac12e0e3147c73db17787eba0037653859804d3c2064c723a1c4e473976cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/everything/tools/simulate-research-query.ts"}, "region": {"startLine": 180}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 67250, "scanner": "repobility-threat-engine", "fingerprint": "05a1f1526ec62d7e4d39145e2355952938e712400eeba68963c1cfdb86a2077d", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|05a1f1526ec62d7e4d39145e2355952938e712400eeba68963c1cfdb86a2077d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/fetch/src/mcp_server_fetch/server.py"}, "region": {"startLine": 48}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 67249, "scanner": "repobility-threat-engine", "fingerprint": "12f41737edcef4ab024f1ece783dc0a68e4fd9147368354bb8c032245390bd4c", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL (E", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|12f41737edcef4ab024f1ece783dc0a68e4fd9147368354bb8c032245390bd4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/everything/tools/trigger-url-elicitation.ts"}, "region": {"startLine": 128}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 67248, "scanner": "repobility-threat-engine", "fingerprint": "f0ac7c73a01c222ca8f1c06460fab723dffcd86f7fbba6b4321c6340179f31e4", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(d", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f0ac7c73a01c222ca8f1c06460fab723dffcd86f7fbba6b4321c6340179f31e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/everything/tools/gzip-file-as-resource.ts"}, "region": {"startLine": 137}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 67243, "scanner": "repobility-threat-engine", "fingerprint": "4e3bc31172968f260b4742e6f375bf403a587c3090177178e602ede175ad29f0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "logsUpdateIntervals.delete(sessionId);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4e3bc31172968f260b4742e6f375bf403a587c3090177178e602ede175ad29f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/everything/server/logging.ts"}, "region": {"startLine": 80}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 67242, "scanner": "repobility-threat-engine", "fingerprint": "233b736188a8cfb4cd523e429148b1db5b1c3b118848f7ffe66826037a9e894c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "subsUpdateIntervals.delete(sessionId);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|233b736188a8cfb4cd523e429148b1db5b1c3b118848f7ffe66826037a9e894c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/everything/resources/subscriptions.ts"}, "region": {"startLine": 169}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 67241, "scanner": "repobility-threat-engine", "fingerprint": "8ab9265749937e076da9ea292fa673767430e68853483fc0111d087518777b17", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "registeredResources.delete(uri);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8ab9265749937e076da9ea292fa673767430e68853483fc0111d087518777b17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/everything/resources/session.ts"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:22-alpine` not pinned by digest"}, "properties": {"repobilityId": 67217, "scanner": "repobility-supply-chain", "fingerprint": "49cdc6630585bfdf3afb9f640cbe2e154eea444368aac151477e452d0a702714", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|49cdc6630585bfdf3afb9f640cbe2e154eea444368aac151477e452d0a702714"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/filesystem/Dockerfile"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:22.12-alpine` not pinned by digest"}, "properties": {"repobilityId": 67216, "scanner": "repobility-supply-chain", "fingerprint": "16754561a7d5fe0b294c6ff234124ba293208317fdf0d26c0185e4bc85c6bb92", "category": "dependency", 
"severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|16754561a7d5fe0b294c6ff234124ba293208317fdf0d26c0185e4bc85c6bb92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/filesystem/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:22-alpine` not pinned by digest"}, "properties": {"repobilityId": 67215, "scanner": "repobility-supply-chain", "fingerprint": "c7e6bf217f801e35b1f4e1d48e714543787241f00720d8a86bfe83580c11edb1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c7e6bf217f801e35b1f4e1d48e714543787241f00720d8a86bfe83580c11edb1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/everything/Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:22.12-alpine` not pinned by digest"}, "properties": {"repobilityId": 67214, "scanner": "repobility-supply-chain", "fingerprint": "a23d8b036c1ee1aa2c271d21e6c87cc1d50680e1a86bbe387a04af99e30dbef2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": 
"repobility-supply-chain", "correlation_key": "fp|a23d8b036c1ee1aa2c271d21e6c87cc1d50680e1a86bbe387a04af99e30dbef2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/everything/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:22-alpine` not pinned by digest"}, "properties": {"repobilityId": 67213, "scanner": "repobility-supply-chain", "fingerprint": "57a3e56c39faabad057d1031d4316d49eb47d8c8fb85eac3010b58edded3e53e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|57a3e56c39faabad057d1031d4316d49eb47d8c8fb85eac3010b58edded3e53e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/sequentialthinking/Dockerfile"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:22.12-alpine` not pinned by digest"}, "properties": {"repobilityId": 67212, "scanner": "repobility-supply-chain", "fingerprint": "ad4f950fea00a56ad7e025ea7a489b0518c0a9d809744de99308180ac6b05ab0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ad4f950fea00a56ad7e025ea7a489b0518c0a9d809744de99308180ac6b05ab0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/sequentialthinking/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", 
"message": {"text": "Dockerfile FROM `python:3.12-slim-bookworm` not pinned by digest"}, "properties": {"repobilityId": 67211, "scanner": "repobility-supply-chain", "fingerprint": "9d318b48f05a521c8b90a5b7166bc0c4ec321f1244ef1bf48fcba53fc838b432", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9d318b48f05a521c8b90a5b7166bc0c4ec321f1244ef1bf48fcba53fc838b432"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/git/Dockerfile"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `ghcr.io/astral-sh/uv:python3.12-bookworm-slim` not pinned by digest"}, "properties": {"repobilityId": 67210, "scanner": "repobility-supply-chain", "fingerprint": "bf2b1beb62965287fea3a667c63f8a8bce34e6443929c335291a1f11558d0276", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bf2b1beb62965287fea3a667c63f8a8bce34e6443929c335291a1f11558d0276"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/git/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:22-alpine` not pinned by digest"}, "properties": {"repobilityId": 67209, "scanner": "repobility-supply-chain", "fingerprint": "e00bccacb7bce101d9b658fbd2e3e65e3f6ad69fd213b4bd63796a7ad8c0882c", "category": "dependency", "severity": "high", 
"confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e00bccacb7bce101d9b658fbd2e3e65e3f6ad69fd213b4bd63796a7ad8c0882c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/memory/Dockerfile"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:22.12-alpine` not pinned by digest"}, "properties": {"repobilityId": 67208, "scanner": "repobility-supply-chain", "fingerprint": "6fd0937067c23de4196f0cdace0a549c4b1aaf6a7e024eb959928032e95cde5a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6fd0937067c23de4196f0cdace0a549c4b1aaf6a7e024eb959928032e95cde5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/memory/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `python:3.12-slim-bookworm` not pinned by digest"}, "properties": {"repobilityId": 67207, "scanner": "repobility-supply-chain", "fingerprint": "d3e2cd0691a2b993824804d09215e886f67829e554cd303378c17d9de62427ab", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", 
"correlation_key": "fp|d3e2cd0691a2b993824804d09215e886f67829e554cd303378c17d9de62427ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/fetch/Dockerfile"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `ghcr.io/astral-sh/uv:python3.12-bookworm-slim` not pinned by digest"}, "properties": {"repobilityId": 67206, "scanner": "repobility-supply-chain", "fingerprint": "4853b36b9b0386ff22cb1609e54a0b3e27f6990c19742409325bc4c238069e65", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4853b36b9b0386ff22cb1609e54a0b3e27f6990c19742409325bc4c238069e65"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/fetch/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `python:3.12-slim-bookworm` not pinned by digest"}, "properties": {"repobilityId": 67205, "scanner": "repobility-supply-chain", "fingerprint": "f13a7b1c8e21782f173544dcf16ce39978894551e5ef791bd6b1a58bcc4fba1e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f13a7b1c8e21782f173544dcf16ce39978894551e5ef791bd6b1a58bcc4fba1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/time/Dockerfile"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": 
"Dockerfile FROM `ghcr.io/astral-sh/uv:python3.12-bookworm-slim` not pinned by digest"}, "properties": {"repobilityId": 67204, "scanner": "repobility-supply-chain", "fingerprint": "1b978132493e5c6f51ac490738b5947e53092728ce9544803378e332870b4553", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1b978132493e5c6f51ac490738b5947e53092728ce9544803378e332870b4553"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/time/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 67203, "scanner": "repobility-supply-chain", "fingerprint": "438076a6ae8d762199031242eed69723339f82f8a59026d22fcd5650dca7f4b4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|438076a6ae8d762199031242eed69723339f82f8a59026d22fcd5650dca7f4b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/python.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/download-artifact` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 67202, "scanner": "repobility-supply-chain", "fingerprint": "4f7f9f764a4b7674b9276c42d06e67b5b855246a4df5df3ed02f7f42d4860b86", "category": "dependency", "severity": "high", "confidence": 0.9, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4f7f9f764a4b7674b9276c42d06e67b5b855246a4df5df3ed02f7f42d4860b86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 210}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 67201, "scanner": "repobility-supply-chain", "fingerprint": "7d470108976dfc968125c1929d292d0ed9fe614edfdddfc2b75c11c994028104", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7d470108976dfc968125c1929d292d0ed9fe614edfdddfc2b75c11c994028104"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 207}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 67200, "scanner": "repobility-supply-chain", "fingerprint": "e46a9d66b30f4d9cc01526672911570dcf043005ef22f1005c8a730e1d3fb8d0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|e46a9d66b30f4d9cc01526672911570dcf043005ef22f1005c8a730e1d3fb8d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 164}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 67199, "scanner": "repobility-supply-chain", "fingerprint": "d6f43b01a51784b1d1d502ce3f036665912cfb5a2e9f13d9fbf757993ad42808", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d6f43b01a51784b1d1d502ce3f036665912cfb5a2e9f13d9fbf757993ad42808"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 161}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pypa/gh-action-pypi-publish` pinned to mutable ref `@release/v1`"}, "properties": {"repobilityId": 67198, "scanner": "repobility-supply-chain", "fingerprint": "72ed099e672d2281b0524b8f63e116e3a87f805b224c28ce41992196c33f4562", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|72ed099e672d2281b0524b8f63e116e3a87f805b224c28ce41992196c33f4562"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 146}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned 
to mutable ref `@v6`"}, "properties": {"repobilityId": 67197, "scanner": "repobility-supply-chain", "fingerprint": "d0fffaf13f08bf02cbc98ea360783a8b3a4d46c1058e13b35e51d5333da0d450", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d0fffaf13f08bf02cbc98ea360783a8b3a4d46c1058e13b35e51d5333da0d450"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 129}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `astral-sh/setup-uv` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 67196, "scanner": "repobility-supply-chain", "fingerprint": "cb4d21ddc2baa99d125233916d122a0502c3929c6c4c4acf4806217dd1878256", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cb4d21ddc2baa99d125233916d122a0502c3929c6c4c4acf4806217dd1878256"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 67195, "scanner": "repobility-supply-chain", "fingerprint": "814771c25635c985b76ede781bfdb61e07d84ee417b27fe2f6a71424930929e4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", 
"evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|814771c25635c985b76ede781bfdb61e07d84ee417b27fe2f6a71424930929e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 121}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `astral-sh/setup-uv` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 67194, "scanner": "repobility-supply-chain", "fingerprint": "4d665bdb5e223ee82795602ad50b39e30b008fb49812a1ac09a974b5a6095c75", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4d665bdb5e223ee82795602ad50b39e30b008fb49812a1ac09a974b5a6095c75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 67193, "scanner": "repobility-supply-chain", "fingerprint": "0293d40b42bde459b3678d5f2ba22d44477aafbe41556a44cd50675825e8f956", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0293d40b42bde459b3678d5f2ba22d44477aafbe41556a44cd50675825e8f956"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 67192, "scanner": "repobility-supply-chain", "fingerprint": "0b2a1740ca435e7fd7c691763e3d085e041a16bf27f2b76b6f3525aec2df2c5b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0b2a1740ca435e7fd7c691763e3d085e041a16bf27f2b76b6f3525aec2df2c5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `astral-sh/setup-uv` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 67191, "scanner": "repobility-supply-chain", "fingerprint": "d124f6a3091dd68b072ef251042e80c53066e354d905982e70787a7501d35c03", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d124f6a3091dd68b072ef251042e80c53066e354d905982e70787a7501d35c03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 67190, "scanner": "repobility-supply-chain", 
"fingerprint": "06ecf81b8c865511cab35fb86d3f58e7ac735c126999249aec301cedc94df5d9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|06ecf81b8c865511cab35fb86d3f58e7ac735c126999249aec301cedc94df5d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `anthropics/claude-code-action` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 67189, "scanner": "repobility-supply-chain", "fingerprint": "4b6ee0aae6da4a53e262db45ab5605fa522c8e1899a5f365d90ee13d83d9fa25", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4b6ee0aae6da4a53e262db45ab5605fa522c8e1899a5f365d90ee13d83d9fa25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 67188, "scanner": "repobility-supply-chain", "fingerprint": "227012a306a92c0897250beb505cbcbb76a5e11a7b8f4d99a17f4d50b13438c3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", 
"cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|227012a306a92c0897250beb505cbcbb76a5e11a7b8f4d99a17f4d50b13438c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 67186, "scanner": "repobility-supply-chain", "fingerprint": "5bbb149d69483211e1531db05cda2fc8b1cc8b87d8d9eff584944cb579fcd58c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5bbb149d69483211e1531db05cda2fc8b1cc8b87d8d9eff584944cb579fcd58c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/typescript.yml"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 67185, "scanner": "repobility-supply-chain", "fingerprint": "ecc52bfc44999ff128a08814574c365df41479585b41a47d2ec585bd9cddfd05", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ecc52bfc44999ff128a08814574c365df41479585b41a47d2ec585bd9cddfd05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/typescript.yml"}, "region": 
{"startLine": 87}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 67184, "scanner": "repobility-supply-chain", "fingerprint": "e018a938ae29200e25f734e1ec8c099b7b165f99fe72a364e2906647f31d9f84", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e018a938ae29200e25f734e1ec8c099b7b165f99fe72a364e2906647f31d9f84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/typescript.yml"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 67183, "scanner": "repobility-supply-chain", "fingerprint": "df975a0919f29e239c8a9047c4414fa93e0735f6a00c3a25bf5672620e08156b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|df975a0919f29e239c8a9047c4414fa93e0735f6a00c3a25bf5672620e08156b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/typescript.yml"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 67182, "scanner": "repobility-supply-chain", "fingerprint": "15793659cdd25abe1924a0b3b93a31bd30af612bd9275c2b2341be94c0172eda", "category": 
"dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|15793659cdd25abe1924a0b3b93a31bd30af612bd9275c2b2341be94c0172eda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/typescript.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 67181, "scanner": "repobility-supply-chain", "fingerprint": "4487cece1b106665821625463bfc3222043d16cc5500ce7edfd6268e18259fdd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4487cece1b106665821625463bfc3222043d16cc5500ce7edfd6268e18259fdd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/typescript.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 67180, "scanner": "repobility-supply-chain", "fingerprint": "2c230f4574b7bb551dda2e61f555ef3058b399ec0c43a544c258442089fce7df", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": 
"repobility-supply-chain", "correlation_key": "fp|2c230f4574b7bb551dda2e61f555ef3058b399ec0c43a544c258442089fce7df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/typescript.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/github-script` pinned to mutable ref `@v8`"}, "properties": {"repobilityId": 67179, "scanner": "repobility-supply-chain", "fingerprint": "cbf6b103e2b5ed373cd324f152b3cbdd38693ec813070d514bed431ee897ecb6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cbf6b103e2b5ed373cd324f152b3cbdd38693ec813070d514bed431ee897ecb6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/readme-pr-check.yml"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/github-script` pinned to mutable ref `@v8`"}, "properties": {"repobilityId": 67178, "scanner": "repobility-supply-chain", "fingerprint": "0a8737be5e3a066e6bd0cf0ed4cd1eefb57681e79a47b93e7aca624e1cb1203c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0a8737be5e3a066e6bd0cf0ed4cd1eefb57681e79a47b93e7aca624e1cb1203c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/readme-pr-check.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED113", "level": "error", 
"message": {"text": "Express DELETE /mcp has no auth"}, "properties": {"repobilityId": 67177, "scanner": "repobility-route-auth", "fingerprint": "c33314a1aad06952c8c3d60d871c6b516fda4f8651a93879271d61ebba24f9d7", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|c33314a1aad06952c8c3d60d871c6b516fda4f8651a93879271d61ebba24f9d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/everything/transports/streamableHttp.ts"}, "region": {"startLine": 165}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /mcp has no auth"}, "properties": {"repobilityId": 67176, "scanner": "repobility-route-auth", "fingerprint": "2bdd036cfe75ef3fede3547b223658ced850f04d41c7e5cc5926d846652a985f", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|2bdd036cfe75ef3fede3547b223658ced850f04d41c7e5cc5926d846652a985f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/everything/transports/streamableHttp.ts"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /message has no auth"}, "properties": {"repobilityId": 67175, "scanner": "repobility-route-auth", "fingerprint": "a66b17de3ab7f231359895c0c806fce71823a68f968e6a843560de54e3080a7d", "category": "quality", "severity": "high", "confidence": 
0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|a66b17de3ab7f231359895c0c806fce71823a68f968e6a843560de54e3080a7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/everything/transports/sse.ts"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_get_local_tz_with_invalid_override"}, "properties": {"repobilityId": 67174, "scanner": "repobility-ast-engine", "fingerprint": "937c5f7438f920699561d0342bff2ebae475d03ab17ca563cb8ed2397879413b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|937c5f7438f920699561d0342bff2ebae475d03ab17ca563cb8ed2397879413b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/time/test/time_server_test.py"}, "region": {"startLine": 472}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_convert_time_errors"}, "properties": {"repobilityId": 67173, "scanner": "repobility-ast-engine", "fingerprint": "c1ad89a0f9fc9ed9fc22e284984a095767621c69990a65c288df8b744dd2b50b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": 
"repobility-ast-engine", "correlation_key": "fp|c1ad89a0f9fc9ed9fc22e284984a095767621c69990a65c288df8b744dd2b50b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/time/test/time_server_test.py"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_get_current_time_with_invalid_timezone"}, "properties": {"repobilityId": 67172, "scanner": "repobility-ast-engine", "fingerprint": "d5b5137603775198aefaa6041c86750f32176fed00fc254d8daa69257f80b909", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d5b5137603775198aefaa6041c86750f32176fed00fc254d8daa69257f80b909"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/time/test/time_server_test.py"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_fetch_with_proxy"}, "properties": {"repobilityId": 67171, "scanner": "repobility-ast-engine", "fingerprint": "6c3243374fee84d474e6f70526b21dbe65218f43c95aa3648fe83a683705e047", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6c3243374fee84d474e6f70526b21dbe65218f43c95aa3648fe83a683705e047"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/fetch/tests/test_server.py"}, "region": {"startLine": 306}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": 
"Phantom test coverage: test_fetch_500_raises_error"}, "properties": {"repobilityId": 67170, "scanner": "repobility-ast-engine", "fingerprint": "7f1a015abd5bad21545ccbf78512fb048d715ac32f83fddceb29fbe190aee566", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7f1a015abd5bad21545ccbf78512fb048d715ac32f83fddceb29fbe190aee566"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/fetch/tests/test_server.py"}, "region": {"startLine": 288}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_fetch_404_raises_error"}, "properties": {"repobilityId": 67169, "scanner": "repobility-ast-engine", "fingerprint": "7ae34cc2f6f26d443c339853b56f129b322dc04decd4a3d9ede988c8cdc74898", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7ae34cc2f6f26d443c339853b56f129b322dc04decd4a3d9ede988c8cdc74898"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/fetch/tests/test_server.py"}, "region": {"startLine": 270}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_blocks_when_robots_txt_disallows_all"}, "properties": {"repobilityId": 67168, "scanner": "repobility-ast-engine", "fingerprint": "1d54ef27df6c48d7a4475c7a60a611e9e4a6029bf4aaeeda8cf98aa4f2dee88e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", 
"isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1d54ef27df6c48d7a4475c7a60a611e9e4a6029bf4aaeeda8cf98aa4f2dee88e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/fetch/tests/test_server.py"}, "region": {"startLine": 168}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_allows_when_robots_txt_allows_all"}, "properties": {"repobilityId": 67167, "scanner": "repobility-ast-engine", "fingerprint": "4042fc98ded15a07447d6325a81c830739a883aa4c366a8a5f980ab4e61bd8ab", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4042fc98ded15a07447d6325a81c830739a883aa4c366a8a5f980ab4e61bd8ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/fetch/tests/test_server.py"}, "region": {"startLine": 149}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_blocks_when_robots_txt_403"}, "properties": {"repobilityId": 67166, "scanner": "repobility-ast-engine", "fingerprint": "510f47bd8272a3b5ff82e36954591ee404f1a5e3f48916b6486ba28849f7c29b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": 
"fp|510f47bd8272a3b5ff82e36954591ee404f1a5e3f48916b6486ba28849f7c29b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/fetch/tests/test_server.py"}, "region": {"startLine": 131}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_blocks_when_robots_txt_401"}, "properties": {"repobilityId": 67165, "scanner": "repobility-ast-engine", "fingerprint": "a0dcd3a7a91552000fc9e2418f7bba046263d97b42550c8b520e7af185ae5643", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a0dcd3a7a91552000fc9e2418f7bba046263d97b42550c8b520e7af185ae5643"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/fetch/tests/test_server.py"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_allows_when_robots_txt_404"}, "properties": {"repobilityId": 67164, "scanner": "repobility-ast-engine", "fingerprint": "b1796338fd4edff229fbccea8f3f44db4279d2dbcc71c72439e8ba9df5f77662", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b1796338fd4edff229fbccea8f3f44db4279d2dbcc71c72439e8ba9df5f77662"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/fetch/tests/test_server.py"}, "region": {"startLine": 95}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: 
test_git_branch_rejects_contains_flag_injection"}, "properties": {"repobilityId": 67163, "scanner": "repobility-ast-engine", "fingerprint": "3970662b9226784fa603f089d3c08438de429c869ddd6ae2c9b2edcdffd8db16", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3970662b9226784fa603f089d3c08438de429c869ddd6ae2c9b2edcdffd8db16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/git/tests/test_server.py"}, "region": {"startLine": 478}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_git_log_rejects_timestamp_flag_injection"}, "properties": {"repobilityId": 67162, "scanner": "repobility-ast-engine", "fingerprint": "c40ae840005286285f3887237e5ef114cf657e965854b64e98fc9381bee31a9b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c40ae840005286285f3887237e5ef114cf657e965854b64e98fc9381bee31a9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/git/tests/test_server.py"}, "region": {"startLine": 469}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_git_create_branch_rejects_base_branch_flag_injection"}, "properties": {"repobilityId": 67161, "scanner": "repobility-ast-engine", "fingerprint": "6d667cc47308d90896459c078c9522df21819db70e4c247fd06f5679b20f4501", "category": "quality", "severity": "high", "confidence": 1.0, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6d667cc47308d90896459c078c9522df21819db70e4c247fd06f5679b20f4501"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/git/tests/test_server.py"}, "region": {"startLine": 463}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_git_create_branch_rejects_flag_injection"}, "properties": {"repobilityId": 67160, "scanner": "repobility-ast-engine", "fingerprint": "987323c1be63543b20295cf68a27373bf1dae22f070ad6aecc3d8c553fde0cb8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|987323c1be63543b20295cf68a27373bf1dae22f070ad6aecc3d8c553fde0cb8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/git/tests/test_server.py"}, "region": {"startLine": 454}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_git_show_rejects_malicious_refs"}, "properties": {"repobilityId": 67159, "scanner": "repobility-ast-engine", "fingerprint": "5aec7bfc27e43cef5a0286382186414d7aa5cc85e0a2750d530756b5c3e77c86", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": 
"fp|5aec7bfc27e43cef5a0286382186414d7aa5cc85e0a2750d530756b5c3e77c86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/git/tests/test_server.py"}, "region": {"startLine": 441}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_git_show_rejects_flag_injection"}, "properties": {"repobilityId": 67158, "scanner": "repobility-ast-engine", "fingerprint": "67ad2eec5d4a819e00344b07d41db55b0e750a45ebe9a5221385cf7ce9cfe2d0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|67ad2eec5d4a819e00344b07d41db55b0e750a45ebe9a5221385cf7ce9cfe2d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/git/tests/test_server.py"}, "region": {"startLine": 432}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_git_checkout_rejects_malicious_refs"}, "properties": {"repobilityId": 67157, "scanner": "repobility-ast-engine", "fingerprint": "383bf3a98cf504ab9979e5cf077537bc32332d0c964a2e321454ea46eb59366c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|383bf3a98cf504ab9979e5cf077537bc32332d0c964a2e321454ea46eb59366c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/git/tests/test_server.py"}, "region": {"startLine": 412}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: 
test_git_checkout_rejects_flag_injection"}, "properties": {"repobilityId": 67156, "scanner": "repobility-ast-engine", "fingerprint": "91853c476f0e0edbbe0a6d13b80db6385b8ea58faee74179528f56f0c71d4eda", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|91853c476f0e0edbbe0a6d13b80db6385b8ea58faee74179528f56f0c71d4eda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/git/tests/test_server.py"}, "region": {"startLine": 330}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_git_diff_rejects_flag_injection"}, "properties": {"repobilityId": 67155, "scanner": "repobility-ast-engine", "fingerprint": "6bacd7641425344fd5edb21b52676813ef1dafd61faa4de03a21776d34fcec9b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6bacd7641425344fd5edb21b52676813ef1dafd61faa4de03a21776d34fcec9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/git/tests/test_server.py"}, "region": {"startLine": 318}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_validate_repo_path_subdirectory"}, "properties": {"repobilityId": 67154, "scanner": "repobility-ast-engine", "fingerprint": "ccd588d49e5a3a1af6be0fa97b5ff62a082bf308184c122069efcd100291f81d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", 
"isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ccd588d49e5a3a1af6be0fa97b5ff62a082bf308184c122069efcd100291f81d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/git/tests/test_server.py"}, "region": {"startLine": 269}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_validate_repo_path_exact_match"}, "properties": {"repobilityId": 67153, "scanner": "repobility-ast-engine", "fingerprint": "9221f38cbf7a13a897891215b81d9f5019fc7f9ead6afb89807454355ba56b47", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9221f38cbf7a13a897891215b81d9f5019fc7f9ead6afb89807454355ba56b47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/git/tests/test_server.py"}, "region": {"startLine": 262}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_validate_repo_path_no_restriction"}, "properties": {"repobilityId": 67152, "scanner": "repobility-ast-engine", "fingerprint": "1550873c78a500a793fb5dc29c3191fec68f8fb95dd669168e4b60fb7719c097", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": 
"fp|1550873c78a500a793fb5dc29c3191fec68f8fb95dd669168e4b60fb7719c097"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/git/tests/test_server.py"}, "region": {"startLine": 257}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_git_checkout_nonexistent_branch"}, "properties": {"repobilityId": 67151, "scanner": "repobility-ast-engine", "fingerprint": "dfe9cdbd887d608ec4deff11fe94a65ea6b91bffa64d0b1209e9e54d93bf3377", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|dfe9cdbd887d608ec4deff11fe94a65ea6b91bffa64d0b1209e9e54d93bf3377"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/git/tests/test_server.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_repository"}, "properties": {"repobilityId": 67150, "scanner": "repobility-ast-engine", "fingerprint": "089286e34ea2e46b10526f454c222cff2d2744d099b6961de0bb3d112347a59e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|089286e34ea2e46b10526f454c222cff2d2744d099b6961de0bb3d112347a59e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/git/tests/test_server.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.fail` used but never assigned in __init__"}, "properties": 
{"repobilityId": 67149, "scanner": "repobility-ast-engine", "fingerprint": "ad69c52962947280f138ca2098228946184940b6d7c6d776796867822248edd5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ad69c52962947280f138ca2098228946184940b6d7c6d776796867822248edd5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/release.py"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.fail` used but never assigned in __init__"}, "properties": {"repobilityId": 67148, "scanner": "repobility-ast-engine", "fingerprint": "a65259a4ca3ef367c062471600d80c25f7646a541a65abf88bd9559086d56130", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a65259a4ca3ef367c062471600d80c25f7646a541a65abf88bd9559086d56130"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/release.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.fail` used but never assigned in __init__"}, "properties": {"repobilityId": 67147, "scanner": "repobility-ast-engine", "fingerprint": "fb67c9dcbd2e1520ef1b61ff330ecc7b1bc96e54e4f526464582fa8ba18f72bd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, 
"cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fb67c9dcbd2e1520ef1b61ff330ecc7b1bc96e54e4f526464582fa8ba18f72bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/release.py"}, "region": {"startLine": 35}}}]}, {"ruleId": "GHSA-5xrq-8626-4rwp", "level": "error", "message": {"text": "vitest: GHSA-5xrq-8626-4rwp"}, "properties": {"repobilityId": 67276, "scanner": "osv-scanner", "fingerprint": "368ce7fd403535058d00f45426a4cac4271814ffd591ff0553a0891221ef9c8e", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47429"], "package": "vitest", "rule_id": "GHSA-5xrq-8626-4rwp", "scanner": "osv-scanner", "correlation_key": "vuln|vitest|CVE-2026-47429|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.NPM_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 67187, "scanner": "repobility-supply-chain", "fingerprint": "79e9bd826c8f43660cb5ee8d172397b73eaf68f23a1765efc7104deafb882596", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|79e9bd826c8f43660cb5ee8d172397b73eaf68f23a1765efc7104deafb882596"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/typescript.yml"}, "region": {"startLine": 102}}}]}]}]}