{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "GHSA-48c2-rrv3-qjmp", "name": "yaml: GHSA-48c2-rrv3-qjmp", "shortDescription": {"text": "yaml: GHSA-48c2-rrv3-qjmp"}, "fullDescription": {"text": "yaml is vulnerable to Stack Overflow via deeply nested YAML collections"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4w7w-66w2-5vf9", "name": "vite: GHSA-4w7w-66w2-5vf9", "shortDescription": {"text": "vite: GHSA-4w7w-66w2-5vf9"}, "fullDescription": {"text": "Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v3rj-xjv7-4jmq", "name": "smol-toml: GHSA-v3rj-xjv7-4jmq", "shortDescription": {"text": "smol-toml: 
GHSA-v3rj-xjv7-4jmq"}, "fullDescription": {"text": "smol-toml: Denial of Service via TOML documents containing thousands of consecutive commented lines"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qx2v-qp2m-jg93", "name": "postcss: GHSA-qx2v-qp2m-jg93", "shortDescription": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "fullDescription": {"text": "PostCSS has XSS via Unescaped </style> in its CSS Stringify Output"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3v7f-55p6-f55p", "name": "picomatch: GHSA-3v7f-55p6-f55p", "shortDescription": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "fullDescription": {"text": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xxjr-mmjv-4gpg", "name": "lodash: GHSA-xxjr-mmjv-4gpg", "shortDescription": {"text": "lodash: GHSA-xxjr-mmjv-4gpg"}, "fullDescription": {"text": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f23m-r3pf-42rh", "name": "lodash: GHSA-f23m-r3pf-42rh", "shortDescription": {"text": "lodash: GHSA-f23m-r3pf-42rh"}, "fullDescription": {"text": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-wr4h-v87w-p3r7", "name": "h3: GHSA-wr4h-v87w-p3r7", "shortDescription": {"text": "h3: GHSA-wr4h-v87w-p3r7"}, "fullDescription": {"text": "h3 has a Path Traversal via 
Percent-Encoded Dot Segments in serveStatic Allows Arbitrary File Read"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-72gr-qfp7-vwhw", "name": "h3: GHSA-72gr-qfp7-vwhw", "shortDescription": {"text": "h3: GHSA-72gr-qfp7-vwhw"}, "fullDescription": {"text": "h3: Double Decoding in `serveStatic` Bypasses `resolveDotSegments` Path Traversal Protection via `%252e%252e`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4hxc-9384-m385", "name": "h3: GHSA-4hxc-9384-m385", "shortDescription": {"text": "h3: GHSA-4hxc-9384-m385"}, "fullDescription": {"text": "h3: SSE Event Injection via Unsanitized Carriage Return (`\\r`) in EventStream Data and Comment Fields (Bypass of CVE Fix)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-cfw5-2vxh-hr84", "name": "devalue: GHSA-cfw5-2vxh-hr84", "shortDescription": {"text": "devalue: GHSA-cfw5-2vxh-hr84"}, "fullDescription": {"text": "devalue has prototype pollution in devalue.parse and devalue.unflatten"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-j687-52p2-xcff", "name": "astro: GHSA-j687-52p2-xcff", "shortDescription": {"text": "astro: GHSA-j687-52p2-xcff"}, "fullDescription": {"text": "Astro: XSS in define:vars via incomplete </script> tag sanitization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-58qx-3vcg-4xpx", "name": "ws: GHSA-58qx-3vcg-4xpx", "shortDescription": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "fullDescription": {"text": "ws: Uninitialized memory disclosure"}, "properties": {"scanner": "osv-scanner", "category": 
"dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-phc3-fgpg-7m6h", "name": "undici: GHSA-phc3-fgpg-7m6h", "shortDescription": {"text": "undici: GHSA-phc3-fgpg-7m6h"}, "fullDescription": {"text": "Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4992-7rv2-5pvq", "name": "undici: GHSA-4992-7rv2-5pvq", "shortDescription": {"text": "undici: GHSA-4992-7rv2-5pvq"}, "fullDescription": {"text": "Undici has CRLF Injection in undici via `upgrade` option"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2mjp-6q6p-2qxm", "name": "undici: GHSA-2mjp-6q6p-2qxm", "shortDescription": {"text": "undici: GHSA-2mjp-6q6p-2qxm"}, "fullDescription": {"text": "Undici has an HTTP Request/Response Smuggling issue"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f22v-gfqf-p8f3", "name": "react-router: GHSA-f22v-gfqf-p8f3", "shortDescription": {"text": "react-router: GHSA-f22v-gfqf-p8f3"}, "fullDescription": {"text": "React Router has stored XSS via unescaped Location header in prerendered redirect HTML"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2j2x-hqr9-3h42", "name": "react-router: GHSA-2j2x-hqr9-3h42", "shortDescription": {"text": "react-router: GHSA-2j2x-hqr9-3h42"}, "fullDescription": {"text": "React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": 
"", "owasp": ""}}, {"id": "GHSA-q8mj-m7cp-5q26", "name": "qs: GHSA-q8mj-m7cp-5q26", "shortDescription": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "fullDescription": {"text": "qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v2v4-37r5-5v8g", "name": "ip-address: GHSA-v2v4-37r5-5v8g", "shortDescription": {"text": "ip-address: GHSA-v2v4-37r5-5v8g"}, "fullDescription": {"text": "ip-address has XSS in Address6 HTML-emitting methods"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xrhx-7g5j-rcj5", "name": "hono: GHSA-xrhx-7g5j-rcj5", "shortDescription": {"text": "hono: GHSA-xrhx-7g5j-rcj5"}, "fullDescription": {"text": "Hono: IP Restriction bypasses static deny rules for non-canonical IPv6 "}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xpcf-pg52-r92g", "name": "hono: GHSA-xpcf-pg52-r92g", "shortDescription": {"text": "hono: GHSA-xpcf-pg52-r92g"}, "fullDescription": {"text": "Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xf4j-xp2r-rqqx", "name": "hono: GHSA-xf4j-xp2r-rqqx", "shortDescription": {"text": "hono: GHSA-xf4j-xp2r-rqqx"}, "fullDescription": {"text": "Hono: Path traversal in toSSG() allows writing files outside the output directory"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-wmmm-f939-6g9c", "name": "hono: GHSA-wmmm-f939-6g9c", 
"shortDescription": {"text": "hono: GHSA-wmmm-f939-6g9c"}, "fullDescription": {"text": "Hono: Middleware bypass via repeated slashes in serveStatic"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r5rp-j6wh-rvv4", "name": "hono: GHSA-r5rp-j6wh-rvv4", "shortDescription": {"text": "hono: GHSA-r5rp-j6wh-rvv4"}, "fullDescription": {"text": "Hono: Non-breaking space prefix bypass in cookie name handling in getCookie()"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qp7p-654g-cw7p", "name": "hono: GHSA-qp7p-654g-cw7p", "shortDescription": {"text": "hono: GHSA-qp7p-654g-cw7p"}, "fullDescription": {"text": "Hono has CSS Declaration Injection via Style Object Values in JSX SSR"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-p77w-8qqv-26rm", "name": "hono: GHSA-p77w-8qqv-26rm", "shortDescription": {"text": "hono: GHSA-p77w-8qqv-26rm"}, "fullDescription": {"text": "Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f577-qrjj-4474", "name": "hono: GHSA-f577-qrjj-4474", "shortDescription": {"text": "hono: GHSA-f577-qrjj-4474"}, "fullDescription": {"text": "Hono: JWT middleware accepts any Authorization scheme, not only Bearer"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9vqf-7f2p-gf9v", "name": "hono: GHSA-9vqf-7f2p-gf9v", "shortDescription": {"text": "hono: GHSA-9vqf-7f2p-gf9v"}, "fullDescription": {"text": "Hono: bodyLimit() can be bypassed for chunked / unknown-length 
requests"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-69xw-7hcm-h432", "name": "hono: GHSA-69xw-7hcm-h432", "shortDescription": {"text": "hono: GHSA-69xw-7hcm-h432"}, "fullDescription": {"text": "hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-458j-xx4x-4375", "name": "hono: GHSA-458j-xx4x-4375", "shortDescription": {"text": "hono: GHSA-458j-xx4x-4375"}, "fullDescription": {"text": "hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3hrh-pfw6-9m5x", "name": "hono: GHSA-3hrh-pfw6-9m5x", "shortDescription": {"text": "hono: GHSA-3hrh-pfw6-9m5x"}, "fullDescription": {"text": "Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2gcr-mfcq-wcc3", "name": "hono: GHSA-2gcr-mfcq-wcc3", "shortDescription": {"text": "hono: GHSA-2gcr-mfcq-wcc3"}, "fullDescription": {"text": "Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-26pp-8wgv-hjvm", "name": "hono: GHSA-26pp-8wgv-hjvm", "shortDescription": {"text": "hono: GHSA-26pp-8wgv-hjvm"}, "fullDescription": {"text": "Hono missing validation of cookie name on write path in setCookie()"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", 
"confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r4q5-vmmm-2653", "name": "follow-redirects: GHSA-r4q5-vmmm-2653", "shortDescription": {"text": "follow-redirects: GHSA-r4q5-vmmm-2653"}, "fullDescription": {"text": "follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-67mh-4wv8-2f99", "name": "esbuild: GHSA-67mh-4wv8-2f99", "shortDescription": {"text": "esbuild: GHSA-67mh-4wv8-2f99"}, "fullDescription": {"text": "esbuild enables any website to send any requests to the development server and read the response"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-92pp-h63x-v22m", "name": "@hono/node-server: GHSA-92pp-h63x-v22m", "shortDescription": {"text": "@hono/node-server: GHSA-92pp-h63x-v22m"}, "fullDescription": {"text": "@hono/node-server: Middleware bypass via repeated slashes in serveStatic"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7gmj-67g7-phm9", "name": "tauri: GHSA-7gmj-67g7-phm9", "shortDescription": {"text": "tauri: GHSA-7gmj-67g7-phm9"}, "fullDescription": {"text": "Tauri has an Origin Confusion Issue that Allows Remote Pages to Invoke Local-Only IPC Commands"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3pv8-6f4r-ffg2", "name": "tar: GHSA-3pv8-6f4r-ffg2", "shortDescription": {"text": "tar: GHSA-3pv8-6f4r-ffg2"}, "fullDescription": {"text": "tar has a PAX header desynchronization issue"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xv59-967r-8726", 
"name": "openssl: GHSA-xv59-967r-8726", "shortDescription": {"text": "openssl: GHSA-xv59-967r-8726"}, "fullDescription": {"text": "rust-openssl vulnerable to heap buffer overflow when encrypting with AES key-wrap-with-padding"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-phqj-4mhp-q6mq", "name": "openssl: GHSA-phqj-4mhp-q6mq", "shortDescription": {"text": "openssl: GHSA-phqj-4mhp-q6mq"}, "fullDescription": {"text": "rust-openssl: Potential out-of-bounds write in `CipherCtxRef::cipher_update_inplace` for AES-KW-PAD ciphers"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `yep-sandbox` image has no explicit tag", "shortDescription": {"text": "Compose service `yep-sandbox` image has no explicit tag"}, "fullDescription": {"text": "Images without explicit tags resolve to a mutable default tag, which weakens reproducibility and review."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 15 (SonarSource scale). Cognitive complexi", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 15 (SonarSource scale). 
Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weig"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 15."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC091", "name": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnera", "shortDescription": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "fullDescription": {"text": "Construct `&http.Server{Addr: ..., ReadHeaderTimeout: 5*time.Second, ReadTimeout: 10*time.Second, WriteTimeout: 30*time.Second}`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC046", "name": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supp", "shortDescription": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. 
If that endpoint is ever subverted (compromis"}, "fullDescription": {"text": "Validate the URL is same-origin or on an explicit allowlist before assignment:\n  const u = new URL(serverUrl, location.href);\n  if (u.origin !== location.origin && !ALLOWED.includes(u.host)) return;\n  location.assign(u);\nEven better: have the server return a path (/checkout/done) instead of a full URL, and only allow same-origin navigation."}, "properties": {"scanner": "repobility-threat-engine", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 0.45, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AGT016", "name": "Codex session log reader may expose prompts or tool-call content", "shortDescription": {"text": "Codex session log reader may expose prompts or tool-call content"}, "fullDescription": {"text": "Codex session JSONL files can contain prompts, tool events, paths, and operational metadata, not only token counts. 
Token dashboards and exporters should avoid retaining or sharing raw session text."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.73, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "localStorage quotas are small and writes can fail. 
Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AGT013", "name": "Agent auto-approve or skip-permissions mode is easy to enable", "shortDescription": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "fullDescription": {"text": "Codex/agent auto-approve, YOLO, or skip-permissions modes can be useful in isolated automation, but they remove the human checkpoint before command execution, network access, and file edits."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `shiki` is 1 major version(s) behind (3.23.0 -> 4.2.0)", "shortDescription": {"text": "npm package `shiki` is 1 major version(s) behind (3.23.0 -> 4.2.0)"}, "fullDescription": {"text": "`shiki` is pinned/resolved at 3.23.0 but the latest stable release on the npm registry is 4.2.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "Bare except continues silently", "shortDescription": {"text": "Bare except continues silently"}, "fullDescription": {"text": "Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. 
Without one, important docs and product pages are easy to miss."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Public websites should publish a robots.txt file so crawlers and AI agents can discover crawl rules and sitemap locations without guessing."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "GHSA-mwv9-gp5h-frr4", "name": "devalue: GHSA-mwv9-gp5h-frr4", "shortDescription": {"text": "devalue: GHSA-mwv9-gp5h-frr4"}, "fullDescription": {"text": "Sveltejs devalue's `devalue.parse` and `devalue.unflatten` emit objects with `__proto__` own properties"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xr5h-phrj-8vxv", "name": "astro: GHSA-xr5h-phrj-8vxv", "shortDescription": {"text": "astro: GHSA-xr5h-phrj-8vxv"}, "fullDescription": {"text": "Astro: Server island encrypted parameters vulnerable to cross-component replay"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-g735-7g2w-hh3f", "name": "astro: GHSA-g735-7g2w-hh3f", "shortDescription": {"text": "astro: GHSA-g735-7g2w-hh3f"}, "fullDescription": {"text": "Astro: Remote allowlist bypass via unanchored matchPathname wildcard"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-hm8q-7f3q-5f36", "name": "hono: GHSA-hm8q-7f3q-5f36", "shortDescription": {"text": "hono: GHSA-hm8q-7f3q-5f36"}, "fullDescription": {"text": "Hono has improper validation of NumericDate claims (exp, nbf, 
iat) in JWT verify()"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xmgf-hq76-4vx2", "name": "openssl: GHSA-xmgf-hq76-4vx2", "shortDescription": {"text": "openssl: GHSA-xmgf-hq76-4vx2"}, "fullDescription": {"text": "rust-openssl has an Out-of-bounds read in PEM password callback when returning an oversized length"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Installing recommended packages often pulls in unnecessary runtime surface area."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "ERR003", "name": "[ERR003] Ignored Error (Go): Ignoring error return values.", "shortDescription": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "fullDescription": {"text": "Handle the error or use errcheck linter."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of 
innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Files named as final, fixed, copy, new, or backup are often temporary patch artifacts. They may be legitimate, but they deserve review before becoming production surface area."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "AIC009", "name": "Multiple AI-agent scaffold marker files are present", "shortDescription": {"text": "Multiple AI-agent scaffold marker files are present"}, "fullDescription": {"text": "Repositories with several agent instruction, progress, or completion marker files are often generated scaffolds. They are not automatically wrong, but they deserve a reachability and ownership review before users treat the code as production-ready."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_LICENSE", "name": "No LICENSE file", "shortDescription": {"text": "No LICENSE file"}, "fullDescription": {"text": "Add a LICENSE file to your repository. 
Use choosealicense.com to pick the right license (MIT for permissive, Apache 2.0 for patent protection, GPL for copyleft)."}, "properties": {"scanner": "repobility-core", "category": "documentation", "severity": "low", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "MINED055", "name": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of ", "shortDescription": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1357 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 1 more): Same pattern found in 1 additional fil", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 1 more): Same pattern found in 1 additional files. 
Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 6 more): Same pattern found in 6 additional files. ", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED031", "name": "[MINED031] React Direct State Mutation (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[MINED031] React Direct State Mutation (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED065", "name": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. 
Acceptable for public re", "shortDescription": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-942, CWE-346 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED060", "name": "[MINED060] Go Context No Cancel (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED060] Go Context No Cancel (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED068", "name": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside.", "shortDescription": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-119 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal (and 1 more): Same pattern found in 1 additional files. 
Review if needed."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order.", "shortDescription": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 20 more): Same pattern found in 20 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 6 more): Same pattern found in 6 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 6 more): Same pattern found in 6 additional files. 
Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED058] React Dangerously Set Html (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 29 more): Same pattern found in 29 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 29 more): Same pattern found in 29 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16.\nApply the block to the IP address the hostname resolves to, and also cover loopback (127/8) and the IPv6 equivalents."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 74 more): Same pattern found in 74 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 74 more): Same pattern found in 74 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Settings screens sometimes render API keys, tokens, or passwords back into HTML/JSX password fields. That still exposes the secret to page source, browser extensions, screenshots, and DOM scraping."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "GHSA-p9ff-h696-f583", "name": "vite: GHSA-p9ff-h696-f583", "shortDescription": {"text": "vite: GHSA-p9ff-h696-f583"}, "fullDescription": {"text": "Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xpqw-6gx7-v673", "name": "svgo: GHSA-xpqw-6gx7-v673", "shortDescription": {"text": "svgo: GHSA-xpqw-6gx7-v673"}, "fullDescription": {"text": "SVGO DoS through entity expansion in DOCTYPE (Billion Laughs)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c2c7-rcm5-vvqj", "name": "picomatch: GHSA-c2c7-rcm5-vvqj", "shortDescription": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "fullDescription": {"text": "Picomatch has a ReDoS vulnerability via extglob quantifiers"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r5fr-rjxr-66jc", "name": "lodash: GHSA-r5fr-rjxr-66jc", "shortDescription": {"text": "lodash: 
GHSA-r5fr-rjxr-66jc"}, "fullDescription": {"text": "lodash vulnerable to Code Injection via `_.template` imports key names"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-22cc-p3c6-wpvm", "name": "h3: GHSA-22cc-p3c6-wpvm", "shortDescription": {"text": "h3: GHSA-22cc-p3c6-wpvm"}, "fullDescription": {"text": "h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v39h-62p7-jpjc", "name": "fast-uri: GHSA-v39h-62p7-jpjc", "shortDescription": {"text": "fast-uri: GHSA-v39h-62p7-jpjc"}, "fullDescription": {"text": "fast-uri vulnerable to host confusion via percent-encoded authority delimiters"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q3j6-qgpj-74h6", "name": "fast-uri: GHSA-q3j6-qgpj-74h6", "shortDescription": {"text": "fast-uri: GHSA-q3j6-qgpj-74h6"}, "fullDescription": {"text": "fast-uri vulnerable to path traversal via percent-encoded dot segments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-77vg-94rm-hx3p", "name": "devalue: GHSA-77vg-94rm-hx3p", "shortDescription": {"text": "devalue: GHSA-77vg-94rm-hx3p"}, "fullDescription": {"text": "Svelte devalue: DoS via sparse array deserialization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-737v-mqg7-c878", "name": "defu: GHSA-737v-mqg7-c878", "shortDescription": {"text": "defu: GHSA-737v-mqg7-c878"}, "fullDescription": {"text": "defu: Prototype pollution via `__proto__` key in defaults argument"}, "properties": {"scanner": "osv-scanner", 
"category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-vrm6-8vpv-qv8q", "name": "undici: GHSA-vrm6-8vpv-qv8q", "shortDescription": {"text": "undici: GHSA-vrm6-8vpv-qv8q"}, "fullDescription": {"text": "Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v9p9-hfj2-hcw8", "name": "undici: GHSA-v9p9-hfj2-hcw8", "shortDescription": {"text": "undici: GHSA-v9p9-hfj2-hcw8"}, "fullDescription": {"text": "Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f269-vfmq-vjvj", "name": "undici: GHSA-f269-vfmq-vjvj", "shortDescription": {"text": "undici: GHSA-f269-vfmq-vjvj"}, "fullDescription": {"text": "Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v2wj-q39q-566r", "name": "vite: GHSA-v2wj-q39q-566r", "shortDescription": {"text": "vite: GHSA-v2wj-q39q-566r"}, "fullDescription": {"text": "Vite: `server.fs.deny` bypassed with queries"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rxv8-25v2-qmq8", "name": "react-router: GHSA-rxv8-25v2-qmq8", "shortDescription": {"text": "react-router: GHSA-rxv8-25v2-qmq8"}, "fullDescription": {"text": "React Router vulnerable to Denial of Service via reflected user input in single-fetch"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": 
"GHSA-8x6r-g9mw-2r78", "name": "react-router: GHSA-8x6r-g9mw-2r78", "shortDescription": {"text": "react-router: GHSA-8x6r-g9mw-2r78"}, "fullDescription": {"text": "React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8646-j5j9-6r62", "name": "react-router: GHSA-8646-j5j9-6r62", "shortDescription": {"text": "react-router: GHSA-8646-j5j9-6r62"}, "fullDescription": {"text": "React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-49rj-9fvp-4h2h", "name": "react-router: GHSA-49rj-9fvp-4h2h", "shortDescription": {"text": "react-router: GHSA-49rj-9fvp-4h2h"}, "fullDescription": {"text": "React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2025-0098", "name": "unic-ucd-version: RUSTSEC-2025-0098", "shortDescription": {"text": "unic-ucd-version: RUSTSEC-2025-0098"}, "fullDescription": {"text": "`unic-ucd-version` is unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2025-0100", "name": "unic-ucd-ident: RUSTSEC-2025-0100", "shortDescription": {"text": "unic-ucd-ident: RUSTSEC-2025-0100"}, "fullDescription": {"text": "`unic-ucd-ident` is unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2025-0080", "name": "unic-common: RUSTSEC-2025-0080", "shortDescription": 
{"text": "unic-common: RUSTSEC-2025-0080"}, "fullDescription": {"text": "`unic-common` is unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2025-0075", "name": "unic-char-range: RUSTSEC-2025-0075", "shortDescription": {"text": "unic-char-range: RUSTSEC-2025-0075"}, "fullDescription": {"text": "`unic-char-range` is unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2025-0081", "name": "unic-char-property: RUSTSEC-2025-0081", "shortDescription": {"text": "unic-char-property: RUSTSEC-2025-0081"}, "fullDescription": {"text": "`unic-char-property` is unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2024-0370", "name": "proc-macro-error: RUSTSEC-2024-0370", "shortDescription": {"text": "proc-macro-error: RUSTSEC-2024-0370"}, "fullDescription": {"text": "proc-macro-error is unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2024-0419", "name": "gtk3-macros: RUSTSEC-2024-0419", "shortDescription": {"text": "gtk3-macros: RUSTSEC-2024-0419"}, "fullDescription": {"text": "gtk-rs GTK3 bindings - no longer maintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2024-0420", "name": "gtk-sys: RUSTSEC-2024-0420", "shortDescription": {"text": "gtk-sys: RUSTSEC-2024-0420"}, "fullDescription": {"text": "gtk-rs GTK3 bindings - no longer maintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2024-0415", "name": "gtk: 
RUSTSEC-2024-0415", "shortDescription": {"text": "gtk: RUSTSEC-2024-0415"}, "fullDescription": {"text": "gtk-rs GTK3 bindings - no longer maintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2024-0414", "name": "gdkx11-sys: RUSTSEC-2024-0414", "shortDescription": {"text": "gdkx11-sys: RUSTSEC-2024-0414"}, "fullDescription": {"text": "gtk-rs GTK3 bindings - no longer maintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2024-0417", "name": "gdkx11: RUSTSEC-2024-0417", "shortDescription": {"text": "gdkx11: RUSTSEC-2024-0417"}, "fullDescription": {"text": "gtk-rs GTK3 bindings - no longer maintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2024-0411", "name": "gdkwayland-sys: RUSTSEC-2024-0411", "shortDescription": {"text": "gdkwayland-sys: RUSTSEC-2024-0411"}, "fullDescription": {"text": "gtk-rs GTK3 bindings - no longer maintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2024-0418", "name": "gdk-sys: RUSTSEC-2024-0418", "shortDescription": {"text": "gdk-sys: RUSTSEC-2024-0418"}, "fullDescription": {"text": "gtk-rs GTK3 bindings - no longer maintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2024-0412", "name": "gdk: RUSTSEC-2024-0412", "shortDescription": {"text": "gdk: RUSTSEC-2024-0412"}, "fullDescription": {"text": "gtk-rs GTK3 bindings - no longer maintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2025-0057", 
"name": "fxhash: RUSTSEC-2025-0057", "shortDescription": {"text": "fxhash: RUSTSEC-2025-0057"}, "fullDescription": {"text": "fxhash - no longer maintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2024-0416", "name": "atk-sys: RUSTSEC-2024-0416", "shortDescription": {"text": "atk-sys: RUSTSEC-2024-0416"}, "fullDescription": {"text": "gtk-rs GTK3 bindings - no longer maintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2024-0413", "name": "atk: RUSTSEC-2024-0413", "shortDescription": {"text": "atk: RUSTSEC-2024-0413"}, "fullDescription": {"text": "gtk-rs GTK3 bindings - no longer maintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5039", "name": "stdlib: GO-2026-5039", "shortDescription": {"text": "stdlib: GO-2026-5039"}, "fullDescription": {"text": "Arbitrary inputs are included in errors without any escaping in net/textproto"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5038", "name": "stdlib: GO-2026-5038", "shortDescription": {"text": "stdlib: GO-2026-5038"}, "fullDescription": {"text": "Quadratic complexity in WordDecoder.DecodeHeader in mime"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5037", "name": "stdlib: GO-2026-5037", "shortDescription": {"text": "stdlib: GO-2026-5037"}, "fullDescription": {"text": "Inefficient candidate hostname parsing in crypto/x509"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4986", "name": 
"stdlib: GO-2026-4986", "shortDescription": {"text": "stdlib: GO-2026-4986"}, "fullDescription": {"text": "Quadratic string concatentation in consumeComment in net/mail"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4982", "name": "stdlib: GO-2026-4982", "shortDescription": {"text": "stdlib: GO-2026-4982"}, "fullDescription": {"text": "Bypass of meta content URL escaping causes XSS in html/template"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4981", "name": "stdlib: GO-2026-4981", "shortDescription": {"text": "stdlib: GO-2026-4981"}, "fullDescription": {"text": "Crash when handling long CNAME response in net"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4980", "name": "stdlib: GO-2026-4980", "shortDescription": {"text": "stdlib: GO-2026-4980"}, "fullDescription": {"text": "Escaper bypass leads to XSS in html/template"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4977", "name": "stdlib: GO-2026-4977", "shortDescription": {"text": "stdlib: GO-2026-4977"}, "fullDescription": {"text": "Quadratic string concatenation in consumePhrase in net/mail"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4976", "name": "stdlib: GO-2026-4976", "shortDescription": {"text": "stdlib: GO-2026-4976"}, "fullDescription": {"text": "ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": 
"GO-2026-4971", "name": "stdlib: GO-2026-4971", "shortDescription": {"text": "stdlib: GO-2026-4971"}, "fullDescription": {"text": "Panic in Dial and LookupPort when handling NUL byte on Windows in net"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4947", "name": "stdlib: GO-2026-4947", "shortDescription": {"text": "stdlib: GO-2026-4947"}, "fullDescription": {"text": "Unexpected work during chain building in crypto/x509"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4946", "name": "stdlib: GO-2026-4946", "shortDescription": {"text": "stdlib: GO-2026-4946"}, "fullDescription": {"text": "Inefficient policy validation in crypto/x509"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4918", "name": "stdlib: GO-2026-4918", "shortDescription": {"text": "stdlib: GO-2026-4918"}, "fullDescription": {"text": "Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4870", "name": "stdlib: GO-2026-4870", "shortDescription": {"text": "stdlib: GO-2026-4870"}, "fullDescription": {"text": "Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection retention and DoS in crypto/tls"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4869", "name": "stdlib: GO-2026-4869", "shortDescription": {"text": "stdlib: GO-2026-4869"}, "fullDescription": {"text": "Unbounded allocation for old GNU sparse in archive/tar"}, "properties": {"scanner": "osv-scanner", 
"category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4865", "name": "stdlib: GO-2026-4865", "shortDescription": {"text": "stdlib: GO-2026-4865"}, "fullDescription": {"text": "JsBraceDepth Context Tracking Bugs (XSS) in html/template"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4864", "name": "stdlib: GO-2026-4864", "shortDescription": {"text": "stdlib: GO-2026-4864"}, "fullDescription": {"text": "TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4603", "name": "stdlib: GO-2026-4603", "shortDescription": {"text": "stdlib: GO-2026-4603"}, "fullDescription": {"text": "URLs in meta content attribute actions are not escaped in html/template"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4602", "name": "stdlib: GO-2026-4602", "shortDescription": {"text": "stdlib: GO-2026-4602"}, "fullDescription": {"text": "FileInfo can escape from a Root in os"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4601", "name": "stdlib: GO-2026-4601", "shortDescription": {"text": "stdlib: GO-2026-4601"}, "fullDescription": {"text": "Incorrect parsing of IPv6 host literals in net/url"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4342", "name": "stdlib: GO-2026-4342", "shortDescription": {"text": "stdlib: GO-2026-4342"}, "fullDescription": {"text": "Excessive CPU consumption when building archive index in archive/zip"}, "properties": {"scanner": 
"osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4341", "name": "stdlib: GO-2026-4341", "shortDescription": {"text": "stdlib: GO-2026-4341"}, "fullDescription": {"text": "Memory exhaustion in query parameter parsing in net/url"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4340", "name": "stdlib: GO-2026-4340", "shortDescription": {"text": "stdlib: GO-2026-4340"}, "fullDescription": {"text": "Handshake messages may be processed at the incorrect encryption level in crypto/tls"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4337", "name": "stdlib: GO-2026-4337", "shortDescription": {"text": "stdlib: GO-2026-4337"}, "fullDescription": {"text": "Unexpected session resumption in crypto/tls"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-4175", "name": "stdlib: GO-2025-4175", "shortDescription": {"text": "stdlib: GO-2025-4175"}, "fullDescription": {"text": "Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-4155", "name": "stdlib: GO-2025-4155", "shortDescription": {"text": "stdlib: GO-2025-4155"}, "fullDescription": {"text": "Excessive resource consumption when printing error string for host certificate validation in crypto/x509"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-4015", "name": "stdlib: GO-2025-4015", "shortDescription": {"text": "stdlib: GO-2025-4015"}, "fullDescription": 
{"text": "Excessive CPU consumption in Reader.ReadResponse in net/textproto"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-4014", "name": "stdlib: GO-2025-4014", "shortDescription": {"text": "stdlib: GO-2025-4014"}, "fullDescription": {"text": "Unbounded allocation when parsing GNU sparse map in archive/tar"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-4013", "name": "stdlib: GO-2025-4013", "shortDescription": {"text": "stdlib: GO-2025-4013"}, "fullDescription": {"text": "Panic when validating certificates with DSA public keys in crypto/x509"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-4012", "name": "stdlib: GO-2025-4012", "shortDescription": {"text": "stdlib: GO-2025-4012"}, "fullDescription": {"text": "Lack of limit when parsing cookies can cause memory exhaustion in net/http"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-4011", "name": "stdlib: GO-2025-4011", "shortDescription": {"text": "stdlib: GO-2025-4011"}, "fullDescription": {"text": "Parsing DER payload can cause memory exhaustion in encoding/asn1"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-4010", "name": "stdlib: GO-2025-4010", "shortDescription": {"text": "stdlib: GO-2025-4010"}, "fullDescription": {"text": "Insufficient validation of bracketed IPv6 hostnames in net/url"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-4009", "name": "stdlib: GO-2025-4009", "shortDescription": 
{"text": "stdlib: GO-2025-4009"}, "fullDescription": {"text": "Quadratic complexity when parsing some invalid inputs in encoding/pem"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-4008", "name": "stdlib: GO-2025-4008", "shortDescription": {"text": "stdlib: GO-2025-4008"}, "fullDescription": {"text": "ALPN negotiation error contains attacker controlled information in crypto/tls"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-4007", "name": "stdlib: GO-2025-4007", "shortDescription": {"text": "stdlib: GO-2025-4007"}, "fullDescription": {"text": "Quadratic complexity when checking name constraints in crypto/x509"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-4006", "name": "stdlib: GO-2025-4006", "shortDescription": {"text": "stdlib: GO-2025-4006"}, "fullDescription": {"text": "Excessive CPU consumption in ParseAddress in net/mail"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-3955", "name": "stdlib: GO-2025-3955", "shortDescription": {"text": "stdlib: GO-2025-3955"}, "fullDescription": {"text": "CrossOriginProtection insecure bypass patterns not limited to exact matches in net/http"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5024", "name": "golang.org/x/sys: GO-2026-5024", "shortDescription": {"text": "golang.org/x/sys: GO-2026-5024"}, "fullDescription": {"text": "Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, 
"cwe": "", "owasp": ""}}, {"id": "GO-2026-5030", "name": "golang.org/x/net: GO-2026-5030", "shortDescription": {"text": "golang.org/x/net: GO-2026-5030"}, "fullDescription": {"text": "Invoking duplicate attributes can cause XSS in golang.org/x/net/html"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5029", "name": "golang.org/x/net: GO-2026-5029", "shortDescription": {"text": "golang.org/x/net: GO-2026-5029"}, "fullDescription": {"text": "Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5028", "name": "golang.org/x/net: GO-2026-5028", "shortDescription": {"text": "golang.org/x/net: GO-2026-5028"}, "fullDescription": {"text": "Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5027", "name": "golang.org/x/net: GO-2026-5027", "shortDescription": {"text": "golang.org/x/net: GO-2026-5027"}, "fullDescription": {"text": "Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5026", "name": "golang.org/x/net: GO-2026-5026", "shortDescription": {"text": "golang.org/x/net: GO-2026-5026"}, "fullDescription": {"text": "Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5025", "name": "golang.org/x/net: GO-2026-5025", "shortDescription": 
{"text": "golang.org/x/net: GO-2026-5025"}, "fullDescription": {"text": "Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4559", "name": "golang.org/x/net: GO-2026-4559", "shortDescription": {"text": "golang.org/x/net: GO-2026-4559"}, "fullDescription": {"text": "Sending certain HTTP/2 frames can cause a server to panic in golang.org/x/net"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5033", "name": "golang.org/x/crypto: GO-2026-5033", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5033"}, "fullDescription": {"text": "Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5023", "name": "golang.org/x/crypto: GO-2026-5023", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5023"}, "fullDescription": {"text": "Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5021", "name": "golang.org/x/crypto: GO-2026-5021", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5021"}, "fullDescription": {"text": "Invoking auth bypass via unenforced @revoked status in golang.org/x/crypto/ssh/knownhosts"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5020", "name": "golang.org/x/crypto: GO-2026-5020", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5020"}, "fullDescription": 
{"text": "Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5019", "name": "golang.org/x/crypto: GO-2026-5019", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5019"}, "fullDescription": {"text": "Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5018", "name": "golang.org/x/crypto: GO-2026-5018", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5018"}, "fullDescription": {"text": "Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5017", "name": "golang.org/x/crypto: GO-2026-5017", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5017"}, "fullDescription": {"text": "Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5016", "name": "golang.org/x/crypto: GO-2026-5016", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5016"}, "fullDescription": {"text": "Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5015", "name": "golang.org/x/crypto: GO-2026-5015", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5015"}, "fullDescription": {"text": "Invoking server panic during CheckHostKey/Authenticate in 
golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5014", "name": "golang.org/x/crypto: GO-2026-5014", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5014"}, "fullDescription": {"text": "Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5013", "name": "golang.org/x/crypto: GO-2026-5013", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5013"}, "fullDescription": {"text": "Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5006", "name": "golang.org/x/crypto: GO-2026-5006", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5006"}, "fullDescription": {"text": "Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5005", "name": "golang.org/x/crypto: GO-2026-5005", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5005"}, "fullDescription": {"text": "Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0068", "name": "tar: RUSTSEC-2026-0068", "shortDescription": {"text": "tar: RUSTSEC-2026-0068"}, "fullDescription": {"text": "tar-rs incorrectly ignores PAX size headers if header size is nonzero"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, 
"cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0067", "name": "tar: RUSTSEC-2026-0067", "shortDescription": {"text": "tar: RUSTSEC-2026-0067"}, "fullDescription": {"text": "`unpack_in` can chmod arbitrary directories by following symlinks"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2017-0008", "name": "serial: RUSTSEC-2017-0008", "shortDescription": {"text": "serial: RUSTSEC-2017-0008"}, "fullDescription": {"text": "`serial` crate is unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0104", "name": "rustls-webpki: RUSTSEC-2026-0104", "shortDescription": {"text": "rustls-webpki: RUSTSEC-2026-0104"}, "fullDescription": {"text": "Reachable panic in certificate revocation list parsing"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0099", "name": "rustls-webpki: RUSTSEC-2026-0099", "shortDescription": {"text": "rustls-webpki: RUSTSEC-2026-0099"}, "fullDescription": {"text": "Name constraints were accepted for certificates asserting a wildcard name"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0098", "name": "rustls-webpki: RUSTSEC-2026-0098", "shortDescription": {"text": "rustls-webpki: RUSTSEC-2026-0098"}, "fullDescription": {"text": "Name constraints for URI names were incorrectly accepted"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0049", "name": "rustls-webpki: RUSTSEC-2026-0049", "shortDescription": {"text": "rustls-webpki: RUSTSEC-2026-0049"}, "fullDescription": {"text": "CRLs not considered authoritative by 
Distribution Point due to faulty matching logic"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0097", "name": "rand: RUSTSEC-2026-0097", "shortDescription": {"text": "rand: RUSTSEC-2026-0097"}, "fullDescription": {"text": "Rand is unsound with a custom logger using `rand::rng()`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0037", "name": "quinn-proto: RUSTSEC-2026-0037", "shortDescription": {"text": "quinn-proto: RUSTSEC-2026-0037"}, "fullDescription": {"text": "Denial of service in Quinn endpoints"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xp3w-r5p5-63rr", "name": "openssl: GHSA-xp3w-r5p5-63rr", "shortDescription": {"text": "openssl: GHSA-xp3w-r5p5-63rr"}, "fullDescription": {"text": "rust-openssl has undefined behavior in X509Ref::ocsp_responders for certificates with non-UTF-8 OCSP URLs"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-pqf5-4pqq-29f5", "name": "openssl: GHSA-pqf5-4pqq-29f5", "shortDescription": {"text": "openssl: GHSA-pqf5-4pqq-29f5"}, "fullDescription": {"text": "rust-openssl: Deriver::derive and PkeyCtxRef::derive can overflow short buffers on OpenSSL 1.1.1"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-hppc-g8h3-xhp3", "name": "openssl: GHSA-hppc-g8h3-xhp3", "shortDescription": {"text": "openssl: GHSA-hppc-g8h3-xhp3"}, "fullDescription": {"text": "rust-openssl: Unchecked callback length in PSK/cookie trampolines leaks adjacent memory to peer"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": 
"high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-ghm9-cr32-g9qj", "name": "openssl: GHSA-ghm9-cr32-g9qj", "shortDescription": {"text": "openssl: GHSA-ghm9-cr32-g9qj"}, "fullDescription": {"text": "rust-openssl: rustMdCtxRef::digest_final() writes past caller buffer with no length check"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8c75-8mhr-p7r9", "name": "openssl: GHSA-8c75-8mhr-p7r9", "shortDescription": {"text": "openssl: GHSA-8c75-8mhr-p7r9"}, "fullDescription": {"text": "rust-openssl has incorrect bounds assertion in aes key wrap"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2024-0429", "name": "glib: RUSTSEC-2024-0429", "shortDescription": {"text": "glib: RUSTSEC-2024-0429"}, "fullDescription": {"text": "Unsoundness in `Iterator` and `DoubleEndedIterator` impls for `glib::VariantStrIter`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC114", "name": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker", "shortDescription": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "fullDescription": {"text": "After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. 
In Node: `const resolved = path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`. Both checks are purely lexical: if the base directory can contain symlinks, resolve them first (`filepath.EvalSymlinks` in Go, `fs.realpathSync` in Node) before comparing."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED033", "name": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic.", "shortDescription": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, "fullDescription": {"text": "Review and fix per the pattern semantics: log or otherwise handle the value returned by recover() instead of discarding it. See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED016", "name": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern.", "shortDescription": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "fullDescription": {"text": "Review and fix per the pattern semantics: check the returned err before relying on the call's result. See CWE-754 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED003", "name": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere.", "shortDescription": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "Binary file `packages/mobile/src-tauri/gen/android/gradle/wrapper/gradle-wrapper.jar` committed in source repo", "shortDescription": {"text": "Binary file `packages/mobile/src-tauri/gen/android/gradle/wrapper/gradle-wrapper.jar` committed in source repo"}, "fullDescription": {"text": "`packages/mobile/src-tauri/gen/android/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (59,203 bytes) committed to a repo that otherwise has 980 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts. Gradle projects normally commit `gradle-wrapper.jar`, so triage this finding by comparing the file's SHA-256 with the checksum Gradle publishes for the wrapper version in use."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/checkout` pinned to mutable ref `@v6`", "shortDescription": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "fullDescription": {"text": "`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to the full 40-character commit SHA and let Dependabot or Renovate propose updates to the pin."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `node:22-slim` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `node:22-slim` not pinned by digest"}, "fullDescription": {"text": "`FROM node:22-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "Express DELETE /sessions has no auth", "shortDescription": {"text": "Express DELETE /sessions has no auth"}, "fullDescription": {"text": "Express route DELETE /sessions declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control. Before treating this as confirmed, check whether authentication is enforced earlier by app- or router-level middleware (`app.use(...)` / `router.use(...)`), which a per-route handler chain does not show."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "GHSA-5xrq-8626-4rwp", "name": "vitest: GHSA-5xrq-8626-4rwp", "shortDescription": {"text": "vitest: GHSA-5xrq-8626-4rwp"}, "fullDescription": {"text": "When Vitest UI server is listening, arbitrary file can be read and executed"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-p77j-4mvh-x3m3", "name": "google.golang.org/grpc: GHSA-p77j-4mvh-x3m3", "shortDescription": {"text": "google.golang.org/grpc: GHSA-p77j-4mvh-x3m3"}, "fullDescription": {"text": "gRPC-Go has an authorization bypass via missing leading slash in :path"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", 
"confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "Workflow uses `secrets.TAURI_SIGNING_PRIVATE_KEY` on a `pull_request` trigger", "shortDescription": {"text": "Workflow uses `secrets.TAURI_SIGNING_PRIVATE_KEY` on a `pull_request` trigger"}, "fullDescription": {"text": "This workflow triggers on `pull_request`, which checks out the pull request's code, including code from a FORK. Referencing `${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}` there can let a pull request exfiltrate the secret (modify a script, log the value, etc.). GitHub withholds repository secrets from `pull_request` runs that originate from forks by default, so the exposure is to pull requests from branches of this repository and to any later switch to `pull_request_target`. Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1201"}, "properties": {"repository": "kzahel/yepanywhere", "repoUrl": "https://github.com/kzahel/yepanywhere", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 121407, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 121406, "scanner": 
"repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-48c2-rrv3-qjmp", "level": "warning", "message": {"text": "yaml: GHSA-48c2-rrv3-qjmp"}, "properties": {"repobilityId": 121398, "scanner": "osv-scanner", "fingerprint": "12297de7fcfdbcf74df8835251b38a054aaef1415dd95ff4a1573078453ac83d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33532"], "package": "yaml", "rule_id": "GHSA-48c2-rrv3-qjmp", "scanner": "osv-scanner", "correlation_key": "vuln|yaml|CVE-2026-33532|site/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4w7w-66w2-5vf9", "level": "warning", "message": {"text": "vite: GHSA-4w7w-66w2-5vf9"}, "properties": {"repobilityId": 121396, "scanner": "osv-scanner", "fingerprint": "d4c7da6328e0366e17e4ae274c52b5cd4174616ece287f5338261683c8d720b8", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39365"], "package": "vite", "rule_id": "GHSA-4w7w-66w2-5vf9", 
"scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2026-39365|site/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v3rj-xjv7-4jmq", "level": "warning", "message": {"text": "smol-toml: GHSA-v3rj-xjv7-4jmq"}, "properties": {"repobilityId": 121394, "scanner": "osv-scanner", "fingerprint": "c488fc34dad2815d511a9a1bb72d9a8111f3370898e0ce11704d4ce3aa7bb83c", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "smol-toml", "rule_id": "GHSA-v3rj-xjv7-4jmq", "scanner": "osv-scanner", "correlation_key": "vuln|smol-toml|GHSA-V3RJ-XJV7-4JMQ|site/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qx2v-qp2m-jg93", "level": "warning", "message": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "properties": {"repobilityId": 121393, "scanner": "osv-scanner", "fingerprint": "324bde79da3ccdbd43c10679e4aea5d559c55b89fdf50bc6f321e579d4f52c36", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41305"], "package": "postcss", "rule_id": "GHSA-qx2v-qp2m-jg93", "scanner": "osv-scanner", "correlation_key": "vuln|postcss|CVE-2026-41305|site/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3v7f-55p6-f55p", "level": "warning", "message": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "properties": {"repobilityId": 121391, "scanner": "osv-scanner", "fingerprint": "28236a4e05f02ea8880dc5f9cec3aa8820471cc40537dd710e8f5d587f18db86", "category": "dependency", "severity": "medium", "confidence": 0.88, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33672"], "package": "picomatch", "rule_id": "GHSA-3v7f-55p6-f55p", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33672|site/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xxjr-mmjv-4gpg", "level": "warning", "message": {"text": "lodash: GHSA-xxjr-mmjv-4gpg"}, "properties": {"repobilityId": 121390, "scanner": "osv-scanner", "fingerprint": "f4adb138517e7594e53e3ce682f0739aaeb7e743c405827b11f0bdac393cc5a4", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-13465"], "package": "lodash", "rule_id": "GHSA-xxjr-mmjv-4gpg", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2025-13465|site/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f23m-r3pf-42rh", "level": "warning", "message": {"text": "lodash: GHSA-f23m-r3pf-42rh"}, "properties": {"repobilityId": 121388, "scanner": "osv-scanner", "fingerprint": "41a3c8715988add9f6087c4b35f549614bdc88439c4461cfe835017d95776978", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2950"], "package": "lodash", "rule_id": "GHSA-f23m-r3pf-42rh", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2026-2950|site/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-wr4h-v87w-p3r7", "level": "warning", "message": {"text": "h3: GHSA-wr4h-v87w-p3r7"}, "properties": 
{"repobilityId": 121387, "scanner": "osv-scanner", "fingerprint": "94c4c45ed89801a0e86b63a64f67f129514b7eba1074e5c0224ae742f4a2b093", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "h3", "rule_id": "GHSA-wr4h-v87w-p3r7", "scanner": "osv-scanner", "correlation_key": "vuln|h3|GHSA-WR4H-V87W-P3R7|site/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-72gr-qfp7-vwhw", "level": "warning", "message": {"text": "h3: GHSA-72gr-qfp7-vwhw"}, "properties": {"repobilityId": 121386, "scanner": "osv-scanner", "fingerprint": "ab861c4e6b36cbc606a896392b9bed6507c44f8ea0028441c8adf5bdd539e747", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "h3", "rule_id": "GHSA-72gr-qfp7-vwhw", "scanner": "osv-scanner", "correlation_key": "vuln|h3|GHSA-72GR-QFP7-VWHW|site/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4hxc-9384-m385", "level": "warning", "message": {"text": "h3: GHSA-4hxc-9384-m385"}, "properties": {"repobilityId": 121385, "scanner": "osv-scanner", "fingerprint": "5c392bc3eb412f04a9c141ee4444885f1857fad12822c0e1bc2396341450da87", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "h3", "rule_id": "GHSA-4hxc-9384-m385", "scanner": "osv-scanner", "correlation_key": "vuln|h3|GHSA-4HXC-9384-M385|site/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-cfw5-2vxh-hr84", 
"level": "warning", "message": {"text": "devalue: GHSA-cfw5-2vxh-hr84"}, "properties": {"repobilityId": 121380, "scanner": "osv-scanner", "fingerprint": "794264a2f0eecb27a97ee1e6033cbebb900142042928297c07e7657ed882e223", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-30226"], "package": "devalue", "rule_id": "GHSA-cfw5-2vxh-hr84", "scanner": "osv-scanner", "correlation_key": "vuln|devalue|CVE-2026-30226|site/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-j687-52p2-xcff", "level": "warning", "message": {"text": "astro: GHSA-j687-52p2-xcff"}, "properties": {"repobilityId": 121376, "scanner": "osv-scanner", "fingerprint": "edea03d2225470c3852039727cba2ad32bd44ceb6beb5c841080b632bcac72f6", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41067"], "package": "astro", "rule_id": "GHSA-j687-52p2-xcff", "scanner": "osv-scanner", "correlation_key": "vuln|astro|CVE-2026-41067|site/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-58qx-3vcg-4xpx", "level": "warning", "message": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "properties": {"repobilityId": 121374, "scanner": "osv-scanner", "fingerprint": "5caf92f3d249d9ef68c892266b193040dad1d1a25eab63cd610c2e7c1488e630", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45736"], "package": "ws", "rule_id": "GHSA-58qx-3vcg-4xpx", "scanner": "osv-scanner", "correlation_key": 
"vuln|ws|CVE-2026-45736|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sharing-worker/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-phc3-fgpg-7m6h", "level": "warning", "message": {"text": "undici: GHSA-phc3-fgpg-7m6h"}, "properties": {"repobilityId": 121371, "scanner": "osv-scanner", "fingerprint": "f36579791a2a9d52da29e9b841651ce9aa549ad17a1ee0482a321768485197e1", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2581"], "package": "undici", "rule_id": "GHSA-phc3-fgpg-7m6h", "scanner": "osv-scanner", "correlation_key": "vuln|undici|CVE-2026-2581|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sharing-worker/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4992-7rv2-5pvq", "level": "warning", "message": {"text": "undici: GHSA-4992-7rv2-5pvq"}, "properties": {"repobilityId": 121369, "scanner": "osv-scanner", "fingerprint": "9c490bb74e1550aa30f87b1e551284475c753bc94802660582c8e1bcc5964370", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-1527"], "package": "undici", "rule_id": "GHSA-4992-7rv2-5pvq", "scanner": "osv-scanner", "correlation_key": "vuln|undici|CVE-2026-1527|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sharing-worker/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2mjp-6q6p-2qxm", "level": "warning", "message": {"text": "undici: GHSA-2mjp-6q6p-2qxm"}, "properties": {"repobilityId": 121368, "scanner": "osv-scanner", "fingerprint": "6e635159b7b2b659f2546044b6365637d2e2ec195998a6bd42d9bde6744af8a6", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": 
"", "evidence": {"match": "", "aliases": ["CVE-2026-1525"], "package": "undici", "rule_id": "GHSA-2mjp-6q6p-2qxm", "scanner": "osv-scanner", "correlation_key": "vuln|undici|CVE-2026-1525|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sharing-worker/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-58qx-3vcg-4xpx", "level": "warning", "message": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "properties": {"repobilityId": 121367, "scanner": "osv-scanner", "fingerprint": "d698c0969dae25e950d4f8b65b021df28bdeb91476dcc255cdcc9ca9ba3ee73e", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45736"], "package": "ws", "rule_id": "GHSA-58qx-3vcg-4xpx", "scanner": "osv-scanner", "correlation_key": "vuln|ws|CVE-2026-45736|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4w7w-66w2-5vf9", "level": "warning", "message": {"text": "vite: GHSA-4w7w-66w2-5vf9"}, "properties": {"repobilityId": 121363, "scanner": "osv-scanner", "fingerprint": "a2c12e2b28152cf8b2318c26eb42f38e3894a8280e15146de8ce046c997d7d89", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39365"], "package": "vite", "rule_id": "GHSA-4w7w-66w2-5vf9", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2026-39365|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f22v-gfqf-p8f3", "level": "warning", "message": {"text": "react-router: GHSA-f22v-gfqf-p8f3"}, "properties": {"repobilityId": 121361, "scanner": "osv-scanner", "fingerprint": "edaf4a3735dfb27b8ccf9d8a430c8b7c40fd5445e3e953fb159dfd64c53c9a42", 
"category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33244"], "package": "react-router", "rule_id": "GHSA-f22v-gfqf-p8f3", "scanner": "osv-scanner", "correlation_key": "vuln|react-router|CVE-2026-33244|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2j2x-hqr9-3h42", "level": "warning", "message": {"text": "react-router: GHSA-2j2x-hqr9-3h42"}, "properties": {"repobilityId": 121357, "scanner": "osv-scanner", "fingerprint": "8882ed93f6a1eda255f48a9ddff70179f1ab14058f5efa928633116ad7210cc1", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-40181"], "package": "react-router", "rule_id": "GHSA-2j2x-hqr9-3h42", "scanner": "osv-scanner", "correlation_key": "vuln|react-router|CVE-2026-40181|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q8mj-m7cp-5q26", "level": "warning", "message": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "properties": {"repobilityId": 121356, "scanner": "osv-scanner", "fingerprint": "0727364e57c088dabd2840fd21980edb99b147969b7db2965e7188703dcea5f1", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-8723"], "package": "qs", "rule_id": "GHSA-q8mj-m7cp-5q26", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2026-8723|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qx2v-qp2m-jg93", "level": "warning", "message": {"text": "postcss: 
GHSA-qx2v-qp2m-jg93"}, "properties": {"repobilityId": 121355, "scanner": "osv-scanner", "fingerprint": "0b1dff5c952a767b7990e67b0d60cc580116a9b63b14cf0d44b920a59028efbf", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41305"], "package": "postcss", "rule_id": "GHSA-qx2v-qp2m-jg93", "scanner": "osv-scanner", "correlation_key": "vuln|postcss|CVE-2026-41305|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3v7f-55p6-f55p", "level": "warning", "message": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "properties": {"repobilityId": 121353, "scanner": "osv-scanner", "fingerprint": "d9d26d972991fffb51a1613b08ac1e8e722be1c10191fb43cced54b770250e8d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33672"], "package": "picomatch", "rule_id": "GHSA-3v7f-55p6-f55p", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33672|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v2v4-37r5-5v8g", "level": "warning", "message": {"text": "ip-address: GHSA-v2v4-37r5-5v8g"}, "properties": {"repobilityId": 121352, "scanner": "osv-scanner", "fingerprint": "62020e206e8925629e9ce81503c184fb7740327a8f08e1c3e188f1738ecc7bb4", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42338"], "package": "ip-address", "rule_id": "GHSA-v2v4-37r5-5v8g", "scanner": "osv-scanner", "correlation_key": "vuln|ip-address|CVE-2026-42338|pnpm-lock.yaml"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xrhx-7g5j-rcj5", "level": "warning", "message": {"text": "hono: GHSA-xrhx-7g5j-rcj5"}, "properties": {"repobilityId": 121351, "scanner": "osv-scanner", "fingerprint": "00bc496edb613ec402ac6d8d8cfe96cc08bcc97644f9ea2395620de72362a06e", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47674"], "package": "hono", "rule_id": "GHSA-xrhx-7g5j-rcj5", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-47674|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xpcf-pg52-r92g", "level": "warning", "message": {"text": "hono: GHSA-xpcf-pg52-r92g"}, "properties": {"repobilityId": 121350, "scanner": "osv-scanner", "fingerprint": "3879085545b4d7b2571a8ee2a97d250bb3d9c113e71e7e1301464ccbe66166ac", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39409"], "package": "hono", "rule_id": "GHSA-xpcf-pg52-r92g", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-39409|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xf4j-xp2r-rqqx", "level": "warning", "message": {"text": "hono: GHSA-xf4j-xp2r-rqqx"}, "properties": {"repobilityId": 121349, "scanner": "osv-scanner", "fingerprint": "bdffe3a2dc5829fb1afe38da51bdf92242247f49604d97fbcbaf0f26a951e163", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39408"], "package": "hono", "rule_id": 
"GHSA-xf4j-xp2r-rqqx", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-39408|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-wmmm-f939-6g9c", "level": "warning", "message": {"text": "hono: GHSA-wmmm-f939-6g9c"}, "properties": {"repobilityId": 121348, "scanner": "osv-scanner", "fingerprint": "c77b82a60375096dacf2cf7ee222622af311e0ae11424c14f9aa45dcad3fa154", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39407"], "package": "hono", "rule_id": "GHSA-wmmm-f939-6g9c", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-39407|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r5rp-j6wh-rvv4", "level": "warning", "message": {"text": "hono: GHSA-r5rp-j6wh-rvv4"}, "properties": {"repobilityId": 121347, "scanner": "osv-scanner", "fingerprint": "dd3b1b37c7562561dc589af48bd2dcabc82559f640f46797a2cc854973bab190", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39410"], "package": "hono", "rule_id": "GHSA-r5rp-j6wh-rvv4", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-39410|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qp7p-654g-cw7p", "level": "warning", "message": {"text": "hono: GHSA-qp7p-654g-cw7p"}, "properties": {"repobilityId": 121346, "scanner": "osv-scanner", "fingerprint": "36b6d52ad6da58f0ea59be15733c0fbf8556a0970c284daa6278b0f7f4417274", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": 
"", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44458"], "package": "hono", "rule_id": "GHSA-qp7p-654g-cw7p", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-44458|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-p77w-8qqv-26rm", "level": "warning", "message": {"text": "hono: GHSA-p77w-8qqv-26rm"}, "properties": {"repobilityId": 121345, "scanner": "osv-scanner", "fingerprint": "7bc3f88c5d70fe72bc2f4e3891b9cdcadf15632869e7b9c4d30dd741a32a910a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44457"], "package": "hono", "rule_id": "GHSA-p77w-8qqv-26rm", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-44457|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f577-qrjj-4474", "level": "warning", "message": {"text": "hono: GHSA-f577-qrjj-4474"}, "properties": {"repobilityId": 121343, "scanner": "osv-scanner", "fingerprint": "e208e70fa87227fbe53da3f61fe2ac217a8f9277ac8c866372d70757d173a82a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47673"], "package": "hono", "rule_id": "GHSA-f577-qrjj-4474", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-47673|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9vqf-7f2p-gf9v", "level": "warning", "message": {"text": "hono: GHSA-9vqf-7f2p-gf9v"}, "properties": {"repobilityId": 121342, "scanner": "osv-scanner", "fingerprint": 
"f968051640d4b009cb2d9424b8282eca45c8c6e9109d8d7fb0f97d0befebb3dd", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44456"], "package": "hono", "rule_id": "GHSA-9vqf-7f2p-gf9v", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-44456|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-69xw-7hcm-h432", "level": "warning", "message": {"text": "hono: GHSA-69xw-7hcm-h432"}, "properties": {"repobilityId": 121341, "scanner": "osv-scanner", "fingerprint": "b9015a2006b4b8877139a0a84e28714702bf9e7ab7003879ec3b08713dc911b0", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44455"], "package": "hono", "rule_id": "GHSA-69xw-7hcm-h432", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-44455|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-458j-xx4x-4375", "level": "warning", "message": {"text": "hono: GHSA-458j-xx4x-4375"}, "properties": {"repobilityId": 121340, "scanner": "osv-scanner", "fingerprint": "e54929094efcc9c71ed2bea47d7a2efe72a47913e3cbf6518bd9706d19056dc6", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "hono", "rule_id": "GHSA-458j-xx4x-4375", "scanner": "osv-scanner", "correlation_key": "vuln|hono|GHSA-458J-XX4X-4375|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3hrh-pfw6-9m5x", "level": "warning", "message": {"text": "hono: 
GHSA-3hrh-pfw6-9m5x"}, "properties": {"repobilityId": 121339, "scanner": "osv-scanner", "fingerprint": "e0310fecceaa1b185e84974a0e921e9246e915ec57dc03dd475b24154a382bb8", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47675"], "package": "hono", "rule_id": "GHSA-3hrh-pfw6-9m5x", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-47675|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2gcr-mfcq-wcc3", "level": "warning", "message": {"text": "hono: GHSA-2gcr-mfcq-wcc3"}, "properties": {"repobilityId": 121338, "scanner": "osv-scanner", "fingerprint": "82be9ca729a9b377be787e2a4870ae0fe637910fd7001804d481802695279c06", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47676"], "package": "hono", "rule_id": "GHSA-2gcr-mfcq-wcc3", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-47676|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-26pp-8wgv-hjvm", "level": "warning", "message": {"text": "hono: GHSA-26pp-8wgv-hjvm"}, "properties": {"repobilityId": 121337, "scanner": "osv-scanner", "fingerprint": "58b4203660be5a4cdb5a1cbe81f209fc96a940ee90dd2aef542f80e8d17c9555", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "hono", "rule_id": "GHSA-26pp-8wgv-hjvm", "scanner": "osv-scanner", "correlation_key": "vuln|hono|GHSA-26PP-8WGV-HJVM|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": 
{"startLine": 1}}}]}, {"ruleId": "GHSA-r4q5-vmmm-2653", "level": "warning", "message": {"text": "follow-redirects: GHSA-r4q5-vmmm-2653"}, "properties": {"repobilityId": 121336, "scanner": "osv-scanner", "fingerprint": "6f390e2ea2dc5e15147a7d495e55d42a4ae00467d7b3f2ca1cebb7aa445a73b9", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "follow-redirects", "rule_id": "GHSA-r4q5-vmmm-2653", "scanner": "osv-scanner", "correlation_key": "vuln|follow-redirects|GHSA-R4Q5-VMMM-2653|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-67mh-4wv8-2f99", "level": "warning", "message": {"text": "esbuild: GHSA-67mh-4wv8-2f99"}, "properties": {"repobilityId": 121333, "scanner": "osv-scanner", "fingerprint": "41f281ca33e7758f3ed49d251cab103d4cb0c6de82ba0c8149194ad02717accb", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "esbuild", "rule_id": "GHSA-67mh-4wv8-2f99", "scanner": "osv-scanner", "correlation_key": "vuln|esbuild|GHSA-67MH-4WV8-2F99|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-92pp-h63x-v22m", "level": "warning", "message": {"text": "@hono/node-server: GHSA-92pp-h63x-v22m"}, "properties": {"repobilityId": 121332, "scanner": "osv-scanner", "fingerprint": "9dc4af0ce4e69cd302c18a60fee266d778f63bfd65f3810d1ed3661496fd5f32", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39406"], "package": "@hono/node-server", "rule_id": "GHSA-92pp-h63x-v22m", "scanner": "osv-scanner", 
"correlation_key": "vuln|hono/node-server|CVE-2026-39406|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7gmj-67g7-phm9", "level": "warning", "message": {"text": "tauri: GHSA-7gmj-67g7-phm9"}, "properties": {"repobilityId": 121249, "scanner": "osv-scanner", "fingerprint": "602172df3fe0a2382f736ee421f442d0ee8eaad05439a3709e450c13901927df", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-42184"], "package": "tauri", "rule_id": "GHSA-7gmj-67g7-phm9", "scanner": "osv-scanner", "correlation_key": "vuln|tauri|CVE-2026-42184|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-7gmj-67g7-phm9"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["054c20dd6b572a9eb644e7d6bae7775bacfc3fe23a8d8c719a53d839667c05f9", "602172df3fe0a2382f736ee421f442d0ee8eaad05439a3709e450c13901927df"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3pv8-6f4r-ffg2", "level": "warning", "message": {"text": "tar: GHSA-3pv8-6f4r-ffg2"}, "properties": {"repobilityId": 121248, "scanner": "osv-scanner", "fingerprint": "e58f91c1e65f9318150b7879a43e1ef892280e50bbf2f77ea9cbcd5b7e30b6b5", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "tar", "rule_id": "GHSA-3pv8-6f4r-ffg2", "scanner": "osv-scanner", "correlation_key": "vuln|tar|GHSA-3PV8-6F4R-FFG2|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xv59-967r-8726", "level": 
"warning", "message": {"text": "openssl: GHSA-xv59-967r-8726"}, "properties": {"repobilityId": 121237, "scanner": "osv-scanner", "fingerprint": "cb677ead60e5be67216f94ba67db90cbf1a0bf0b815bde0e2e4492d6e27a1590", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44662"], "package": "openssl", "rule_id": "GHSA-xv59-967r-8726", "scanner": "osv-scanner", "correlation_key": "vuln|openssl|CVE-2026-44662|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-phqj-4mhp-q6mq", "level": "warning", "message": {"text": "openssl: GHSA-phqj-4mhp-q6mq"}, "properties": {"repobilityId": 121233, "scanner": "osv-scanner", "fingerprint": "974605f755a3ce90ecf108fd969525670360f270ad57d8eb9ba22d0e7dce2015", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45784"], "package": "openssl", "rule_id": "GHSA-phqj-4mhp-q6mq", "scanner": "osv-scanner", "correlation_key": "vuln|openssl|CVE-2026-45784|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `yep-sandbox` image has no explicit tag"}, "properties": {"repobilityId": 121211, "scanner": "repobility-docker", "fingerprint": "abc98e22d70f97479703783d117b66845cfbe58f493ba2de929738a405a94f80", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "yep-sandbox", "rule_id": "DKR002", "scanner": "repobility-docker", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|abc98e22d70f97479703783d117b66845cfbe58f493ba2de929738a405a94f80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 121210, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 15 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: continue=2, except=3, for=1, if=1, nested_bonus=3, or=2, ternary=3."}, "properties": {"repobilityId": 121207, "scanner": "repobility-threat-engine", "fingerprint": "73690cb840c87acdd490b596c4c86d0b42421a9b916ab6730253f0198ea1fc6b", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 15 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 1, "or": 2, "for": 1, "except": 3, "ternary": 3, "continue": 2, "nested_bonus": 3}, "complexity": 15, "correlation_key": "fp|73690cb840c87acdd490b596c4c86d0b42421a9b916ab6730253f0198ea1fc6b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/voice/whisper_worker.py"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC091", "level": "warning", "message": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. 
Ported from gosec G112 + G114 (Apache-2.0)."}, "properties": {"repobilityId": 121178, "scanner": "repobility-threat-engine", "fingerprint": "f2e10c9e2fa739ff16303318b5e2e4bf06f239cba4db7a000c783d91770e810b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.Server{\n\t\tAddr:        addr,\n\t\tHandler:     mux,\n\t\tReadTimeout: 30 * time.Second,\n\t\tIdleTimeout", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f2e10c9e2fa739ff16303318b5e2e4bf06f239cba4db7a000c783d91770e810b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/cmd/bridge/main.go"}, "region": {"startLine": 93}}}]}, {"ruleId": "SEC046", "level": "warning", "message": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). 
Complement to server-side SEC030."}, "properties": {"repobilityId": 121177, "scanner": "repobility-threat-engine", "fingerprint": "98fc58119a7c187692b7e85c0b89edd2024be6ebc38b412261e1f99a075f2648", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "location.href = serverUrl", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC046", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|98fc58119a7c187692b7e85c0b89edd2024be6ebc38b412261e1f99a075f2648"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/main/MainLayout.tsx"}, "region": {"startLine": 74}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 121170, "scanner": "repobility-threat-engine", "fingerprint": "c8522a24f0fd2c48f13e767f96ec647b1268414f34bacf96e071ab29a82078c6", "category": "error_handling", "severity": "medium", "confidence": 0.45, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Pattern matched with no mitigating context found | [R34 auto-suppress: setup/install wizard (placeholder values)]", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found | [R34 auto-suppress: setup/install wizard (placeholder values)]", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.45, "correlation_key": "fp|c8522a24f0fd2c48f13e767f96ec647b1268414f34bacf96e071ab29a82078c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/wizard/AuthPage.tsx"}, "region": {"startLine": 57}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, 
"properties": {"repobilityId": 121169, "scanner": "repobility-threat-engine", "fingerprint": "bb0816544e1329dedb1ae7306d3d686d3f8276be71ef749daa9ec074d533ffec", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bb0816544e1329dedb1ae7306d3d686d3f8276be71ef749daa9ec074d533ffec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/pages/settings/AboutSettings.tsx"}, "region": {"startLine": 67}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection). Triage note: in a TypeScript file the matched token `.exec(` is also how RegExp.prototype.exec() is called, which runs a regular expression and does not evaluate code; confirm what the receiver is at the reported line before treating this finding as eval injection."}, "properties": {"repobilityId": 121145, "scanner": "repobility-threat-engine", "fingerprint": "f6c8baca85e9238da898f30043641b9a007c0297f70a216ae91a8cabe389dec5", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|93|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/relay/src/client-ip.ts"}, "region": {"startLine": 93}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection). Triage note: in a TypeScript file the matched token `.exec(` is also how RegExp.prototype.exec() is called, which runs a regular expression and does not evaluate code; confirm what the receiver is at the reported line before treating this finding as eval injection."}, "properties": {"repobilityId": 121144, "scanner": "repobility-threat-engine", "fingerprint": "4f975c104a69c60dd68ddd69255f3cb530d9e644049a3d8518238f784b294ead", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|178|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/contexts/PublicShareContext.tsx"}, "region": {"startLine": 178}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection). Triage note: in a TypeScript file the matched token `.exec(` is also how RegExp.prototype.exec() is called, which runs a regular expression and does not evaluate code; confirm what the receiver is at the reported line before treating this finding as eval injection."}, "properties": {"repobilityId": 121143, "scanner": "repobility-threat-engine", "fingerprint": "2fca2cf32fe8f867c2c0bf7ae86bfd6b810665e0b4957b67693cd2d93e831e1b", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|20|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/ThinkingText.tsx"}, "region": {"startLine": 20}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 121130, "scanner": "repobility-agent-runtime", "fingerprint": "f137aea17b533dae993b507228e33d87e31c40b0e7b9b6e7dd113189c815a2ad", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|f137aea17b533dae993b507228e33d87e31c40b0e7b9b6e7dd113189c815a2ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/routes/server-info.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "AGT016", "level": "warning", "message": {"text": "Codex session log reader may expose prompts or tool-call content"}, "properties": {"repobilityId": 121129, "scanner": "repobility-agent-runtime", "fingerprint": "79cfd5219786417e52e5280c1007fb95b04aa909d591656c0410948cb06adf59", "category": "quality", "severity": "medium", 
"confidence": 0.73, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File reads Codex session JSONL or usage logs and references prompt/message/tool content without visible redaction controls.", "evidence": {"rule_id": "AGT016", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|79cfd5219786417e52e5280c1007fb95b04aa909d591656c0410948cb06adf59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/projects/scanner.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "AGT016", "level": "warning", "message": {"text": "Codex session log reader may expose prompts or tool-call content"}, "properties": {"repobilityId": 121128, "scanner": "repobility-agent-runtime", "fingerprint": "75cef9c8666c2cc607779bc9b51e1e6768c0c21753dad7c8373b1dfde2a38c44", "category": "quality", "severity": "medium", "confidence": 0.73, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File reads Codex session JSONL or usage logs and references prompt/message/tool content without visible redaction controls.", "evidence": {"rule_id": "AGT016", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|75cef9c8666c2cc607779bc9b51e1e6768c0c21753dad7c8373b1dfde2a38c44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/projects/paths.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "AGT016", "level": "warning", "message": {"text": "Codex session log reader may expose prompts or tool-call content"}, "properties": {"repobilityId": 121127, "scanner": "repobility-agent-runtime", "fingerprint": "a02a35e9dde6c26c59727a759bb0e762c58a697c6f2db0a028feea79f053d724", "category": "quality", "severity": "medium", "confidence": 0.73, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File reads Codex session JSONL or usage logs and references prompt/message/tool content without visible redaction controls.", "evidence": 
{"rule_id": "AGT016", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|a02a35e9dde6c26c59727a759bb0e762c58a697c6f2db0a028feea79f053d724"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/indexes/SessionIndexService.ts"}, "region": {"startLine": 84}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 121126, "scanner": "repobility-agent-runtime", "fingerprint": "55c2dabd70c9dd8bc1ce281645c118a1e9e1d4d24afa4cc8fe411f17390737ec", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|55c2dabd70c9dd8bc1ce281645c118a1e9e1d4d24afa4cc8fe411f17390737ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/index.ts"}, "region": {"startLine": 212}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 121125, "scanner": "repobility-agent-runtime", "fingerprint": "78ef114666e4536af717cb41e47165743fc9be613efe5b5dcc4810fb2983985c", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|78ef114666e4536af717cb41e47165743fc9be613efe5b5dcc4810fb2983985c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"packages/server/src/cli.ts"}, "region": {"startLine": 85}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 121124, "scanner": "repobility-agent-runtime", "fingerprint": "0f2686952193a4fc1ed3ea38191e460f2188b8c66a983e680e246e8c4ce7878c", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|0f2686952193a4fc1ed3ea38191e460f2188b8c66a983e680e246e8c4ce7878c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/lib/hostStorage.ts"}, "region": {"startLine": 59}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 121123, "scanner": "repobility-agent-runtime", "fingerprint": "102ae24c8270587e520a35d8fdbfdb01bf3b16534a27aa32ec852c8d828772c9", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|102ae24c8270587e520a35d8fdbfdb01bf3b16534a27aa32ec852c8d828772c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/hooks/useSession.ts"}, "region": {"startLine": 338}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are 
swallowed silently"}, "properties": {"repobilityId": 121122, "scanner": "repobility-agent-runtime", "fingerprint": "fe5535122213e04da841502d8771042fe098dfd1f07bb15e8dfd9fc4fbddb33e", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|fe5535122213e04da841502d8771042fe098dfd1f07bb15e8dfd9fc4fbddb33e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/hooks/useRemoteCompatibilityNoticeDismissals.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 121121, "scanner": "repobility-agent-runtime", "fingerprint": "0ada0fae3576ca316daf4e5b1b120cc2af45f5afab458a30f560d19313b0cc08", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|0ada0fae3576ca316daf4e5b1b120cc2af45f5afab458a30f560d19313b0cc08"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/hooks/useDrafts.ts"}, "region": {"startLine": 163}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 121120, "scanner": "repobility-agent-runtime", "fingerprint": 
"02f97f9c76d46382b7ef58d1e3f3b0e0bd72161916b6c46253f0f56cbfbcce4a", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|02f97f9c76d46382b7ef58d1e3f3b0e0bd72161916b6c46253f0f56cbfbcce4a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/hooks/useDraftPersistence.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 121119, "scanner": "repobility-agent-runtime", "fingerprint": "ba18da4f873d1c3bfa0f7b6faa76861a9eaa4455656f84136d7636565004c54a", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|ba18da4f873d1c3bfa0f7b6faa76861a9eaa4455656f84136d7636565004c54a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/contexts/RemoteConnectionContext.tsx"}, "region": {"startLine": 169}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 121118, "scanner": "repobility-agent-runtime", "fingerprint": "26bb7bed5c2004fe9162f6df5560e2d23902b238b8c353214b6a2d894f769a32", "category": "quality", "severity": "medium", "confidence": 0.8, 
"triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|26bb7bed5c2004fe9162f6df5560e2d23902b238b8c353214b6a2d894f769a32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/CodexUpdatePrompt.tsx"}, "region": {"startLine": 19}}}]}, {"ruleId": "AGT016", "level": "warning", "message": {"text": "Codex session log reader may expose prompts or tool-call content"}, "properties": {"repobilityId": 121117, "scanner": "repobility-agent-runtime", "fingerprint": "6109c9e0735aba6e1dc52d65d18c2a7d73cf343dcc516e2c8382062666218ccb", "category": "quality", "severity": "medium", "confidence": 0.73, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File reads Codex session JSONL or usage logs and references prompt/message/tool content without visible redaction controls.", "evidence": {"rule_id": "AGT016", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|6109c9e0735aba6e1dc52d65d18c2a7d73cf343dcc516e2c8382062666218ccb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/e2e/global-setup.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "AGT013", "level": "warning", "message": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "properties": {"repobilityId": 121116, "scanner": "repobility-agent-runtime", "fingerprint": "b038b4abaf06eb73da385fd9dbd4b5f25041c3fae42b5a33bdd9bf06cbd35347", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File exposes or configures a broad agent auto-approval mode without enough local guard wording.", 
"evidence": {"rule_id": "AGT013", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|b038b4abaf06eb73da385fd9dbd4b5f25041c3fae42b5a33bdd9bf06cbd35347"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/research/subscription-access-approaches.md"}, "region": {"startLine": 44}}}]}, {"ruleId": "AGT013", "level": "warning", "message": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "properties": {"repobilityId": 121115, "scanner": "repobility-agent-runtime", "fingerprint": "08163b7245ad1a883614b9e3bce6f1215da0325e0c15fc6fb2210c4f5e019205", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File exposes or configures a broad agent auto-approval mode without enough local guard wording.", "evidence": {"rule_id": "AGT013", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|08163b7245ad1a883614b9e3bce6f1215da0325e0c15fc6fb2210c4f5e019205"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/competitive/emdash.md"}, "region": {"startLine": 42}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 121114, "scanner": "repobility-agent-runtime", "fingerprint": "2e58b3bac95358c29d2510c8207328076a9b453a0066f29d044e029f605fe566", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|2e58b3bac95358c29d2510c8207328076a9b453a0066f29d044e029f605fe566"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"docs/archive/claude-anywhere-vision.md"}, "region": {"startLine": 299}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `shiki` is 1 major version(s) behind (3.23.0 -> 4.2.0)"}, "properties": {"repobilityId": 121102, "scanner": "repobility-dependency-currency", "fingerprint": "f0d6f9cf4354509adc5d05ef393a94112523a693f32d8549bfba13d176fceab2", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "shiki", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.2.0", "correlation_key": "fp|f0d6f9cf4354509adc5d05ef393a94112523a693f32d8549bfba13d176fceab2", "current_version": "3.23.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `marked` is 1 major version(s) behind (^17.0.1 -> 18.0.5)"}, "properties": {"repobilityId": 121099, "scanner": "repobility-dependency-currency", "fingerprint": "c97d7703cfce9783ed39935a19cf44441ddc0fd202196f1e0fe71a049cc825ab", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "marked", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "18.0.5", "correlation_key": "fp|c97d7703cfce9783ed39935a19cf44441ddc0fd202196f1e0fe71a049cc825ab", "current_version": "^17.0.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm 
package `diff` is 1 major version(s) behind (8.0.3 -> 9.0.0)"}, "properties": {"repobilityId": 121097, "scanner": "repobility-dependency-currency", "fingerprint": "9406ca6a78b68c8ebd010a8ca4f188f24a4bb08214488281d91ee88b1bfae1fd", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "diff", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "9.0.0", "correlation_key": "fp|9406ca6a78b68c8ebd010a8ca4f188f24a4bb08214488281d91ee88b1bfae1fd", "current_version": "8.0.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@hono/node-server` is 1 major version(s) behind (^1.19.9 -> 2.0.4)"}, "properties": {"repobilityId": 121095, "scanner": "repobility-dependency-currency", "fingerprint": "8a9a55b58dcef37c7defe26c65fbdf6bfdf3805340c9502abccab94838ba9909", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@hono/node-server", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.0.4", "correlation_key": "fp|8a9a55b58dcef37c7defe26c65fbdf6bfdf3805340c9502abccab94838ba9909", "current_version": "^1.19.9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 121016, "scanner": "repobility-ast-engine", "fingerprint": 
"22124131aa595bf1457f0586c1ad7f1b4453e036dd9f6c760fbefa65d41efe31", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|22124131aa595bf1457f0586c1ad7f1b4453e036dd9f6c760fbefa65d41efe31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/voice/whisper_worker.py"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 121015, "scanner": "repobility-ast-engine", "fingerprint": "7d0b3ab4f3b99c12e94a3e7873a0c0a312f438ef2d9bbd0efb620155aed1a5f8", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7d0b3ab4f3b99c12e94a3e7873a0c0a312f438ef2d9bbd0efb620155aed1a5f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/voice/whisper_worker.py"}, "region": {"startLine": 45}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 121405, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": 
"WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 121404, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 121403, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": 
"note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 121402, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mwv9-gp5h-frr4", "level": "note", "message": {"text": "devalue: GHSA-mwv9-gp5h-frr4"}, "properties": {"repobilityId": 121381, "scanner": "osv-scanner", "fingerprint": "b18ae0e8e93cb5ce2871f2b103fe75ef1cf848e4745b16cf4b4033dbc2ec202a", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "devalue", "rule_id": "GHSA-mwv9-gp5h-frr4", "scanner": "osv-scanner", "correlation_key": "vuln|devalue|GHSA-MWV9-GP5H-FRR4|site/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xr5h-phrj-8vxv", "level": "note", "message": {"text": "astro: GHSA-xr5h-phrj-8vxv"}, "properties": {"repobilityId": 121377, "scanner": "osv-scanner", "fingerprint": "928d3fb3abe6831bfa82fbfb3a46f6c1b4ff904f826e3fab5da1e6a44a44819d", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45028"], "package": "astro", 
"rule_id": "GHSA-xr5h-phrj-8vxv", "scanner": "osv-scanner", "correlation_key": "vuln|astro|CVE-2026-45028|site/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-g735-7g2w-hh3f", "level": "note", "message": {"text": "astro: GHSA-g735-7g2w-hh3f"}, "properties": {"repobilityId": 121375, "scanner": "osv-scanner", "fingerprint": "a2b737bc3c23ac18607ca7ea63344a11b46eef747e07c42aaeb74e4147dc19ea", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33769"], "package": "astro", "rule_id": "GHSA-g735-7g2w-hh3f", "scanner": "osv-scanner", "correlation_key": "vuln|astro|CVE-2026-33769|site/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-hm8q-7f3q-5f36", "level": "note", "message": {"text": "hono: GHSA-hm8q-7f3q-5f36"}, "properties": {"repobilityId": 121344, "scanner": "osv-scanner", "fingerprint": "7fd3c15228d52b639071c13076b2a0652a502eeed6bebe74b270a7d297575d68", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44459"], "package": "hono", "rule_id": "GHSA-hm8q-7f3q-5f36", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-44459|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xmgf-hq76-4vx2", "level": "note", "message": {"text": "openssl: GHSA-xmgf-hq76-4vx2"}, "properties": {"repobilityId": 121235, "scanner": "osv-scanner", "fingerprint": "f5ad82621dec2ff5c955378bede783334de3ea3a62e0eb65e41fbe67a69fd509", "category": "dependency", "severity": "low", "confidence": 0.88, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41677"], "package": "openssl", "rule_id": "GHSA-xmgf-hq76-4vx2", "scanner": "osv-scanner", "correlation_key": "vuln|openssl|CVE-2026-41677|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 121212, "scanner": "repobility-docker", "fingerprint": "35946a2a62c37dd39085daf32aeb128735fbe31da8557ca76bfab4410bb9a367", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "yep-sandbox", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|35946a2a62c37dd39085daf32aeb128735fbe31da8557ca76bfab4410bb9a367"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 121209, "scanner": "repobility-docker", "fingerprint": "56adefc4254cb3aadc64ee488998a2eb69428a07a76eb3914d7965e9a897398e", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": 
"fp|56adefc4254cb3aadc64ee488998a2eb69428a07a76eb3914d7965e9a897398e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile"}, "region": {"startLine": 8}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 121180, "scanner": "repobility-threat-engine", "fingerprint": "05cf9bc923f503a17f051b86573a0d22d8bfc461b9b33d456c2c20fa00edef24", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = stdin.Close(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|05cf9bc923f503a17f051b86573a0d22d8bfc461b9b33d456c2c20fa00edef24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/internal/device/chromeos_device.go"}, "region": {"startLine": 60}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 121179, "scanner": "repobility-threat-engine", "fingerprint": "d545021117d04d60175dc02116f15139749ef300b971ac0579d76720b51ca614", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = fs.Sub(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d545021117d04d60175dc02116f15139749ef300b971ac0579d76720b51ca614"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/cmd/bridge/main.go"}, "region": {"startLine": 81}}}]}, 
{"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 121158, "scanner": "repobility-threat-engine", "fingerprint": "868b00832d621506d43d6034e9d1dfe27146335536dff9aa75afe5327b8219d8", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = h", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|20|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/publicShareFileViewerSource.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@tauri-apps/cli` is minor version(s) behind (^2 -> 2.11.2)"}, "properties": {"repobilityId": 121113, "scanner": "repobility-dependency-currency", "fingerprint": "18bcb0ceb8aa1e819893e29332f78d4e0b18bbe2ef2af2162b8f59c73f8d3a06", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@tauri-apps/cli", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.11.2", "correlation_key": "fp|18bcb0ceb8aa1e819893e29332f78d4e0b18bbe2ef2af2162b8f59c73f8d3a06", "current_version": "^2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@xterm/addon-fit` is minor version(s) behind 
(^0.10.0 -> 0.11.0)"}, "properties": {"repobilityId": 121112, "scanner": "repobility-dependency-currency", "fingerprint": "2e34813827f4c006a8eef6d229c7c1dd800844fffd11a9ae499ab9dfcfc95214", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@xterm/addon-fit", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.11.0", "correlation_key": "fp|2e34813827f4c006a8eef6d229c7c1dd800844fffd11a9ae499ab9dfcfc95214", "current_version": "^0.10.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@tauri-apps/plugin-updater` is minor version(s) behind (^2 -> 2.10.1)"}, "properties": {"repobilityId": 121111, "scanner": "repobility-dependency-currency", "fingerprint": "65ee18f474f88930d76d1ae8b86fba75bf0b439b58f27239e9ae0fb59fd5e215", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@tauri-apps/plugin-updater", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.10.1", "correlation_key": "fp|65ee18f474f88930d76d1ae8b86fba75bf0b439b58f27239e9ae0fb59fd5e215", "current_version": "^2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@tauri-apps/plugin-shell` is minor version(s) behind (^2 -> 2.3.5)"}, "properties": {"repobilityId": 121110, "scanner": "repobility-dependency-currency", 
"fingerprint": "0c51cb3765b4f6a64e02e4572682143a3ef9ef64147c6d5e1122443ef5bcdc61", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@tauri-apps/plugin-shell", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.3.5", "correlation_key": "fp|0c51cb3765b4f6a64e02e4572682143a3ef9ef64147c6d5e1122443ef5bcdc61", "current_version": "^2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@tauri-apps/plugin-process` is minor version(s) behind (^2 -> 2.3.1)"}, "properties": {"repobilityId": 121109, "scanner": "repobility-dependency-currency", "fingerprint": "9f8f2665188fffcecda844ab4f1c0794089c630e02b9befe25c2beabc2cfe7c7", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@tauri-apps/plugin-process", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.3.1", "correlation_key": "fp|9f8f2665188fffcecda844ab4f1c0794089c630e02b9befe25c2beabc2cfe7c7", "current_version": "^2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@tauri-apps/plugin-opener` is minor version(s) behind (^2 -> 2.5.4)"}, "properties": {"repobilityId": 121108, "scanner": "repobility-dependency-currency", "fingerprint": "78a174b29f99f11f0425f38190080b1aeb532c19128be35522ade2cb893b184b", "category": "dependency", 
"severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@tauri-apps/plugin-opener", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.5.4", "correlation_key": "fp|78a174b29f99f11f0425f38190080b1aeb532c19128be35522ade2cb893b184b", "current_version": "^2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@tauri-apps/api` is minor version(s) behind (^2 -> 2.11.0)"}, "properties": {"repobilityId": 121107, "scanner": "repobility-dependency-currency", "fingerprint": "2a1500e60265bcaba78e746c596ae6e3f060e82bbe5c67b22e7c091472aafc07", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@tauri-apps/api", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.11.0", "correlation_key": "fp|2a1500e60265bcaba78e746c596ae6e3f060e82bbe5c67b22e7c091472aafc07", "current_version": "^2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@tauri-apps/cli` is minor version(s) behind (^2 -> 2.11.2)"}, "properties": {"repobilityId": 121106, "scanner": "repobility-dependency-currency", "fingerprint": "179610afc018729d8ff74625f367eadb71efe6dbad76dfc8227ea356d2f127e0", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor 
version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@tauri-apps/cli", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.11.2", "correlation_key": "fp|179610afc018729d8ff74625f367eadb71efe6dbad76dfc8227ea356d2f127e0", "current_version": "^2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mobile/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `tsx` is minor version(s) behind (^4.19.2 -> 4.22.4)"}, "properties": {"repobilityId": 121105, "scanner": "repobility-dependency-currency", "fingerprint": "23b91b28b58546e5596b684f81fc23d7fb31c833b25ac8b2af620b8af6429bb4", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "tsx", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.22.4", "correlation_key": "fp|23b91b28b58546e5596b684f81fc23d7fb31c833b25ac8b2af620b8af6429bb4", "current_version": "^4.19.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `ws` is minor version(s) behind (8.18.0 -> 8.21.0)"}, "properties": {"repobilityId": 121103, "scanner": "repobility-dependency-currency", "fingerprint": "2453f8150ce40404ed853f230dc3e38c54ab27dbc5e481552353295671e771f1", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "ws", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], 
"latest_version": "8.21.0", "correlation_key": "fp|2453f8150ce40404ed853f230dc3e38c54ab27dbc5e481552353295671e771f1", "current_version": "8.18.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `pino` is minor version(s) behind (^10.1.0 -> 10.3.1)"}, "properties": {"repobilityId": 121100, "scanner": "repobility-dependency-currency", "fingerprint": "6c23288b6fec809c368eb24921e5412ab4c1072dab6e452b24b56c7c58bf15a0", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "pino", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.3.1", "correlation_key": "fp|6c23288b6fec809c368eb24921e5412ab4c1072dab6e452b24b56c7c58bf15a0", "current_version": "^10.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `katex` is minor version(s) behind (^0.16.45 -> 0.17.0)"}, "properties": {"repobilityId": 121098, "scanner": "repobility-dependency-currency", "fingerprint": "aad25ec82f737e136ff2a566cfa25f1607e579c7ca912733b1839e675cf159c0", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "katex", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.17.0", "correlation_key": "fp|aad25ec82f737e136ff2a566cfa25f1607e579c7ca912733b1839e675cf159c0", "current_version": "^0.16.45"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "packages/server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@hono/node-ws` is minor version(s) behind (^1.2.0 -> 1.3.1)"}, "properties": {"repobilityId": 121096, "scanner": "repobility-dependency-currency", "fingerprint": "40ff0f06bd0ebddabfb91ccc3a8cb22888d6b8a874739425a224278b91aba0f9", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@hono/node-ws", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.3.1", "correlation_key": "fp|40ff0f06bd0ebddabfb91ccc3a8cb22888d6b8a874739425a224278b91aba0f9", "current_version": "^1.2.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@agentclientprotocol/sdk` is minor version(s) behind (^0.12.0 -> 0.25.0)"}, "properties": {"repobilityId": 121093, "scanner": "repobility-dependency-currency", "fingerprint": "33ab879533336e800cf122d14643af1c99ef21d04da8c30340dc7593d02bcd63", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@agentclientprotocol/sdk", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.25.0", "correlation_key": "fp|33ab879533336e800cf122d14643af1c99ef21d04da8c30340dc7593d02bcd63", "current_version": "^0.12.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/package.json"}, "region": {"startLine": 1}}}]}, 
{"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@cloudflare/workers-types` is minor version(s) behind (4.20260302.0 -> 4.20260605.1)"}, "properties": {"repobilityId": 121090, "scanner": "repobility-dependency-currency", "fingerprint": "b2fbd67f92bd8044ba0af6bc7a67f0ed23a3f529988e64ff3e7d399c2a862941", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@cloudflare/workers-types", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.20260605.1", "correlation_key": "fp|b2fbd67f92bd8044ba0af6bc7a67f0ed23a3f529988e64ff3e7d399c2a862941", "current_version": "4.20260302.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sharing-worker/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `tsx` is minor version(s) behind (^4.19.2 -> 4.22.4)"}, "properties": {"repobilityId": 121089, "scanner": "repobility-dependency-currency", "fingerprint": "aeeee92e19506eca34dea37c79de5333d7a813727848b14db93b45ba9fa88084", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "tsx", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.22.4", "correlation_key": "fp|aeeee92e19506eca34dea37c79de5333d7a813727848b14db93b45ba9fa88084", "current_version": "^4.19.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": 
{"repobilityId": 121014, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e2d894be6123c129e913964b2d295e67997adc60e1d79af623cfaed99c6dcaf5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/vite.config.remote.ts", "duplicate_line": 6, "correlation_key": "fp|e2d894be6123c129e913964b2d295e67997adc60e1d79af623cfaed99c6dcaf5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/vite.config.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 121013, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b56d799818a64becbc2048cfb54ff77a117b81d0684fbb9d49140a03840bd490", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/pages/HostPickerPage.tsx", "duplicate_line": 178, "correlation_key": "fp|b56d799818a64becbc2048cfb54ff77a117b81d0684fbb9d49140a03840bd490"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/pages/RemoteLoginModePage.tsx"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 121012, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"ad87f5f835dd6ba167ec11f510d42df0e98b16dcb09c561c0a12892364078711", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/pages/DirectLoginPage.tsx", "duplicate_line": 26, "correlation_key": "fp|ad87f5f835dd6ba167ec11f510d42df0e98b16dcb09c561c0a12892364078711"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/pages/RelayLoginPage.tsx"}, "region": {"startLine": 108}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 121011, "scanner": "repobility-ai-code-hygiene", "fingerprint": "65a6e5111a5b982b8d24bf3a5a622f70066e958fb4755c535143de76b52a7a36", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/pages/PublicShareFilePage.tsx", "duplicate_line": 29, "correlation_key": "fp|65a6e5111a5b982b8d24bf3a5a622f70066e958fb4755c535143de76b52a7a36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/pages/PublicSharePage.tsx"}, "region": {"startLine": 225}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 121010, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e303ef2ecf9412edadf1eee677f691e475ff595c6deb53007e86bfa6be68a6fa", "category": "quality", 
"severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/InboxContent.tsx", "duplicate_line": 238, "correlation_key": "fp|e303ef2ecf9412edadf1eee677f691e475ff595c6deb53007e86bfa6be68a6fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/pages/ProjectsPage.tsx"}, "region": {"startLine": 171}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 121009, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ca75eed87504f88c447fae8d4d466464ee6fa9c98044dad4f2380c87780a478b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/ProjectCard.tsx", "duplicate_line": 70, "correlation_key": "fp|ca75eed87504f88c447fae8d4d466464ee6fa9c98044dad4f2380c87780a478b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/pages/ProjectsPage.tsx"}, "region": {"startLine": 117}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 121008, "scanner": "repobility-ai-code-hygiene", "fingerprint": "eab324c929cbd2d591473093b1d6ff97155a86d64c1ea4757560d94e54f28146", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": 
false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/BulkActionBar.tsx", "duplicate_line": 56, "correlation_key": "fp|eab324c929cbd2d591473093b1d6ff97155a86d64c1ea4757560d94e54f28146"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/pages/ProjectsPage.tsx"}, "region": {"startLine": 116}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 121007, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e1f336ad461e5907bea8d592f371790cee223352163ec215361407e3b91252e2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/pages/DirectLoginPage.tsx", "duplicate_line": 26, "correlation_key": "fp|e1f336ad461e5907bea8d592f371790cee223352163ec215361407e3b91252e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/pages/HostPickerPage.tsx"}, "region": {"startLine": 170}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 121006, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a50f38672d160f8936e27b93b23932d7fd7af0b3082f36ca51e8026e8545bb38", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": 
{"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/SidebarNavItem.tsx", "duplicate_line": 117, "correlation_key": "fp|a50f38672d160f8936e27b93b23932d7fd7af0b3082f36ca51e8026e8545bb38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/pages/GitStatusPage.tsx"}, "region": {"startLine": 104}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 121005, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e235badd4f6ed5dec4e9e77721738830eec00e893825230c9b0075ac4076bf0d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/LocalMediaModal.tsx", "duplicate_line": 255, "correlation_key": "fp|e235badd4f6ed5dec4e9e77721738830eec00e893825230c9b0075ac4076bf0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/lib/connection/DirectConnection.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 121004, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1a7fa8c2b44fb1bddafc110c4751e6ff1946b1eed5fd5df9e18a1bd57a3d745d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", 
"references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/contexts/ToastContext.tsx", "duplicate_line": 26, "correlation_key": "fp|1a7fa8c2b44fb1bddafc110c4751e6ff1946b1eed5fd5df9e18a1bd57a3d745d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/hooks/useToast.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 121003, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bc8e2e5ddb42fb0000722705d5a3aa692453b43f0cbee2ca627208f2e882e030", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/hooks/useSessionStream.ts", "duplicate_line": 78, "correlation_key": "fp|bc8e2e5ddb42fb0000722705d5a3aa692453b43f0cbee2ca627208f2e882e030"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/hooks/useSessionWatchStream.ts"}, "region": {"startLine": 57}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 121002, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bd76892da1bd95154ebe3dc2e74275308ae2e768d8498e3ca0056c02f890d7af", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"packages/client/src/components/SpeechSmartTurnControls.tsx", "duplicate_line": 17, "correlation_key": "fp|bd76892da1bd95154ebe3dc2e74275308ae2e768d8498e3ca0056c02f890d7af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/hooks/useModelSettings.ts"}, "region": {"startLine": 119}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 121001, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d1cfbe11cfa41b06f09cb7b964a781a00a0c554d8b177cf651014baa1ac5856a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/FilePathLink.tsx", "duplicate_line": 212, "correlation_key": "fp|d1cfbe11cfa41b06f09cb7b964a781a00a0c554d8b177cf651014baa1ac5856a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/ui/Modal.tsx"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 121000, "scanner": "repobility-ai-code-hygiene", "fingerprint": "36373b47500040dc909b2276f742e3045c606e4d265ad000e9fe211bb0287c51", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/blocks/TextBlock.tsx", "duplicate_line": 205, 
"correlation_key": "fp|36373b47500040dc909b2276f742e3045c606e4d265ad000e9fe211bb0287c51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/ui/CopyTextButton.tsx"}, "region": {"startLine": 70}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 120999, "scanner": "repobility-ai-code-hygiene", "fingerprint": "57229ae3129e7e7ef4ea52409f7f0205e3f250e9170eb61a30285f0d4ef74829", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/renderers/tools/BashRenderer.tsx", "duplicate_line": 292, "correlation_key": "fp|57229ae3129e7e7ef4ea52409f7f0205e3f250e9170eb61a30285f0d4ef74829"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/renderers/tools/WriteRenderer.tsx"}, "region": {"startLine": 242}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 120998, "scanner": "repobility-ai-code-hygiene", "fingerprint": "df26d5b58d2a62dc617d94d4fb3e11f6288b0d91f9d36bc321aec9d8970201c8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/renderers/tools/ReadRenderer.tsx", "duplicate_line": 240, "correlation_key": 
"fp|df26d5b58d2a62dc617d94d4fb3e11f6288b0d91f9d36bc321aec9d8970201c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/renderers/tools/WriteRenderer.tsx"}, "region": {"startLine": 62}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 120997, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b061fcd00ebdde4f0860bba62e622657f71ca72679a5e05b92229c54036a548c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/renderers/tools/GrepRenderer.tsx", "duplicate_line": 253, "correlation_key": "fp|b061fcd00ebdde4f0860bba62e622657f71ca72679a5e05b92229c54036a548c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/renderers/tools/WebFetchRenderer.tsx"}, "region": {"startLine": 104}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 120996, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8dbbbda5464199106bf7243b1bd61a0935b5bb996351224219d8b3ba96f39994", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/renderers/tools/GlobRenderer.tsx", "duplicate_line": 83, "correlation_key": 
"fp|8dbbbda5464199106bf7243b1bd61a0935b5bb996351224219d8b3ba96f39994"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/renderers/tools/GrepRenderer.tsx"}, "region": {"startLine": 212}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 120995, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0f38b2a1ae5c7c00152f7c479508f376b680316ea1d134eedc4becc22190c8fb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/blocks/TextBlock.tsx", "duplicate_line": 222, "correlation_key": "fp|0f38b2a1ae5c7c00152f7c479508f376b680316ea1d134eedc4becc22190c8fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/renderers/tools/BashRenderer.tsx"}, "region": {"startLine": 113}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 120994, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1182ef7b5e9db12cc84e4303c7727419456c3a2ab6f571469167d9a91871eed1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/blocks/TextBlock.tsx", "duplicate_line": 182, "correlation_key": 
"fp|1182ef7b5e9db12cc84e4303c7727419456c3a2ab6f571469167d9a91871eed1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/renderers/blocks/TextRenderer.tsx"}, "region": {"startLine": 29}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 120993, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d4aa4830e9f5b7aba0c25a9e94cc4daf082cca51c1d0a44627360f8f78b65f55", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "site/public/branding/yepanywhere-final.jsx", "duplicate_line": 355, "correlation_key": "fp|d4aa4830e9f5b7aba0c25a9e94cc4daf082cca51c1d0a44627360f8f78b65f55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/YepAnywhereLogo.tsx"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 120992, "scanner": "repobility-ai-code-hygiene", "fingerprint": "646a3974ad81157857c55f98e43b6fac9be5afbea673f881c00cfd766366e3bc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/QuestionAnswerPanel.tsx", "duplicate_line": 176, "correlation_key": "fp|646a3974ad81157857c55f98e43b6fac9be5afbea673f881c00cfd766366e3bc"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/ToolApprovalPanel.tsx"}, "region": {"startLine": 192}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 120991, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7741d265727d63ab981f41e317fe393af1b949cb3a2008f7b076d86f07e2b1c2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/BulkActionBar.tsx", "duplicate_line": 245, "correlation_key": "fp|7741d265727d63ab981f41e317fe393af1b949cb3a2008f7b076d86f07e2b1c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/SidebarNavItem.tsx"}, "region": {"startLine": 132}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 120990, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1936620ba3f831fdba0d365e81c329585e7d7b36d2be00517424dbc99433ab56", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/PageHeader.tsx", "duplicate_line": 14, "correlation_key": "fp|1936620ba3f831fdba0d365e81c329585e7d7b36d2be00517424dbc99433ab56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"packages/client/src/components/Sidebar.tsx"}, "region": {"startLine": 436}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 120989, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9acf9278c10307830cfbaca8bf98355f4f4177fddbc8f1b11a14a1f96733b9f5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/ModelSwitchModal.tsx", "duplicate_line": 428, "correlation_key": "fp|9acf9278c10307830cfbaca8bf98355f4f4177fddbc8f1b11a14a1f96733b9f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/RestartSessionModal.tsx"}, "region": {"startLine": 638}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 120988, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dac2710f0a2f96daed3174f2e0821f5ee6fcab8c353774b278faaa7a043915dd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/FilterDropdown.tsx", "duplicate_line": 95, "correlation_key": "fp|dac2710f0a2f96daed3174f2e0821f5ee6fcab8c353774b278faaa7a043915dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/ProjectSelector.tsx"}, "region": {"startLine": 
47}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 120987, "scanner": "repobility-ai-code-hygiene", "fingerprint": "41f4a478e39aea03bb15f0ec6dc5def0d4e6838a06eef44e1b9b2b97870b5b37", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/BulkActionBar.tsx", "duplicate_line": 56, "correlation_key": "fp|41f4a478e39aea03bb15f0ec6dc5def0d4e6838a06eef44e1b9b2b97870b5b37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/ProjectCard.tsx"}, "region": {"startLine": 69}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 120986, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a76745331e20b725426b5aeb3b105fe52b6b0d47e6a21b72eccfe2074af2531e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/components/FilterDropdown.tsx", "duplicate_line": 105, "correlation_key": "fp|a76745331e20b725426b5aeb3b105fe52b6b0d47e6a21b72eccfe2074af2531e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/ModeSelector.tsx"}, "region": {"startLine": 44}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation 
block across source files"}, "properties": {"repobilityId": 120985, "scanner": "repobility-ai-code-hygiene", "fingerprint": "00d02e343bee9216ea9c3f0b139fdac3157ef475fb86c6b2b7151727be53aa4c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/App.tsx", "duplicate_line": 44, "correlation_key": "fp|00d02e343bee9216ea9c3f0b139fdac3157ef475fb86c6b2b7151727be53aa4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/RemoteApp.tsx"}, "region": {"startLine": 49}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 120984, "scanner": "repobility-ai-code-hygiene", "fingerprint": "eed01818c5a83ad73c28903efdf8bb5c258fbd32cbf935df32591622c78c6cf7", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "final", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|eed01818c5a83ad73c28903efdf8bb5c258fbd32cbf935df32591622c78c6cf7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/public/branding/yepanywhere-final.jsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC009", "level": "note", "message": {"text": "Multiple AI-agent scaffold marker files are present"}, "properties": {"repobilityId": 120983, "scanner": "repobility-ai-code-hygiene", "fingerprint": "637be4b7d792540c9eb7ec6ecee111643252bb60385776703cb965bcde5506e0", "category": "quality", 
"severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository root contains several AI-agent scaffold marker files.", "evidence": {"markers": [".cursorrules", "AGENTS.md", "CLAUDE.md", "GEMINI.md"], "rule_id": "AIC009", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|637be4b7d792540c9eb7ec6ecee111643252bb60385776703cb965bcde5506e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".cursorrules"}, "region": {"startLine": 1}}}]}, {"ruleId": "CORE_NO_LICENSE", "level": "note", "message": {"text": "No LICENSE file"}, "properties": {"repobilityId": 120982, "scanner": "repobility-core", "fingerprint": "9314e9238cd99885865b92490d1aaa96ca62b1390c9377878d5f3d99227e1c3c", "category": "documentation", "severity": "low", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_LICENSE", "scanner": "repobility-core", "correlation_key": "repo|documentation|core_no_license"}}}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 121208, "scanner": "repobility-threat-engine", "fingerprint": "43737fa86dcc94fed56ee60ee1c32acc399eedfdae1069ab270390be3ff75051", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|43737fa86dcc94fed56ee60ee1c32acc399eedfdae1069ab270390be3ff75051"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/build-bundle.ts"}, "region": {"startLine": 319}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 121206, "scanner": "repobility-threat-engine", "fingerprint": "73ba017206308343ec4c3caccfc62e6b8e6fba4f3b730c18ac9381bfc9a7d25f", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "console.warn(\"[sharing] Missing or empty field: secret\")", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|10|console.warn sharing missing or empty field: secret"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/SharingService.ts"}, "region": {"startLine": 103}}}]}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 121203, "scanner": "repobility-threat-engine", "fingerprint": "c066fdac20648ab02e6c78e05ac6d7be6049c4550b793a58bcd25dd5d0594df0", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c066fdac20648ab02e6c78e05ac6d7be6049c4550b793a58bcd25dd5d0594df0"}}}, {"ruleId": "SEC135", "level": "none", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 121199, "scanner": "repobility-threat-engine", "fingerprint": "0e6e1eba61c6534138b0e996edff7f84d3befe0034fc817c7ee20f69e696ce17", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|0e6e1eba61c6534138b0e996edff7f84d3befe0034fc817c7ee20f69e696ce17"}}}, {"ruleId": "MINED031", "level": "none", "message": {"text": "[MINED031] React Direct State Mutation (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 121195, "scanner": "repobility-threat-engine", "fingerprint": "4655a4b594df43737189fb698770c6a9494bced612d07eabc87ea9568303d386", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-direct-state-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347971+00:00", "triaged_in_corpus": 15, "observations_count": 6168, "ai_coder_pattern_id": 137}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|4655a4b594df43737189fb698770c6a9494bced612d07eabc87ea9568303d386", "aggregated_count": 5}}}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 121191, "scanner": "repobility-threat-engine", "fingerprint": "ffae1b4df5f729a65e16a6b28127862977218868cf1e6ae4bbe28350eb438f32", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ffae1b4df5f729a65e16a6b28127862977218868cf1e6ae4bbe28350eb438f32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/relay/src/server.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. 
Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 121190, "scanner": "repobility-threat-engine", "fingerprint": "3c9b98a8916276cf6a779c2e34bf8688b14d6e2de709571128ecf1b5209c2eaa", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3c9b98a8916276cf6a779c2e34bf8688b14d6e2de709571128ecf1b5209c2eaa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/relay/src/origin-policy.ts"}, "region": {"startLine": 212}}}]}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. 
Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 121189, "scanner": "repobility-threat-engine", "fingerprint": "e7ddd6945d43fe435ad181cd0ef6f781386fbf57074d3109250a2ca28e453866", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e7ddd6945d43fe435ad181cd0ef6f781386fbf57074d3109250a2ca28e453866"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/relay/src/index.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 121187, "scanner": "repobility-threat-engine", "fingerprint": "fcf286a56c9b7bbfc780627a1a28988dbbacf71aa351f16138de683ada9d3401", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|fcf286a56c9b7bbfc780627a1a28988dbbacf71aa351f16138de683ada9d3401", "aggregated_count": 1}}}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 121186, "scanner": "repobility-threat-engine", "fingerprint": "7ff65db6f6e9be618cb4601002a0e5e88898f9463f5dc4cd26968ca8816b3bee", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7ff65db6f6e9be618cb4601002a0e5e88898f9463f5dc4cd26968ca8816b3bee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/internal/emulator/client.go"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 121185, "scanner": "repobility-threat-engine", "fingerprint": "33a94a46227616125b7fa6497f8e93ae78e8f692ae24aeefaebde44606ce0451", "category": "quality", "severity": "info", "confidence": 1.0, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|33a94a46227616125b7fa6497f8e93ae78e8f692ae24aeefaebde44606ce0451"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/internal/device/frame_source.go"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 121184, "scanner": "repobility-threat-engine", "fingerprint": "f189dac886958262c66c19f007356a60044a5252f39f05b42a7d2842675efafa", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f189dac886958262c66c19f007356a60044a5252f39f05b42a7d2842675efafa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/cmd/validate/main.go"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. 
Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 121176, "scanner": "repobility-threat-engine", "fingerprint": "f8cbca2dec30fe966a993c49d11f4a7b7c4f2b7de1794645c35f60b5619d5f7e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f8cbca2dec30fe966a993c49d11f4a7b7c4f2b7de1794645c35f60b5619d5f7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/src/server.rs"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 121175, "scanner": "repobility-threat-engine", "fingerprint": "b1de668590313e083974290216229119617fff98965e630206041a8ed50c9172", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b1de668590313e083974290216229119617fff98965e630206041a8ed50c9172"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mobile/src-tauri/src/lib.rs"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 121174, "scanner": "repobility-threat-engine", "fingerprint": "18bfaa0065ad874300bf50041e3cd68979f6c54398e32368624cf8a3a613b0ef", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|18bfaa0065ad874300bf50041e3cd68979f6c54398e32368624cf8a3a613b0ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/src/lib.rs"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 121173, "scanner": "repobility-threat-engine", "fingerprint": "eb8dd2358a71c769b7ea9bec7f9f0f48ca1f107ab68b59b88f572e2051ee5d0f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|eb8dd2358a71c769b7ea9bec7f9f0f48ca1f107ab68b59b88f572e2051ee5d0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/src/config.rs"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 121168, "scanner": "repobility-threat-engine", "fingerprint": "b6c1362f58db0c2d406a939f889786f1003ae2a63495eaa17cb30a3e3da02153", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b6c1362f58db0c2d406a939f889786f1003ae2a63495eaa17cb30a3e3da02153"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/shared/src/ya-client-url.ts"}, "region": 
{"startLine": 32}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 121167, "scanner": "repobility-threat-engine", "fingerprint": "81660ee3c13cb9061c5ab5d840c7a10fb4488e252ae8c3c1ef96130886fd94dc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|81660ee3c13cb9061c5ab5d840c7a10fb4488e252ae8c3c1ef96130886fd94dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/pages/DirectLoginPage.tsx"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 121166, "scanner": "repobility-threat-engine", "fingerprint": "a9290e9308832db1b29e6bdd660fce33b2dfaab9a936cf53d01913e8456ee998", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a9290e9308832db1b29e6bdd660fce33b2dfaab9a936cf53d01913e8456ee998", "aggregated_count": 4}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 121165, "scanner": "repobility-threat-engine", "fingerprint": "d383edc577cb0e07ea51dd27b2460a611911d4cf310bedb90e0e37f24714c1b2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d383edc577cb0e07ea51dd27b2460a611911d4cf310bedb90e0e37f24714c1b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/vite-plugin-csp.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 121164, "scanner": "repobility-threat-engine", "fingerprint": "3155b9789a7df4aafa0060fedc65e252a21023709076b157bf911c8ba85a8955", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3155b9789a7df4aafa0060fedc65e252a21023709076b157bf911c8ba85a8955"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/hooks/useSpeechRecognition.ts"}, "region": {"startLine": 137}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 121163, "scanner": "repobility-threat-engine", "fingerprint": "9f29cad0c0efc709792d1b057990fe6814ce423a2eaf892abe9fb6a6f9ee719e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9f29cad0c0efc709792d1b057990fe6814ce423a2eaf892abe9fb6a6f9ee719e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/hooks/useNotifyInApp.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC083", "level": "none", "message": {"text": "[SEC083] JS: new RegExp() with non-literal (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "properties": {"repobilityId": 121162, "scanner": "repobility-threat-engine", "fingerprint": "a1bb6273fbdc514ec53143946386dbdf16802c8fad0fe59f75dea80ba84c286d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrence found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a1bb6273fbdc514ec53143946386dbdf16802c8fad0fe59f75dea80ba84c286d"}}}, {"ruleId": "SEC006", "level": "none", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 121157, "scanner": "repobility-threat-engine", "fingerprint": "b0b5664ec0e8a7543e20308d390a116c11976001cc122649fc7ffe5c7ca8f3a9", "category": "injection", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "React dangerouslySetInnerHTML \u2014 deliberate pattern with built-in XSS warnings", "evidence": {"match": ".innerHTML = h", "reason": "React dangerouslySetInnerHTML \u2014 deliberate pattern with built-in XSS warnings", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "code|injection|token|23|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/blocks/TextBlock.tsx"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 121156, "scanner": "repobility-threat-engine", "fingerprint": "75e97b7e5032a4f8b44e191a73892a87b930ad9f8576997ceac71d9b2dff8c9b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, 
"ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|75e97b7e5032a4f8b44e191a73892a87b930ad9f8576997ceac71d9b2dff8c9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src/wizard/WizardLayout.tsx"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 121155, "scanner": "repobility-threat-engine", "fingerprint": "f3db86c607d7cb9873f4024e4528fa76bd4c54499ad9128c407a8860d00de8ce", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f3db86c607d7cb9873f4024e4528fa76bd4c54499ad9128c407a8860d00de8ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/ThinkingText.tsx"}, "region": {"startLine": 196}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 20 more): Same pattern found in 20 additional files. 
Review if needed."}, "properties": {"repobilityId": 121154, "scanner": "repobility-threat-engine", "fingerprint": "cab71e3e0d858a3b16cef86155b5a70720336ed5d7b2fcc3b519bb449894bd76", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 20 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 20 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|cab71e3e0d858a3b16cef86155b5a70720336ed5d7b2fcc3b519bb449894bd76"}}}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 121150, "scanner": "repobility-threat-engine", "fingerprint": "9ad9bf0c265cd321c150a08a072a8e145739f2cd1982875a84041789b62e4bac", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|9ad9bf0c265cd321c150a08a072a8e145739f2cd1982875a84041789b62e4bac"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 6 more): Same pattern found in 6 additional files. 
Review if needed."}, "properties": {"repobilityId": 121146, "scanner": "repobility-threat-engine", "fingerprint": "c80ff157c0dd4f06d29a253eef2e040bc846fc539581945c90fe13c6ec14dd22", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c80ff157c0dd4f06d29a253eef2e040bc846fc539581945c90fe13c6ec14dd22"}}}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 121142, "scanner": "repobility-threat-engine", "fingerprint": "b00d577a1057957f67ad2302cbc95a6a91a9ef4fe2a39ce058aadf87e6fd4ded", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|b00d577a1057957f67ad2302cbc95a6a91a9ef4fe2a39ce058aadf87e6fd4ded", "aggregated_count": 4}}}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 121141, "scanner": "repobility-threat-engine", "fingerprint": "3f68824e3a57652c220073a77ddfac219ba60fe642e960ee0abf8aacf2cabb85", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3f68824e3a57652c220073a77ddfac219ba60fe642e960ee0abf8aacf2cabb85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/renderers/blocks/TextRenderer.tsx"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. 
Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 121140, "scanner": "repobility-threat-engine", "fingerprint": "61f646d842bbbb55fc54c0f2ab8520c831c51542ba3eb97a3c26b2018bef1b21", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|61f646d842bbbb55fc54c0f2ab8520c831c51542ba3eb97a3c26b2018bef1b21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/blocks/TextBlock.tsx"}, "region": {"startLine": 199}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. 
Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 121139, "scanner": "repobility-threat-engine", "fingerprint": "56a82795cc6280fe1f82308b72a3e1c317217a6e1c6b5de95c0c9e17269f6aee", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|56a82795cc6280fe1f82308b72a3e1c317217a6e1c6b5de95c0c9e17269f6aee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/MarkdownPreview.tsx"}, "region": {"startLine": 161}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 29 more): Same pattern found in 29 additional files. Review if needed."}, "properties": {"repobilityId": 121138, "scanner": "repobility-threat-engine", "fingerprint": "063abbc1a988e6c8b43781a2091a8af2089bfaa08444dfc3e5781c1eafa01559", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 29 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 29 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|063abbc1a988e6c8b43781a2091a8af2089bfaa08444dfc3e5781c1eafa01559"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 74 more): Same pattern found in 74 additional files. Review if needed."}, "properties": {"repobilityId": 121134, "scanner": "repobility-threat-engine", "fingerprint": "22746cb9e5e18719cf317f76d2dd3f52c6f3896913cc89b77c5da63c8fbc388f", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 74 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|22746cb9e5e18719cf317f76d2dd3f52c6f3896913cc89b77c5da63c8fbc388f", "aggregated_count": 74}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 121133, "scanner": "repobility-threat-engine", "fingerprint": "56db3b1b635ac3193b84ced09157094ebf4931c6ef924cde54123d4228271957", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|56db3b1b635ac3193b84ced09157094ebf4931c6ef924cde54123d4228271957"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/ErrorBoundary.tsx"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 121132, "scanner": "repobility-threat-engine", "fingerprint": "209a07db1778a0a610a75b16a1a486203a0e542abbb24d1314687d5f9b18a70c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|209a07db1778a0a610a75b16a1a486203a0e542abbb24d1314687d5f9b18a70c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/api/upload.ts"}, "region": {"startLine": 139}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 121131, "scanner": "repobility-threat-engine", "fingerprint": "a3a87e1c99ab5389ae050725d4e14b8f6551b3f698cc5b82f11bc966569c3d35", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a3a87e1c99ab5389ae050725d4e14b8f6551b3f698cc5b82f11bc966569c3d35"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/tasks/archive/analyze-claude-messages.js"}, "region": {"startLine": 372}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@types/sanitize-html` is patch version(s) behind (^2.16.0 -> 2.16.1)"}, "properties": {"repobilityId": 121104, "scanner": "repobility-dependency-currency", "fingerprint": "b1d36dc0625461ed43e42291ca4c9edd6af3aa6c6becf0024e3001e10d4f29a0", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/sanitize-html", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.16.1", "correlation_key": "fp|b1d36dc0625461ed43e42291ca4c9edd6af3aa6c6becf0024e3001e10d4f29a0", "current_version": "^2.16.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": 
{"text": "npm package `sanitize-html` is patch version(s) behind (^2.17.1 -> 2.17.4)"}, "properties": {"repobilityId": 121101, "scanner": "repobility-dependency-currency", "fingerprint": "18efe83f51e846296dd0770b662a588f03d9e8ecb4d0deb62811f6aea24cde40", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "sanitize-html", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.17.4", "correlation_key": "fp|18efe83f51e846296dd0770b662a588f03d9e8ecb4d0deb62811f6aea24cde40", "current_version": "^2.17.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@anthropic-ai/claude-agent-sdk` is patch version(s) behind (^0.3.158 -> 0.3.165)"}, "properties": {"repobilityId": 121094, "scanner": "repobility-dependency-currency", "fingerprint": "95a83c4b448c8e2a44e23c0d3c2b1d9cfa6d797f9cd6018cad819a27ef36483c", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@anthropic-ai/claude-agent-sdk", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.3.165", "correlation_key": "fp|95a83c4b448c8e2a44e23c0d3c2b1d9cfa6d797f9cd6018cad819a27ef36483c", "current_version": "^0.3.158"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@astrojs/sitemap` is patch version(s) behind (3.7.0 -> 3.7.3)"}, 
"properties": {"repobilityId": 121092, "scanner": "repobility-dependency-currency", "fingerprint": "ad597a753776beb8f7d0dc7f88c89cc80cd442b9cab477d50f675168dc2e8b42", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@astrojs/sitemap", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.7.3", "correlation_key": "fp|ad597a753776beb8f7d0dc7f88c89cc80cd442b9cab477d50f675168dc2e8b42", "current_version": "3.7.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@astrojs/check` is patch version(s) behind (0.9.6 -> 0.9.9)"}, "properties": {"repobilityId": 121091, "scanner": "repobility-dependency-currency", "fingerprint": "16294f0dd470dcc2abbd3675b40c62f563e66c841ddc25aa52d24475fd95cf45", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@astrojs/check", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.9.9", "correlation_key": "fp|16294f0dd470dcc2abbd3675b40c62f563e66c841ddc25aa52d24475fd95cf45", "current_version": "0.9.6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 121401, "scanner": "repobility-journey-contract", "fingerprint": "fcedfa0e5e220997fe6645a6c84840a5e80ad56acd3a7f052b40bb653778bbeb", "category": "auth", 
"severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|105|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/pages/LoginPage.tsx"}, "region": {"startLine": 105}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 121400, "scanner": "repobility-journey-contract", "fingerprint": "46cdc1b1d1b932e9022ca7addae3c17882e9fc296ca0f187c0b24bde6be3f0ab", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|173|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/pages/DirectLoginPage.tsx"}, "region": {"startLine": 173}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 121399, "scanner": "repobility-journey-contract", "fingerprint": "734eb07669c427547a95f524dc33aec2ec76aeedb6a4ac9a07d9c727262ac41f", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable 
instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|535|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/RemoteAccessSetup.tsx"}, "region": {"startLine": 535}}}]}, {"ruleId": "GHSA-p9ff-h696-f583", "level": "error", "message": {"text": "vite: GHSA-p9ff-h696-f583"}, "properties": {"repobilityId": 121397, "scanner": "osv-scanner", "fingerprint": "fea3fda6800466f29753a339843d26fadec7730e2847a04c2bf372c29e838499", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39363"], "package": "vite", "rule_id": "GHSA-p9ff-h696-f583", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2026-39363|site/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xpqw-6gx7-v673", "level": "error", "message": {"text": "svgo: GHSA-xpqw-6gx7-v673"}, "properties": {"repobilityId": 121395, "scanner": "osv-scanner", "fingerprint": "271a948939205a41e0ecd9abd48547b6c6d0788663d563df716ce4f584e69dfa", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-29074"], "package": "svgo", "rule_id": "GHSA-xpqw-6gx7-v673", "scanner": "osv-scanner", "correlation_key": "vuln|svgo|CVE-2026-29074|site/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c2c7-rcm5-vvqj", "level": "error", "message": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "properties": {"repobilityId": 
121392, "scanner": "osv-scanner", "fingerprint": "50bf6ad2058c31a2e6f8f89fd9710217424058f98d8dffa7388a5cbb98098048", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33671"], "package": "picomatch", "rule_id": "GHSA-c2c7-rcm5-vvqj", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33671|site/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r5fr-rjxr-66jc", "level": "error", "message": {"text": "lodash: GHSA-r5fr-rjxr-66jc"}, "properties": {"repobilityId": 121389, "scanner": "osv-scanner", "fingerprint": "3eb12b82ddd80fc28022262456f2c2752cbc82513b0a15ad95c1d2aad6eccd9e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4800"], "package": "lodash", "rule_id": "GHSA-r5fr-rjxr-66jc", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2026-4800|site/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-22cc-p3c6-wpvm", "level": "error", "message": {"text": "h3: GHSA-22cc-p3c6-wpvm"}, "properties": {"repobilityId": 121384, "scanner": "osv-scanner", "fingerprint": "aae32f41975a66a0f590610368898245c4e1b492c7bce835c4f78921cce7b832", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33128"], "package": "h3", "rule_id": "GHSA-22cc-p3c6-wpvm", "scanner": "osv-scanner", "correlation_key": "vuln|h3|CVE-2026-33128|site/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"site/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v39h-62p7-jpjc", "level": "error", "message": {"text": "fast-uri: GHSA-v39h-62p7-jpjc"}, "properties": {"repobilityId": 121383, "scanner": "osv-scanner", "fingerprint": "4ea96714f96887ddf4d45e10005dcc796610734725208bd611da2f8dd0e0aa67", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-6322"], "package": "fast-uri", "rule_id": "GHSA-v39h-62p7-jpjc", "scanner": "osv-scanner", "correlation_key": "vuln|fast-uri|CVE-2026-6322|site/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q3j6-qgpj-74h6", "level": "error", "message": {"text": "fast-uri: GHSA-q3j6-qgpj-74h6"}, "properties": {"repobilityId": 121382, "scanner": "osv-scanner", "fingerprint": "e347ab58d4e5a86a046bab6b87a6c262b9741a40ded28552fb3d080f850c3253", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-6321"], "package": "fast-uri", "rule_id": "GHSA-q3j6-qgpj-74h6", "scanner": "osv-scanner", "correlation_key": "vuln|fast-uri|CVE-2026-6321|site/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-77vg-94rm-hx3p", "level": "error", "message": {"text": "devalue: GHSA-77vg-94rm-hx3p"}, "properties": {"repobilityId": 121379, "scanner": "osv-scanner", "fingerprint": "b85797609b192f60858a44fc3670a8ca4885960bb50becc5d437dfe8ef8c1fd1", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42570"], "package": "devalue", 
"rule_id": "GHSA-77vg-94rm-hx3p", "scanner": "osv-scanner", "correlation_key": "vuln|devalue|CVE-2026-42570|site/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-737v-mqg7-c878", "level": "error", "message": {"text": "defu: GHSA-737v-mqg7-c878"}, "properties": {"repobilityId": 121378, "scanner": "osv-scanner", "fingerprint": "df7af04916820971703d6efc3d233c67e217f14587c4be68709fa65bacdcd3e7", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-35209"], "package": "defu", "rule_id": "GHSA-737v-mqg7-c878", "scanner": "osv-scanner", "correlation_key": "vuln|defu|CVE-2026-35209|site/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vrm6-8vpv-qv8q", "level": "error", "message": {"text": "undici: GHSA-vrm6-8vpv-qv8q"}, "properties": {"repobilityId": 121373, "scanner": "osv-scanner", "fingerprint": "4d0860a4182e1ff9e9fb7151ed65e6676221a4197e91a2c74593329530c9ff9b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-1526"], "package": "undici", "rule_id": "GHSA-vrm6-8vpv-qv8q", "scanner": "osv-scanner", "correlation_key": "vuln|undici|CVE-2026-1526|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sharing-worker/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v9p9-hfj2-hcw8", "level": "error", "message": {"text": "undici: GHSA-v9p9-hfj2-hcw8"}, "properties": {"repobilityId": 121372, "scanner": "osv-scanner", "fingerprint": "ae4d93399a2a37ac91c0642c2e26edab3abd910faada104c9dd6ca939487c664", "category": "dependency", "severity": "high", 
"confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2229"], "package": "undici", "rule_id": "GHSA-v9p9-hfj2-hcw8", "scanner": "osv-scanner", "correlation_key": "vuln|undici|CVE-2026-2229|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sharing-worker/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f269-vfmq-vjvj", "level": "error", "message": {"text": "undici: GHSA-f269-vfmq-vjvj"}, "properties": {"repobilityId": 121370, "scanner": "osv-scanner", "fingerprint": "af60b1ba219944d6f382dd76c005e0c980c9c20fd0d077cfe29bc103dcf44fb1", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-1528"], "package": "undici", "rule_id": "GHSA-f269-vfmq-vjvj", "scanner": "osv-scanner", "correlation_key": "vuln|undici|CVE-2026-1528|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sharing-worker/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v2wj-q39q-566r", "level": "error", "message": {"text": "vite: GHSA-v2wj-q39q-566r"}, "properties": {"repobilityId": 121365, "scanner": "osv-scanner", "fingerprint": "68a0844d20f136d615ab0960bcb9f017c7f8e1b97ee41d092d4cde292e2641fe", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39364"], "package": "vite", "rule_id": "GHSA-v2wj-q39q-566r", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2026-39364|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-p9ff-h696-f583", "level": "error", "message": {"text": "vite: GHSA-p9ff-h696-f583"}, "properties": {"repobilityId": 121364, "scanner": 
"osv-scanner", "fingerprint": "e4e3f54a4dc9146916e0304c9d50318b9ef24b5c1473da2baafc759d95054cac", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39363"], "package": "vite", "rule_id": "GHSA-p9ff-h696-f583", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2026-39363|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rxv8-25v2-qmq8", "level": "error", "message": {"text": "react-router: GHSA-rxv8-25v2-qmq8"}, "properties": {"repobilityId": 121362, "scanner": "osv-scanner", "fingerprint": "d54ac0ae65b50040718e99582db89fb0d65bde968ac072dd7b73b9173edcd4ec", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34077"], "package": "react-router", "rule_id": "GHSA-rxv8-25v2-qmq8", "scanner": "osv-scanner", "correlation_key": "vuln|react-router|CVE-2026-34077|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8x6r-g9mw-2r78", "level": "error", "message": {"text": "react-router: GHSA-8x6r-g9mw-2r78"}, "properties": {"repobilityId": 121360, "scanner": "osv-scanner", "fingerprint": "d7a5713bd8c11d0c7b750d95ec72c61cc7ef2e5ceddc2dde6961001c7a686ca1", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42342"], "package": "react-router", "rule_id": "GHSA-8x6r-g9mw-2r78", "scanner": "osv-scanner", "correlation_key": "vuln|react-router|CVE-2026-42342|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 
1}}}]}, {"ruleId": "GHSA-8646-j5j9-6r62", "level": "error", "message": {"text": "react-router: GHSA-8646-j5j9-6r62"}, "properties": {"repobilityId": 121359, "scanner": "osv-scanner", "fingerprint": "db9c15188deb72c2a224efa9b3e547156e60e57f1c44d647e8c25428a4a07309", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33245"], "package": "react-router", "rule_id": "GHSA-8646-j5j9-6r62", "scanner": "osv-scanner", "correlation_key": "vuln|react-router|CVE-2026-33245|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-49rj-9fvp-4h2h", "level": "error", "message": {"text": "react-router: GHSA-49rj-9fvp-4h2h"}, "properties": {"repobilityId": 121358, "scanner": "osv-scanner", "fingerprint": "dfdffa7311db25bf67c737a1115316d3514658a2b848b528389f63b55085770a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42211"], "package": "react-router", "rule_id": "GHSA-49rj-9fvp-4h2h", "scanner": "osv-scanner", "correlation_key": "vuln|react-router|CVE-2026-42211|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c2c7-rcm5-vvqj", "level": "error", "message": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "properties": {"repobilityId": 121354, "scanner": "osv-scanner", "fingerprint": "a3dd2390244022d96de63689cdd673fb906d1165f495d6a42a0980e956db632d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33671"], "package": "picomatch", "rule_id": "GHSA-c2c7-rcm5-vvqj", "scanner": "osv-scanner", 
"correlation_key": "vuln|picomatch|CVE-2026-33671|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v39h-62p7-jpjc", "level": "error", "message": {"text": "fast-uri: GHSA-v39h-62p7-jpjc"}, "properties": {"repobilityId": 121335, "scanner": "osv-scanner", "fingerprint": "757ca37fe4ebddf5cdaa5c162265d6a31d93aef1fb513c46093294c58d5112ab", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-6322"], "package": "fast-uri", "rule_id": "GHSA-v39h-62p7-jpjc", "scanner": "osv-scanner", "correlation_key": "vuln|fast-uri|CVE-2026-6322|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q3j6-qgpj-74h6", "level": "error", "message": {"text": "fast-uri: GHSA-q3j6-qgpj-74h6"}, "properties": {"repobilityId": 121334, "scanner": "osv-scanner", "fingerprint": "25bb35258c39d7fb16dad079b84e7a9b4b5253e8dee49c1760d88494d1e449a6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-6321"], "package": "fast-uri", "rule_id": "GHSA-q3j6-qgpj-74h6", "scanner": "osv-scanner", "correlation_key": "vuln|fast-uri|CVE-2026-6321|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2025-0098", "level": "error", "message": {"text": "unic-ucd-version: RUSTSEC-2025-0098"}, "properties": {"repobilityId": 121331, "scanner": "osv-scanner", "fingerprint": "1886244b591fcbb1d6ed981c3af69fc3dc214313f9025cfc06ff99589eb1d100", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, 
"reason": "", "evidence": {"match": "", "package": "unic-ucd-version", "rule_id": "RUSTSEC-2025-0098", "scanner": "osv-scanner", "correlation_key": "fp|1886244b591fcbb1d6ed981c3af69fc3dc214313f9025cfc06ff99589eb1d100"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mobile/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2025-0100", "level": "error", "message": {"text": "unic-ucd-ident: RUSTSEC-2025-0100"}, "properties": {"repobilityId": 121330, "scanner": "osv-scanner", "fingerprint": "e9bb31c1d126041478e4a7934e3d785e8ecea18d96cba0b23bf7592df1f39b7e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "unic-ucd-ident", "rule_id": "RUSTSEC-2025-0100", "scanner": "osv-scanner", "correlation_key": "fp|e9bb31c1d126041478e4a7934e3d785e8ecea18d96cba0b23bf7592df1f39b7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mobile/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2025-0080", "level": "error", "message": {"text": "unic-common: RUSTSEC-2025-0080"}, "properties": {"repobilityId": 121329, "scanner": "osv-scanner", "fingerprint": "64e77e8365c77967fe79a8aae4aec0ffac6f884a0ca08e259cbfadf013c790ec", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "unic-common", "rule_id": "RUSTSEC-2025-0080", "scanner": "osv-scanner", "correlation_key": "fp|64e77e8365c77967fe79a8aae4aec0ffac6f884a0ca08e259cbfadf013c790ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mobile/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2025-0075", "level": "error", "message": {"text": "unic-char-range: RUSTSEC-2025-0075"}, "properties": {"repobilityId": 121328, "scanner": "osv-scanner", 
"fingerprint": "465880996637694cad9138114525e82cd26ca7981eda9414de1352388e0548c2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "unic-char-range", "rule_id": "RUSTSEC-2025-0075", "scanner": "osv-scanner", "correlation_key": "fp|465880996637694cad9138114525e82cd26ca7981eda9414de1352388e0548c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mobile/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2025-0081", "level": "error", "message": {"text": "unic-char-property: RUSTSEC-2025-0081"}, "properties": {"repobilityId": 121327, "scanner": "osv-scanner", "fingerprint": "e7e56fa6443fbdaabf32ea0589d79e8c5877438978f6dcb48a8244ecf3af739f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "unic-char-property", "rule_id": "RUSTSEC-2025-0081", "scanner": "osv-scanner", "correlation_key": "fp|e7e56fa6443fbdaabf32ea0589d79e8c5877438978f6dcb48a8244ecf3af739f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mobile/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0370", "level": "error", "message": {"text": "proc-macro-error: RUSTSEC-2024-0370"}, "properties": {"repobilityId": 121326, "scanner": "osv-scanner", "fingerprint": "725684f391c7264d0ff284454b6ef738c13dbf151d15d1bfb61a3b93b4546486", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "proc-macro-error", "rule_id": "RUSTSEC-2024-0370", "scanner": "osv-scanner", "correlation_key": "fp|725684f391c7264d0ff284454b6ef738c13dbf151d15d1bfb61a3b93b4546486"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"packages/mobile/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0419", "level": "error", "message": {"text": "gtk3-macros: RUSTSEC-2024-0419"}, "properties": {"repobilityId": 121325, "scanner": "osv-scanner", "fingerprint": "b8f044f42adcf399a449c9b981561e089f98971ad69e116fe35600e8ed77d25a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "gtk3-macros", "rule_id": "RUSTSEC-2024-0419", "scanner": "osv-scanner", "correlation_key": "fp|b8f044f42adcf399a449c9b981561e089f98971ad69e116fe35600e8ed77d25a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mobile/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0420", "level": "error", "message": {"text": "gtk-sys: RUSTSEC-2024-0420"}, "properties": {"repobilityId": 121324, "scanner": "osv-scanner", "fingerprint": "ba0a0e967a5b3b1d6251966d526f716645af9b400a8bab16df8fa6cff6d11dfe", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "gtk-sys", "rule_id": "RUSTSEC-2024-0420", "scanner": "osv-scanner", "correlation_key": "fp|ba0a0e967a5b3b1d6251966d526f716645af9b400a8bab16df8fa6cff6d11dfe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mobile/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0415", "level": "error", "message": {"text": "gtk: RUSTSEC-2024-0415"}, "properties": {"repobilityId": 121323, "scanner": "osv-scanner", "fingerprint": "83496a6b933440685f94d893b97bd917f91ff15de4c699272ecaa71446386338", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "gtk", "rule_id": "RUSTSEC-2024-0415", "scanner": 
"osv-scanner", "correlation_key": "fp|83496a6b933440685f94d893b97bd917f91ff15de4c699272ecaa71446386338"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mobile/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0414", "level": "error", "message": {"text": "gdkx11-sys: RUSTSEC-2024-0414"}, "properties": {"repobilityId": 121322, "scanner": "osv-scanner", "fingerprint": "8efbc7cf5f32816a2e8d00b6abcb389917c77a3dcacd9902abdf44c4f95da51a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "gdkx11-sys", "rule_id": "RUSTSEC-2024-0414", "scanner": "osv-scanner", "correlation_key": "fp|8efbc7cf5f32816a2e8d00b6abcb389917c77a3dcacd9902abdf44c4f95da51a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mobile/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0417", "level": "error", "message": {"text": "gdkx11: RUSTSEC-2024-0417"}, "properties": {"repobilityId": 121321, "scanner": "osv-scanner", "fingerprint": "770096acbd442274d01e70e712c6c63103d0dc656ee933be9965f0cbad2c0fbf", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "gdkx11", "rule_id": "RUSTSEC-2024-0417", "scanner": "osv-scanner", "correlation_key": "fp|770096acbd442274d01e70e712c6c63103d0dc656ee933be9965f0cbad2c0fbf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mobile/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0411", "level": "error", "message": {"text": "gdkwayland-sys: RUSTSEC-2024-0411"}, "properties": {"repobilityId": 121320, "scanner": "osv-scanner", "fingerprint": "f70a1fa81f601e31057738b2e8a379bf44f462b3a43be1ef32d200380e20ac61", "category": "dependency", "severity": "high", 
"confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "gdkwayland-sys", "rule_id": "RUSTSEC-2024-0411", "scanner": "osv-scanner", "correlation_key": "fp|f70a1fa81f601e31057738b2e8a379bf44f462b3a43be1ef32d200380e20ac61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mobile/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0418", "level": "error", "message": {"text": "gdk-sys: RUSTSEC-2024-0418"}, "properties": {"repobilityId": 121319, "scanner": "osv-scanner", "fingerprint": "1822e7799660d892be95ffde6880dc2cea99b60543fcf4d482275c821c26a74f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "gdk-sys", "rule_id": "RUSTSEC-2024-0418", "scanner": "osv-scanner", "correlation_key": "fp|1822e7799660d892be95ffde6880dc2cea99b60543fcf4d482275c821c26a74f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mobile/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0412", "level": "error", "message": {"text": "gdk: RUSTSEC-2024-0412"}, "properties": {"repobilityId": 121318, "scanner": "osv-scanner", "fingerprint": "8f6f3df4511962b6c3654342dc0f2af29e4394bfadc230264ed0271cd470cb54", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "gdk", "rule_id": "RUSTSEC-2024-0412", "scanner": "osv-scanner", "correlation_key": "fp|8f6f3df4511962b6c3654342dc0f2af29e4394bfadc230264ed0271cd470cb54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mobile/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2025-0057", "level": "error", "message": {"text": "fxhash: RUSTSEC-2025-0057"}, "properties": 
{"repobilityId": 121317, "scanner": "osv-scanner", "fingerprint": "acef107b77593beeccefc644bcfc48ebedf624d3214b6e7e0e3b629992b01136", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "fxhash", "rule_id": "RUSTSEC-2025-0057", "scanner": "osv-scanner", "correlation_key": "fp|acef107b77593beeccefc644bcfc48ebedf624d3214b6e7e0e3b629992b01136"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mobile/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0416", "level": "error", "message": {"text": "atk-sys: RUSTSEC-2024-0416"}, "properties": {"repobilityId": 121316, "scanner": "osv-scanner", "fingerprint": "a771b87c55d77d6fcf2038e99de648b46378618466f50f31102cb31160c8fa29", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "atk-sys", "rule_id": "RUSTSEC-2024-0416", "scanner": "osv-scanner", "correlation_key": "fp|a771b87c55d77d6fcf2038e99de648b46378618466f50f31102cb31160c8fa29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mobile/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0413", "level": "error", "message": {"text": "atk: RUSTSEC-2024-0413"}, "properties": {"repobilityId": 121315, "scanner": "osv-scanner", "fingerprint": "6f51ff891e6a564b1f35010de4b9cb262b5f45816b57c392c145fa436dc4ae77", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "atk", "rule_id": "RUSTSEC-2024-0413", "scanner": "osv-scanner", "correlation_key": "fp|6f51ff891e6a564b1f35010de4b9cb262b5f45816b57c392c145fa436dc4ae77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"packages/mobile/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5039", "level": "error", "message": {"text": "stdlib: GO-2026-5039"}, "properties": {"repobilityId": 121314, "scanner": "osv-scanner", "fingerprint": "1a1b74b21ad8dfd3b96759bf5553815e49eba13d9acc7418dad84a00ead9ebe2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-42507", "CVE-2026-42507"], "package": "stdlib", "rule_id": "GO-2026-5039", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-42507|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5038", "level": "error", "message": {"text": "stdlib: GO-2026-5038"}, "properties": {"repobilityId": 121313, "scanner": "osv-scanner", "fingerprint": "d3279e2164a34867c0a5572f4fb199e004e3cbf555e2345cee712c36edb63a98", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-42504", "CVE-2026-42504"], "package": "stdlib", "rule_id": "GO-2026-5038", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-42504|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5037", "level": "error", "message": {"text": "stdlib: GO-2026-5037"}, "properties": {"repobilityId": 121312, "scanner": "osv-scanner", "fingerprint": "82623eb6d07ca17760bfe7f12dbb698a1b2eadae863823d7d4b63b39257973af", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-27145", "CVE-2026-27145"], "package": "stdlib", 
"rule_id": "GO-2026-5037", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-27145|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4986", "level": "error", "message": {"text": "stdlib: GO-2026-4986"}, "properties": {"repobilityId": 121311, "scanner": "osv-scanner", "fingerprint": "72c91da685643ead2c4136c64e62de209d191d2111bd5f5d220411752fc17811", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-39820", "CVE-2026-39820"], "package": "stdlib", "rule_id": "GO-2026-4986", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-39820|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4982", "level": "error", "message": {"text": "stdlib: GO-2026-4982"}, "properties": {"repobilityId": 121310, "scanner": "osv-scanner", "fingerprint": "571491d99c0e8637f2069852eac38792c7cce25cf56a1607f893d29ad4568334", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-39823", "CVE-2026-39823"], "package": "stdlib", "rule_id": "GO-2026-4982", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-39823|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4981", "level": "error", "message": {"text": "stdlib: GO-2026-4981"}, "properties": {"repobilityId": 121309, "scanner": "osv-scanner", "fingerprint": "48ee04e3c4ca274da1ff7e95f07b603a4f77f13cd8eed2ca3fe62d4632252656", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": 
"open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-33811", "CVE-2026-33811"], "package": "stdlib", "rule_id": "GO-2026-4981", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-33811|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4980", "level": "error", "message": {"text": "stdlib: GO-2026-4980"}, "properties": {"repobilityId": 121308, "scanner": "osv-scanner", "fingerprint": "eae813a6d68a9602a870ffd9aec4238a5fadfc1353a2c473e22a4ef325662c43", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-39826", "CVE-2026-39826"], "package": "stdlib", "rule_id": "GO-2026-4980", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-39826|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4977", "level": "error", "message": {"text": "stdlib: GO-2026-4977"}, "properties": {"repobilityId": 121307, "scanner": "osv-scanner", "fingerprint": "53cc1d0b1b02db0a0bccc864320f109be5b5be9d09dccc6c713fc1d337ef3376", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-42499", "CVE-2026-42499"], "package": "stdlib", "rule_id": "GO-2026-4977", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-42499|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4976", "level": "error", "message": {"text": "stdlib: GO-2026-4976"}, "properties": {"repobilityId": 121306, "scanner": "osv-scanner", 
"fingerprint": "fa9a2e67a70f8038243cb6a10c744d629011e0967727bb9b38b8704b24b88101", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-39825", "CVE-2026-39825"], "package": "stdlib", "rule_id": "GO-2026-4976", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-39825|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4971", "level": "error", "message": {"text": "stdlib: GO-2026-4971"}, "properties": {"repobilityId": 121305, "scanner": "osv-scanner", "fingerprint": "cba8ee4e08ef656ca3cc3a9ca3dd6cea9babee216d56fc6f6d5f997aebb5b7a9", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-39836", "CVE-2026-39836"], "package": "stdlib", "rule_id": "GO-2026-4971", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-39836|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4947", "level": "error", "message": {"text": "stdlib: GO-2026-4947"}, "properties": {"repobilityId": 121304, "scanner": "osv-scanner", "fingerprint": "54bdfd7e348261fa010d84e868c3b5b5a96e5611ab3a55b2ab888db381bcb95d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-32280", "CVE-2026-32280"], "package": "stdlib", "rule_id": "GO-2026-4947", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-32280|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 
1}}}]}, {"ruleId": "GO-2026-4946", "level": "error", "message": {"text": "stdlib: GO-2026-4946"}, "properties": {"repobilityId": 121303, "scanner": "osv-scanner", "fingerprint": "f3300f3c16ee4c977116e2eb41902857f3933b7c93266c26b8d38e01d202edb2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-32281", "CVE-2026-32281"], "package": "stdlib", "rule_id": "GO-2026-4946", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-32281|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4918", "level": "error", "message": {"text": "stdlib: GO-2026-4918"}, "properties": {"repobilityId": 121302, "scanner": "osv-scanner", "fingerprint": "0aecf995b096851451f867fd29f0bfb43bcfe42af3f70e646de4abe8721b0c0c", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-33814", "CVE-2026-33814"], "package": "stdlib", "rule_id": "GO-2026-4918", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-33814|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4870", "level": "error", "message": {"text": "stdlib: GO-2026-4870"}, "properties": {"repobilityId": 121301, "scanner": "osv-scanner", "fingerprint": "a597bbc13e4247827eaa6efd7aaa80352cc916b5e097800bde470ef814d10071", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-32283", "CVE-2026-32283"], "package": "stdlib", "rule_id": "GO-2026-4870", "scanner": "osv-scanner", "correlation_key": 
"vuln|stdlib|CVE-2026-32283|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4869", "level": "error", "message": {"text": "stdlib: GO-2026-4869"}, "properties": {"repobilityId": 121300, "scanner": "osv-scanner", "fingerprint": "b905e6e378ddde174b2ce2cd989c7fbe931fe673883d3a39e72a000365b36eee", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-32288", "CVE-2026-32288"], "package": "stdlib", "rule_id": "GO-2026-4869", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-32288|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4865", "level": "error", "message": {"text": "stdlib: GO-2026-4865"}, "properties": {"repobilityId": 121299, "scanner": "osv-scanner", "fingerprint": "01c12bc9672b1b3d4769d5325a3e84db23a9197aff22efa850d9ad06a90c867d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-32289", "CVE-2026-32289"], "package": "stdlib", "rule_id": "GO-2026-4865", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-32289|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4864", "level": "error", "message": {"text": "stdlib: GO-2026-4864"}, "properties": {"repobilityId": 121298, "scanner": "osv-scanner", "fingerprint": "51832a96e1b37dc39e83a73ddea81de3a201df982b65eed67d5162a70c5f156f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": 
{"match": "", "aliases": ["BIT-golang-2026-32282", "CVE-2026-32282"], "package": "stdlib", "rule_id": "GO-2026-4864", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-32282|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4603", "level": "error", "message": {"text": "stdlib: GO-2026-4603"}, "properties": {"repobilityId": 121297, "scanner": "osv-scanner", "fingerprint": "3d52f1378d602e9c649f157a64777836fdb7b9eb5f4d89e8f0b295e87991af0e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-27142", "CVE-2026-27142"], "package": "stdlib", "rule_id": "GO-2026-4603", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-27142|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4602", "level": "error", "message": {"text": "stdlib: GO-2026-4602"}, "properties": {"repobilityId": 121296, "scanner": "osv-scanner", "fingerprint": "8d5829795ef64245358ed778f28266e0ef5f8f2ebcf93babec35790d6d42aeb2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-27139", "CVE-2026-27139"], "package": "stdlib", "rule_id": "GO-2026-4602", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-27139|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4601", "level": "error", "message": {"text": "stdlib: GO-2026-4601"}, "properties": {"repobilityId": 121295, "scanner": "osv-scanner", "fingerprint": 
"5ee24230af40dc19821234f133163e86e7e5a2c69be90f49c63ccf67824fc21b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-25679", "CVE-2026-25679"], "package": "stdlib", "rule_id": "GO-2026-4601", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-25679|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4342", "level": "error", "message": {"text": "stdlib: GO-2026-4342"}, "properties": {"repobilityId": 121294, "scanner": "osv-scanner", "fingerprint": "15e2bb7a4fbc704c608cb6b46525ed4820cba7ea9a9c89913f4182ddaf6691ac", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-61728", "CVE-2025-61728"], "package": "stdlib", "rule_id": "GO-2026-4342", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-61728|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4341", "level": "error", "message": {"text": "stdlib: GO-2026-4341"}, "properties": {"repobilityId": 121293, "scanner": "osv-scanner", "fingerprint": "331896cb0fc7f92d9b1c52c5895947933998b4174ab17bd15fcbe4b017798a73", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-61726", "CVE-2025-61726"], "package": "stdlib", "rule_id": "GO-2026-4341", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-61726|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, 
{"ruleId": "GO-2026-4340", "level": "error", "message": {"text": "stdlib: GO-2026-4340"}, "properties": {"repobilityId": 121292, "scanner": "osv-scanner", "fingerprint": "20d4c5c8c1066aa8619584af451c8b5c01e9a7576b0c269368d1c9bd84fa138d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-61730", "CVE-2025-61730"], "package": "stdlib", "rule_id": "GO-2026-4340", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-61730|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4337", "level": "error", "message": {"text": "stdlib: GO-2026-4337"}, "properties": {"repobilityId": 121291, "scanner": "osv-scanner", "fingerprint": "59706dd855368e6538fb78fcd9b1804f97078a333057a54590c745dffc8ef82a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-68121", "CVE-2025-68121"], "package": "stdlib", "rule_id": "GO-2026-4337", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-68121|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-4175", "level": "error", "message": {"text": "stdlib: GO-2025-4175"}, "properties": {"repobilityId": 121290, "scanner": "osv-scanner", "fingerprint": "f1d097a34b5bc92769c33d9c1a1ff87e55d9baa9e67d0d31f67b620f6b479cee", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-61727", "CVE-2025-61727"], "package": "stdlib", "rule_id": "GO-2025-4175", "scanner": "osv-scanner", "correlation_key": 
"vuln|stdlib|CVE-2025-61727|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-4155", "level": "error", "message": {"text": "stdlib: GO-2025-4155"}, "properties": {"repobilityId": 121289, "scanner": "osv-scanner", "fingerprint": "7e10f20932fd41c5e15cd176d9486d9617bc784c0bd5865ca3d7ce6bc129683f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-61729", "CVE-2025-61729"], "package": "stdlib", "rule_id": "GO-2025-4155", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-61729|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-4015", "level": "error", "message": {"text": "stdlib: GO-2025-4015"}, "properties": {"repobilityId": 121288, "scanner": "osv-scanner", "fingerprint": "a31e84cf965de5191388995aef6107aa0fd6b259c4f7efcde1c3dc4a08649cfc", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-61724", "CVE-2025-61724"], "package": "stdlib", "rule_id": "GO-2025-4015", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-61724|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-4014", "level": "error", "message": {"text": "stdlib: GO-2025-4014"}, "properties": {"repobilityId": 121287, "scanner": "osv-scanner", "fingerprint": "ff4c9e564f96ee7f76033a253ed44871f5084dcce4afe3b3be525f0360c24571", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": 
{"match": "", "aliases": ["BIT-golang-2025-58183", "CVE-2025-58183"], "package": "stdlib", "rule_id": "GO-2025-4014", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-58183|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-4013", "level": "error", "message": {"text": "stdlib: GO-2025-4013"}, "properties": {"repobilityId": 121286, "scanner": "osv-scanner", "fingerprint": "4c6a601499dc5497159f636d253d2947f5cf7414219fc94a06837a146414d531", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-58188", "CVE-2025-58188"], "package": "stdlib", "rule_id": "GO-2025-4013", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-58188|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-4012", "level": "error", "message": {"text": "stdlib: GO-2025-4012"}, "properties": {"repobilityId": 121285, "scanner": "osv-scanner", "fingerprint": "45271b9c27966fbcc39167d3501f5cda3bd33861472d1ed22820b796c6bfb365", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-58186", "CVE-2025-58186"], "package": "stdlib", "rule_id": "GO-2025-4012", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-58186|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-4011", "level": "error", "message": {"text": "stdlib: GO-2025-4011"}, "properties": {"repobilityId": 121284, "scanner": "osv-scanner", "fingerprint": 
"6363667c0face9829ddcf19e3d892b1e4af0e330f86a6b999e6415db86f45b0d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-58185", "CVE-2025-58185"], "package": "stdlib", "rule_id": "GO-2025-4011", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-58185|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-4010", "level": "error", "message": {"text": "stdlib: GO-2025-4010"}, "properties": {"repobilityId": 121283, "scanner": "osv-scanner", "fingerprint": "6db7b08fc1721839ad0e0fa9074dd9ba2542769f50a938f5ef7718d7379fd727", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-47912", "CVE-2025-47912"], "package": "stdlib", "rule_id": "GO-2025-4010", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-47912|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-4009", "level": "error", "message": {"text": "stdlib: GO-2025-4009"}, "properties": {"repobilityId": 121282, "scanner": "osv-scanner", "fingerprint": "725ffa55f10ea4c48943efdb1cd4e1b626e8e6a4c56b82d4b575cfbe78ab5532", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-61723", "CVE-2025-61723"], "package": "stdlib", "rule_id": "GO-2025-4009", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-61723|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, 
{"ruleId": "GO-2025-4008", "level": "error", "message": {"text": "stdlib: GO-2025-4008"}, "properties": {"repobilityId": 121281, "scanner": "osv-scanner", "fingerprint": "ae41ff94e71dd77ff94521d9e723d3d90b7cc93053aa3eb385f35425f3a87b32", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-58189", "CVE-2025-58189"], "package": "stdlib", "rule_id": "GO-2025-4008", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-58189|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-4007", "level": "error", "message": {"text": "stdlib: GO-2025-4007"}, "properties": {"repobilityId": 121280, "scanner": "osv-scanner", "fingerprint": "475e24c6bab0f3f2f75acd11301b378a691cdbe20575540274db2ea4496a6a36", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-58187", "CVE-2025-58187"], "package": "stdlib", "rule_id": "GO-2025-4007", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-58187|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-4006", "level": "error", "message": {"text": "stdlib: GO-2025-4006"}, "properties": {"repobilityId": 121279, "scanner": "osv-scanner", "fingerprint": "a9be39967e34429de216abecb7c6b6c68f43774ab0d8626fe65971d9d2d5e404", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-61725", "CVE-2025-61725"], "package": "stdlib", "rule_id": "GO-2025-4006", "scanner": "osv-scanner", "correlation_key": 
"vuln|stdlib|CVE-2025-61725|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-3955", "level": "error", "message": {"text": "stdlib: GO-2025-3955"}, "properties": {"repobilityId": 121278, "scanner": "osv-scanner", "fingerprint": "f99943ca4cc8bdb83f91a70b8cf196bebb2e29ffb46c4b4883f10da6d7c6a005", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-47910", "CVE-2025-47910"], "package": "stdlib", "rule_id": "GO-2025-3955", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-47910|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5024", "level": "error", "message": {"text": "golang.org/x/sys: GO-2026-5024"}, "properties": {"repobilityId": 121276, "scanner": "osv-scanner", "fingerprint": "c61a55f039aaec9f669d8e67d25090dd51767d5b573b0e8a780d9b67a2e85b2a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39824"], "package": "golang.org/x/sys", "rule_id": "GO-2026-5024", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/sys|CVE-2026-39824|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5030", "level": "error", "message": {"text": "golang.org/x/net: GO-2026-5030"}, "properties": {"repobilityId": 121275, "scanner": "osv-scanner", "fingerprint": "ca3f714fd5de1af3ee84c2c74e10def1297990289eb9e3b0a7b7234aa3912b99", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", 
"evidence": {"match": "", "aliases": ["CVE-2026-27136"], "package": "golang.org/x/net", "rule_id": "GO-2026-5030", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/net|CVE-2026-27136|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5029", "level": "error", "message": {"text": "golang.org/x/net: GO-2026-5029"}, "properties": {"repobilityId": 121274, "scanner": "osv-scanner", "fingerprint": "e1ed826add7eb3e8838437bc77278ff2b97d39ab115ebc3a87584ca1fd3b791e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-25681"], "package": "golang.org/x/net", "rule_id": "GO-2026-5029", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/net|CVE-2026-25681|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5028", "level": "error", "message": {"text": "golang.org/x/net: GO-2026-5028"}, "properties": {"repobilityId": 121273, "scanner": "osv-scanner", "fingerprint": "e7a43068a71daeef07207743a3859bf580d5ed54fcdffbfed9f242a14066db08", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-25680"], "package": "golang.org/x/net", "rule_id": "GO-2026-5028", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/net|CVE-2026-25680|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5027", "level": "error", "message": {"text": "golang.org/x/net: GO-2026-5027"}, "properties": {"repobilityId": 121272, "scanner": "osv-scanner", "fingerprint": 
"a5112bf87d6f825fbd1b06ec0bc80391aba63388047a64981464ae8b8f75daad", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42502"], "package": "golang.org/x/net", "rule_id": "GO-2026-5027", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/net|CVE-2026-42502|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5026", "level": "error", "message": {"text": "golang.org/x/net: GO-2026-5026"}, "properties": {"repobilityId": 121271, "scanner": "osv-scanner", "fingerprint": "51588d03bbc22f9eb6c00011a23945941b9c660201b67bb6c1b07fea47decb40", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39821"], "package": "golang.org/x/net", "rule_id": "GO-2026-5026", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/net|CVE-2026-39821|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5025", "level": "error", "message": {"text": "golang.org/x/net: GO-2026-5025"}, "properties": {"repobilityId": 121270, "scanner": "osv-scanner", "fingerprint": "eacd5ea3d1da93cb27ad7b1c3a901bb7ccd4ae25c9e46ca3bb0fc0959ad877a8", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42506"], "package": "golang.org/x/net", "rule_id": "GO-2026-5025", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/net|CVE-2026-42506|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, 
{"ruleId": "GO-2026-4918", "level": "error", "message": {"text": "golang.org/x/net: GO-2026-4918"}, "properties": {"repobilityId": 121269, "scanner": "osv-scanner", "fingerprint": "7f14b8cf5d43f946953771b1468764043b446a291530c66ff9305ddfb408ce19", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-33814", "CVE-2026-33814"], "package": "golang.org/x/net", "rule_id": "GO-2026-4918", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/net|CVE-2026-33814|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4559", "level": "error", "message": {"text": "golang.org/x/net: GO-2026-4559"}, "properties": {"repobilityId": 121268, "scanner": "osv-scanner", "fingerprint": "62110585a72d26ca3c14bf651111ef7b1fa1e8bbc1155de50e1d87c5a9950a49", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27141"], "package": "golang.org/x/net", "rule_id": "GO-2026-4559", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/net|CVE-2026-27141|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5033", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5033"}, "properties": {"repobilityId": 121267, "scanner": "osv-scanner", "fingerprint": "f008cc8d98264806ba606265623e50dbf2b9b42b55750bab4b1157428f716a65", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-46598"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5033", "scanner": 
"osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-46598|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5023", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5023"}, "properties": {"repobilityId": 121266, "scanner": "osv-scanner", "fingerprint": "ffbfd14ac59ea43f4285342db84445360bd38ce99775130d31db47ee64b0262d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-46595"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5023", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-46595|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5021", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5021"}, "properties": {"repobilityId": 121265, "scanner": "osv-scanner", "fingerprint": "0874e720c94a61eb13f2a3d8a4a4d4daf2f3f6089ecdb2cf026dbdc0dc39e693", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42508"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5021", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-42508|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5020", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5020"}, "properties": {"repobilityId": 121264, "scanner": "osv-scanner", "fingerprint": "28809adc840b9f2cde4f8ae8bc5d84b06b0c448f2b8a182b66837e20db60e933", "category": "dependency", "severity": "high", "confidence": 0.88, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39834"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5020", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39834|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5019", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5019"}, "properties": {"repobilityId": 121263, "scanner": "osv-scanner", "fingerprint": "c32cd7df68344dcaf5c76565adafab76bc0a63b003574a9b5a729ec09f9c3a73", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39831"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5019", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39831|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5018", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5018"}, "properties": {"repobilityId": 121262, "scanner": "osv-scanner", "fingerprint": "63287317a08bd0bbd4f287b0d716650da8a4c968f462a36451c93e42dceeda0e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39829"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5018", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39829|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5017", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5017"}, 
"properties": {"repobilityId": 121261, "scanner": "osv-scanner", "fingerprint": "131a7c559b44d79535fc85578f6a0e11e3bdc370b254cb8d2b5a68c8a5e42cc4", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39830"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5017", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39830|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5016", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5016"}, "properties": {"repobilityId": 121260, "scanner": "osv-scanner", "fingerprint": "47529a5c8b3eff285d8c3ef21bf909b44b9b31bb66c7cf28908cba699553f069", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39827"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5016", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39827|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5015", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5015"}, "properties": {"repobilityId": 121259, "scanner": "osv-scanner", "fingerprint": "043f767a8d2fb47361a8fe5802cf1079f5b5e26d3249086eab31517f45f8b4e7", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39835"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5015", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39835|token"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5014", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5014"}, "properties": {"repobilityId": 121258, "scanner": "osv-scanner", "fingerprint": "3b2f7eccb723af05974b9c74c9c9c38259762f9e8d9027298ff2a835939ff7b2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39828"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5014", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39828|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5013", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5013"}, "properties": {"repobilityId": 121257, "scanner": "osv-scanner", "fingerprint": "bc3356205fcb4cfd76a15209c7427494fc15ace3de7a48c3f58f5f8993cd2da7", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-46597"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5013", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-46597|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5006", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5006"}, "properties": {"repobilityId": 121256, "scanner": "osv-scanner", "fingerprint": "fdfe1ee2b6b3a11cbf3a82486c241f01c4f27daf126f08ecfdea1e725619b4c4", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": 
"", "aliases": ["CVE-2026-39832"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5006", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39832|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5005", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5005"}, "properties": {"repobilityId": 121255, "scanner": "osv-scanner", "fingerprint": "18e404923d4d919d3257520a60c32fadb329bb2feaaefc4b1afbd151e393268b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39833"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5005", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39833|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2025-0098", "level": "error", "message": {"text": "unic-ucd-version: RUSTSEC-2025-0098"}, "properties": {"repobilityId": 121254, "scanner": "osv-scanner", "fingerprint": "201fbf9b85c7e0ae689138ccb07666a93e0d401e9c1e5ff2ca612bdd056ddeca", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "unic-ucd-version", "rule_id": "RUSTSEC-2025-0098", "scanner": "osv-scanner", "correlation_key": "fp|201fbf9b85c7e0ae689138ccb07666a93e0d401e9c1e5ff2ca612bdd056ddeca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2025-0100", "level": "error", "message": {"text": "unic-ucd-ident: RUSTSEC-2025-0100"}, "properties": {"repobilityId": 121253, "scanner": "osv-scanner", "fingerprint": 
"b0bd50b3a06cfd10a7cb688de6f9ccb8feb155af7400a196ebbe79f3e13a6872", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "unic-ucd-ident", "rule_id": "RUSTSEC-2025-0100", "scanner": "osv-scanner", "correlation_key": "fp|b0bd50b3a06cfd10a7cb688de6f9ccb8feb155af7400a196ebbe79f3e13a6872"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2025-0080", "level": "error", "message": {"text": "unic-common: RUSTSEC-2025-0080"}, "properties": {"repobilityId": 121252, "scanner": "osv-scanner", "fingerprint": "d3fd57fe3e20db6efa3556bd6c1862b5be8a9b13b97279c62a5528c1edd49918", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "unic-common", "rule_id": "RUSTSEC-2025-0080", "scanner": "osv-scanner", "correlation_key": "fp|d3fd57fe3e20db6efa3556bd6c1862b5be8a9b13b97279c62a5528c1edd49918"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2025-0075", "level": "error", "message": {"text": "unic-char-range: RUSTSEC-2025-0075"}, "properties": {"repobilityId": 121251, "scanner": "osv-scanner", "fingerprint": "ff96566fa036a0ab87d9c8573bbcf2a58bcfc51c11da8fa38d6cf0644eb002a6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "unic-char-range", "rule_id": "RUSTSEC-2025-0075", "scanner": "osv-scanner", "correlation_key": "fp|ff96566fa036a0ab87d9c8573bbcf2a58bcfc51c11da8fa38d6cf0644eb002a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/Cargo.lock"}, "region": 
{"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2025-0081", "level": "error", "message": {"text": "unic-char-property: RUSTSEC-2025-0081"}, "properties": {"repobilityId": 121250, "scanner": "osv-scanner", "fingerprint": "6e78acb982e2729a90f77f33a5719fa0c125722fdaa2f2b05b268885755bdd86", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "unic-char-property", "rule_id": "RUSTSEC-2025-0081", "scanner": "osv-scanner", "correlation_key": "fp|6e78acb982e2729a90f77f33a5719fa0c125722fdaa2f2b05b268885755bdd86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0068", "level": "error", "message": {"text": "tar: RUSTSEC-2026-0068"}, "properties": {"repobilityId": 121247, "scanner": "osv-scanner", "fingerprint": "0d06ba2f5fe78f723b191a71ff6870089718677972aca8d6918034819e506e19", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-33055", "GHSA-gchp-q4r4-x4ff"], "package": "tar", "rule_id": "RUSTSEC-2026-0068", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-33055|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-gchp-q4r4-x4ff", "RUSTSEC-2026-0068"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["0d06ba2f5fe78f723b191a71ff6870089718677972aca8d6918034819e506e19", "31d95a4ced431e52fbae144ea533e16fd39dc5e405f9459fa37599088599e51e"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0067", "level": "error", "message": {"text": "tar: RUSTSEC-2026-0067"}, "properties": {"repobilityId": 121246, 
"scanner": "osv-scanner", "fingerprint": "c367272f8e981489093031d09f316352b61cba472c094e0d8e99fbb4f474ffbb", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-33056", "GHSA-j4xf-2g29-59ph"], "package": "tar", "rule_id": "RUSTSEC-2026-0067", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-33056|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-j4xf-2g29-59ph", "RUSTSEC-2026-0067"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["c367272f8e981489093031d09f316352b61cba472c094e0d8e99fbb4f474ffbb", "fdadc57bba4a9be5aa4754cd2e890f31286a9bd741c65d6d489a87a2e32ac12f"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2017-0008", "level": "error", "message": {"text": "serial: RUSTSEC-2017-0008"}, "properties": {"repobilityId": 121245, "scanner": "osv-scanner", "fingerprint": "eca77138c18bbae7f8606fc6e6543fb76c90f26335435a59510312a368753cf6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "serial", "rule_id": "RUSTSEC-2017-0008", "scanner": "osv-scanner", "correlation_key": "fp|eca77138c18bbae7f8606fc6e6543fb76c90f26335435a59510312a368753cf6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0104", "level": "error", "message": {"text": "rustls-webpki: RUSTSEC-2026-0104"}, "properties": {"repobilityId": 121244, "scanner": "osv-scanner", "fingerprint": "fafad8a6247a80e818d69e6e692474c8b36b867e85d29ab5e9d03c9b182bd49b", "category": "dependency", "severity": "high", "confidence": 
0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-82j2-j2ch-gfr8"], "package": "rustls-webpki", "rule_id": "RUSTSEC-2026-0104", "scanner": "osv-scanner", "correlation_key": "vuln|rustls-webpki|GHSA-82J2-J2CH-GFR8|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-82j2-j2ch-gfr8", "RUSTSEC-2026-0104"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["c9c795df842c9610ed25bfa8b50d69e48a4dc97fcb58388db0c63c624aaa5a5f", "fafad8a6247a80e818d69e6e692474c8b36b867e85d29ab5e9d03c9b182bd49b"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0099", "level": "error", "message": {"text": "rustls-webpki: RUSTSEC-2026-0099"}, "properties": {"repobilityId": 121243, "scanner": "osv-scanner", "fingerprint": "8aa3bf85fd7df0679485cd1bdaadbc4b3d0224dbf53ee6093a7d6496724a1396", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-xgp8-3hg3-c2mh"], "package": "rustls-webpki", "rule_id": "RUSTSEC-2026-0099", "scanner": "osv-scanner", "correlation_key": "vuln|rustls-webpki|GHSA-XGP8-3HG3-C2MH|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-xgp8-3hg3-c2mh", "RUSTSEC-2026-0099"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["8aa3bf85fd7df0679485cd1bdaadbc4b3d0224dbf53ee6093a7d6496724a1396", "e1fd3321bd193f456a8a699b6cf05c5ccb433ca3c4ab882fd28d69c103988001"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0098", "level": "error", "message": {"text": "rustls-webpki: 
RUSTSEC-2026-0098"}, "properties": {"repobilityId": 121242, "scanner": "osv-scanner", "fingerprint": "99a566c2b46c65ae9e1363fefd112df75b4da39906dcf91dbcc87d144c733fe6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-965h-392x-2mh5"], "package": "rustls-webpki", "rule_id": "RUSTSEC-2026-0098", "scanner": "osv-scanner", "correlation_key": "vuln|rustls-webpki|GHSA-965H-392X-2MH5|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-965h-392x-2mh5", "RUSTSEC-2026-0098"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["36578b77b376c73aa6e268802ecebbcc8f94a64ee13eff7312cdbfc551aa888a", "99a566c2b46c65ae9e1363fefd112df75b4da39906dcf91dbcc87d144c733fe6"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0049", "level": "error", "message": {"text": "rustls-webpki: RUSTSEC-2026-0049"}, "properties": {"repobilityId": 121241, "scanner": "osv-scanner", "fingerprint": "402c76f1a0a4ad4e17794f1cdb7f8e657aeb2509189505102bfacf2e20aa27ea", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-pwjx-qhcg-rvj4"], "package": "rustls-webpki", "rule_id": "RUSTSEC-2026-0049", "scanner": "osv-scanner", "correlation_key": "vuln|rustls-webpki|GHSA-PWJX-QHCG-RVJ4|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-pwjx-qhcg-rvj4", "RUSTSEC-2026-0049"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["402c76f1a0a4ad4e17794f1cdb7f8e657aeb2509189505102bfacf2e20aa27ea", "eb52fe43dc59fecc5c7f67859325e0f4e6607a3a21543441c0ba4cb733e34bbf"]}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0097", "level": "error", "message": {"text": "rand: RUSTSEC-2026-0097"}, "properties": {"repobilityId": 121240, "scanner": "osv-scanner", "fingerprint": "d77e12bbdb9b356867c3679998d213db3eae684e6b716a1ad3964ab083986ffb", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 3 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-cq8v-f236-94qc"], "package": "rand", "rule_id": "RUSTSEC-2026-0097", "scanner": "osv-scanner", "correlation_key": "vuln|rand|GHSA-CQ8V-F236-94QC|token", "duplicate_count": 3, "duplicate_rule_ids": ["GHSA-cq8v-f236-94qc", "RUSTSEC-2026-0097"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["288e7e759feedb2348a020b5a37d4b76f885da89c16889b942938261e787b6a6", "83bac1c5e2a18e41ca3a74aa223c2360303081f573d3caf515278fff6f60d82f", "9b3810ea09e60b862ae56d52a58a37ca6beed6bc7d1242d7d8e717d7862ef10e", "d77e12bbdb9b356867c3679998d213db3eae684e6b716a1ad3964ab083986ffb"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0037", "level": "error", "message": {"text": "quinn-proto: RUSTSEC-2026-0037"}, "properties": {"repobilityId": 121239, "scanner": "osv-scanner", "fingerprint": "25b0bf4c1436567c1c08af18d9f73f19f42d4abf14d3a0795b17ff7c42d10e9e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-31812", "GHSA-6xvm-j4wr-6v98"], "package": "quinn-proto", "rule_id": "RUSTSEC-2026-0037", "scanner": "osv-scanner", 
"correlation_key": "vuln|quinn-proto|CVE-2026-31812|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-6xvm-j4wr-6v98", "RUSTSEC-2026-0037"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["25b0bf4c1436567c1c08af18d9f73f19f42d4abf14d3a0795b17ff7c42d10e9e", "7b9405653747b537ce613a2ab0879a1e1f1b1cf9578149f353d0607772fd1cee"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0370", "level": "error", "message": {"text": "proc-macro-error: RUSTSEC-2024-0370"}, "properties": {"repobilityId": 121238, "scanner": "osv-scanner", "fingerprint": "af19dd07929fd38680cecd199c82b8566bc6edee4813bde277eb88ab15a8f275", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "proc-macro-error", "rule_id": "RUSTSEC-2024-0370", "scanner": "osv-scanner", "correlation_key": "fp|af19dd07929fd38680cecd199c82b8566bc6edee4813bde277eb88ab15a8f275"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xp3w-r5p5-63rr", "level": "error", "message": {"text": "openssl: GHSA-xp3w-r5p5-63rr"}, "properties": {"repobilityId": 121236, "scanner": "osv-scanner", "fingerprint": "963e82f43e38c8ad48e91c7c741332e31d960f444056f06afac9616bca35756e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42327"], "package": "openssl", "rule_id": "GHSA-xp3w-r5p5-63rr", "scanner": "osv-scanner", "correlation_key": "vuln|openssl|CVE-2026-42327|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-pqf5-4pqq-29f5", 
"level": "error", "message": {"text": "openssl: GHSA-pqf5-4pqq-29f5"}, "properties": {"repobilityId": 121234, "scanner": "osv-scanner", "fingerprint": "96c1e273ab86e17cdc58d989320c80b1ce55b6683e680346955605dae2e8f10f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41676"], "package": "openssl", "rule_id": "GHSA-pqf5-4pqq-29f5", "scanner": "osv-scanner", "correlation_key": "vuln|openssl|CVE-2026-41676|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-hppc-g8h3-xhp3", "level": "error", "message": {"text": "openssl: GHSA-hppc-g8h3-xhp3"}, "properties": {"repobilityId": 121232, "scanner": "osv-scanner", "fingerprint": "da9366e2f0ef6b612dbaed7a975ebf7e2302acb50c0b468add06ab0be5194fa8", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41898"], "package": "openssl", "rule_id": "GHSA-hppc-g8h3-xhp3", "scanner": "osv-scanner", "correlation_key": "vuln|openssl|CVE-2026-41898|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-ghm9-cr32-g9qj", "level": "error", "message": {"text": "openssl: GHSA-ghm9-cr32-g9qj"}, "properties": {"repobilityId": 121231, "scanner": "osv-scanner", "fingerprint": "d413da8a90e88030fce5981d8ebd226665bf725148016630cd8a57a346d946ff", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41681"], "package": "openssl", "rule_id": "GHSA-ghm9-cr32-g9qj", "scanner": "osv-scanner", "correlation_key": 
"vuln|openssl|CVE-2026-41681|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8c75-8mhr-p7r9", "level": "error", "message": {"text": "openssl: GHSA-8c75-8mhr-p7r9"}, "properties": {"repobilityId": 121230, "scanner": "osv-scanner", "fingerprint": "a386ee0a61e6059e229575582a3504b2bcb8c00f4f1d4801680627e274fef0f3", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41678"], "package": "openssl", "rule_id": "GHSA-8c75-8mhr-p7r9", "scanner": "osv-scanner", "correlation_key": "vuln|openssl|CVE-2026-41678|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0419", "level": "error", "message": {"text": "gtk3-macros: RUSTSEC-2024-0419"}, "properties": {"repobilityId": 121229, "scanner": "osv-scanner", "fingerprint": "d75d7cd40f2638fc36b570764a74a575a5ab4c642f232843816319285c430a59", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "gtk3-macros", "rule_id": "RUSTSEC-2024-0419", "scanner": "osv-scanner", "correlation_key": "fp|d75d7cd40f2638fc36b570764a74a575a5ab4c642f232843816319285c430a59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0420", "level": "error", "message": {"text": "gtk-sys: RUSTSEC-2024-0420"}, "properties": {"repobilityId": 121228, "scanner": "osv-scanner", "fingerprint": "99f636bab2d051154a0beb510a9157a509ff9be0d506973532b3c67b93d6f4c9", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", 
"isResolved": false, "reason": "", "evidence": {"match": "", "package": "gtk-sys", "rule_id": "RUSTSEC-2024-0420", "scanner": "osv-scanner", "correlation_key": "fp|99f636bab2d051154a0beb510a9157a509ff9be0d506973532b3c67b93d6f4c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0415", "level": "error", "message": {"text": "gtk: RUSTSEC-2024-0415"}, "properties": {"repobilityId": 121227, "scanner": "osv-scanner", "fingerprint": "7ec01c6a3fe3183656ea2f81fb5cc767ef58b1d2c92ba0340cee89feab6d6cbc", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "gtk", "rule_id": "RUSTSEC-2024-0415", "scanner": "osv-scanner", "correlation_key": "fp|7ec01c6a3fe3183656ea2f81fb5cc767ef58b1d2c92ba0340cee89feab6d6cbc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0429", "level": "error", "message": {"text": "glib: RUSTSEC-2024-0429"}, "properties": {"repobilityId": 121226, "scanner": "osv-scanner", "fingerprint": "285492715b09865f2765f895bd60f90bbd9bff08ab3a13084deb0cfc6df904a7", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 3 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-wrw7-89jp-8q8g"], "package": "glib", "rule_id": "RUSTSEC-2024-0429", "scanner": "osv-scanner", "correlation_key": "vuln|glib|GHSA-WRW7-89JP-8Q8G|token", "duplicate_count": 3, "duplicate_rule_ids": ["GHSA-wrw7-89jp-8q8g", "RUSTSEC-2024-0429"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["08d34c02611be11b3e6bd76fb4c4f2481d46fba71575443216f167280f434826", 
"285492715b09865f2765f895bd60f90bbd9bff08ab3a13084deb0cfc6df904a7", "7d7fff7b92108165c77af7baa16ece10b08ba39dbcef2d8de14aac8416882955", "f1ec63fe8674ec1c7d74589ea334082c0d3cb6000fc0304b98671e53c7f3ae79"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0414", "level": "error", "message": {"text": "gdkx11-sys: RUSTSEC-2024-0414"}, "properties": {"repobilityId": 121225, "scanner": "osv-scanner", "fingerprint": "c255d4cac25cd90c54e622b84f32c952d1cd0d4c994b03b8efd9a3d0b1685b8b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "gdkx11-sys", "rule_id": "RUSTSEC-2024-0414", "scanner": "osv-scanner", "correlation_key": "fp|c255d4cac25cd90c54e622b84f32c952d1cd0d4c994b03b8efd9a3d0b1685b8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0417", "level": "error", "message": {"text": "gdkx11: RUSTSEC-2024-0417"}, "properties": {"repobilityId": 121224, "scanner": "osv-scanner", "fingerprint": "a4cea075d7bb8423e3c78612bb6ad99c9471d567dc40bcf7f8ee5866e7fd2a5b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "gdkx11", "rule_id": "RUSTSEC-2024-0417", "scanner": "osv-scanner", "correlation_key": "fp|a4cea075d7bb8423e3c78612bb6ad99c9471d567dc40bcf7f8ee5866e7fd2a5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0411", "level": "error", "message": {"text": "gdkwayland-sys: RUSTSEC-2024-0411"}, "properties": {"repobilityId": 121223, "scanner": "osv-scanner", "fingerprint": 
"fcb164f3a09f5fe50cfe2ac4cdfa41c694791af8339554a6bc252d54e1d47746", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "gdkwayland-sys", "rule_id": "RUSTSEC-2024-0411", "scanner": "osv-scanner", "correlation_key": "fp|fcb164f3a09f5fe50cfe2ac4cdfa41c694791af8339554a6bc252d54e1d47746"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0418", "level": "error", "message": {"text": "gdk-sys: RUSTSEC-2024-0418"}, "properties": {"repobilityId": 121222, "scanner": "osv-scanner", "fingerprint": "842e5d0ee9f1421ebf8fe5d8a1ae3c7051a332464058e1177824d175a4c261e2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "gdk-sys", "rule_id": "RUSTSEC-2024-0418", "scanner": "osv-scanner", "correlation_key": "fp|842e5d0ee9f1421ebf8fe5d8a1ae3c7051a332464058e1177824d175a4c261e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0412", "level": "error", "message": {"text": "gdk: RUSTSEC-2024-0412"}, "properties": {"repobilityId": 121221, "scanner": "osv-scanner", "fingerprint": "67066a0f2d7c795023ba1db5703c5ff60d21b1cc426cdb7d94c7a0b590cc4538", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "gdk", "rule_id": "RUSTSEC-2024-0412", "scanner": "osv-scanner", "correlation_key": "fp|67066a0f2d7c795023ba1db5703c5ff60d21b1cc426cdb7d94c7a0b590cc4538"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, 
{"ruleId": "RUSTSEC-2025-0057", "level": "error", "message": {"text": "fxhash: RUSTSEC-2025-0057"}, "properties": {"repobilityId": 121220, "scanner": "osv-scanner", "fingerprint": "f749bd58f62ad930e6d6a7d84ffd2ae5767fec0fa05b6cc5ecace8e11b88f370", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "fxhash", "rule_id": "RUSTSEC-2025-0057", "scanner": "osv-scanner", "correlation_key": "fp|f749bd58f62ad930e6d6a7d84ffd2ae5767fec0fa05b6cc5ecace8e11b88f370"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0416", "level": "error", "message": {"text": "atk-sys: RUSTSEC-2024-0416"}, "properties": {"repobilityId": 121219, "scanner": "osv-scanner", "fingerprint": "2f06e64453c86ec2dec4d4c88f03548138de36ba5f46a2a896a1d066b94e1197", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "atk-sys", "rule_id": "RUSTSEC-2024-0416", "scanner": "osv-scanner", "correlation_key": "fp|2f06e64453c86ec2dec4d4c88f03548138de36ba5f46a2a896a1d066b94e1197"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0413", "level": "error", "message": {"text": "atk: RUSTSEC-2024-0413"}, "properties": {"repobilityId": 121218, "scanner": "osv-scanner", "fingerprint": "19df597524cd15b7a6b920a4509df0f050202ad9f73d415f134ab8befa91c4bb", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "atk", "rule_id": "RUSTSEC-2024-0413", "scanner": "osv-scanner", "correlation_key": 
"fp|19df597524cd15b7a6b920a4509df0f050202ad9f73d415f134ab8befa91c4bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 121205, "scanner": "repobility-threat-engine", "fingerprint": "04e67de47c6ca8e2dc7c5023b6914803d1c497516c95227a6300c49e40796f4a", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.join(input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|78|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/voice/audioRetention.ts"}, "region": {"startLine": 78}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. 
A segment such as `../../../etc/passwd` is normalized without error, and the resulting path lies outside the base directory. Resolve the final path and confirm it still lies under the base directory before using it."}, "properties": {"repobilityId": 121204, "scanner": "repobility-threat-engine", "fingerprint": "cc83168496e5945568f50851136f21c6ec568cb8b1c0283ec87363ffe4af1baa", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.resolve(distPath, request", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|51|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/frontend/static.ts"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 121202, "scanner": "repobility-threat-engine", "fingerprint": "54c0bd746d6e50cdd7e95ee3466225024a363b298ab2d89b4a0cf63c781dd8d8", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((f) => `0x${f.toString(16).padStart(2, \"0\")}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|54c0bd746d6e50cdd7e95ee3466225024a363b298ab2d89b4a0cf63c781dd8d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/routes/ws-message-router.ts"}, "region": {"startLine": 132}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 121201, "scanner": "repobility-threat-engine", "fingerprint": "8212335e9d1df06cc63df7f78d275e784a3f1008974d348c0fd48b1fb33e9a16", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((name) => `DNS:${name}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8212335e9d1df06cc63df7f78d275e784a3f1008974d348c0fd48b1fb33e9a16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/https/self-signed.ts"}, "region": {"startLine": 61}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 121200, "scanner": "repobility-threat-engine", "fingerprint": "2542e131d3f136ffb9c310110ffad85d0c22561d95c0285903c1d268828e8c81", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([k, v]) => `${k}:${stableStringify(v)}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2542e131d3f136ffb9c310110ffad85d0c22561d95c0285903c1d268828e8c81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/codex/correlationDebugLogger.ts"}, "region": {"startLine": 287}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). 
High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 121198, "scanner": "repobility-threat-engine", "fingerprint": "2d664f9b9998b882f871a8a0ec9f0369746c8cf9026c8ccd213650322a3f8864", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "app.post(\"/configure\", async (c) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2d664f9b9998b882f871a8a0ec9f0369746c8cf9026c8ccd213650322a3f8864"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/remote-access/routes.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). 
High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 121197, "scanner": "repobility-threat-engine", "fingerprint": "a3bb94706316ca547491a21850fa253f3b2761fe8701698208c2c94e2506b082", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "app.post(\"/subscribe\", async (c) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a3bb94706316ca547491a21850fa253f3b2761fe8701698208c2c94e2506b082"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/push/routes.ts"}, "region": {"startLine": 57}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). 
High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 121196, "scanner": "repobility-threat-engine", "fingerprint": "019af3f3e646791919340aebc71fe3bdcf6853a92e27fa729945f201ff3b7411", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "app.post(\"/enable\", async (c) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|019af3f3e646791919340aebc71fe3bdcf6853a92e27fa729945f201ff3b7411"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/auth/routes.ts"}, "region": {"startLine": 146}}}]}, {"ruleId": "MINED031", "level": "error", "message": {"text": "[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. 
React won't re-render."}, "properties": {"repobilityId": 121194, "scanner": "repobility-threat-engine", "fingerprint": "c4101bc85e011e0b7de76f0a6f57ada41d3bec491b0ef6667c318efaab292c12", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-direct-state-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347971+00:00", "triaged_in_corpus": 15, "observations_count": 6168, "ai_coder_pattern_id": 137}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c4101bc85e011e0b7de76f0a6f57ada41d3bec491b0ef6667c318efaab292c12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/metadata/SessionMetadataService.ts"}, "region": {"startLine": 323}}}]}, {"ruleId": "MINED031", "level": "error", "message": {"text": "[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. 
React won't re-render."}, "properties": {"repobilityId": 121193, "scanner": "repobility-threat-engine", "fingerprint": "d57100db5e49c907a3372c983134f808e0b6e39d487960987d17c4fd4ae98bdf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-direct-state-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347971+00:00", "triaged_in_corpus": 15, "observations_count": 6168, "ai_coder_pattern_id": 137}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d57100db5e49c907a3372c983134f808e0b6e39d487960987d17c4fd4ae98bdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/metadata/ProjectMetadataService.ts"}, "region": {"startLine": 153}}}]}, {"ruleId": "MINED031", "level": "error", "message": {"text": "[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. 
React won't re-render."}, "properties": {"repobilityId": 121192, "scanner": "repobility-threat-engine", "fingerprint": "4ef9df9bafa922de4359a5c2a9c837e6a32fee3eab397d116ca43005c620c137", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-direct-state-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347971+00:00", "triaged_in_corpus": 15, "observations_count": 6168, "ai_coder_pattern_id": 137}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4ef9df9bafa922de4359a5c2a9c837e6a32fee3eab397d116ca43005c620c137"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/auth/AuthService.ts"}, "region": {"startLine": 141}}}]}, {"ruleId": "MINED033", "level": "error", "message": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, "properties": {"repobilityId": 121188, "scanner": "repobility-threat-engine", "fingerprint": "c15209d7481964e563b932258724648e4c2e042398e6337fee7eb80ac2260544", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-recover-without-log", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347975+00:00", "triaged_in_corpus": 15, "observations_count": 3808, "ai_coder_pattern_id": 109}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c15209d7481964e563b932258724648e4c2e042398e6337fee7eb80ac2260544"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"packages/device-bridge/internal/ipc/handler.go"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "properties": {"repobilityId": 121183, "scanner": "repobility-threat-engine", "fingerprint": "cde476a65250680dd7ea72863b611f81fd153149b7b33b1c9f6eb071484f3765", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cde476a65250680dd7ea72863b611f81fd153149b7b33b1c9f6eb071484f3765"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/internal/emulator/client.go"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. 
Go anti-pattern."}, "properties": {"repobilityId": 121182, "scanner": "repobility-threat-engine", "fingerprint": "bee8853529dfd28bf0650dd30180a0911a15940190b16e96268b9256c578a014", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bee8853529dfd28bf0650dd30180a0911a15940190b16e96268b9256c578a014"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/internal/conn/framing.go"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. 
Go anti-pattern."}, "properties": {"repobilityId": 121181, "scanner": "repobility-threat-engine", "fingerprint": "272c545e5a62646c08e8f14435dbec283885329ac84d1cfb87ab15bbd7842f13", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|272c545e5a62646c08e8f14435dbec283885329ac84d1cfb87ab15bbd7842f13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/cmd/validate/main.go"}, "region": {"startLine": 331}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 121172, "scanner": "repobility-threat-engine", "fingerprint": "723c7014e70a7757e22ea41b9b2b9ebcfdef240cfda4da13816a3239ff413f0b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|723c7014e70a7757e22ea41b9b2b9ebcfdef240cfda4da13816a3239ff413f0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/src/tray.rs"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 121171, "scanner": "repobility-threat-engine", "fingerprint": "0ff50e5722ba80fd51ebfea7fcdb2c45dc8dbe2ab3571632e80bcc2ac1ea9c36", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0ff50e5722ba80fd51ebfea7fcdb2c45dc8dbe2ab3571632e80bcc2ac1ea9c36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/desktop/src-tauri/build.rs"}, "region": {"startLine": 5}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 121161, "scanner": "repobility-threat-engine", "fingerprint": "61f0f0d98d0e1f2e64079f826c488d656dccf582a6241251ee1f668fc0f58315", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(FILE_PATH_PATTERN", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|61f0f0d98d0e1f2e64079f826c488d656dccf582a6241251ee1f668fc0f58315"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/shared/src/filePathDetection.ts"}, "region": {"startLine": 330}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 121160, "scanner": "repobility-threat-engine", "fingerprint": "8671facea7d7bd6753fc352ab7dbbb684543915e7380a70586ff8ad1f3c3b611", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(pathFilter", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8671facea7d7bd6753fc352ab7dbbb684543915e7380a70586ff8ad1f3c3b611"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/pages/ActivityPage.tsx"}, "region": {"startLine": 97}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 121159, "scanner": "repobility-threat-engine", "fingerprint": "07f8b4c66f439d00949c2bc98b7085fe32b24fd1aa8f527168de622f5eef668f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(pattern", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|07f8b4c66f439d00949c2bc98b7085fe32b24fd1aa8f527168de622f5eef668f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/hooks/useFileActivity.ts"}, "region": {"startLine": 197}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 121153, "scanner": "repobility-threat-engine", "fingerprint": "fd02252592c2c88d2e32b066a62c847b1be2c6fce61003bfa00e31b3894bce50", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "next.delete(id);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fd02252592c2c88d2e32b066a62c847b1be2c6fce61003bfa00e31b3894bce50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/contexts/RenderModeContext.tsx"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 121152, "scanner": "repobility-threat-engine", "fingerprint": "5084be0f094f691df2c29166ebdabe4c28e4746a084e646e9f8c7e674bb2880e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "next.delete(agentId);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5084be0f094f691df2c29166ebdabe4c28e4746a084e646e9f8c7e674bb2880e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/contexts/AgentContentContext.tsx"}, "region": {"startLine": 144}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 121151, "scanner": "repobility-threat-engine", "fingerprint": "140c93e6f768fb04df1dd0cf023de8054de353aa0b1cc067f9308b554bed65ca", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "next.delete(section.key);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|140c93e6f768fb04df1dd0cf023de8054de353aa0b1cc067f9308b554bed65ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/ThinkingText.tsx"}, "region": {"startLine": 181}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 121149, "scanner": "repobility-threat-engine", "fingerprint": "6eea0ac1e56987e7be3d884ea84ecf3c2b565d9afd5c5db787b0eba831f1d242", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(stripped", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6eea0ac1e56987e7be3d884ea84ecf3c2b565d9afd5c5db787b0eba831f1d242"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/relay/src/client-ip.ts"}, "region": {"startLine": 93}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 121148, "scanner": "repobility-threat-engine", "fingerprint": "b02eead14912db47c03efdf0eb6bed7a93d6ba7bb56c50cacca40c364f34826e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(url", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b02eead14912db47c03efdf0eb6bed7a93d6ba7bb56c50cacca40c364f34826e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/contexts/PublicShareContext.tsx"}, "region": {"startLine": 178}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 121147, "scanner": "repobility-threat-engine", "fingerprint": "5524b3a7d0ec952ac51b85d7de9e22ab0233c967b6995e76d7d66499e1e89495", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(line", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5524b3a7d0ec952ac51b85d7de9e22ab0233c967b6995e76d7d66499e1e89495"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/ThinkingText.tsx"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 121137, "scanner": "repobility-threat-engine", "fingerprint": "383087ff8603843c4b1762eb72797f2872a7044f1483ad75fed578116eb9a9e4", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(\n  p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|383087ff8603843c4b1762eb72797f2872a7044f1483ad75fed578116eb9a9e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/FilePathLink.tsx"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 121136, "scanner": "repobility-threat-engine", "fingerprint": "f1cc0fe36ae5aa5d3d1e609e617fe9d558dd94aec21cea11c34dd2a5b723422c", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(f", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f1cc0fe36ae5aa5d3d1e609e617fe9d558dd94aec21cea11c34dd2a5b723422c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/components/AttachmentChip.tsx"}, "region": {"startLine": 61}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 121135, "scanner": "repobility-threat-engine", "fingerprint": "e5a8b2ff28bbd4345570b9db100d432c7b3e9ca15f7eb5841afcefe52a73c947", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(\n  p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e5a8b2ff28bbd4345570b9db100d432c7b3e9ca15f7eb5841afcefe52a73c947"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/api/upload.ts"}, "region": {"startLine": 312}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "Binary file `packages/mobile/src-tauri/gen/android/gradle/wrapper/gradle-wrapper.jar` committed in source repo"}, "properties": {"repobilityId": 121088, "scanner": "repobility-supply-chain", "fingerprint": "e57b43d63298d09255418965be1c64a8b8c8ace0527d72b18071d56af1cdc027", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e57b43d63298d09255418965be1c64a8b8c8ace0527d72b18071d56af1cdc027"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mobile/src-tauri/gen/android/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "Binary file `packages/android-device-server/gradle/wrapper/gradle-wrapper.jar` committed in source repo"}, "properties": {"repobilityId": 121087, "scanner": 
"repobility-supply-chain", "fingerprint": "f0d5e1ccd0bc8f823fef2effcaa6d7a678252d5fa34bd54975afb09857c894bf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f0d5e1ccd0bc8f823fef2effcaa6d7a678252d5fa34bd54975afb09857c894bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/android-device-server/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 121067, "scanner": "repobility-supply-chain", "fingerprint": "9c3d0546ea71fd88b14272fc5edca16e3853c84b138ff2f19f3e8747029d721b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9c3d0546ea71fd88b14272fc5edca16e3853c84b138ff2f19f3e8747029d721b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/desktop-ci.yml"}, "region": {"startLine": 204}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `tauri-apps/tauri-action` pinned to mutable ref `@v0`"}, "properties": {"repobilityId": 121066, "scanner": "repobility-supply-chain", "fingerprint": "f05d630c3c59b01f5981f8c1b492f3f78ec14b82508a73e0e5be9feb89cebbfa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, 
"mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f05d630c3c59b01f5981f8c1b492f3f78ec14b82508a73e0e5be9feb89cebbfa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/desktop-ci.yml"}, "region": {"startLine": 158}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `swatinem/rust-cache` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 121065, "scanner": "repobility-supply-chain", "fingerprint": "150f662960b6f3d314c3ecd62e05c15efa7fb302b739d612bdfa281c06e3c676", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|150f662960b6f3d314c3ecd62e05c15efa7fb302b739d612bdfa281c06e3c676"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/desktop-ci.yml"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`"}, "properties": {"repobilityId": 121064, "scanner": "repobility-supply-chain", "fingerprint": "820550182e2655634f3086b071f6f28f6a2cb57790a361c578dd1742abb8a607", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|820550182e2655634f3086b071f6f28f6a2cb57790a361c578dd1742abb8a607"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": ".github/workflows/desktop-ci.yml"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 121063, "scanner": "repobility-supply-chain", "fingerprint": "da64c18525cde74f1be2638525fdd89edd4dd9456d4319452a924cc797685c52", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|da64c18525cde74f1be2638525fdd89edd4dd9456d4319452a924cc797685c52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/desktop-ci.yml"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 121062, "scanner": "repobility-supply-chain", "fingerprint": "58812fb271c331361eb91fad2d2ace7880c909759f6f3ac01a5c715ddeab763d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|58812fb271c331361eb91fad2d2ace7880c909759f6f3ac01a5c715ddeab763d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/desktop-ci.yml"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 121061, "scanner": "repobility-supply-chain", "fingerprint": 
"41277470c75e6918d33f0ec2b7027f03c2230daa4aebbb741bf5da20d234cbf4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|41277470c75e6918d33f0ec2b7027f03c2230daa4aebbb741bf5da20d234cbf4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/desktop-ci.yml"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/deploy-pages` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 121060, "scanner": "repobility-supply-chain", "fingerprint": "ef8007e8aab3e0026d6cc8656f96b83436e2f57185198f3346b1c56962f62c25", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ef8007e8aab3e0026d6cc8656f96b83436e2f57185198f3346b1c56962f62c25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pages.yml"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-pages-artifact` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 121059, "scanner": "repobility-supply-chain", "fingerprint": "3fee47a047a1b61ec31af9bc51d1669287f948adaaa5a5bb61513a84ebab21da", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": 
["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3fee47a047a1b61ec31af9bc51d1669287f948adaaa5a5bb61513a84ebab21da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pages.yml"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/configure-pages` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 121058, "scanner": "repobility-supply-chain", "fingerprint": "44f3a957542f257d5bc2dd861f946fc531b5bcbd7bfe67d50679cba517b8f649", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|44f3a957542f257d5bc2dd861f946fc531b5bcbd7bfe67d50679cba517b8f649"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pages.yml"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 121057, "scanner": "repobility-supply-chain", "fingerprint": "2cbb3890ecf0126aaf828bf002b251104c0e20c23ab881c0d1a154b66926ac7f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2cbb3890ecf0126aaf828bf002b251104c0e20c23ab881c0d1a154b66926ac7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pages.yml"}, "region": {"startLine": 
35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 121056, "scanner": "repobility-supply-chain", "fingerprint": "ba90960de9b2cc10f579c866bab95dc460e92e8abbd46ae699e1bd5a50bada64", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ba90960de9b2cc10f579c866bab95dc460e92e8abbd46ae699e1bd5a50bada64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pages.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 121055, "scanner": "repobility-supply-chain", "fingerprint": "4c8349dd7801d32d34413105b7b2055f6553338cce95a9ee38c22987989eca49", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4c8349dd7801d32d34413105b7b2055f6553338cce95a9ee38c22987989eca49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pages.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 121054, "scanner": "repobility-supply-chain", "fingerprint": "514f6c2579c0e9c12a71082bb02b55f47337426c79d8be1385666e6993fde9f2", "category": "dependency", 
"severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|514f6c2579c0e9c12a71082bb02b55f47337426c79d8be1385666e6993fde9f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 121053, "scanner": "repobility-supply-chain", "fingerprint": "b2b4bfff5cd39ea4e4d4c788a97b5f8d982343134c3300c027d97f9010649f00", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b2b4bfff5cd39ea4e4d4c788a97b5f8d982343134c3300c027d97f9010649f00"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 121052, "scanner": "repobility-supply-chain", "fingerprint": "5b4b7385244099454d90f667bd352e86f3afe7895294b48c583ed57113e07368", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|5b4b7385244099454d90f667bd352e86f3afe7895294b48c583ed57113e07368"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 121051, "scanner": "repobility-supply-chain", "fingerprint": "68eb1010c6400f83f51b6533edc26a6493c0e137c92131d432c993d35456b88d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|68eb1010c6400f83f51b6533edc26a6493c0e137c92131d432c993d35456b88d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 121050, "scanner": "repobility-supply-chain", "fingerprint": "dbf62655f64609236af26777f3d8406e2fb0bcb37a8797da148a2b7c2883b17d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dbf62655f64609236af26777f3d8406e2fb0bcb37a8797da148a2b7c2883b17d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, 
"properties": {"repobilityId": 121049, "scanner": "repobility-supply-chain", "fingerprint": "4a082f9791c959f0cc30aa201cd55f2078dc516f4474df1a2c421d07c02ce580", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4a082f9791c959f0cc30aa201cd55f2078dc516f4474df1a2c421d07c02ce580"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 121048, "scanner": "repobility-supply-chain", "fingerprint": "ab648c19d211198b4f44469138ab36b75e5a692e0205577cddbd001c6ed4be4d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ab648c19d211198b4f44469138ab36b75e5a692e0205577cddbd001c6ed4be4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 121047, "scanner": "repobility-supply-chain", "fingerprint": "8fa13b465ca1b233c942a7220cbb466b6c9d2f0a551e5ad45da337bbd0af4a60", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, 
"mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8fa13b465ca1b233c942a7220cbb466b6c9d2f0a551e5ad45da337bbd0af4a60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 121046, "scanner": "repobility-supply-chain", "fingerprint": "14b93aac1f0f5b1301c270b87d4b967f74c1b1dcf80d5838b941b2983a187052", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|14b93aac1f0f5b1301c270b87d4b967f74c1b1dcf80d5838b941b2983a187052"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 121045, "scanner": "repobility-supply-chain", "fingerprint": "91f0028b32eea9455c9ae15138bc6f86e49c3aae3b422fa08b0de88ad6534878", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|91f0028b32eea9455c9ae15138bc6f86e49c3aae3b422fa08b0de88ad6534878"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
".github/workflows/ci.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 121044, "scanner": "repobility-supply-chain", "fingerprint": "4158f37271f817b7191ae46d67192b6868476ac2632a48f80086e65987fb26c2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4158f37271f817b7191ae46d67192b6868476ac2632a48f80086e65987fb26c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 121043, "scanner": "repobility-supply-chain", "fingerprint": "173d05943eb6b1e789704cf258766b0ea5186ebbc5aafd65ae35e06b8d318889", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|173d05943eb6b1e789704cf258766b0ea5186ebbc5aafd65ae35e06b8d318889"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:22-slim` not pinned by digest"}, "properties": {"repobilityId": 121042, "scanner": "repobility-supply-chain", "fingerprint": 
"9cf485cbf8f0144d8bea391133405bf2575d3ae335c1b5ed2f86298c9c1dfb36", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9cf485cbf8f0144d8bea391133405bf2575d3ae335c1b5ed2f86298c9c1dfb36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express DELETE /sessions has no auth"}, "properties": {"repobilityId": 121041, "scanner": "repobility-route-auth", "fingerprint": "358b79bd2ea094c7cbf158264e9079449e58885b94a9010b9b5c24e6304a2fdc", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|358b79bd2ea094c7cbf158264e9079449e58885b94a9010b9b5c24e6304a2fdc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/remote-access/routes.ts"}, "region": {"startLine": 279}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express DELETE /sessions/:sessionId has no auth"}, "properties": {"repobilityId": 121040, "scanner": "repobility-route-auth", "fingerprint": "a68d262746b597af479822d9d261e061be06e47ff7ab9e1517caa42ec5a964df", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", 
"cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|a68d262746b597af479822d9d261e061be06e47ff7ab9e1517caa42ec5a964df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/remote-access/routes.ts"}, "region": {"startLine": 266}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express DELETE /relay has no auth"}, "properties": {"repobilityId": 121039, "scanner": "repobility-route-auth", "fingerprint": "970b6b3164b981e4ec30d29638e6817e520733292394d81dd266cb3a79d9c56a", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|970b6b3164b981e4ec30d29638e6817e520733292394d81dd266cb3a79d9c56a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/remote-access/routes.ts"}, "region": {"startLine": 201}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express PUT /relay has no auth"}, "properties": {"repobilityId": 121038, "scanner": "repobility-route-auth", "fingerprint": "7bb6f2308b04647e9f52781982c837b84a137c137b005e4a1b7391af4e19765b", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|7bb6f2308b04647e9f52781982c837b84a137c137b005e4a1b7391af4e19765b"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "packages/server/src/remote-access/routes.ts"}, "region": {"startLine": 155}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /clear has no auth"}, "properties": {"repobilityId": 121037, "scanner": "repobility-route-auth", "fingerprint": "57ef46f3a4a66611ab5daf4cff19bbe7215f741c44f188c7aec56175a1df2bb9", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|57ef46f3a4a66611ab5daf4cff19bbe7215f741c44f188c7aec56175a1df2bb9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/remote-access/routes.ts"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /disable has no auth"}, "properties": {"repobilityId": 121036, "scanner": "repobility-route-auth", "fingerprint": "e3a3f5100bb3e4ecad91f37334cfe272a698b6d0651e0f741d6c5d4bf95f6a84", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|e3a3f5100bb3e4ecad91f37334cfe272a698b6d0651e0f741d6c5d4bf95f6a84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/remote-access/routes.ts"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /enable has no auth"}, "properties": {"repobilityId": 121035, "scanner": 
"repobility-route-auth", "fingerprint": "ed3b0eb1afe80acb26dd721e2c77cc7d42f48437de99b4d61fc7a1668614f934", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|ed3b0eb1afe80acb26dd721e2c77cc7d42f48437de99b4d61fc7a1668614f934"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/remote-access/routes.ts"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /configure has no auth"}, "properties": {"repobilityId": 121034, "scanner": "repobility-route-auth", "fingerprint": "0d66dad875297cced87c66a17278d780287b67744e6435cb3c1113b29c61ad72", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|0d66dad875297cced87c66a17278d780287b67744e6435cb3c1113b29c61ad72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/remote-access/routes.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /install has no auth"}, "properties": {"repobilityId": 121033, "scanner": "repobility-route-auth", "fingerprint": "5662b67567cb48d19fd4eeab3062a2cc3c6173955d4eb7f36dd3394e5679d292", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": 
true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|5662b67567cb48d19fd4eeab3062a2cc3c6173955d4eb7f36dd3394e5679d292"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/routes/codex-updates.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /remote-executors/:host/test has no auth"}, "properties": {"repobilityId": 121032, "scanner": "repobility-route-auth", "fingerprint": "d75b7ba2e1468377a5236ccb6577426099ee76adfca21799ce7ce29ec565b594", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|d75b7ba2e1468377a5236ccb6577426099ee76adfca21799ce7ce29ec565b594"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/routes/settings.ts"}, "region": {"startLine": 793}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express PUT /remote-executors has no auth"}, "properties": {"repobilityId": 121031, "scanner": "repobility-route-auth", "fingerprint": "8ed97cba0818213400f3c8a90772b7ec5b18e7886101ce0e4610e9c343855825", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": 
"fp|8ed97cba0818213400f3c8a90772b7ec5b18e7886101ce0e4610e9c343855825"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/routes/settings.ts"}, "region": {"startLine": 765}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /helper-targets/models has no auth"}, "properties": {"repobilityId": 121030, "scanner": "repobility-route-auth", "fingerprint": "874ee2d946688c08d0b47a86c69c138b3b4cd6d6ac1412394e7bbd04d25a6d59", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|874ee2d946688c08d0b47a86c69c138b3b4cd6d6ac1412394e7bbd04d25a6d59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/routes/settings.ts"}, "region": {"startLine": 746}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express PUT / has no auth"}, "properties": {"repobilityId": 121029, "scanner": "repobility-route-auth", "fingerprint": "b577dc497bd467556f49d8252dad128cf94b9c63d6cdd06bcba3588f1e521827", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|b577dc497bd467556f49d8252dad128cf94b9c63d6cdd06bcba3588f1e521827"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/routes/settings.ts"}, "region": {"startLine": 404}}}]}, {"ruleId": "MINED113", "level": "error", "message": 
{"text": "Express DELETE / has no auth"}, "properties": {"repobilityId": 121028, "scanner": "repobility-route-auth", "fingerprint": "dabcaa745aa0c125aff20758c5db4d6d64ce9f31060fc6b062388ec2cbe63b20", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|dabcaa745aa0c125aff20758c5db4d6d64ce9f31060fc6b062388ec2cbe63b20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/routes/network-binding.ts"}, "region": {"startLine": 184}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express PUT / has no auth"}, "properties": {"repobilityId": 121027, "scanner": "repobility-route-auth", "fingerprint": "168b61b6d1db1c2ba218ed7e0148821e0ed6a720ac464f3106a44b7e447972c4", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|168b61b6d1db1c2ba218ed7e0148821e0ed6a720ac464f3106a44b7e447972c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/routes/network-binding.ts"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express DELETE /:id has no auth"}, "properties": {"repobilityId": 121026, "scanner": "repobility-route-auth", "fingerprint": "788dd2c16b150cb4bd2ed3e01f42eb11f9fb54c07e5db12d66db514424ac1ed4", "category": "quality", "severity": "high", "confidence": 0.8, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|788dd2c16b150cb4bd2ed3e01f42eb11f9fb54c07e5db12d66db514424ac1ed4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/routes/browser-profiles.ts"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST / has no auth"}, "properties": {"repobilityId": 121025, "scanner": "repobility-route-auth", "fingerprint": "434f01b0361db8c54e43ebc7b739a62cf81fefe845af81b4c84c8d20f7229e64", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|434f01b0361db8c54e43ebc7b739a62cf81fefe845af81b4c84c8d20f7229e64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/routes/client-logs.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /reset has no auth"}, "properties": {"repobilityId": 121024, "scanner": "repobility-route-auth", "fingerprint": "1dbeab8ec9fec759b3009733d296506615fa48cd16484a445b9920c30fe62137", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, 
"scanner": "repobility-route-auth", "correlation_key": "fp|1dbeab8ec9fec759b3009733d296506615fa48cd16484a445b9920c30fe62137"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/routes/onboarding.ts"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /complete has no auth"}, "properties": {"repobilityId": 121023, "scanner": "repobility-route-auth", "fingerprint": "f8ca048724727b9b4d01b34cb3cdfb20c45d1ca607a26d25abf1385f4facf11c", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|f8ca048724727b9b4d01b34cb3cdfb20c45d1ca607a26d25abf1385f4facf11c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/routes/onboarding.ts"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST / has no auth"}, "properties": {"repobilityId": 121022, "scanner": "repobility-route-auth", "fingerprint": "6c9a1d5d0a3100b6f87a679b8970dc5b464d6ffe7ea7a239b31a4117666e6da8", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|6c9a1d5d0a3100b6f87a679b8970dc5b464d6ffe7ea7a239b31a4117666e6da8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/routes/public-shares.ts"}, "region": {"startLine": 861}}}]}, 
{"ruleId": "MINED113", "level": "error", "message": {"text": "Express DELETE /sessions/:projectId/:sessionId/viewers/:viewerId has no auth"}, "properties": {"repobilityId": 121021, "scanner": "repobility-route-auth", "fingerprint": "8b2c52a50c9628a4a05d1cf620efd2744fae5c10ba9dcb0e307bf7d5a5ce1299", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|8b2c52a50c9628a4a05d1cf620efd2744fae5c10ba9dcb0e307bf7d5a5ce1299"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/routes/public-shares.ts"}, "region": {"startLine": 848}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /sessions/:projectId/:sessionId/viewers/:viewerId/freeze has no auth"}, "properties": {"repobilityId": 121020, "scanner": "repobility-route-auth", "fingerprint": "d260fdde613910ebaa53944f617280e7fcf0c5601fff28611bacd609801badb6", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|d260fdde613910ebaa53944f617280e7fcf0c5601fff28611bacd609801badb6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/routes/public-shares.ts"}, "region": {"startLine": 824}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /sessions/:projectId/:sessionId/freeze-live has no auth"}, "properties": {"repobilityId": 121019, 
"scanner": "repobility-route-auth", "fingerprint": "cc478076ee3e81ec4e6d5ce93d2e95921e6c5ebfb9aa07d1497e6bdf7bd74bb7", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|cc478076ee3e81ec4e6d5ce93d2e95921e6c5ebfb9aa07d1497e6bdf7bd74bb7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/routes/public-shares.ts"}, "region": {"startLine": 808}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express DELETE /sessions/:projectId/:sessionId has no auth"}, "properties": {"repobilityId": 121018, "scanner": "repobility-route-auth", "fingerprint": "404301a44e2dd9dcb46337251ff4fd30f7ce8a9c28fb378ec81cb50023931d2c", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|404301a44e2dd9dcb46337251ff4fd30f7ce8a9c28fb378ec81cb50023931d2c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/routes/public-shares.ts"}, "region": {"startLine": 797}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /upload has no auth"}, "properties": {"repobilityId": 121017, "scanner": "repobility-route-auth", "fingerprint": "4d4b737aea1b6cc3070c2235076f43ffcc3c8bc8b20c1175d5b3aa7f66a8422c", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, 
"reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|4d4b737aea1b6cc3070c2235076f43ffcc3c8bc8b20c1175d5b3aa7f66a8422c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/routes/sharing.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "GHSA-5xrq-8626-4rwp", "level": "error", "message": {"text": "vitest: GHSA-5xrq-8626-4rwp"}, "properties": {"repobilityId": 121366, "scanner": "osv-scanner", "fingerprint": "0806fec4420135fab4b0c94dfe4a59c4faf5e0da4ecef5e379ff15a3f669b383", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47429"], "package": "vitest", "rule_id": "GHSA-5xrq-8626-4rwp", "scanner": "osv-scanner", "correlation_key": "vuln|vitest|CVE-2026-47429|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-p77j-4mvh-x3m3", "level": "error", "message": {"text": "google.golang.org/grpc: GHSA-p77j-4mvh-x3m3"}, "properties": {"repobilityId": 121277, "scanner": "osv-scanner", "fingerprint": "5226c5cdcf2d09b22550f8868dd16a6e96b97090843cb61ca8759b81b0335414", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-33186", "GO-2026-4762"], "package": "google.golang.org/grpc", "rule_id": "GHSA-p77j-4mvh-x3m3", "scanner": "osv-scanner", "correlation_key": "vuln|google.golang.org/grpc|CVE-2026-33186|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-p77j-4mvh-x3m3", 
"GO-2026-4762"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["1d47c43d849ab6e608d970b1356bf48496c002d006876eb7bebfa8d65b5e88ae", "5226c5cdcf2d09b22550f8868dd16a6e96b97090843cb61ca8759b81b0335414"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-bridge/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 121217, "scanner": "gitleaks", "fingerprint": "7f83574fc7e9782f4d4cf770b86e90181bfd5a6030bfdfdd9eb02df65bdd89c8", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "token\": \"<redacted>\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|8|token : redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/src/layouts/BaseLayout.astro"}, "region": {"startLine": 81}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 121216, "scanner": "gitleaks", "fingerprint": "9e29b5e62e49dbcfb59d4960442ee863c39caccbe7a6ffaa466e6a255d76418b", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "token\": \"<redacted>\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|site/public/open/index.html|3|token : redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/public/open/index.html"}, "region": {"startLine": 31}}}]}, {"ruleId": "generic-api-key", "level": 
"error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 121215, "scanner": "gitleaks", "fingerprint": "f7f8397f72abb560d06b7e94016c47e9817c532259ce0551f5430b3595355d91", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "auth: \"REDACTED\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|3|auth: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/test/push/PushService.test.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 121214, "scanner": "gitleaks", "fingerprint": "ef468be5e79dad5365d350f35882892c4b6c8e441b052f8204c3c0a10a35cc75", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "privateKey: \"<redacted>\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|1|privatekey: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/test/push/PushService.test.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 121213, "scanner": "gitleaks", "fingerprint": "4f3b7aa0b9facf4870ab9067e6d117f7046799652284236dedb1e29fdf4be15c", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", 
"verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "secretbox: REDACTED", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|39|secretbox: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/research/binary-websocket-framing.md"}, "region": {"startLine": 391}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.TAURI_SIGNING_PRIVATE_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 121086, "scanner": "repobility-supply-chain", "fingerprint": "a0278c849cd9ba9261c6a828bc4c6d125582bb377a5fc6fae1bef4c331ecf0de", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a0278c849cd9ba9261c6a828bc4c6d125582bb377a5fc6fae1bef4c331ecf0de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/desktop-ci.yml"}, "region": {"startLine": 202}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.AZURE_CLIENT_SECRET` on a `pull_request` trigger"}, "properties": {"repobilityId": 121085, "scanner": "repobility-supply-chain", "fingerprint": "31ffea3957eee1b0e087b02fd09fab08276abb6b8e38139159298290070a68a6", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|31ffea3957eee1b0e087b02fd09fab08276abb6b8e38139159298290070a68a6"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/desktop-ci.yml"}, "region": {"startLine": 165}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.AZURE_TENANT_ID` on a `pull_request` trigger"}, "properties": {"repobilityId": 121084, "scanner": "repobility-supply-chain", "fingerprint": "805f7746e627f7f1be8870e25579194f8b525eb2752b7488ca0ec897bcd94aee", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|805f7746e627f7f1be8870e25579194f8b525eb2752b7488ca0ec897bcd94aee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/desktop-ci.yml"}, "region": {"startLine": 164}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.AZURE_CLIENT_ID` on a `pull_request` trigger"}, "properties": {"repobilityId": 121083, "scanner": "repobility-supply-chain", "fingerprint": "59a428e31095fc2de7cf510029553d5f0c0a755a98835fbe50fc350909220247", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|59a428e31095fc2de7cf510029553d5f0c0a755a98835fbe50fc350909220247"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/desktop-ci.yml"}, "region": {"startLine": 163}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.ASC_API_ISSUER_ID` on a `pull_request` 
trigger"}, "properties": {"repobilityId": 121082, "scanner": "repobility-supply-chain", "fingerprint": "6202d164a976873843060d953af869289717320fdd4d7e87a295e5e940349ebc", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6202d164a976873843060d953af869289717320fdd4d7e87a295e5e940349ebc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/desktop-ci.yml"}, "region": {"startLine": 130}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.ASC_API_KEY_ID` on a `pull_request` trigger"}, "properties": {"repobilityId": 121081, "scanner": "repobility-supply-chain", "fingerprint": "ba949021e68e7b900339f26e3ec02b5cef6d46f3165f6420e6f0abbb84f8eb61", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ba949021e68e7b900339f26e3ec02b5cef6d46f3165f6420e6f0abbb84f8eb61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/desktop-ci.yml"}, "region": {"startLine": 129}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.MACOS_CERTIFICATE_PASSWORD` on a `pull_request` trigger"}, "properties": {"repobilityId": 121080, "scanner": "repobility-supply-chain", "fingerprint": "04b05e6e5baca608c95396eabd8b73b25a4b0b2ff446003884aa59894de8719a", "category": "dependency", "severity": "critical", "confidence": 0.9, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|04b05e6e5baca608c95396eabd8b73b25a4b0b2ff446003884aa59894de8719a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/desktop-ci.yml"}, "region": {"startLine": 125}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.MACOS_CERTIFICATE_P12_BASE64` on a `pull_request` trigger"}, "properties": {"repobilityId": 121079, "scanner": "repobility-supply-chain", "fingerprint": "7ed9960e781075169dd808ab871cd3f3377a40336d2b0576a23addd9ef16e055", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7ed9960e781075169dd808ab871cd3f3377a40336d2b0576a23addd9ef16e055"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/desktop-ci.yml"}, "region": {"startLine": 123}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD` on a `pull_request` trigger"}, "properties": {"repobilityId": 121078, "scanner": "repobility-supply-chain", "fingerprint": "81e803aa29df04713b71606be0c193f105029d9c085bfd78037658c7e96e9927", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], 
"observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|81e803aa29df04713b71606be0c193f105029d9c085bfd78037658c7e96e9927"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/desktop-ci.yml"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.TAURI_SIGNING_PRIVATE_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 121077, "scanner": "repobility-supply-chain", "fingerprint": "ae9caf3975a53a8f327ac8aa849cd72caf588bd694951fef85f341fb983b3887", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ae9caf3975a53a8f327ac8aa849cd72caf588bd694951fef85f341fb983b3887"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/desktop-ci.yml"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.ASC_API_KEY_ID` on a `pull_request` trigger"}, "properties": {"repobilityId": 121076, "scanner": "repobility-supply-chain", "fingerprint": "b6577d646ca34fa4eb21b07c4930660fb1f4ace0ddb6341a620c51750ee58c6d", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b6577d646ca34fa4eb21b07c4930660fb1f4ace0ddb6341a620c51750ee58c6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
".github/workflows/desktop-ci.yml"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.ASC_API_KEY_P8_BASE64` on a `pull_request` trigger"}, "properties": {"repobilityId": 121075, "scanner": "repobility-supply-chain", "fingerprint": "4048181b280a83b8ca4546149f2c07e9f934e430fe5d6a46cb07bdf0134728e7", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4048181b280a83b8ca4546149f2c07e9f934e430fe5d6a46cb07bdf0134728e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/desktop-ci.yml"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.MACOS_KEYCHAIN_PASSWORD` on a `pull_request` trigger"}, "properties": {"repobilityId": 121074, "scanner": "repobility-supply-chain", "fingerprint": "63c97f7b2a6bcf4be73ad9c07082f218207a4b342131e1592868009df3082ed1", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|63c97f7b2a6bcf4be73ad9c07082f218207a4b342131e1592868009df3082ed1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/desktop-ci.yml"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.MACOS_CERTIFICATE_PASSWORD` on a `pull_request` trigger"}, "properties": {"repobilityId": 
121073, "scanner": "repobility-supply-chain", "fingerprint": "bb90b7b270a27ec4c559dec69708c3372d6f53cc687430cfe31790ee1fb7eca6", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bb90b7b270a27ec4c559dec69708c3372d6f53cc687430cfe31790ee1fb7eca6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/desktop-ci.yml"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.MACOS_CERTIFICATE_P12_BASE64` on a `pull_request` trigger"}, "properties": {"repobilityId": 121072, "scanner": "repobility-supply-chain", "fingerprint": "6915b55e25fcc65a50f6f2d027a247bccd06ae5cb20a1338e63e2451f3b59618", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6915b55e25fcc65a50f6f2d027a247bccd06ae5cb20a1338e63e2451f3b59618"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/desktop-ci.yml"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.TAURI_SIGNING_PRIVATE_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 121071, "scanner": "repobility-supply-chain", "fingerprint": "e3d3b6ecd2b233acb47296d6b1ca5a64d78cbb452c459e1537563c56ff412962", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", 
"isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e3d3b6ecd2b233acb47296d6b1ca5a64d78cbb452c459e1537563c56ff412962"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/desktop-ci.yml"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.AZURE_CLIENT_SECRET` on a `pull_request` trigger"}, "properties": {"repobilityId": 121070, "scanner": "repobility-supply-chain", "fingerprint": "856f38bf57a3bb0509a26e08849b854c79cf3636d5babfa02a21fcaad51d20dd", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|856f38bf57a3bb0509a26e08849b854c79cf3636d5babfa02a21fcaad51d20dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/desktop-ci.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.ASC_API_KEY_P8_BASE64` on a `pull_request` trigger"}, "properties": {"repobilityId": 121069, "scanner": "repobility-supply-chain", "fingerprint": "fab26e24a2853f7880e97056fff95b159f117b4edeb250b35b6b3c035ad3490d", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", 
"correlation_key": "fp|fab26e24a2853f7880e97056fff95b159f117b4edeb250b35b6b3c035ad3490d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/desktop-ci.yml"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.MACOS_CERTIFICATE_P12_BASE64` on a `pull_request` trigger"}, "properties": {"repobilityId": 121068, "scanner": "repobility-supply-chain", "fingerprint": "9702ca5a0304379a94f7ce4d0208f90c7ac6cf2a8c84ff1fb11117b5d040233b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9702ca5a0304379a94f7ce4d0208f90c7ac6cf2a8c84ff1fb11117b5d040233b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/desktop-ci.yml"}, "region": {"startLine": 47}}}]}]}]}