{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 16.7% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 16.7% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Only 16.7% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "GHSA-48c2-rrv3-qjmp", "name": "yaml: GHSA-48c2-rrv3-qjmp", "shortDescription": {"text": "yaml: GHSA-48c2-rrv3-qjmp"}, "fullDescription": {"text": "yaml is vulnerable to Stack Overflow via deeply nested YAML collections"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-58qx-3vcg-4xpx", "name": "ws: GHSA-58qx-3vcg-4xpx", "shortDescription": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "fullDescription": {"text": "ws: Uninitialized memory disclosure"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9jgg-88mc-972h", "name": "webpack-dev-server: GHSA-9jgg-88mc-972h", "shortDescription": {"text": "webpack-dev-server: GHSA-9jgg-88mc-972h"}, "fullDescription": {"text": "webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-79cf-xcqc-c78w", "name": "webpack-dev-server: GHSA-79cf-xcqc-c78w", "shortDescription": {"text": "webpack-dev-server: GHSA-79cf-xcqc-c78w"}, "fullDescription": {"text": "webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4v9v-hfq4-rm2v", "name": "webpack-dev-server: GHSA-4v9v-hfq4-rm2v", "shortDescription": {"text": "webpack-dev-server: GHSA-4v9v-hfq4-rm2v"}, "fullDescription": {"text": "webpack-dev-server users' source code may be stolen when they access a malicious web site"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-93m4-6634-74q7", "name": "vite: GHSA-93m4-6634-74q7", "shortDescription": {"text": "vite: GHSA-93m4-6634-74q7"}, "fullDescription": {"text": "vite allows server.fs.deny bypass via backslash on Windows"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4w7w-66w2-5vf9", "name": "vite: GHSA-4w7w-66w2-5vf9", "shortDescription": {"text": "vite: GHSA-4w7w-66w2-5vf9"}, "fullDescription": {"text": "Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w5hq-g745-h8pq", "name": "uuid: GHSA-w5hq-g745-h8pq", "shortDescription": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "fullDescription": {"text": "uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v3rj-xjv7-4jmq", "name": "smol-toml: GHSA-v3rj-xjv7-4jmq", "shortDescription": {"text": "smol-toml: GHSA-v3rj-xjv7-4jmq"}, "fullDescription": {"text": "smol-toml: Denial of Service via TOML documents containing thousands of consecutive commented lines"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qj8w-gfj5-8c6v", "name": "serialize-javascript: GHSA-qj8w-gfj5-8c6v", "shortDescription": {"text": "serialize-javascript: GHSA-qj8w-gfj5-8c6v"}, "fullDescription": {"text": "Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q8mj-m7cp-5q26", "name": "qs: GHSA-q8mj-m7cp-5q26", "shortDescription": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "fullDescription": {"text": "qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-6rw7-vpxm-498p", "name": "qs: GHSA-6rw7-vpxm-498p", "shortDescription": {"text": "qs: GHSA-6rw7-vpxm-498p"}, "fullDescription": {"text": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qx2v-qp2m-jg93", "name": "postcss: GHSA-qx2v-qp2m-jg93", "shortDescription": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "fullDescription": {"text": "PostCSS has XSS via Unescaped </style> in its CSS Stringify Output"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3v7f-55p6-f55p", "name": "picomatch: GHSA-3v7f-55p6-f55p", "shortDescription": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "fullDescription": {"text": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-27v5-c462-wpq7", "name": "path-to-regexp: GHSA-27v5-c462-wpq7", "shortDescription": {"text": "path-to-regexp: GHSA-27v5-c462-wpq7"}, "fullDescription": {"text": "path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-65ch-62r8-g69g", "name": "node-forge: GHSA-65ch-62r8-g69g", "shortDescription": {"text": "node-forge: GHSA-65ch-62r8-g69g"}, "fullDescription": {"text": "node-forge is vulnerable to ASN.1 OID Integer Truncation"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4fh9-h7wg-q85m", "name": "mdast-util-to-hast: GHSA-4fh9-h7wg-q85m", "shortDescription": {"text": "mdast-util-to-hast: GHSA-4fh9-h7wg-q85m"}, "fullDescription": {"text": "mdast-util-to-hast has unsanitized class attribute"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-38c4-r59v-3vqw", "name": "markdown-it: GHSA-38c4-r59v-3vqw", "shortDescription": {"text": "markdown-it: GHSA-38c4-r59v-3vqw"}, "fullDescription": {"text": "markdown-it is has a Regular Expression Denial of Service (ReDoS)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f23m-r3pf-42rh", "name": "lodash-es: GHSA-f23m-r3pf-42rh", "shortDescription": {"text": "lodash-es: GHSA-f23m-r3pf-42rh"}, "fullDescription": {"text": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xxjr-mmjv-4gpg", "name": "lodash: GHSA-xxjr-mmjv-4gpg", "shortDescription": {"text": "lodash: GHSA-xxjr-mmjv-4gpg"}, "fullDescription": {"text": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mh29-5h37-fv8m", "name": "js-yaml: GHSA-mh29-5h37-fv8m", "shortDescription": {"text": "js-yaml: GHSA-mh29-5h37-fv8m"}, "fullDescription": {"text": "js-yaml has prototype pollution in merge (<<)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r4q5-vmmm-2653", "name": "follow-redirects: GHSA-r4q5-vmmm-2653", "shortDescription": {"text": "follow-redirects: GHSA-r4q5-vmmm-2653"}, "fullDescription": {"text": "follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-67mh-4wv8-2f99", "name": "esbuild: GHSA-67mh-4wv8-2f99", "shortDescription": {"text": "esbuild: GHSA-67mh-4wv8-2f99"}, "fullDescription": {"text": "esbuild enables any website to send any requests to the development server and read the response"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jxxr-4gwj-5jf2", "name": "brace-expansion: GHSA-jxxr-4gwj-5jf2", "shortDescription": {"text": "brace-expansion: GHSA-jxxr-4gwj-5jf2"}, "fullDescription": {"text": "brace-expansion: Large numeric range defeats documented `max` DoS protection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f886-m6hf-6m8v", "name": "brace-expansion: GHSA-f886-m6hf-6m8v", "shortDescription": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "fullDescription": {"text": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2g4f-4pwh-qvx6", "name": "ajv: GHSA-2g4f-4pwh-qvx6", "shortDescription": {"text": "ajv: GHSA-2g4f-4pwh-qvx6"}, "fullDescription": {"text": "ajv has ReDoS when using `$data` option"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC037", "name": "[SEC037] Uncontrolled Recursion \u2014 stack/depth exhaustion: Parsing arbitrary-depth user input (XML, JSON, YAML) without a", "shortDescription": {"text": "[SEC037] Uncontrolled Recursion \u2014 stack/depth exhaustion: Parsing arbitrary-depth user input (XML, JSON, YAML) without a depth limit, or recursive function over user-controlled structure. Attacker sends `{\"a\":{\"a\":{\"a\":...10000 levels...}}}"}, "fullDescription": {"text": "Use `defusedxml.ElementTree` instead of `xml.etree.ElementTree` \u2014 it rejects deeply-nested + billion-laughs payloads.\nFor JSON: set a depth limit explicitly:\n  import json\n  data = json.loads(s)  # then validate structure depth manually\nFor YAML: always use `yaml.safe_load`. For recursive code over user input, add an explicit depth counter and bail at depth > 100."}, "properties": {"scanner": "repobility-threat-engine", "category": "resource_exhaustion", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC007", "name": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.", "shortDescription": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "fullDescription": {"text": "Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC123", "name": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environme", "shortDescription": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "fullDescription": {"text": "Set DEBUG=False / APP_DEBUG=false in production. Provide a generic 500 handler that logs to backend but returns a sanitized page to clients."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `eslint-plugin-unicorn` is 2 major version(s) behind (^62.0.0 -> 64.0.0)", "shortDescription": {"text": "npm package `eslint-plugin-unicorn` is 2 major version(s) behind (^62.0.0 -> 64.0.0)"}, "fullDescription": {"text": "`eslint-plugin-unicorn` is pinned/resolved at ^62.0.0 but the latest stable release on the npm registry is 64.0.0 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. Without one, important docs and product pages are easy to miss."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Public websites should publish a robots.txt file so crawlers and AI agents can discover crawl rules and sitemap locations without guessing."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "GHSA-8fgc-7cc6-rx7x", "name": "webpack: GHSA-8fgc-7cc6-rx7x", "shortDescription": {"text": "webpack: GHSA-8fgc-7cc6-rx7x"}, "fullDescription": {"text": "webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-38r7-794h-5758", "name": "webpack: GHSA-38r7-794h-5758", "shortDescription": {"text": "webpack: GHSA-38r7-794h-5758"}, "fullDescription": {"text": "webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects \u2192 SSRF + cache persistence"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w7fw-mjwx-w883", "name": "qs: GHSA-w7fw-mjwx-w883", "shortDescription": {"text": "qs: GHSA-w7fw-mjwx-w883"}, "fullDescription": {"text": "qs's arrayLimit bypass in comma parsing allows denial of service"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 11 more): Same pattern found in 11 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED098", "name": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios ", "shortDescription": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "fullDescription": {"text": "Import the library where you need it instead of attaching to window. For legitimate global registries, use a namespaced object (e.g., `window.__myApp.axios`)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC005", "name": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.", "shortDescription": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "fullDescription": {"text": "Use subprocess with shell=False and a list of args. Never eval user input."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 9 more): Same pattern found in 9 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED042", "name": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk.", "shortDescription": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 7 more): Same pattern found in 7 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 33 more): Same pattern found in 33 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 33 more): Same pattern found in 33 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 6 more): Same pattern found in 6 additional fil", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 29 more): Same pattern found in 29 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 29 more): Same pattern found in 29 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 16 more): Same pattern found in 16 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "GHSA-qpx9-hpmf-5gmw", "name": "underscore: GHSA-qpx9-hpmf-5gmw", "shortDescription": {"text": "underscore: GHSA-qpx9-hpmf-5gmw"}, "fullDescription": {"text": "Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-ph9p-34f9-6g65", "name": "tmp: GHSA-ph9p-34f9-6g65", "shortDescription": {"text": "tmp: GHSA-ph9p-34f9-6g65"}, "fullDescription": {"text": "tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-vj76-c3g6-qr5v", "name": "tar-fs: GHSA-vj76-c3g6-qr5v", "shortDescription": {"text": "tar-fs: GHSA-vj76-c3g6-qr5v"}, "fullDescription": {"text": "tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5c6j-r48x-rmvq", "name": "serialize-javascript: GHSA-5c6j-r48x-rmvq", "shortDescription": {"text": "serialize-javascript: GHSA-5c6j-r48x-rmvq"}, "fullDescription": {"text": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-36hm-qxxp-pg3m", "name": "preact: GHSA-36hm-qxxp-pg3m", "shortDescription": {"text": "preact: GHSA-36hm-qxxp-pg3m"}, "fullDescription": {"text": "Preact has JSON VNode Injection issue"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c2c7-rcm5-vvqj", "name": "picomatch: GHSA-c2c7-rcm5-vvqj", "shortDescription": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "fullDescription": {"text": "Picomatch has a ReDoS vulnerability via extglob quantifiers"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-j3q9-mxjg-w52f", "name": "path-to-regexp: GHSA-j3q9-mxjg-w52f", "shortDescription": {"text": "path-to-regexp: GHSA-j3q9-mxjg-w52f"}, "fullDescription": {"text": "path-to-regexp vulnerable to Denial of Service via sequential optional groups"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-37ch-88jc-xwx2", "name": "path-to-regexp: GHSA-37ch-88jc-xwx2", "shortDescription": {"text": "path-to-regexp: GHSA-37ch-88jc-xwx2"}, "fullDescription": {"text": "path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q67f-28xg-22rw", "name": "node-forge: GHSA-q67f-28xg-22rw", "shortDescription": {"text": "node-forge: GHSA-q67f-28xg-22rw"}, "fullDescription": {"text": "Forge has signature forgery in Ed25519 due to missing S > L check"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-ppp5-5v6c-4jwp", "name": "node-forge: GHSA-ppp5-5v6c-4jwp", "shortDescription": {"text": "node-forge: GHSA-ppp5-5v6c-4jwp"}, "fullDescription": {"text": "Forge has signature forgery in RSA-PKCS due to ASN.1 extra field  "}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5m6q-g25r-mvwx", "name": "node-forge: GHSA-5m6q-g25r-mvwx", "shortDescription": {"text": "node-forge: GHSA-5m6q-g25r-mvwx"}, "fullDescription": {"text": "Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5gfm-wpxj-wjgq", "name": "node-forge: GHSA-5gfm-wpxj-wjgq", "shortDescription": {"text": "node-forge: GHSA-5gfm-wpxj-wjgq"}, "fullDescription": {"text": "node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-554w-wpv2-vw27", "name": "node-forge: GHSA-554w-wpv2-vw27", "shortDescription": {"text": "node-forge: GHSA-554w-wpv2-vw27"}, "fullDescription": {"text": "node-forge has ASN.1 Unbounded Recursion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2328-f5f3-gj25", "name": "node-forge: GHSA-2328-f5f3-gj25", "shortDescription": {"text": "node-forge: GHSA-2328-f5f3-gj25"}, "fullDescription": {"text": "Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7r86-cg39-jmmj", "name": "minimatch: GHSA-7r86-cg39-jmmj", "shortDescription": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "fullDescription": {"text": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3ppc-4f35-3m26", "name": "minimatch: GHSA-3ppc-4f35-3m26", "shortDescription": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "fullDescription": {"text": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-23c5-xmqv-rm74", "name": "minimatch: GHSA-23c5-xmqv-rm74", "shortDescription": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "fullDescription": {"text": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r5fr-rjxr-66jc", "name": "lodash-es: GHSA-r5fr-rjxr-66jc", "shortDescription": {"text": "lodash-es: GHSA-r5fr-rjxr-66jc"}, "fullDescription": {"text": "lodash vulnerable to Code Injection via `_.template` imports key names"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5j98-mcp5-4vw2", "name": "glob: GHSA-5j98-mcp5-4vw2", "shortDescription": {"text": "glob: GHSA-5j98-mcp5-4vw2"}, "fullDescription": {"text": "glob CLI: Command injection via -c/--cmd executes matches with shell:true"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rf6f-7fwh-wjgh", "name": "flatted: GHSA-rf6f-7fwh-wjgh", "shortDescription": {"text": "flatted: GHSA-rf6f-7fwh-wjgh"}, "fullDescription": {"text": "Prototype Pollution via parse() in NodeJS flatted"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-25h7-pfq9-p65f", "name": "flatted: GHSA-25h7-pfq9-p65f", "shortDescription": {"text": "flatted: GHSA-25h7-pfq9-p65f"}, "fullDescription": {"text": "flatted vulnerable to unbounded recursion DoS in parse() revive phase"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v39h-62p7-jpjc", "name": "fast-uri: GHSA-v39h-62p7-jpjc", "shortDescription": {"text": "fast-uri: GHSA-v39h-62p7-jpjc"}, "fullDescription": {"text": "fast-uri vulnerable to host confusion via percent-encoded authority delimiters"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q3j6-qgpj-74h6", "name": "fast-uri: GHSA-q3j6-qgpj-74h6", "shortDescription": {"text": "fast-uri: GHSA-q3j6-qgpj-74h6"}, "fullDescription": {"text": "fast-uri vulnerable to path traversal via percent-encoded dot segments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-737v-mqg7-c878", "name": "defu: GHSA-737v-mqg7-c878", "shortDescription": {"text": "defu: GHSA-737v-mqg7-c878"}, "fullDescription": {"text": "defu: Prototype pollution via `__proto__` key in defaults argument"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-x6wf-f3px-wcqx", "name": "@xmldom/xmldom: GHSA-x6wf-f3px-wcqx", "shortDescription": {"text": "@xmldom/xmldom: GHSA-x6wf-f3px-wcqx"}, "fullDescription": {"text": "xmldom has XML node injection through unvalidated processing instruction serialization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-wh4c-j3r5-mjhp", "name": "@xmldom/xmldom: GHSA-wh4c-j3r5-mjhp", "shortDescription": {"text": "@xmldom/xmldom: GHSA-wh4c-j3r5-mjhp"}, "fullDescription": {"text": "xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-j759-j44w-7fr8", "name": "@xmldom/xmldom: GHSA-j759-j44w-7fr8", "shortDescription": {"text": "@xmldom/xmldom: GHSA-j759-j44w-7fr8"}, "fullDescription": {"text": "xmldom has XML node injection through unvalidated comment serialization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f6ww-3ggp-fr8h", "name": "@xmldom/xmldom: GHSA-f6ww-3ggp-fr8h", "shortDescription": {"text": "@xmldom/xmldom: GHSA-f6ww-3ggp-fr8h"}, "fullDescription": {"text": "xmldom has XML injection through unvalidated DocumentType serialization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2v35-w6hq-6mfw", "name": "@xmldom/xmldom: GHSA-2v35-w6hq-6mfw", "shortDescription": {"text": "@xmldom/xmldom: GHSA-2v35-w6hq-6mfw"}, "fullDescription": {"text": "xmldom: Uncontrolled recursion in XML serialization leads to DoS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-fv7c-fp4j-7gwp", "name": "@babel/plugin-transform-modules-systemjs: GHSA-fv7c-fp4j-7gwp", "shortDescription": {"text": "@babel/plugin-transform-modules-systemjs: GHSA-fv7c-fp4j-7gwp"}, "fullDescription": {"text": "@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC002", "name": "Compose service uses host networking", "shortDescription": {"text": "Compose service uses host networking"}, "fullDescription": {"text": "Sharing host namespaces reduces isolation and can expose host processes, networking, or IPC resources."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage runs as root", "shortDescription": {"text": "Docker final stage runs as root"}, "fullDescription": {"text": "The final runtime stage explicitly uses root. A compromised app process would have root inside the container."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED027", "name": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated ", "shortDescription": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC027", "name": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not config", "shortDescription": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "fullDescription": {"text": "Pass `noent: false` to libxmljs. Avoid xml2js or pass explicit secure config. Prefer parsers that don't expand external entities at all."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "Workflow container/services image `cypress/browsers:node-20.16.0-chrome-127.0.6533.88-1-ff-128.0.3-edge-127.0.2651.74-1`", "shortDescription": {"text": "Workflow container/services image `cypress/browsers:node-20.16.0-chrome-127.0.6533.88-1-ff-128.0.3-edge-127.0.2651.74-1` unpinned"}, "fullDescription": {"text": "`container/services image: cypress/browsers:node-20.16.0-chrome-127.0.6533.88-1-ff-128.0.3-edge-127.0.2651.74-1` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/github-script` pinned to mutable ref `@v7`", "shortDescription": {"text": "Action `actions/github-script` pinned to mutable ref `@v7`"}, "fullDescription": {"text": "`uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "Express POST /dev/api/sizes has no auth", "shortDescription": {"text": "Express POST /dev/api/sizes has no auth"}, "fullDescription": {"text": "Express route POST /dev/api/sizes declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "GHSA-5xrq-8626-4rwp", "name": "vitest: GHSA-5xrq-8626-4rwp", "shortDescription": {"text": "vitest: GHSA-5xrq-8626-4rwp"}, "fullDescription": {"text": "When Vitest UI server is listening, arbitrary file can be read and executed"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED018", "name": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/fi", "shortDescription": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-502 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC116", "name": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrar", "shortDescription": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "fullDescription": {"text": "Use `YAML.safe_load(input, permitted_classes: [Date])` \u2014 explicit class allowlist. Never use `Marshal.load` on untrusted data; serialize as JSON instead."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC079", "name": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python obje", "shortDescription": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "fullDescription": {"text": "Use `yaml.safe_load(data)` or `yaml.load(data, Loader=yaml.SafeLoader)`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED005", "name": "[MINED005] Lua Loadstring: loadstring/load executes Lua code. Code injection.", "shortDescription": {"text": "[MINED005] Lua Loadstring: loadstring/load executes Lua code. Code injection."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/787"}, "properties": {"repository": "mermaid-js/mermaid", "repoUrl": "https://github.com/mermaid-js/mermaid", "branch": "develop"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 66622, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 66621, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 16.7% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 66616, "scanner": "repobility-access-control", "fingerprint": "25879888583e47d8538ec26da9b0f7c60b1cb29b20c380f0b77b7e05144fdf50", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 6, "correlation_key": "fp|25879888583e47d8538ec26da9b0f7c60b1cb29b20c380f0b77b7e05144fdf50", "auth_visible_percent": 16.7}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 66615, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Express"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "GHSA-48c2-rrv3-qjmp", "level": "warning", "message": {"text": "yaml: GHSA-48c2-rrv3-qjmp"}, "properties": {"repobilityId": 66614, "scanner": "osv-scanner", "fingerprint": "50bb42596af5c9f077010621340b47a31a4c2078f9d0e01ee2b787647b74301a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33532"], "package": "yaml", "rule_id": "GHSA-48c2-rrv3-qjmp", "scanner": "osv-scanner", "correlation_key": "vuln|yaml|CVE-2026-33532|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-58qx-3vcg-4xpx", "level": "warning", "message": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "properties": {"repobilityId": 66613, "scanner": "osv-scanner", "fingerprint": "d698c0969dae25e950d4f8b65b021df28bdeb91476dcc255cdcc9ca9ba3ee73e", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45736"], "package": "ws", "rule_id": "GHSA-58qx-3vcg-4xpx", "scanner": "osv-scanner", "correlation_key": "vuln|ws|CVE-2026-45736|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9jgg-88mc-972h", "level": "warning", "message": {"text": "webpack-dev-server: GHSA-9jgg-88mc-972h"}, "properties": {"repobilityId": 66612, "scanner": "osv-scanner", "fingerprint": "2058e0841f8e55a21d21b12194f8d27e99c57090ef4921cf0366699e34ed92e8", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-30360"], "package": "webpack-dev-server", "rule_id": "GHSA-9jgg-88mc-972h", "scanner": "osv-scanner", "correlation_key": "vuln|webpack-dev-server|CVE-2025-30360|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-79cf-xcqc-c78w", "level": "warning", "message": {"text": "webpack-dev-server: GHSA-79cf-xcqc-c78w"}, "properties": {"repobilityId": 66611, "scanner": "osv-scanner", "fingerprint": "bf17a1b8032e08e83dd69d78b623ced845743d9cdd4b2f534bd150c450160d90", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-6402"], "package": "webpack-dev-server", "rule_id": "GHSA-79cf-xcqc-c78w", "scanner": "osv-scanner", "correlation_key": "vuln|webpack-dev-server|CVE-2026-6402|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4v9v-hfq4-rm2v", "level": "warning", "message": {"text": "webpack-dev-server: GHSA-4v9v-hfq4-rm2v"}, "properties": {"repobilityId": 66610, "scanner": "osv-scanner", "fingerprint": "bad564efe556f5e9874abc9f9973628c4b13601dd518627d1dbca7909481552d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-30359"], "package": "webpack-dev-server", "rule_id": "GHSA-4v9v-hfq4-rm2v", "scanner": "osv-scanner", "correlation_key": "vuln|webpack-dev-server|CVE-2025-30359|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-93m4-6634-74q7", "level": "warning", "message": {"text": "vite: GHSA-93m4-6634-74q7"}, "properties": {"repobilityId": 66606, "scanner": "osv-scanner", "fingerprint": "754b1d6626e72d8691f7883f12f3362d54578372edf4ba20a02fcff80a0e4f2a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-62522"], "package": "vite", "rule_id": "GHSA-93m4-6634-74q7", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2025-62522|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4w7w-66w2-5vf9", "level": "warning", "message": {"text": "vite: GHSA-4w7w-66w2-5vf9"}, "properties": {"repobilityId": 66605, "scanner": "osv-scanner", "fingerprint": "a2c12e2b28152cf8b2318c26eb42f38e3894a8280e15146de8ce046c997d7d89", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39365"], "package": "vite", "rule_id": "GHSA-4w7w-66w2-5vf9", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2026-39365|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w5hq-g745-h8pq", "level": "warning", "message": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "properties": {"repobilityId": 66604, "scanner": "osv-scanner", "fingerprint": "fdef028f4a816ff49a3feddc8fea57767b8bd7a5285d824fe826196183701971", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41907"], "package": "uuid", "rule_id": "GHSA-w5hq-g745-h8pq", "scanner": "osv-scanner", "correlation_key": "vuln|uuid|CVE-2026-41907|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v3rj-xjv7-4jmq", "level": "warning", "message": {"text": "smol-toml: GHSA-v3rj-xjv7-4jmq"}, "properties": {"repobilityId": 66600, "scanner": "osv-scanner", "fingerprint": "cd040272d36f524e718de07acee7ce54502019f7f8a2101c74f4a12389702c8c", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "smol-toml", "rule_id": "GHSA-v3rj-xjv7-4jmq", "scanner": "osv-scanner", "correlation_key": "vuln|smol-toml|GHSA-V3RJ-XJV7-4JMQ|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qj8w-gfj5-8c6v", "level": "warning", "message": {"text": "serialize-javascript: GHSA-qj8w-gfj5-8c6v"}, "properties": {"repobilityId": 66599, "scanner": "osv-scanner", "fingerprint": "e5adc7b8147d0f39d78debfb9b91e31cc337ef1e8ecd400a17dea5cbe1b23197", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34043"], "package": "serialize-javascript", "rule_id": "GHSA-qj8w-gfj5-8c6v", "scanner": "osv-scanner", "correlation_key": "vuln|serialize-javascript|CVE-2026-34043|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q8mj-m7cp-5q26", "level": "warning", "message": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "properties": {"repobilityId": 66596, "scanner": "osv-scanner", "fingerprint": "0727364e57c088dabd2840fd21980edb99b147969b7db2965e7188703dcea5f1", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-8723"], "package": "qs", "rule_id": "GHSA-q8mj-m7cp-5q26", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2026-8723|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6rw7-vpxm-498p", "level": "warning", "message": {"text": "qs: GHSA-6rw7-vpxm-498p"}, "properties": {"repobilityId": 66595, "scanner": "osv-scanner", "fingerprint": "6d22fb6d155cd92273923764c4a42ac64c943a3e96e9afc41e845a7b5d2f24b9", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-15284"], "package": "qs", "rule_id": "GHSA-6rw7-vpxm-498p", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2025-15284|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qx2v-qp2m-jg93", "level": "warning", "message": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "properties": {"repobilityId": 66593, "scanner": "osv-scanner", "fingerprint": "0b1dff5c952a767b7990e67b0d60cc580116a9b63b14cf0d44b920a59028efbf", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41305"], "package": "postcss", "rule_id": "GHSA-qx2v-qp2m-jg93", "scanner": "osv-scanner", "correlation_key": "vuln|postcss|CVE-2026-41305|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3v7f-55p6-f55p", "level": "warning", "message": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "properties": {"repobilityId": 66591, "scanner": "osv-scanner", "fingerprint": "d9d26d972991fffb51a1613b08ac1e8e722be1c10191fb43cced54b770250e8d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33672"], "package": "picomatch", "rule_id": "GHSA-3v7f-55p6-f55p", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33672|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-27v5-c462-wpq7", "level": "warning", "message": {"text": "path-to-regexp: GHSA-27v5-c462-wpq7"}, "properties": {"repobilityId": 66589, "scanner": "osv-scanner", "fingerprint": "5cf58924872fce28303cdda7647e6a181c0b46d2ba36332c6b52fa7cbbbf3169", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4923"], "package": "path-to-regexp", "rule_id": "GHSA-27v5-c462-wpq7", "scanner": "osv-scanner", "correlation_key": "vuln|path-to-regexp|CVE-2026-4923|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-65ch-62r8-g69g", "level": "warning", "message": {"text": "node-forge: GHSA-65ch-62r8-g69g"}, "properties": {"repobilityId": 66585, "scanner": "osv-scanner", "fingerprint": "7ae3cf73266e9f04815d7265db86772c37f224fb8fd8cfab836e3620a2ca8501", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-66030"], "package": "node-forge", "rule_id": "GHSA-65ch-62r8-g69g", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2025-66030|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4fh9-h7wg-q85m", "level": "warning", "message": {"text": "mdast-util-to-hast: GHSA-4fh9-h7wg-q85m"}, "properties": {"repobilityId": 66577, "scanner": "osv-scanner", "fingerprint": "039e2b36672f18dbf9d417665e7f3212fd1a283e5ef0c85f75995c2c417b7e4e", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-66400"], "package": "mdast-util-to-hast", "rule_id": "GHSA-4fh9-h7wg-q85m", "scanner": "osv-scanner", "correlation_key": "vuln|mdast-util-to-hast|CVE-2025-66400|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-38c4-r59v-3vqw", "level": "warning", "message": {"text": "markdown-it: GHSA-38c4-r59v-3vqw"}, "properties": {"repobilityId": 66576, "scanner": "osv-scanner", "fingerprint": "4469383d894c69f2a72c8a45646cb30356ad3ed678bfa299a189ebfaf3838073", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2327"], "package": "markdown-it", "rule_id": "GHSA-38c4-r59v-3vqw", "scanner": "osv-scanner", "correlation_key": "vuln|markdown-it|CVE-2026-2327|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f23m-r3pf-42rh", "level": "warning", "message": {"text": "lodash-es: GHSA-f23m-r3pf-42rh"}, "properties": {"repobilityId": 66574, "scanner": "osv-scanner", "fingerprint": "b90ae8d551f6d818b64e90dd68be738ed46fcc6fa2db637b203517b71986c2ba", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2950"], "package": "lodash-es", "rule_id": "GHSA-f23m-r3pf-42rh", "scanner": "osv-scanner", "correlation_key": "vuln|lodash-es|CVE-2026-2950|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xxjr-mmjv-4gpg", "level": "warning", "message": {"text": "lodash: GHSA-xxjr-mmjv-4gpg"}, "properties": {"repobilityId": 66573, "scanner": "osv-scanner", "fingerprint": "75f1cf8ff29d8d132d579513aad4027dbb5a93646863d8e7bc0c89343d3402ef", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-13465"], "package": "lodash", "rule_id": "GHSA-xxjr-mmjv-4gpg", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2025-13465|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f23m-r3pf-42rh", "level": "warning", "message": {"text": "lodash: GHSA-f23m-r3pf-42rh"}, "properties": {"repobilityId": 66571, "scanner": "osv-scanner", "fingerprint": "529a8e201067f66e4bcd0d6408bc6eece689220a5a65ec65438a230ab5b7cf66", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2950"], "package": "lodash", "rule_id": "GHSA-f23m-r3pf-42rh", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2026-2950|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mh29-5h37-fv8m", "level": "warning", "message": {"text": "js-yaml: GHSA-mh29-5h37-fv8m"}, "properties": {"repobilityId": 66570, "scanner": "osv-scanner", "fingerprint": "e1f1eee28e3c43746c892494085b271496e4ce012a6f7a57876b5d7ed32ae261", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-64718"], "package": "js-yaml", "rule_id": "GHSA-mh29-5h37-fv8m", "scanner": "osv-scanner", "correlation_key": "vuln|js-yaml|CVE-2025-64718|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r4q5-vmmm-2653", "level": "warning", "message": {"text": "follow-redirects: GHSA-r4q5-vmmm-2653"}, "properties": {"repobilityId": 66568, "scanner": "osv-scanner", "fingerprint": "6f390e2ea2dc5e15147a7d495e55d42a4ae00467d7b3f2ca1cebb7aa445a73b9", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "follow-redirects", "rule_id": "GHSA-r4q5-vmmm-2653", "scanner": "osv-scanner", "correlation_key": "vuln|follow-redirects|GHSA-R4Q5-VMMM-2653|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-67mh-4wv8-2f99", "level": "warning", "message": {"text": "esbuild: GHSA-67mh-4wv8-2f99"}, "properties": {"repobilityId": 66563, "scanner": "osv-scanner", "fingerprint": "41f281ca33e7758f3ed49d251cab103d4cb0c6de82ba0c8149194ad02717accb", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "esbuild", "rule_id": "GHSA-67mh-4wv8-2f99", "scanner": "osv-scanner", "correlation_key": "vuln|esbuild|GHSA-67MH-4WV8-2F99|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jxxr-4gwj-5jf2", "level": "warning", "message": {"text": "brace-expansion: GHSA-jxxr-4gwj-5jf2"}, "properties": {"repobilityId": 66561, "scanner": "osv-scanner", "fingerprint": "df9432682f1efa01d242974fb7d6c679d3a112195415b0ccdedda1d7decb9db5", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45149"], "package": "brace-expansion", "rule_id": "GHSA-jxxr-4gwj-5jf2", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-45149|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f886-m6hf-6m8v", "level": "warning", "message": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "properties": {"repobilityId": 66560, "scanner": "osv-scanner", "fingerprint": "6ed3e11856b985dfd38b234bdeafe6eb9fdd6ace1789aa46a716324dba77d441", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33750"], "package": "brace-expansion", "rule_id": "GHSA-f886-m6hf-6m8v", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-33750|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2g4f-4pwh-qvx6", "level": "warning", "message": {"text": "ajv: GHSA-2g4f-4pwh-qvx6"}, "properties": {"repobilityId": 66559, "scanner": "osv-scanner", "fingerprint": "0b4075edd70eccc9e81ce84656b8a0c1040ecc83769ba1ed4fe7ce3796321c93", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-69873"], "package": "ajv", "rule_id": "GHSA-2g4f-4pwh-qvx6", "scanner": "osv-scanner", "correlation_key": "vuln|ajv|CVE-2025-69873|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 66547, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 66529, "scanner": "repobility-threat-engine", "fingerprint": "90ac425ac7598521cf3e6d39384dbb789761c58dad556a5c7b2f66f37752c686", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|179|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagrams/er/erDb.ts"}, "region": {"startLine": 179}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 66528, "scanner": "repobility-threat-engine", "fingerprint": "adb27c16aba82636a79ec7e88416f9122a91eed3d1b92f316877495f5820f2f4", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|85|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagrams/class/classTypes.ts"}, "region": {"startLine": 85}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 66527, "scanner": "repobility-threat-engine", "fingerprint": "0334fe8e1a1b55174428e39845dcb0e227a64162ea31b7d0d7ac8d4f62e06aa4", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|44|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagrams/block/blockDB.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC037", "level": "warning", "message": {"text": "[SEC037] Uncontrolled Recursion \u2014 stack/depth exhaustion: Parsing arbitrary-depth user input (XML, JSON, YAML) without a depth limit, or recursive function over user-controlled structure. Attacker sends `{\"a\":{\"a\":{\"a\":...10000 levels...}}}` to blow the stack. Real CVEs: CVE-2019-16935 (Python xmlrpc), CVE-2020-25659 (PyYAML before 5.4). CWE-674/1325."}, "properties": {"repobilityId": 66520, "scanner": "repobility-threat-engine", "fingerprint": "ede26c8e996d53565e226e643210373ef0eb4b49b18538485c9da698862bbeee", "category": "resource_exhaustion", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(yamlBody", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC037", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ede26c8e996d53565e226e643210373ef0eb4b49b18538485c9da698862bbeee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagram-api/frontmatter.ts"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 66519, "scanner": "repobility-threat-engine", "fingerprint": "3842230e558081780c650a614c1007abe56417ad5c893cbb0fd01b46c24f0c66", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|129|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagrams/kanban/kanbanDb.ts"}, "region": {"startLine": 129}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 66518, "scanner": "repobility-threat-engine", "fingerprint": "4c0ebf6a3d3dfd87771a1bea27a6b4f04a685265bc5cbc977896d9ec8f7c10f1", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|43|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagram-api/frontmatter.ts"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC123", "level": "warning", "message": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "properties": {"repobilityId": 66496, "scanner": "repobility-threat-engine", "fingerprint": "e4f5e43ce9c3e25319b0685361981ec6e597765e5ec03e3960ef948bd3dc0b4b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Debug = true", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC123", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e4f5e43ce9c3e25319b0685361981ec6e597765e5ec03e3960ef948bd3dc0b4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".esbuild/dev-explorer/console-panel.ts"}, "region": {"startLine": 81}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 66483, "scanner": "repobility-agent-runtime", "fingerprint": "84dfabcb1a25901a840316a132670eb6870dad951b43710b6348177aa62291f1", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|84dfabcb1a25901a840316a132670eb6870dad951b43710b6348177aa62291f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".esbuild/dev-explorer/diagram-viewer.ts"}, "region": {"startLine": 127}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `eslint-plugin-unicorn` is 2 major version(s) behind (^62.0.0 -> 64.0.0)"}, "properties": {"repobilityId": 66482, "scanner": "repobility-dependency-currency", "fingerprint": "cbf401b16efd0102f984daedb43f3b78b2f29a3ec09a1989250d9de8b4fea136", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "eslint-plugin-unicorn", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "64.0.0", "correlation_key": "fp|cbf401b16efd0102f984daedb43f3b78b2f29a3ec09a1989250d9de8b4fea136", "current_version": "^62.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `eslint-plugin-cypress` is 1 major version(s) behind (^5.3.0 -> 6.4.1)"}, "properties": {"repobilityId": 66478, "scanner": "repobility-dependency-currency", "fingerprint": "6f8b445f140f5d62d717a7e620cfee942fc302808708bbfd522b8e6344dcf115", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "eslint-plugin-cypress", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.4.1", "correlation_key": "fp|6f8b445f140f5d62d717a7e620cfee942fc302808708bbfd522b8e6344dcf115", "current_version": "^5.3.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `cypress` is 1 major version(s) behind (^14.5.4 -> 15.16.0)"}, "properties": {"repobilityId": 66475, "scanner": "repobility-dependency-currency", "fingerprint": "8f03c4bf250c1160160bed9bd67c9e4b6d9adb9d38cf45b11fb976cb2bbbf07e", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "cypress", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "15.16.0", "correlation_key": "fp|8f03c4bf250c1160160bed9bd67c9e4b6d9adb9d38cf45b11fb976cb2bbbf07e", "current_version": "^14.5.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `cspell` is 1 major version(s) behind (^9.3.2 -> 10.0.1)"}, "properties": {"repobilityId": 66474, "scanner": "repobility-dependency-currency", "fingerprint": "4003481c887aa02ebef1ecacba687f024def61ca1a1c067633147035fac3f668", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "cspell", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.0.1", "correlation_key": "fp|4003481c887aa02ebef1ecacba687f024def61ca1a1c067633147035fac3f668", "current_version": "^9.3.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `cross-env` is 3 major version(s) behind (^7.0.3 -> 10.1.0)"}, "properties": {"repobilityId": 66473, "scanner": "repobility-dependency-currency", "fingerprint": "b161de4b5a8afb4544d22400c564d7da63d16e1860d2f2006dfb81c7fb54e541", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "cross-env", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.1.0", "correlation_key": "fp|b161de4b5a8afb4544d22400c564d7da63d16e1860d2f2006dfb81c7fb54e541", "current_version": "^7.0.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `cpy-cli` is 2 major version(s) behind (^5.0.0 -> 7.0.0)"}, "properties": {"repobilityId": 66472, "scanner": "repobility-dependency-currency", "fingerprint": "38161b11d5f58eaed831666e2bd3db2cf65f4303ec7e6dce3986d08992dbed13", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "cpy-cli", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.0.0", "correlation_key": "fp|38161b11d5f58eaed831666e2bd3db2cf65f4303ec7e6dce3986d08992dbed13", "current_version": "^5.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `concurrently` is 1 major version(s) behind (^9.2.1 -> 10.0.3)"}, "properties": {"repobilityId": 66471, "scanner": "repobility-dependency-currency", "fingerprint": "35c04d23e4ae1ed2c86c171286b4c33b37329a21038e1a84c486b785c79a693f", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "concurrently", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.0.3", "correlation_key": "fp|35c04d23e4ae1ed2c86c171286b4c33b37329a21038e1a84c486b785c79a693f", "current_version": "^9.2.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `chokidar` is 2 major version(s) behind (3.6.0 -> 5.0.0)"}, "properties": {"repobilityId": 66470, "scanner": "repobility-dependency-currency", "fingerprint": "7d1044bc828cea28c32572d3f423f1770673ce7c45b703a70cf63bd65843b878", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "chokidar", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.0.0", "correlation_key": "fp|7d1044bc828cea28c32572d3f423f1770673ce7c45b703a70cf63bd65843b878", "current_version": "3.6.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@vitest/ui` is 1 major version(s) behind (^3.2.4 -> 4.1.8)"}, "properties": {"repobilityId": 66468, "scanner": "repobility-dependency-currency", "fingerprint": "b44535a0419316b544c0a735358ecb56d8a7d1b7eb1f4f6a86f99ced3f2069c2", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vitest/ui", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.1.8", "correlation_key": "fp|b44535a0419316b544c0a735358ecb56d8a7d1b7eb1f4f6a86f99ced3f2069c2", "current_version": "^3.2.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@vitest/spy` is 1 major version(s) behind (^3.2.4 -> 4.1.8)"}, "properties": {"repobilityId": 66467, "scanner": "repobility-dependency-currency", "fingerprint": "39bef2e1a97b0afc06bc8bfd59ab53a90600341b5904bbc55004b18f0604f2ef", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vitest/spy", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.1.8", "correlation_key": "fp|39bef2e1a97b0afc06bc8bfd59ab53a90600341b5904bbc55004b18f0604f2ef", "current_version": "^3.2.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@vitest/coverage-v8` is 1 major version(s) behind (^3.2.4 -> 4.1.8)"}, "properties": {"repobilityId": 66466, "scanner": "repobility-dependency-currency", "fingerprint": "4a044b9dc901c0e2c53e8c761ce2d47d84e84db3b9daee1b659b4ba277b5f7d2", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vitest/coverage-v8", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.1.8", "correlation_key": "fp|4a044b9dc901c0e2c53e8c761ce2d47d84e84db3b9daee1b659b4ba277b5f7d2", "current_version": "^3.2.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@types/jsdom` is 7 major version(s) behind (^21.1.7 -> 28.0.3)"}, "properties": {"repobilityId": 66465, "scanner": "repobility-dependency-currency", "fingerprint": "955f62ceeb3848e1682696f335d3cc831333f4472a9d1d2c56e446087a5d8ae9", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "7 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/jsdom", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "28.0.3", "correlation_key": "fp|955f62ceeb3848e1682696f335d3cc831333f4472a9d1d2c56e446087a5d8ae9", "current_version": "^21.1.7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@eslint/js` is 1 major version(s) behind (^9.26.0 -> 10.0.1)"}, "properties": {"repobilityId": 66463, "scanner": "repobility-dependency-currency", "fingerprint": "0ad42616b63d1dbe9bfd3940a7fcf2e5cdaf00a630d699262cb676767c3a9bf1", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@eslint/js", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.0.1", "correlation_key": "fp|0ad42616b63d1dbe9bfd3940a7fcf2e5cdaf00a630d699262cb676767c3a9bf1", "current_version": "^9.26.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@cypress/code-coverage` is 1 major version(s) behind (^3.14.7 -> 4.0.3)"}, "properties": {"repobilityId": 66462, "scanner": "repobility-dependency-currency", "fingerprint": "e1a16a068417d7314ae2631e8ac0419657caaea3f12ac6889f0241b5582c19e4", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@cypress/code-coverage", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.0.3", "correlation_key": "fp|e1a16a068417d7314ae2631e8ac0419657caaea3f12ac6889f0241b5582c19e4", "current_version": "^3.14.7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@cspell/eslint-plugin` is 1 major version(s) behind (^9.3.2 -> 10.0.1)"}, "properties": {"repobilityId": 66461, "scanner": "repobility-dependency-currency", "fingerprint": "0b354883b51716439448eb43fc7cec4d08ba6a12274043c022d4e0835f174cb4", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@cspell/eslint-plugin", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.0.1", "correlation_key": "fp|0b354883b51716439448eb43fc7cec4d08ba6a12274043c022d4e0835f174cb4", "current_version": "^9.3.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@argos-ci/cypress` is 1 major version(s) behind (^6.2.12 -> 7.0.5)"}, "properties": {"repobilityId": 66458, "scanner": "repobility-dependency-currency", "fingerprint": "073815cbae4bf33f33317a9756e1484da82cce5567b382e28875ffc0c8ecb69a", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@argos-ci/cypress", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.0.5", "correlation_key": "fp|073815cbae4bf33f33317a9756e1484da82cce5567b382e28875ffc0c8ecb69a", "current_version": "^6.2.12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 66620, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 66619, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 66618, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 66617, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8fgc-7cc6-rx7x", "level": "note", "message": {"text": "webpack: GHSA-8fgc-7cc6-rx7x"}, "properties": {"repobilityId": 66609, "scanner": "osv-scanner", "fingerprint": "1993c610a1e199945bd3223101121d865411366cc66303a7a26ce1368fa7ffb3", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-68458"], "package": "webpack", "rule_id": "GHSA-8fgc-7cc6-rx7x", "scanner": "osv-scanner", "correlation_key": "vuln|webpack|CVE-2025-68458|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-38r7-794h-5758", "level": "note", "message": {"text": "webpack: GHSA-38r7-794h-5758"}, "properties": {"repobilityId": 66608, "scanner": "osv-scanner", "fingerprint": "f17ee9fc81b3ebbf6275da2f4ff0c137ea8a2828a01f73eb453ed488df735491", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-68157"], "package": "webpack", "rule_id": "GHSA-38r7-794h-5758", "scanner": "osv-scanner", "correlation_key": "vuln|webpack|CVE-2025-68157|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w7fw-mjwx-w883", "level": "note", "message": {"text": "qs: GHSA-w7fw-mjwx-w883"}, "properties": {"repobilityId": 66597, "scanner": "osv-scanner", "fingerprint": "a8ebfae1708877f4dd9d37cacb9e0f82aeb99b56d968b81a86d1302c6d3af0c2", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2391"], "package": "qs", "rule_id": "GHSA-w7fw-mjwx-w883", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2026-2391|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 66549, "scanner": "repobility-docker", "fingerprint": "7f80983f54868d8bec198a3977b7dcbe8bfb5f2291356d590fb078148e91780d", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "mermaid", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7f80983f54868d8bec198a3977b7dcbe8bfb5f2291356d590fb078148e91780d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 66548, "scanner": "repobility-docker", "fingerprint": "2ae03d2ca68f689d193058b7c353aabad57bc3d37942d6a7c1406762df909513", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "mermaid", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2ae03d2ca68f689d193058b7c353aabad57bc3d37942d6a7c1406762df909513"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 66513, "scanner": "repobility-threat-engine", "fingerprint": "65ba03cdf6ba4fb337b4fec9dd48b6cc354c926e71f8af3b6226f1f61843f14e", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = s", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|125|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/verify-diagram/verify.mjs"}, "region": {"startLine": 125}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 66511, "scanner": "repobility-threat-engine", "fingerprint": "824d676de7f9c196994892bd17f062d08f5de2e0cc31880db5362d630f72b76c", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = r", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|81|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid-zenuml/src/zenumlRenderer.ts"}, "region": {"startLine": 81}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `eslint-plugin-tsdoc` is minor version(s) behind (^0.4.0 -> 0.5.2)"}, "properties": {"repobilityId": 66481, "scanner": "repobility-dependency-currency", "fingerprint": "cf3c982fffdab8b64a33455dd5f99725d3c4e04a892cfbaf4d08b2b2435c30b8", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "eslint-plugin-tsdoc", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.5.2", "correlation_key": "fp|cf3c982fffdab8b64a33455dd5f99725d3c4e04a892cfbaf4d08b2b2435c30b8", "current_version": "^0.4.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `eslint-plugin-no-only-tests` is minor version(s) behind (^3.3.0 -> 3.4.0)"}, "properties": {"repobilityId": 66480, "scanner": "repobility-dependency-currency", "fingerprint": "fd72758259a0a56d59cc02693e391121a7241b35fdda69d7ed0458a10386dc4f", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "eslint-plugin-no-only-tests", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.4.0", "correlation_key": "fp|fd72758259a0a56d59cc02693e391121a7241b35fdda69d7ed0458a10386dc4f", "current_version": "^3.3.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `eslint-plugin-jest` is minor version(s) behind (^29.0.1 -> 29.15.2)"}, "properties": {"repobilityId": 66479, "scanner": "repobility-dependency-currency", "fingerprint": "17a9e96e5ae96006ce37e4a92a4854354d6eabbed4f61a78282480bba9f264be", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "eslint-plugin-jest", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "29.15.2", "correlation_key": "fp|17a9e96e5ae96006ce37e4a92a4854354d6eabbed4f61a78282480bba9f264be", "current_version": "^29.0.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `esbuild` is minor version(s) behind (^0.25.12 -> 0.28.0)"}, "properties": {"repobilityId": 66477, "scanner": "repobility-dependency-currency", "fingerprint": "f8688547f3a2c302f4208282de2cd062846017d3b836871d6cb6c6954b0dd8f1", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "esbuild", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.28.0", "correlation_key": "fp|f8688547f3a2c302f4208282de2cd062846017d3b836871d6cb6c6954b0dd8f1", "current_version": "^0.25.12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `dotenv` is minor version(s) behind (^17.2.4 -> 17.4.2)"}, "properties": {"repobilityId": 66476, "scanner": "repobility-dependency-currency", "fingerprint": "4ae8c2f6dd75bff63ab1669c14d4023702c0f2a24138f08845e0ab8885815a3e", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "dotenv", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "17.4.2", "correlation_key": "fp|4ae8c2f6dd75bff63ab1669c14d4023702c0f2a24138f08845e0ab8885815a3e", "current_version": "^17.2.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `ajv` is minor version(s) behind (^8.17.1 -> 8.20.0)"}, "properties": {"repobilityId": 66469, "scanner": "repobility-dependency-currency", "fingerprint": "6f74d6b06e3f5af0c7e48a7df85840d846836f3fe2cda0d785785e2eca7e860d", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "ajv", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "8.20.0", "correlation_key": "fp|6f74d6b06e3f5af0c7e48a7df85840d846836f3fe2cda0d785785e2eca7e860d", "current_version": "^8.17.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@rollup/plugin-typescript` is minor version(s) behind (^12.1.4 -> 12.3.0)"}, "properties": {"repobilityId": 66464, "scanner": "repobility-dependency-currency", "fingerprint": "6f1817b8990fa0ba835de09ac288f84a44fa43fd5cea3d00f9866b4383855cc3", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@rollup/plugin-typescript", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "12.3.0", "correlation_key": "fp|6f1817b8990fa0ba835de09ac288f84a44fa43fd5cea3d00f9866b4383855cc3", "current_version": "^12.1.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@changesets/cli` is minor version(s) behind (^2.29.8 -> 2.31.0)"}, "properties": {"repobilityId": 66460, "scanner": "repobility-dependency-currency", "fingerprint": "36a5e3a9bfd2a2d6d4e5fde0eb09f1aaa8981d2b75b930b57b3fddceb4fd1d05", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@changesets/cli", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.31.0", "correlation_key": "fp|36a5e3a9bfd2a2d6d4e5fde0eb09f1aaa8981d2b75b930b57b3fddceb4fd1d05", "current_version": "^2.29.8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@changesets/changelog-github` is minor version(s) behind (^0.5.2 -> 0.7.0)"}, "properties": {"repobilityId": 66459, "scanner": "repobility-dependency-currency", "fingerprint": "db86ac27d1719bf2f75a2e73d5c52ee541e277e4bdeccb3b471c6e5644a28a4a", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@changesets/changelog-github", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.7.0", "correlation_key": "fp|db86ac27d1719bf2f75a2e73d5c52ee541e277e4bdeccb3b471c6e5644a28a4a", "current_version": "^0.5.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66449, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1aa8b0125ffb2237161feb815c1e1de20af886b4e6f33e889451ada465e380de", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/mermaid/src/rendering-util/layout-algorithms/swimlanes/adjustLayout.ts", "duplicate_line": 82, "correlation_key": "fp|1aa8b0125ffb2237161feb815c1e1de20af886b4e6f33e889451ada465e380de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/rendering-util/rendering-elements/edges.js"}, "region": {"startLine": 212}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66448, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3b58d4afd2f6cf51d96082543de70b09c225114bd14f88320752be11a1c31226", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/mermaid/src/dagre-wrapper/edges.js", "duplicate_line": 39, "correlation_key": "fp|3b58d4afd2f6cf51d96082543de70b09c225114bd14f88320752be11a1c31226"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/rendering-util/rendering-elements/edges.js"}, "region": {"startLine": 75}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66447, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c472ea0b1899e932529d023cc18d9179f6f1533e7c69e9a5103c5fc94f049079", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/mermaid/src/dagre-wrapper/createLabel.js", "duplicate_line": 4, "correlation_key": "fp|c472ea0b1899e932529d023cc18d9179f6f1533e7c69e9a5103c5fc94f049079"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/rendering-util/rendering-elements/createLabel.js"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66446, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b34d2a98c1565ba68fda35ab42431bc836aec679824b107e669fb5aa320fdc77", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/mermaid/src/dagre-wrapper/clusters.js", "duplicate_line": 70, "correlation_key": "fp|b34d2a98c1565ba68fda35ab42431bc836aec679824b107e669fb5aa320fdc77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/rendering-util/rendering-elements/clusters.js"}, "region": {"startLine": 106}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66445, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e028efd4279a408e439455a543787bfc47e8fc4b7bbc1db0fb136dcfff6dc097", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/mermaid/src/rendering-util/layout-algorithms/swimlanes/direction/materializedGeometry.ts", "duplicate_line": 308, "correlation_key": "fp|e028efd4279a408e439455a543787bfc47e8fc4b7bbc1db0fb136dcfff6dc097"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/rendering-util/layout-algorithms/swimlanes/direction/sharedTrackNudging.ts"}, "region": {"startLine": 76}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66444, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8f7cdabe1ac9ba47baadeaa4260900ffd52f2c5f96a3df02105e511707a2b043", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/mermaid/src/dagre-wrapper/edges.js", "duplicate_line": 158, "correlation_key": "fp|8f7cdabe1ac9ba47baadeaa4260900ffd52f2c5f96a3df02105e511707a2b043"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/rendering-util/layout-algorithms/swimlanes/adjustLayout.ts"}, "region": {"startLine": 84}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66443, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ca514484f04cbcc1d2b538bc9b8bcbbf82281f7134215e9f5b7151c9f5c6b356", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/mermaid/src/dagre-wrapper/intersect/intersect-rect.js", "duplicate_line": 9, "correlation_key": "fp|ca514484f04cbcc1d2b538bc9b8bcbbf82281f7134215e9f5b7151c9f5c6b356"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/rendering-util/layout-algorithms/layout-utils/scoreLayout.ts"}, "region": {"startLine": 96}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66442, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0d50b781bffeec46360402cd35836e2fc605ee1bd0eea0100c3a6b4d31b268c6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/mermaid/src/dagre-wrapper/mermaid-graphlib.js", "duplicate_line": 37, "correlation_key": "fp|0d50b781bffeec46360402cd35836e2fc605ee1bd0eea0100c3a6b4d31b268c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/rendering-util/layout-algorithms/dagre/mermaid-graphlib.js"}, "region": {"startLine": 33}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66441, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9cbaf2267800caddfaeb8b6830230d0ee8d940d30c18ca1373d0181e6ce74199", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/mermaid/src/dagre-wrapper/index.js", "duplicate_line": 54, "correlation_key": "fp|9cbaf2267800caddfaeb8b6830230d0ee8d940d30c18ca1373d0181e6ce74199"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/rendering-util/layout-algorithms/dagre/index.js"}, "region": {"startLine": 266}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66440, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ca5083fbeeb0a0b4c454840ad5f34044519a84ad740ff7849a7c9df29a6d5932", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/mermaid-layout-tidy-tree/src/render.ts", "duplicate_line": 11, "correlation_key": "fp|ca5083fbeeb0a0b4c454840ad5f34044519a84ad740ff7849a7c9df29a6d5932"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/rendering-util/layout-algorithms/cose-bilkent/render.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66439, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9ca065f5290c46037c46c4f967d1af42a269c0465562b866748af72c37bca006", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/mermaid/src/diagrams/timeline/svgDraw.js", "duplicate_line": 17, "correlation_key": "fp|9ca065f5290c46037c46c4f967d1af42a269c0465562b866748af72c37bca006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagrams/user-journey/svgDraw.js"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66438, "scanner": "repobility-ai-code-hygiene", "fingerprint": "82a72cfc74ec99132932c581b65951cde3aaa1cc32099c3db6d985baa43c7225", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/mermaid/src/diagrams/block/styles.ts", "duplicate_line": 51, "correlation_key": "fp|82a72cfc74ec99132932c581b65951cde3aaa1cc32099c3db6d985baa43c7225"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagrams/user-journey/styles.js"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66437, "scanner": "repobility-ai-code-hygiene", "fingerprint": "88afa6fa0b7cc5f0f3164fbacd3ca6f44ac1e21f3bd1f63f67a24c89c9e293a5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/mermaid/src/diagrams/timeline/timelineDb.js", "duplicate_line": 22, "correlation_key": "fp|88afa6fa0b7cc5f0f3164fbacd3ca6f44ac1e21f3bd1f63f67a24c89c9e293a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagrams/user-journey/journeyDb.js"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66436, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a76e17d94af7b0f2339502d140eb85cae816a6dc48f2f32927061867a33aa023", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/mermaid/src/diagrams/timeline/timelineRenderer.ts", "duplicate_line": 9, "correlation_key": "fp|a76e17d94af7b0f2339502d140eb85cae816a6dc48f2f32927061867a33aa023"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagrams/timeline/timelineRendererVertical.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66435, "scanner": "repobility-ai-code-hygiene", "fingerprint": "82a5a0a0ac4686e5a218af0ce1c9e679979ad72e8e1c85e0c1cee9a2a71c7fa8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/mermaid/src/diagrams/mindmap/mindmapRenderer.ts", "duplicate_line": 63, "correlation_key": "fp|82a5a0a0ac4686e5a218af0ce1c9e679979ad72e8e1c85e0c1cee9a2a71c7fa8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagrams/timeline/timelineRenderer.ts"}, "region": {"startLine": 187}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66434, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d9e0fff8102fe0f62222400a6440da3678ddc81df47c6ae2f593795ccda8bf17", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/mermaid/src/diagrams/kanban/styles.ts", "duplicate_line": 24, "correlation_key": "fp|d9e0fff8102fe0f62222400a6440da3678ddc81df47c6ae2f593795ccda8bf17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagrams/timeline/styles.js"}, "region": {"startLine": 76}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66433, "scanner": "repobility-ai-code-hygiene", "fingerprint": "64e2f572468dea57cbef8e7e23435395b3e687a9f0c7dbdbca9dd3da5b4ef161", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/mermaid/src/diagrams/flowchart/styles.ts", "duplicate_line": 82, "correlation_key": "fp|64e2f572468dea57cbef8e7e23435395b3e687a9f0c7dbdbca9dd3da5b4ef161"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagrams/state/styles.js"}, "region": {"startLine": 60}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66432, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6a675cd9dc7af761b4d6b21e8eaa482aa67d89407887c7ec7642c094df538257", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/mermaid/src/diagrams/class/classRenderer-v3-unified.ts", "duplicate_line": 10, "correlation_key": "fp|6a675cd9dc7af761b4d6b21e8eaa482aa67d89407887c7ec7642c094df538257"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagrams/state/stateRenderer-v3-unified.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66431, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d38eacd54609ee584548e6382f27eb134a61c3799a2ae3ade38780532c8eea46", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/mermaid/src/diagrams/class/svgDraw.js", "duplicate_line": 19, "correlation_key": "fp|d38eacd54609ee584548e6382f27eb134a61c3799a2ae3ade38780532c8eea46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagrams/state/shapes.js"}, "region": {"startLine": 297}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66430, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3a1b3cc098f3789aac1047e053cfe0f77c9e1de40ed456633914d09701a49ad2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/mermaid/src/diagrams/c4/c4Db.js", "duplicate_line": 659, "correlation_key": "fp|3a1b3cc098f3789aac1047e053cfe0f77c9e1de40ed456633914d09701a49ad2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagrams/sequence/sequenceDb.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66429, "scanner": "repobility-ai-code-hygiene", "fingerprint": "872afd69daa6e1cf6b6b973ccd584809fa55efbc0d89f7003a25d2e2fce43581", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/mermaid/src/config.type.ts", "duplicate_line": 603, "correlation_key": "fp|872afd69daa6e1cf6b6b973ccd584809fa55efbc0d89f7003a25d2e2fce43581"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagrams/railroad/railroadTypes.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66428, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1ec2eef1e76f5ff0fc6ed1267c8010c7c5bec5a76b688c79842451ae8775128a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/mermaid/src/diagrams/kanban/styles.ts", "duplicate_line": 27, "correlation_key": "fp|1ec2eef1e76f5ff0fc6ed1267c8010c7c5bec5a76b688c79842451ae8775128a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagrams/mindmap/styles.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66427, "scanner": "repobility-ai-code-hygiene", "fingerprint": "39a8a929dc8a82493c4104c127f7750632b7ae18e91db4477db698a088653ad7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/mermaid/src/diagrams/class/classDb.ts", "duplicate_line": 340, "correlation_key": "fp|39a8a929dc8a82493c4104c127f7750632b7ae18e91db4477db698a088653ad7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagrams/gantt/ganttDb.js"}, "region": {"startLine": 542}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66426, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2d0501fbd4c4ef66ea483d97f0dc8b072ec5316131849fb300777574b8d1e941", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/mermaid/src/diagrams/class/styles.js", "duplicate_line": 20, "correlation_key": "fp|2d0501fbd4c4ef66ea483d97f0dc8b072ec5316131849fb300777574b8d1e941"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagrams/flowchart/styles.ts"}, "region": {"startLine": 97}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66425, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b7754524fee28cb7ccc600782df0315276b7cb2b2534af5d2c9a83fe7aa52f21", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/mermaid/src/diagrams/block/styles.ts", "duplicate_line": 4, "correlation_key": "fp|b7754524fee28cb7ccc600782df0315276b7cb2b2534af5d2c9a83fe7aa52f21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagrams/flowchart/styles.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66424, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c935b6acb346686406fe3f89e178a4a4b8ebfe24880af18109baec38cfb36fe9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/mermaid/src/diagrams/class/classDb.ts", "duplicate_line": 537, "correlation_key": "fp|c935b6acb346686406fe3f89e178a4a4b8ebfe24880af18109baec38cfb36fe9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagrams/class/classRenderer-v2.ts"}, "region": {"startLine": 309}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66423, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ee14a6d98d191be6352874a5833beea4079a05dd9d7db27271dd1a0d040e3e42", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/mermaid/src/diagrams/class/classDiagram-v2.ts", "duplicate_line": 1, "correlation_key": "fp|ee14a6d98d191be6352874a5833beea4079a05dd9d7db27271dd1a0d040e3e42"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagrams/class/classDiagram.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66422, "scanner": "repobility-ai-code-hygiene", "fingerprint": "12d980f56bab1deeea5c5322340f7cea372eee77fe52cbcf1e24f3bae54c8482", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/mermaid-layout-tidy-tree/src/layout.ts", "duplicate_line": 302, "correlation_key": "fp|12d980f56bab1deeea5c5322340f7cea372eee77fe52cbcf1e24f3bae54c8482"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/dagre-wrapper/edges.js"}, "region": {"startLine": 256}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66421, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5ee491df65b4b8f625355e38a7680aa5fde267d5d91ea1750f5b575b0fcf24fc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/mermaid-example-diagram/src/mermaidUtils.ts", "duplicate_line": 1, "correlation_key": "fp|5ee491df65b4b8f625355e38a7680aa5fde267d5d91ea1750f5b575b0fcf24fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid-zenuml/src/mermaidUtils.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66420, "scanner": "repobility-ai-code-hygiene", "fingerprint": "580499f244824472731cac85d54a719d1f6669bde42ea787937cb912bdb6d1a5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/mermaid-layout-elk/src/geometry.ts", "duplicate_line": 46, "correlation_key": "fp|580499f244824472731cac85d54a719d1f6669bde42ea787937cb912bdb6d1a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid-layout-tidy-tree/src/layout.ts"}, "region": {"startLine": 311}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "properties": {"repobilityId": 66543, "scanner": "repobility-threat-engine", "fingerprint": "10405ed5972d0163fa5681e2bb04cbe673746353d2f755e6d028c473b94466e9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|10405ed5972d0163fa5681e2bb04cbe673746353d2f755e6d028c473b94466e9", "aggregated_count": 11}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 66542, "scanner": "repobility-threat-engine", "fingerprint": "b8ea3d8f5bb0ef67661c8901509915ad3f7e3ca2e2d9907bd6e7a53c3a65091f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b8ea3d8f5bb0ef67661c8901509915ad3f7e3ca2e2d9907bd6e7a53c3a65091f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagrams/treemap/parser.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 66541, "scanner": "repobility-threat-engine", "fingerprint": "935671f27b144483958c2e149fbc672fcc2237d78db0087d2452067cb93c812a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|935671f27b144483958c2e149fbc672fcc2237d78db0087d2452067cb93c812a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagrams/radar/styles.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 66540, "scanner": "repobility-threat-engine", "fingerprint": "72afe37b813eb1b106d4725916da7596337dfa36a62a2f6b634015615af27d84", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|72afe37b813eb1b106d4725916da7596337dfa36a62a2f6b634015615af27d84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagrams/eventmodeling/parser.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 66539, "scanner": "repobility-threat-engine", "fingerprint": "b76c739e454f474f79e1a75fd36537fa81be32cd24aacbb4d15b084f3000f42d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b76c739e454f474f79e1a75fd36537fa81be32cd24aacbb4d15b084f3000f42d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/verify-diagram/verify.mjs"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 66538, "scanner": "repobility-threat-engine", "fingerprint": "cac9dfb036603f1468779d7a5fb71383e0b88571f18ee7f58c9e03e555401395", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cac9dfb036603f1468779d7a5fb71383e0b88571f18ee7f58c9e03e555401395"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagrams/class/svgDraw.js"}, "region": {"startLine": 109}}}]}, {"ruleId": "SEC005", "level": "none", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 66537, "scanner": "repobility-threat-engine", "fingerprint": "c0f555d3e8c9495a21a3dfab94a282bd419f364d1cc77cadc15cfc73748f5456", "category": "injection", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Line contains 'regex' \u2014 likely a detection rule or pattern list, not executable code", "evidence": {"match": "exec(input", "reason": "Line contains 'regex' \u2014 likely a detection rule or pattern list, not executable code", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|injection|token|32|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/parser/src/language/treemap/valueConverter.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC005", "level": "none", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 66536, "scanner": "repobility-threat-engine", "fingerprint": "400cb320aa9ea8d90287f20e6eb39856986b5c2054cb302d9018d9c2afb5cf38", "category": "injection", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Line contains 'regex' \u2014 likely a detection rule or pattern list, not executable code", "evidence": {"match": "exec(input", "reason": "Line contains 'regex' \u2014 likely a detection rule or pattern list, not executable code", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|injection|token|53|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/parser/src/language/common/valueConverter.ts"}, "region": {"startLine": 53}}}]}, {"ruleId": "SEC005", "level": "none", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 66535, "scanner": "repobility-threat-engine", "fingerprint": "faccde976098878b1597e37828c9677977dca7c4cf4a08652ccbbcf9b987f859", "category": "injection", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Line contains 'regex' \u2014 likely a detection rule or pattern list, not executable code", "evidence": {"match": "exec(input", "reason": "Line contains 'regex' \u2014 likely a detection rule or pattern list, not executable code", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|injection|token|85|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagrams/class/classTypes.ts"}, "region": {"startLine": 85}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 66534, "scanner": "repobility-threat-engine", "fingerprint": "5523e60b1dc8a944defadff18fd27285ca7823b9184972b5126e133bf66244aa", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|5523e60b1dc8a944defadff18fd27285ca7823b9184972b5126e133bf66244aa"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 66530, "scanner": "repobility-threat-engine", "fingerprint": "e6f2b2e43438c0a72db7c4b00ebac5cca9defebed1ab82756cd4b4eaff0d5869", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|e6f2b2e43438c0a72db7c4b00ebac5cca9defebed1ab82756cd4b4eaff0d5869"}}}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 66517, "scanner": "repobility-threat-engine", "fingerprint": "23ba48d73a18e702bf90a1f1eb45ca617fe03e579b9da1a5fdba610201e20755", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|23ba48d73a18e702bf90a1f1eb45ca617fe03e579b9da1a5fdba610201e20755"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/jison/lint.mts"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 66516, "scanner": "repobility-threat-engine", "fingerprint": "d2d1750fb2edbab241fd558a87b64c89916d9fc514036123e1c023fa05d37d3e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d2d1750fb2edbab241fd558a87b64c89916d9fc514036123e1c023fa05d37d3e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/scripts/create-types-from-json-schema.mts"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 66514, "scanner": "repobility-threat-engine", "fingerprint": "f95c2a87531c64e05e956138cf860a65f213babd647ebbe8dfe752e5c19e386a", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "console.error('\u274c Error: ./src/config.type.ts will be changed.')", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|15|console.error error: ./src/config.type.ts will be changed."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/scripts/create-types-from-json-schema.mts"}, "region": {"startLine": 152}}}]}, {"ruleId": "SEC006", "level": "none", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 66512, "scanner": "repobility-threat-engine", "fingerprint": "d2b2c689ff043dace616ca8f545d616a2b927bc16111ae9cc27e4fcc24e0fd16", "category": "injection", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Sanitization detected ('sanitize') \u2014 output is likely sanitized", "evidence": {"match": ".innerHTML = a", "reason": "Sanitization detected ('sanitize') \u2014 output is likely sanitized", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|injection|token|309|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagrams/common/common.ts"}, "region": {"startLine": 309}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 66510, "scanner": "repobility-threat-engine", "fingerprint": "5fc6fc2fe541f1cc762de18f3b4734b2927de94690bc3fbbd3cc04b5de9fe023", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5fc6fc2fe541f1cc762de18f3b4734b2927de94690bc3fbbd3cc04b5de9fe023"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/rendering-util/rendering-elements/shapes/util.ts"}, "region": {"startLine": 261}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 66509, "scanner": "repobility-threat-engine", "fingerprint": "f4ffc722f82e2d2c31d9bff9d5ba34d366dd567e2716b33de6bb9ea3478a7825", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f4ffc722f82e2d2c31d9bff9d5ba34d366dd567e2716b33de6bb9ea3478a7825"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagrams/state/stateRenderer-v3-unified.ts"}, "region": {"startLine": 114}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 66508, "scanner": "repobility-threat-engine", "fingerprint": "0e90607b08bb3a11eeb6a34dd63d804980e5b9d33f8d134b942ee9c69c6b339c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0e90607b08bb3a11eeb6a34dd63d804980e5b9d33f8d134b942ee9c69c6b339c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid-local-editor/static/js/renderer.js"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 66504, "scanner": "repobility-threat-engine", "fingerprint": "ca5810ac6a2691831acbb4a51605672ba83c57f5592204a59181f6375036bfee", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|ca5810ac6a2691831acbb4a51605672ba83c57f5592204a59181f6375036bfee"}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 33 more): Same pattern found in 33 additional files. Review if needed."}, "properties": {"repobilityId": 66500, "scanner": "repobility-threat-engine", "fingerprint": "cf2c7cfeef733c6be9eb62e89877024132656e25b16c9d1ba5798c30b6b70a0e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 33 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|cf2c7cfeef733c6be9eb62e89877024132656e25b16c9d1ba5798c30b6b70a0e", "aggregated_count": 33}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 66499, "scanner": "repobility-threat-engine", "fingerprint": "6d6ca4a490396bd5e17cf197cb4686ec023ca7e0bb0ef5f71260194048ea7afe", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6d6ca4a490396bd5e17cf197cb4686ec023ca7e0bb0ef5f71260194048ea7afe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid-layout-tidy-tree/src/render.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 66498, "scanner": "repobility-threat-engine", "fingerprint": "e1ad8dd850eb102d74a18c3bd6e64350553e567c164fd76e6f3af87774cb44c0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e1ad8dd850eb102d74a18c3bd6e64350553e567c164fd76e6f3af87774cb44c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid-example-diagram/src/mermaidUtils.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 66497, "scanner": "repobility-threat-engine", "fingerprint": "93475631b7176f305a3ab40c2516dd28978ac8c84d5c190aa7cbcfa6834fa996", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|93475631b7176f305a3ab40c2516dd28978ac8c84d5c190aa7cbcfa6834fa996"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".esbuild/dev-explorer/console-panel.ts"}, "region": {"startLine": 184}}}]}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 66495, "scanner": "repobility-threat-engine", "fingerprint": "a600c5f1b687e0363f6cd72bae70904050dbf8acc3244366b5b6101b65c34836", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a600c5f1b687e0363f6cd72bae70904050dbf8acc3244366b5b6101b65c34836"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 29 more): Same pattern found in 29 additional files. Review if needed."}, "properties": {"repobilityId": 66491, "scanner": "repobility-threat-engine", "fingerprint": "0fed97dd8660e8c5e0eff6eb1a741e4fd953e819b03d0f56c14a88604f5ec0f9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 29 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|0fed97dd8660e8c5e0eff6eb1a741e4fd953e819b03d0f56c14a88604f5ec0f9", "aggregated_count": 29}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 66490, "scanner": "repobility-threat-engine", "fingerprint": "2a68e77f2af235747229ce011ac418e1144b86bf4c77ecb30e4744dcfd9c5a73", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2a68e77f2af235747229ce011ac418e1144b86bf4c77ecb30e4744dcfd9c5a73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagrams/architecture/architectureParser.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 66489, "scanner": "repobility-threat-engine", "fingerprint": "f7808d5d330d06e147ff62fd68a7707cfe88b1b827c88e3e0e60ec7beff0f822", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f7808d5d330d06e147ff62fd68a7707cfe88b1b827c88e3e0e60ec7beff0f822"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid-layout-tidy-tree/src/render.ts"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 66488, "scanner": "repobility-threat-engine", "fingerprint": "8c22b8e14ef20c9b57969a72d62083d876baec0b178cdf1ad36379850a9e1617", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8c22b8e14ef20c9b57969a72d62083d876baec0b178cdf1ad36379850a9e1617"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".esbuild/build.ts"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "properties": {"repobilityId": 66487, "scanner": "repobility-threat-engine", "fingerprint": "ffc9ba3b9d5bd2d29c31b01830a880750f5647e3c9f440819f3cb38c6944b1b4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 16 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|ffc9ba3b9d5bd2d29c31b01830a880750f5647e3c9f440819f3cb38c6944b1b4", "aggregated_count": 16}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 66486, "scanner": "repobility-threat-engine", "fingerprint": "bcc361b644caa19b5c334fc80828ce03b11e84eaa183e7e3467715fa75c7ffa9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bcc361b644caa19b5c334fc80828ce03b11e84eaa183e7e3467715fa75c7ffa9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".vite/build.ts"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 66485, "scanner": "repobility-threat-engine", "fingerprint": "44ec2ee468bb9e779c5a9fa56b2530aa396a76cf8641a19d2620e8fc985fcf99", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|44ec2ee468bb9e779c5a9fa56b2530aa396a76cf8641a19d2620e8fc985fcf99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".esbuild/build.ts"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 66484, "scanner": "repobility-threat-engine", "fingerprint": "35a6cb94a74053923408ff5e52438a65a850b083be2bcbe83fad05772ac016e5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|35a6cb94a74053923408ff5e52438a65a850b083be2bcbe83fad05772ac016e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".build/types.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "GHSA-qpx9-hpmf-5gmw", "level": "error", "message": {"text": "underscore: GHSA-qpx9-hpmf-5gmw"}, "properties": {"repobilityId": 66603, "scanner": "osv-scanner", "fingerprint": "2178a695e49cbd2369c430eb881495965fbf0ce6758abdeded7e3cbeb280b0f6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27601"], "package": "underscore", "rule_id": "GHSA-qpx9-hpmf-5gmw", "scanner": "osv-scanner", "correlation_key": "vuln|underscore|CVE-2026-27601|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-ph9p-34f9-6g65", "level": "error", "message": {"text": "tmp: GHSA-ph9p-34f9-6g65"}, "properties": {"repobilityId": 66602, "scanner": "osv-scanner", "fingerprint": "85237a582679ce02ed5374b4c960bb9330e68d29c31080114a7ec45740887db3", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44705"], "package": "tmp", "rule_id": "GHSA-ph9p-34f9-6g65", "scanner": "osv-scanner", "correlation_key": "vuln|tmp|CVE-2026-44705|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vj76-c3g6-qr5v", "level": "error", "message": {"text": "tar-fs: GHSA-vj76-c3g6-qr5v"}, "properties": {"repobilityId": 66601, "scanner": "osv-scanner", "fingerprint": "a908968c3376c9dbf88e9849fc6469b496b10375689119e420833f0feea7a41e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-59343"], "package": "tar-fs", "rule_id": "GHSA-vj76-c3g6-qr5v", "scanner": "osv-scanner", "correlation_key": "vuln|tar-fs|CVE-2025-59343|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5c6j-r48x-rmvq", "level": "error", "message": {"text": "serialize-javascript: GHSA-5c6j-r48x-rmvq"}, "properties": {"repobilityId": 66598, "scanner": "osv-scanner", "fingerprint": "de4935b665c57173b6330e6fb3d06a59e8b21f8a73cc30ee4bd8c133ec29eb0f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "serialize-javascript", "rule_id": "GHSA-5c6j-r48x-rmvq", "scanner": "osv-scanner", "correlation_key": "vuln|serialize-javascript|GHSA-5C6J-R48X-RMVQ|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-36hm-qxxp-pg3m", "level": "error", "message": {"text": "preact: GHSA-36hm-qxxp-pg3m"}, "properties": {"repobilityId": 66594, "scanner": "osv-scanner", "fingerprint": "c8c42b0a877800ea9d9fb4387ae0bc0cabe48ec1e6df4e62e9f78af761059011", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-22028"], "package": "preact", "rule_id": "GHSA-36hm-qxxp-pg3m", "scanner": "osv-scanner", "correlation_key": "vuln|preact|CVE-2026-22028|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c2c7-rcm5-vvqj", "level": "error", "message": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "properties": {"repobilityId": 66592, "scanner": "osv-scanner", "fingerprint": "a3dd2390244022d96de63689cdd673fb906d1165f495d6a42a0980e956db632d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33671"], "package": "picomatch", "rule_id": "GHSA-c2c7-rcm5-vvqj", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33671|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-j3q9-mxjg-w52f", "level": "error", "message": {"text": "path-to-regexp: GHSA-j3q9-mxjg-w52f"}, "properties": {"repobilityId": 66590, "scanner": "osv-scanner", "fingerprint": "7430ad422b469928b240b563ae546401b374bbe16856d03d234e7895b9d8d7d3", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4926"], "package": "path-to-regexp", "rule_id": "GHSA-j3q9-mxjg-w52f", "scanner": "osv-scanner", "correlation_key": "vuln|path-to-regexp|CVE-2026-4926|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-37ch-88jc-xwx2", "level": "error", "message": {"text": "path-to-regexp: GHSA-37ch-88jc-xwx2"}, "properties": {"repobilityId": 66588, "scanner": "osv-scanner", "fingerprint": "5f84f52bbcd46db66c79dfd59714ac90c668d089fbb31ecd1c685bce826e6c9c", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4867"], "package": "path-to-regexp", "rule_id": "GHSA-37ch-88jc-xwx2", "scanner": "osv-scanner", "correlation_key": "vuln|path-to-regexp|CVE-2026-4867|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q67f-28xg-22rw", "level": "error", "message": {"text": "node-forge: GHSA-q67f-28xg-22rw"}, "properties": {"repobilityId": 66587, "scanner": "osv-scanner", "fingerprint": "a69db64dde57e37f7dce01118e6ddc618411910f6d20e61e2200dfd33f8f982e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33895"], "package": "node-forge", "rule_id": "GHSA-q67f-28xg-22rw", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2026-33895|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-ppp5-5v6c-4jwp", "level": "error", "message": {"text": "node-forge: GHSA-ppp5-5v6c-4jwp"}, "properties": {"repobilityId": 66586, "scanner": "osv-scanner", "fingerprint": "678f289e9900c57e676593d804de0a138b236439c6c97c2d2e4d4239b16dfcfa", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33894"], "package": "node-forge", "rule_id": "GHSA-ppp5-5v6c-4jwp", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2026-33894|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5m6q-g25r-mvwx", "level": "error", "message": {"text": "node-forge: GHSA-5m6q-g25r-mvwx"}, "properties": {"repobilityId": 66584, "scanner": "osv-scanner", "fingerprint": "dc5fa214bdc6d63d473f50f22af42dea35347f5fb1cf540d539cfe46604ac6da", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33891"], "package": "node-forge", "rule_id": "GHSA-5m6q-g25r-mvwx", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2026-33891|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5gfm-wpxj-wjgq", "level": "error", "message": {"text": "node-forge: GHSA-5gfm-wpxj-wjgq"}, "properties": {"repobilityId": 66583, "scanner": "osv-scanner", "fingerprint": "37801c7f7d41e93aee859018f0d1a1c4846220b2d52b16a3ee24c8dbb5c5ab1c", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-12816"], "package": "node-forge", "rule_id": "GHSA-5gfm-wpxj-wjgq", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2025-12816|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-554w-wpv2-vw27", "level": "error", "message": {"text": "node-forge: GHSA-554w-wpv2-vw27"}, "properties": {"repobilityId": 66582, "scanner": "osv-scanner", "fingerprint": "8812c16a4e42dd19d361ca520f98bbaf875b31b039c35da8ded934aa4337f617", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-66031"], "package": "node-forge", "rule_id": "GHSA-554w-wpv2-vw27", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2025-66031|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2328-f5f3-gj25", "level": "error", "message": {"text": "node-forge: GHSA-2328-f5f3-gj25"}, "properties": {"repobilityId": 66581, "scanner": "osv-scanner", "fingerprint": "541e84349945fccc3e4ec79e0a4d02d9c0e7ba223c81a229c94604f1bc507cf5", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33896"], "package": "node-forge", "rule_id": "GHSA-2328-f5f3-gj25", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2026-33896|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7r86-cg39-jmmj", "level": "error", "message": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "properties": {"repobilityId": 66580, "scanner": "osv-scanner", "fingerprint": "c3482c8b051b710219b686b962c8edfcc83babb0e1e54a2b470ae7782dd0b574", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27903"], "package": "minimatch", "rule_id": "GHSA-7r86-cg39-jmmj", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27903|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3ppc-4f35-3m26", "level": "error", "message": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "properties": {"repobilityId": 66579, "scanner": "osv-scanner", "fingerprint": "2fd5e24a94dfd2116cfc5d9aeb4e4f584669c9b76d1795010331a7b69b3682a6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-26996"], "package": "minimatch", "rule_id": "GHSA-3ppc-4f35-3m26", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-26996|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-23c5-xmqv-rm74", "level": "error", "message": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "properties": {"repobilityId": 66578, "scanner": "osv-scanner", "fingerprint": "af7663e4c51288986bfb4927d06e33aa650fed364bb14d31804c3d4da5638193", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27904"], "package": "minimatch", "rule_id": "GHSA-23c5-xmqv-rm74", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27904|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r5fr-rjxr-66jc", "level": "error", "message": {"text": "lodash-es: GHSA-r5fr-rjxr-66jc"}, "properties": {"repobilityId": 66575, "scanner": "osv-scanner", "fingerprint": "01498d7ea9aef0d6a550e7cd86ec4127d89b0518382f7ad5d22570091f535b91", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4800"], "package": "lodash-es", "rule_id": "GHSA-r5fr-rjxr-66jc", "scanner": "osv-scanner", "correlation_key": "vuln|lodash-es|CVE-2026-4800|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r5fr-rjxr-66jc", "level": "error", "message": {"text": "lodash: GHSA-r5fr-rjxr-66jc"}, "properties": {"repobilityId": 66572, "scanner": "osv-scanner", "fingerprint": "853deeac541f0dc49600a5a4216f851e15bffd93ce8be267a82d13637ceb9e7d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4800"], "package": "lodash", "rule_id": "GHSA-r5fr-rjxr-66jc", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2026-4800|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5j98-mcp5-4vw2", "level": "error", "message": {"text": "glob: GHSA-5j98-mcp5-4vw2"}, "properties": {"repobilityId": 66569, "scanner": "osv-scanner", "fingerprint": "eb4e2489dccfcd558471ee06a12a3834967a0dcf3de2afa6a148d01c6659b4de", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-64756"], "package": "glob", "rule_id": "GHSA-5j98-mcp5-4vw2", "scanner": "osv-scanner", "correlation_key": "vuln|glob|CVE-2025-64756|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rf6f-7fwh-wjgh", "level": "error", "message": {"text": "flatted: GHSA-rf6f-7fwh-wjgh"}, "properties": {"repobilityId": 66567, "scanner": "osv-scanner", "fingerprint": "bb0508d8b81791b93a087ab900f213d85cb4d8a9469875be9a0c401a10ba6490", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33228"], "package": "flatted", "rule_id": "GHSA-rf6f-7fwh-wjgh", "scanner": "osv-scanner", "correlation_key": "vuln|flatted|CVE-2026-33228|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-25h7-pfq9-p65f", "level": "error", "message": {"text": "flatted: GHSA-25h7-pfq9-p65f"}, "properties": {"repobilityId": 66566, "scanner": "osv-scanner", "fingerprint": "68dd2c69540d2eac4711f2087ccd7176bb1037726ae0451ddfe3dcae14fc6d75", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-32141"], "package": "flatted", "rule_id": "GHSA-25h7-pfq9-p65f", "scanner": "osv-scanner", "correlation_key": "vuln|flatted|CVE-2026-32141|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v39h-62p7-jpjc", "level": "error", "message": {"text": "fast-uri: GHSA-v39h-62p7-jpjc"}, "properties": {"repobilityId": 66565, "scanner": "osv-scanner", "fingerprint": "757ca37fe4ebddf5cdaa5c162265d6a31d93aef1fb513c46093294c58d5112ab", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-6322"], "package": "fast-uri", "rule_id": "GHSA-v39h-62p7-jpjc", "scanner": "osv-scanner", "correlation_key": "vuln|fast-uri|CVE-2026-6322|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q3j6-qgpj-74h6", "level": "error", "message": {"text": "fast-uri: GHSA-q3j6-qgpj-74h6"}, "properties": {"repobilityId": 66564, "scanner": "osv-scanner", "fingerprint": "25bb35258c39d7fb16dad079b84e7a9b4b5253e8dee49c1760d88494d1e449a6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-6321"], "package": "fast-uri", "rule_id": "GHSA-q3j6-qgpj-74h6", "scanner": "osv-scanner", "correlation_key": "vuln|fast-uri|CVE-2026-6321|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-737v-mqg7-c878", "level": "error", "message": {"text": "defu: GHSA-737v-mqg7-c878"}, "properties": {"repobilityId": 66562, "scanner": "osv-scanner", "fingerprint": "af606e9886cffaeede5516b5c778494cf847acee018be87081ce5243df80140f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-35209"], "package": "defu", "rule_id": "GHSA-737v-mqg7-c878", "scanner": "osv-scanner", "correlation_key": "vuln|defu|CVE-2026-35209|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-x6wf-f3px-wcqx", "level": "error", "message": {"text": "@xmldom/xmldom: GHSA-x6wf-f3px-wcqx"}, "properties": {"repobilityId": 66558, "scanner": "osv-scanner", "fingerprint": "c0f892c139bfd4e3348f362e745baf38b56e6953910dde5f826a86b96dc17653", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41675"], "package": "@xmldom/xmldom", "rule_id": "GHSA-x6wf-f3px-wcqx", "scanner": "osv-scanner", "correlation_key": "vuln|xmldom/xmldom|CVE-2026-41675|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-wh4c-j3r5-mjhp", "level": "error", "message": {"text": "@xmldom/xmldom: GHSA-wh4c-j3r5-mjhp"}, "properties": {"repobilityId": 66557, "scanner": "osv-scanner", "fingerprint": "db94dcf07b884daf08ec926465070f7f756d1520f6dc5cc08d6c7aecc02215c2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34601"], "package": "@xmldom/xmldom", "rule_id": "GHSA-wh4c-j3r5-mjhp", "scanner": "osv-scanner", "correlation_key": "vuln|xmldom/xmldom|CVE-2026-34601|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-j759-j44w-7fr8", "level": "error", "message": {"text": "@xmldom/xmldom: GHSA-j759-j44w-7fr8"}, "properties": {"repobilityId": 66556, "scanner": "osv-scanner", "fingerprint": "adbf58756e7176987a86c9d633b6754fa7e991a96c1763554be2ed2b350b3ff6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41672"], "package": "@xmldom/xmldom", "rule_id": "GHSA-j759-j44w-7fr8", "scanner": "osv-scanner", "correlation_key": "vuln|xmldom/xmldom|CVE-2026-41672|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f6ww-3ggp-fr8h", "level": "error", "message": {"text": "@xmldom/xmldom: GHSA-f6ww-3ggp-fr8h"}, "properties": {"repobilityId": 66555, "scanner": "osv-scanner", "fingerprint": "a8991a924dfa5b75da05017304e4acd96f5d5b83ea10960fc2ad6db74c9a17c8", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41674"], "package": "@xmldom/xmldom", "rule_id": "GHSA-f6ww-3ggp-fr8h", "scanner": "osv-scanner", "correlation_key": "vuln|xmldom/xmldom|CVE-2026-41674|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2v35-w6hq-6mfw", "level": "error", "message": {"text": "@xmldom/xmldom: GHSA-2v35-w6hq-6mfw"}, "properties": {"repobilityId": 66554, "scanner": "osv-scanner", "fingerprint": "611a284af499c2f75b689db4a9cf087c74833ffac8b9963a5d0d14fbde1eedee", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41673"], "package": "@xmldom/xmldom", "rule_id": "GHSA-2v35-w6hq-6mfw", "scanner": "osv-scanner", "correlation_key": "vuln|xmldom/xmldom|CVE-2026-41673|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-fv7c-fp4j-7gwp", "level": "error", "message": {"text": "@babel/plugin-transform-modules-systemjs: GHSA-fv7c-fp4j-7gwp"}, "properties": {"repobilityId": 66553, "scanner": "osv-scanner", "fingerprint": "3d3773bb1af5a0c0e60d23b512f02a6252315be1cd87814fbe02b27ce5eea5ee", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44728"], "package": "@babel/plugin-transform-modules-systemjs", "rule_id": "GHSA-fv7c-fp4j-7gwp", "scanner": "osv-scanner", "correlation_key": "vuln|token|CVE-2026-44728|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC002", "level": "error", "message": {"text": "Compose service uses host networking"}, "properties": {"repobilityId": 66550, "scanner": "repobility-docker", "fingerprint": "64be3e3847a41dab31e3127ca79464049c76e5bdbe8af73847b55f63686658c8", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "network_mode: host was set on the service.", "evidence": {"rule_id": "DKC002", "scanner": "repobility-docker", "service": "cypress", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|64be3e3847a41dab31e3127ca79464049c76e5bdbe8af73847b55f63686658c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKR001", "level": "error", "message": {"text": "Docker final stage runs as root"}, "properties": {"repobilityId": 66546, "scanner": "repobility-docker", "fingerprint": "95a09551cdf4a1df7573ef8d4844755f7494c4fa745124e69d305f66b30766c3", "category": "docker", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Final Dockerfile USER resolves to root.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_user": "0:0", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|95a09551cdf4a1df7573ef8d4844755f7494c4fa745124e69d305f66b30766c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 66545, "scanner": "repobility-threat-engine", "fingerprint": "efade5a3a4374f520f3b9bfa0ae4379be6dc2baada9ca47444a7bb8954babf06", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(tokenType", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|efade5a3a4374f520f3b9bfa0ae4379be6dc2baada9ca47444a7bb8954babf06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/parser/src/language/common/tokenBuilder.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 66544, "scanner": "repobility-threat-engine", "fingerprint": "32311b7fa7c188701558b2451e05d1f99879507530ee304b98bf1dffb6723b89", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|32311b7fa7c188701558b2451e05d1f99879507530ee304b98bf1dffb6723b89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagrams/treeView/db.ts"}, "region": {"startLine": 61}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 66533, "scanner": "repobility-threat-engine", "fingerprint": "bb83690fafcf114eee695ae843b3550383511d660965c6682671cab2f513989a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bb83690fafcf114eee695ae843b3550383511d660965c6682671cab2f513989a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagrams/er/erDb.ts"}, "region": {"startLine": 179}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 66532, "scanner": "repobility-threat-engine", "fingerprint": "b68bf2b78f7dc3e796fdc5f6409e9e119512955c34ccb6f6737259329088f578", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b68bf2b78f7dc3e796fdc5f6409e9e119512955c34ccb6f6737259329088f578"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagrams/class/classTypes.ts"}, "region": {"startLine": 85}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 66531, "scanner": "repobility-threat-engine", "fingerprint": "92eab6e6ec7e4ec9824e76548ff1ce4ae9e23c7fa6ce170dff7e81797f55487e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(attrib", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|92eab6e6ec7e4ec9824e76548ff1ce4ae9e23c7fa6ce170dff7e81797f55487e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagrams/block/blockDB.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC027", "level": "error", "message": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "properties": {"repobilityId": 66507, "scanner": "repobility-threat-engine", "fingerprint": "378dc5f7ab512655532823538000965ef46f10c314bd7689ae9619a6338e9c4d", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new DOMParser()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC027", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|378dc5f7ab512655532823538000965ef46f10c314bd7689ae9619a6338e9c4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid-local-editor/static/js/renderer.js"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 66506, "scanner": "repobility-threat-engine", "fingerprint": "b1aaf553505462c7438fc6c2e670e62d4d2df0ed21c72089b5e3cc575d23bcfd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "storage.create(name);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b1aaf553505462c7438fc6c2e670e62d4d2df0ed21c72089b5e3cc575d23bcfd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid-local-editor/static/js/ui.js"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 66505, "scanner": "repobility-threat-engine", "fingerprint": "70186933789d8bc1bf065072ab054ae3faedbc03addf8d151fda64d149c05c8f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url.searchParams.delete('path');", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|70186933789d8bc1bf065072ab054ae3faedbc03addf8d151fda64d149c05c8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".esbuild/dev-explorer/explorer-app.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 66503, "scanner": "repobility-threat-engine", "fingerprint": "10794b754f65dae9cfbd92940a60bbe2cb8f45de7215b4d9119740c30245170e", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(b", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|10794b754f65dae9cfbd92940a60bbe2cb8f45de7215b4d9119740c30245170e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid-local-editor/static/js/ui.js"}, "region": {"startLine": 74}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 66502, "scanner": "repobility-threat-engine", "fingerprint": "10d08becaaca7d6198135fb6a0865a4d3d713d23be0925a6243babf2faafefbe", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(i", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|10d08becaaca7d6198135fb6a0865a4d3d713d23be0925a6243babf2faafefbe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".vite/jsonSchemaPlugin.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 66501, "scanner": "repobility-threat-engine", "fingerprint": "c365363f27ea34a97dfd864a07e5af4bcccb83e17d94461058f12aefca3d618c", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(w", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c365363f27ea34a97dfd864a07e5af4bcccb83e17d94461058f12aefca3d618c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".esbuild/dev-explorer/explorer-app.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 66494, "scanner": "repobility-threat-engine", "fingerprint": "724231344a0c19d3e5dea7f47d3b1db3dcc943e3b69692a2fefff8b53485c0d0", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((e) => `${e.id}:${e.src}->${e.dst}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|724231344a0c19d3e5dea7f47d3b1db3dcc943e3b69692a2fefff8b53485c0d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/rendering-util/layout-algorithms/swimlanes/phase1.cycles.ts"}, "region": {"startLine": 56}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 66493, "scanner": "repobility-threat-engine", "fingerprint": "e54aee2be7a7b63f6a135cc77962d7b5297859e4d19363a093b3bbeaf31e09b2", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((p) => `${p.x},${p.y}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e54aee2be7a7b63f6a135cc77962d7b5297859e4d19363a093b3bbeaf31e09b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagrams/radar/renderer.ts"}, "region": {"startLine": 169}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 66492, "scanner": "repobility-threat-engine", "fingerprint": "357d69a8d4c2371e3a6eb4333429cf17f3a2b4f6fd8063b59451986ef67c8361", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((l) => `[${formatTs(l.ts)}] ${displayLevel(l).toUpperCase()} ${l.message}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|357d69a8d4c2371e3a6eb4333429cf17f3a2b4f6fd8063b59451986ef67c8361"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".esbuild/dev-explorer/console-panel.ts"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `cypress/browsers:node-20.16.0-chrome-127.0.6533.88-1-ff-128.0.3-edge-127.0.2651.74-1` unpinned"}, "properties": {"repobilityId": 66457, "scanner": "repobility-supply-chain", "fingerprint": "54348ff2580908e5df9ed59ea5690c2d840549a44d1c119d5a446d272342db49", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|54348ff2580908e5df9ed59ea5690c2d840549a44d1c119d5a446d272342db49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-timings.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `cypress/browsers:node-20.16.0-chrome-127.0.6533.88-1-ff-128.0.3-edge-127.0.2651.74-1` unpinned"}, "properties": {"repobilityId": 66456, "scanner": "repobility-supply-chain", "fingerprint": "3ebbdb6796ca2b9635b0a70578e548035b88c5e010a112bef15a89a354f91026", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3ebbdb6796ca2b9635b0a70578e548035b88c5e010a112bef15a89a354f91026"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e.yml"}, "region": {"startLine": 161}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `cypress/browsers:node-20.16.0-chrome-127.0.6533.88-1-ff-128.0.3-edge-127.0.2651.74-1` unpinned"}, "properties": {"repobilityId": 66455, "scanner": "repobility-supply-chain", "fingerprint": "fe1c084f75e93abb2c84d2479a447638f4a895fac9309c36a6f44acb592f2ebe", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fe1c084f75e93abb2c84d2479a447638f4a895fac9309c36a6f44acb592f2ebe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/github-script` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 66454, "scanner": "repobility-supply-chain", "fingerprint": "70e511238e18380f4b83d4c4ec477d3cd5eb771eb12eaa5d17b6fae3710c1e0d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|70e511238e18380f4b83d4c4ec477d3cd5eb771eb12eaa5d17b6fae3710c1e0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/validate-lockfile.yml"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 66453, "scanner": "repobility-supply-chain", "fingerprint": "a7d9e8dea2d211bdad35f6bee6cad3563c922041930d86e8812229a1f51e17e9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a7d9e8dea2d211bdad35f6bee6cad3563c922041930d86e8812229a1f51e17e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/validate-lockfile.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /dev/api/sizes has no auth"}, "properties": {"repobilityId": 66452, "scanner": "repobility-route-auth", "fingerprint": "7e087b005c2feeb1a9596f47e439b0c14aee05d191f1a1a7f8d468cd0d79949a", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|7e087b005c2feeb1a9596f47e439b0c14aee05d191f1a1a7f8d468cd0d79949a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".esbuild/server.ts"}, "region": {"startLine": 432}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express PUT /dev/api/file has no auth"}, "properties": {"repobilityId": 66451, "scanner": "repobility-route-auth", "fingerprint": "97921a358be4d9a976344fa6c711dae904f5cc8fbfccbe19f9fc443d9dd07d4b", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|97921a358be4d9a976344fa6c711dae904f5cc8fbfccbe19f9fc443d9dd07d4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".esbuild/server.ts"}, "region": {"startLine": 405}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /dev/api/file has no auth"}, "properties": {"repobilityId": 66450, "scanner": "repobility-route-auth", "fingerprint": "6086451bfe0af8a6fe1a909f5d2fc232ce308f595c2d752e2b2f3db69c33d7ac", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|6086451bfe0af8a6fe1a909f5d2fc232ce308f595c2d752e2b2f3db69c33d7ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".esbuild/server.ts"}, "region": {"startLine": 370}}}]}, {"ruleId": "GHSA-5xrq-8626-4rwp", "level": "error", "message": {"text": "vitest: GHSA-5xrq-8626-4rwp"}, "properties": {"repobilityId": 66607, "scanner": "osv-scanner", "fingerprint": "0806fec4420135fab4b0c94dfe4a59c4faf5e0da4ecef5e379ff15a3f669b383", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47429"], "package": "vitest", "rule_id": "GHSA-5xrq-8626-4rwp", "scanner": "osv-scanner", "correlation_key": "vuln|vitest|CVE-2026-47429|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 66552, "scanner": "gitleaks", "fingerprint": "c589b6b9af673afd7f66c3a0329e07d5d459533b04df526f1de1693470ae4bb6", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "token: <redacted>", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|.github/workflows/e2e.yml|23|token: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e.yml"}, "region": {"startLine": 240}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 66551, "scanner": "gitleaks", "fingerprint": "0d6612a35fb04e11ae1a628af94382ab37a2d150521a547792b9e5d4031d6966", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "token: <redacted>", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|.github/workflows/test.yml|5|token: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 66526, "scanner": "repobility-threat-engine", "fingerprint": "6c5d700e53b4c73273f968c4ae2b2a65268469de8cc4930c72b7853667a90e56", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6c5d700e53b4c73273f968c4ae2b2a65268469de8cc4930c72b7853667a90e56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagrams/kanban/kanbanDb.ts"}, "region": {"startLine": 129}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 66525, "scanner": "repobility-threat-engine", "fingerprint": "c629793922fb05edc8354794036742ca179d2f79d82f21ea510133379167e2d2", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c629793922fb05edc8354794036742ca179d2f79d82f21ea510133379167e2d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagram-api/frontmatter.ts"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC116", "level": "error", "message": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "properties": {"repobilityId": 66524, "scanner": "repobility-threat-engine", "fingerprint": "115286f6aa5a70474a6d645c7a28f3f1567191dc164dda839929245747f790d1", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|129|sec116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagrams/kanban/kanbanDb.ts"}, "region": {"startLine": 129}}}]}, {"ruleId": "SEC116", "level": "error", "message": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "properties": {"repobilityId": 66523, "scanner": "repobility-threat-engine", "fingerprint": "ccc0f315d6efeadd05cf6e678ba840284c73780d221973741da4c38e341153c7", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|43|sec116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagram-api/frontmatter.ts"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC079", "level": "error", "message": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "properties": {"repobilityId": 66522, "scanner": "repobility-threat-engine", "fingerprint": "ae843fe2f9a5dd4d1a47c28d2d0d6ec67cd37dd3a756bad2c92eb672f777ad64", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(yamlData, { schema: yaml.JSON_SCHEMA })", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC079", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ae843fe2f9a5dd4d1a47c28d2d0d6ec67cd37dd3a756bad2c92eb672f777ad64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagrams/kanban/kanbanDb.ts"}, "region": {"startLine": 129}}}]}, {"ruleId": "SEC079", "level": "error", "message": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "properties": {"repobilityId": 66521, "scanner": "repobility-threat-engine", "fingerprint": "b90ae014ab8eb552796ec232c02b841ccf8c4674ec7299d4b8489db744da0f87", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(yamlBody, {\n      // To support config, we need JSON schema.\n      // https://www.yaml.org", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC079", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b90ae014ab8eb552796ec232c02b841ccf8c4674ec7299d4b8489db744da0f87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/src/diagram-api/frontmatter.ts"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED005", "level": "error", "message": {"text": "[MINED005] Lua Loadstring: loadstring/load executes Lua code. Code injection."}, "properties": {"repobilityId": 66515, "scanner": "repobility-threat-engine", "fingerprint": "938a30b70f75beee980dda89935671c29272ecf60f450b15baf046a4d938ad96", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "lua-loadstring", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["lua"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347908+00:00", "triaged_in_corpus": 20, "observations_count": 291730, "ai_coder_pattern_id": 169}, "scanner": "repobility-threat-engine", "correlation_key": "fp|938a30b70f75beee980dda89935671c29272ecf60f450b15baf046a4d938ad96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mermaid/scripts/create-types-from-json-schema.mts"}, "region": {"startLine": 43}}}]}]}]}